
v1.1.0 — compat shim release

@edwardsmit edwardsmit released this 20 May 09:04
· 3 commits to main since this release
ed6dcfe

First compat shim release. deparam now delegates parsing to qs (currently 6.15.2) while param keeps the original jQuery-traditional stringify implementation. All 58 conformance cases stay green, and there are no API changes since 1.0.0: the optional maxDepth parameter was already there.

What changed

  • lib/deparam.js rewritten as a qs.parse wrapper with three local protections layered on top:
    • safeDecoder: ISO-8859 fallback via unescape() when decodeURIComponent rejects malformed UTF-8. Preserves accents from legacy Latin-1 query strings (e.g. on the way to Elasticsearch).
    • preFilter: per-parameter rejection of __proto__ / constructor / prototype key segments and of paths exceeding maxDepth (default 5).
    • coerceWalk: post-parse type coercion (true/false/null/undefined strings, numerics) — opt-out via deparam(qs, false).
  • lib/param.js unchanged from 1.0.0 — pure ES5, zero deps, no attack surface.
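
The decode fallback and per-parameter rejection described for safeDecoder and preFilter, written out as an added example; this is not the code in lib/deparam.js. The function names, the sample query string and the rule that depth equals the number of key segments are assumptions.

```javascript
// Added example, not the code in lib/deparam.js; all names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one component; fall back to Latin-1 when the escapes are not valid UTF-8.
function safeDecode(str) {
  const s = str.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return unescape(s); // e.g. "caf%E9" from a legacy ISO-8859-1 form
  }
}

// "a[b][c]" -> ["a", "b", "c"]. The key is decoded first so that
// "a%5B__proto__%5D" cannot slip past the check in encoded form.
// Unbalanced brackets still split, which errs on the side of rejecting.
function keySegments(rawKey) {
  return safeDecode(rawKey).replace(/\]/g, '').split('[');
}

// Drop whole parameters before they reach the parser.
// Assumption: depth is the number of key segments.
function preFilter(query, maxDepth = 5) {
  const kept = [];
  const rejected = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const segments = keySegments(eq === -1 ? pair : pair.slice(0, eq));
    const bad = segments.length > maxDepth ||
      segments.some((seg) => FORBIDDEN.has(seg));
    (bad ? rejected : kept).push(pair);
  }
  return { kept: kept.join('&'), rejected };
}

// Constructed sample input.
const sample = [
  'q=caf%E9',
  'filter[tags][]=a',
  'filter[__proto__][admin]=true',
  'a%5Bconstructor%5D%5Bprototype%5D%5Bx%5D=1',
  'a[b][c][d][e][f]=deep',
].join('&');

console.log(preFilter(sample));
console.log(safeDecode('caf%E9'), safeDecode('caf%C3%A9'));
```

Filtering whole parameters before parsing means a rejected key never reaches the object-building step, so the result does not depend on how the parser itself treats those segments.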

Dependency change

  • qs ^6.15.2 added as a runtime dependency (was zero deps in 1.0.0).
  • Future qs CVE patches flow in automatically via Dependabot lockfile bumps in downstream projects — no republish of this library needed for routine patches.

CI changes

  • New job: Conformance against qs@latest — installs bleeding-edge qs unsaved and reruns the conformance suite. Early-warning for any future qs release that would break the shim.

Install

npm install node-qs-serialization@1.1.0

Verified

  • All 58 conformance cases green on Node 18/20/22/24
  • Smoke test green on Node 0.10 through 16 via Docker
  • Full saas-sitesearch integration suite (757 mocha tests, 90% coverage gates) green with 1.1.0 swapped in as a transparent drop-in for 0.0.2