feat: Replace query-string with qs@6-compatible bracket-notation parser#3662

Merged
daffl merged 2 commits into v6 from v6-qs on Feb 19, 2026

Conversation

@marshallswain
Member

Summary

  • Replace the lightweight URLSearchParams-based query-string.ts with a zero-dependency bracket-notation parser/stringifier (qs.ts) that is wire-compatible with qs@6 defaults
  • Restore support for nested query objects ($in, $sort, etc.) lost when the qs npm package was removed
  • Harden against the two main qs CVE classes: prototype pollution and memory overflow via array indices
  • Remove qs and @types/qs from devDependencies
  • Restore the `supports nested arrays in queries` integration test that was removed in feat: Remove qs dependency #3659

Safety limits

| Limit | Value | Behavior |
| --- | --- | --- |
| PARAMETER_LIMIT | 2000 | Pairs beyond the limit silently dropped |
| ARRAY_INDEX_LIMIT | 2000 | Indices >= 2000 silently dropped (no empty shells) |
| DEPTH_LIMIT | 5 | Bracket nesting beyond depth 5 collapses into literal keys |
| Prototype keys | `__proto__`, `constructor`, `prototype` | Silently dropped at every level |

Test plan

  • 77 unit tests covering parse, stringify, round-trip, security hardening, and edge cases
  • Restored `supports nested arrays in queries` integration test passes
  • Full feathers package suite passes (493 tests, 29 files)
  • TypeScript compiles with zero errors
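The parse side of the safety limits in the table above, as an added TypeScript example that is not the Feathers `qs.ts` from this PR: the `splitKey`/`isSafe`/`assign` structure and the "remainder becomes one literal key" depth behaviour are assumptions modelled on qs@6 defaults, and the limit values are taken from the PR's table.

```typescript
// Added example, not the Feathers qs.ts: a minimal qs@6-style bracket-notation
// parser with the four safety limits listed in the PR (values from its table).
const PARAMETER_LIMIT = 2000;
const ARRAY_INDEX_LIMIT = 2000;
const DEPTH_LIMIT = 5;
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isIndex = (s: string): boolean => /^\d+$/.test(s);
// "a[b][c]" -> ["a", "b", "c"]; brackets past DEPTH_LIMIT stay one literal key, as qs does.
function splitKey(key: string): string[] {
  const open = key.indexOf('[');
  if (open <= 0) return [key];
  const segments = [key.slice(0, open)];
  let rest = key.slice(open);
  for (let depth = 0; depth < DEPTH_LIMIT; depth++) {
    const m = /^\[([^\]]*)\]/.exec(rest);
    if (!m) break;
    segments.push(m[1]);
    rest = rest.slice(m[0].length);
  }
  if (rest.length > 0) segments.push('[' + rest + ']');
  return segments;
}
// Check every segment before writing anything, so a dropped pair leaves no empty container.
function isSafe(segments: string[]): boolean {
  return segments.every((s) => !PROTOTYPE_KEYS.has(s) && !(isIndex(s) && Number(s) >= ARRAY_INDEX_LIMIT));
}
// Walk/create containers along the path; "" means push, digits mean an array index.
function assign(root: Record<string, unknown>, segments: string[], value: string): void {
  let node: any = root;
  segments.forEach((seg, i) => {
    const key: string | number = seg === '' ? (node.length ?? 0) : isIndex(seg) ? Number(seg) : seg;
    if (i === segments.length - 1) { node[key] = value; return; }
    const next = segments[i + 1];
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = next === '' || isIndex(next) ? [] : {};
    node = node[key];
  });
}
// Percent-decoding happens before splitting, so "%5B" participates in bracket syntax as in qs.
const decode = (s: string): string => { try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; } };
function parse(query: string): Record<string, unknown> {
  const result: Record<string, unknown> = {};
  const pairs = query.replace(/^\?/, '').split('&').filter(Boolean);
  for (const pair of pairs.slice(0, PARAMETER_LIMIT)) { // pairs past the limit are dropped
    const eq = pair.indexOf('=');
    const key = decode(eq === -1 ? pair : pair.slice(0, eq));
    const segments = splitKey(key);
    if (isSafe(segments)) assign(result, segments, decode(eq === -1 ? '' : pair.slice(eq + 1)));
  }
  return result;
}
```

The stringifier direction is omitted; the point here is that each limit rejects the offending pair before any container is created, which is what keeps `a[5000]=x` from leaving an empty `a: []` behind.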

marshallswain and others added 2 commits February 19, 2026 16:09
Replace the lightweight URLSearchParams-based query-string module with a
zero-dependency bracket-notation parser/stringifier that is wire-compatible
with qs@6 defaults. This restores support for nested query objects (e.g.
$in, $sort) that was lost when the qs npm package was removed.

Security hardening against the two main qs CVE classes:
- Prototype pollution: __proto__, constructor, prototype keys silently dropped
- Memory overflow: array indices >= 2000 silently dropped (no empty shells)

Additional safety limits (all set to 2000):
- PARAMETER_LIMIT: pairs beyond the limit are dropped
- ARRAY_INDEX_LIMIT: array indices >= 2000 are dropped
- DEPTH_LIMIT: bracket nesting beyond depth 5 collapses into literal keys
daffl merged commit 471e571 into v6 on Feb 19, 2026
4 checks passed
daffl deleted the v6-qs branch on February 19, 2026 23:42