From 60b62546ad05d436b64b2e0feafc7a5cf4727aee Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 8 Aug 2024 10:15:02 +1200 Subject: [PATCH 01/40] [Dev Deps] update `mock-property` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 6dae0521..b7182e06 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "in-publish": "^2.0.1", "jackspeak": "=2.1.1", "mkdirp": "^0.5.5", - "mock-property": "^1.0.3", + "mock-property": "^1.1.0", "module-deps": "^6.2.3", "npmignore": "^0.3.1", "nyc": "^10.3.2", From d089efd91e27bbaf5dc8c4dd13f690806f0c4be8 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 8 Aug 2024 11:49:32 +1200 Subject: [PATCH 02/40] [Tests] fix a test case --- test/stringify.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/stringify.js b/test/stringify.js index 12b1c71d..e8a5ea5c 100644 --- a/test/stringify.js +++ b/test/stringify.js @@ -1254,7 +1254,7 @@ test('stringify()', function (t) { }; st.equal( - qs.stringify(obj, { arrayFormat: 'bracket', charset: 'utf-8' }), + qs.stringify(obj, { arrayFormat: 'brackets', charset: 'utf-8' }), 'foo=' + expected.join('') ); From 99fd543b666387fb77281ccb82d0c6b13906ec36 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 8 Aug 2024 11:48:36 +1200 Subject: [PATCH 03/40] [Fix] `stringify`: ensure a non-string `filter` does not crash --- lib/stringify.js | 4 ++-- test/stringify.js | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/lib/stringify.js b/lib/stringify.js index 9b934d69..e98303a0 100644 --- a/lib/stringify.js +++ b/lib/stringify.js @@ -150,7 +150,7 @@ var stringify = function stringify( objKeys = sort ? keys.sort(sort) : keys; } - var encodedPrefix = encodeDotInKeys ? prefix.replace(/\./g, '%2E') : prefix; + var encodedPrefix = encodeDotInKeys ? String(prefix).replace(/\./g, '%2E') : String(prefix); var adjustedPrefix = commaRoundTrip && isArray(obj) && obj.length === 1 ? encodedPrefix + '[]' : encodedPrefix; @@ -166,7 +166,7 @@ var stringify = function stringify( continue; } - var encodedKey = allowDots && encodeDotInKeys ? key.replace(/\./g, '%2E') : key; + var encodedKey = allowDots && encodeDotInKeys ? String(key).replace(/\./g, '%2E') : String(key); var keyPrefix = isArray(obj) ? typeof generateArrayPrefix === 'function' ? generateArrayPrefix(adjustedPrefix, encodedKey) : adjustedPrefix : adjustedPrefix + (allowDots ? '.' + encodedKey : '[' + encodedKey + ']'); diff --git a/test/stringify.js b/test/stringify.js index e8a5ea5c..be9186d6 100644 --- a/test/stringify.js +++ b/test/stringify.js @@ -1295,4 +1295,16 @@ test('stringifies empty keys', function (t) { st.end(); }); + + t.test('stringifies non-string keys', function (st) { + var actual = qs.stringify({ a: 'b', 'false': {} }, { + filter: ['a', false], + allowDots: true, + encodeDotInKeys: true + }); + + st.equal(actual, 'a=b', 'stringifies correctly'); + + st.end(); + }); }); From ca55d0f8653f88d92c78cbdbb7d590a30ab71fb3 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 8 Aug 2024 17:02:02 +1200 Subject: [PATCH 04/40] [Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset --- lib/parse.js | 2 +- test/parse.js | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/parse.js b/lib/parse.js index 3d74c715..9d323fab 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -101,7 +101,7 @@ var parseValues = function parseQueryStringValues(str, options) { } if (val && options.interpretNumericEntities && charset === 'iso-8859-1') { - val = interpretNumericEntities(val); + val = interpretNumericEntities(String(val)); } if (part.indexOf('[]=') > -1) { diff --git a/test/parse.js b/test/parse.js index 8a2f487c..5d7b3e58 100644 --- a/test/parse.js +++ b/test/parse.js @@ -998,6 +998,15 @@ test('parse()', function (t) { st.end(); }); + t.test('interpretNumericEntities with comma:true and iso charset does not crash', function (st) { + st.deepEqual( + qs.parse('b&a[]=1,' + urlEncodedNumSmiley, { comma: true, charset: 'iso-8859-1', interpretNumericEntities: true }), + { b: '', a: ['1,☺'] } + ); + + st.end(); + }); + t.test('does not interpret %uXXXX syntax in iso-8859-1 mode', function (st) { st.deepEqual(qs.parse('%u263A=%u263A', { charset: 'iso-8859-1' }), { '%u263A': '%u263A' }); st.end(); From 3e750c1ac6bb7ea328b9c3183d867902dce43c95 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 22 Aug 2024 10:42:54 -0700 Subject: [PATCH 05/40] [Refactor] misc cleanup --- .eslintrc | 1 + lib/parse.js | 3 ++- lib/stringify.js | 13 +++++++++---- lib/utils.js | 7 +++++-- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.eslintrc b/.eslintrc index b6927611..a89f60e6 100644 --- a/.eslintrc +++ b/.eslintrc @@ -13,6 +13,7 @@ "func-name-matching": 0, "id-length": [2, { "min": 1, "max": 25, "properties": "never" }], "indent": [2, 4], + "max-lines": 0, "max-lines-per-function": [2, { "max": 150 }], "max-params": [2, 18], "max-statements": [2, 100], diff --git a/lib/parse.js b/lib/parse.js index 9d323fab..f7fadc07 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -86,7 +86,8 @@ var parseValues = function parseQueryStringValues(str, options) { var bracketEqualsPos = part.indexOf(']='); var pos = bracketEqualsPos === -1 ? part.indexOf('=') : bracketEqualsPos + 1; - var key, val; + var key; + var val; if (pos === -1) { key = options.decoder(part, defaults.decoder, charset, 'key'); val = options.strictNullHandling ? null : ''; diff --git a/lib/stringify.js b/lib/stringify.js index e98303a0..3bdd4e93 100644 --- a/lib/stringify.js +++ b/lib/stringify.js @@ -34,11 +34,13 @@ var defaults = { arrayFormat: 'indices', charset: 'utf-8', charsetSentinel: false, + commaRoundTrip: false, delimiter: '&', encode: true, encodeDotInKeys: false, encoder: utils.encode, encodeValuesOnly: false, + filter: void undefined, format: defaultFormat, formatter: formats.formatters[defaultFormat], // deprecated @@ -160,7 +162,9 @@ var stringify = function stringify( for (var j = 0; j < objKeys.length; ++j) { var key = objKeys[j]; - var value = typeof key === 'object' && typeof key.value !== 'undefined' ? key.value : obj[key]; + var value = typeof key === 'object' && typeof key.value !== 'undefined' + ? key.value + : obj[key]; if (skipNulls && value === null) { continue; @@ -257,7 +261,7 @@ var normalizeStringifyOptions = function normalizeStringifyOptions(opts) { arrayFormat: arrayFormat, charset: charset, charsetSentinel: typeof opts.charsetSentinel === 'boolean' ? opts.charsetSentinel : defaults.charsetSentinel, - commaRoundTrip: opts.commaRoundTrip, + commaRoundTrip: !!opts.commaRoundTrip, delimiter: typeof opts.delimiter === 'undefined' ? defaults.delimiter : opts.delimiter, encode: typeof opts.encode === 'boolean' ? opts.encode : defaults.encode, encodeDotInKeys: typeof opts.encodeDotInKeys === 'boolean' ? opts.encodeDotInKeys : defaults.encodeDotInKeys, @@ -308,12 +312,13 @@ module.exports = function (object, opts) { var sideChannel = getSideChannel(); for (var i = 0; i < objKeys.length; ++i) { var key = objKeys[i]; + var value = obj[key]; - if (options.skipNulls && obj[key] === null) { + if (options.skipNulls && value === null) { continue; } pushToArray(keys, stringify( - obj[key], + value, key, generateArrayPrefix, commaRoundTrip, diff --git a/lib/utils.js b/lib/utils.js index 7c860f1b..d4e19566 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -54,7 +54,10 @@ var merge = function merge(target, source, options) { if (isArray(target)) { target.push(source); } else if (target && typeof target === 'object') { - if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) { + if ( + (options && (options.plainObjects || options.allowPrototypes)) + || !has.call(Object.prototype, source) + ) { target[source] = true; } } else { @@ -108,7 +111,7 @@ var assign = function assignSingleSource(target, source) { }, target); }; -var decode = function (str, decoder, charset) { +var decode = function (str, defaultDecoder, charset) { var strWithoutPlus = str.replace(/\+/g, ' '); if (charset === 'iso-8859-1') { // unescape never throws, no try...catch needed: From 2a548a95e7409e9fbbd1f0b972aad57f25764cae Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 22 Aug 2024 10:47:16 -0700 Subject: [PATCH 06/40] [Tests] `utils.merge`: add some coverage --- test/utils.js | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/test/utils.js b/test/utils.js index aa84dfdc..21429937 100644 --- a/test/utils.js +++ b/test/utils.js @@ -28,6 +28,20 @@ test('merge()', function (t) { var noOptionsNonObjectSource = utils.merge({ foo: 'baz' }, 'bar'); t.deepEqual(noOptionsNonObjectSource, { foo: 'baz', bar: true }); + var func = function f() {}; + t.deepEqual( + utils.merge(func, { foo: 'bar' }), + [func, { foo: 'bar' }], + 'functions can not be merged into' + ); + + func.bar = 'baz'; + t.deepEqual( + utils.merge({ foo: 'bar' }, func), + { foo: 'bar', 'function f() {}': true }, + 'functions can not be merge sources' + ); + t.test( 'avoids invoking array setters unnecessarily', { skip: typeof Object.defineProperty !== 'function' }, From aa1f0a8432a7a918c36486e8b2334ef12ff4f46b Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 22 Aug 2024 10:47:46 -0700 Subject: [PATCH 07/40] [Fix] `utils.merge`: functions should not be stringified into keys --- lib/utils.js | 2 +- test/utils.js | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/utils.js b/lib/utils.js index d4e19566..d325ffdb 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -50,7 +50,7 @@ var merge = function merge(target, source, options) { return target; } - if (typeof source !== 'object') { + if (typeof source !== 'object' && typeof source !== 'function') { if (isArray(target)) { target.push(source); } else if (target && typeof target === 'object') { diff --git a/test/utils.js b/test/utils.js index 21429937..7a4ff1b2 100644 --- a/test/utils.js +++ b/test/utils.js @@ -38,8 +38,8 @@ test('merge()', function (t) { func.bar = 'baz'; t.deepEqual( utils.merge({ foo: 'bar' }, func), - { foo: 'bar', 'function f() {}': true }, - 'functions can not be merge sources' + { foo: 'bar', bar: 'baz' }, + 'functions can be merge sources' ); t.test( From 96f4d93e171ada73cb466a5abe3ac23c9ed4217a Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 22 Aug 2024 10:53:38 -0700 Subject: [PATCH 08/40] [Fix] `stringify`: avoid a crash when a `filter` key is `null` --- lib/stringify.js | 2 +- test/stringify.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/stringify.js b/lib/stringify.js index 3bdd4e93..2666eaf9 100644 --- a/lib/stringify.js +++ b/lib/stringify.js @@ -162,7 +162,7 @@ var stringify = function stringify( for (var j = 0; j < objKeys.length; ++j) { var key = objKeys[j]; - var value = typeof key === 'object' && typeof key.value !== 'undefined' + var value = typeof key === 'object' && key && typeof key.value !== 'undefined' ? key.value : obj[key]; diff --git a/test/stringify.js b/test/stringify.js index be9186d6..75eaf738 100644 --- a/test/stringify.js +++ b/test/stringify.js @@ -1298,7 +1298,7 @@ test('stringifies empty keys', function (t) { t.test('stringifies non-string keys', function (st) { var actual = qs.stringify({ a: 'b', 'false': {} }, { - filter: ['a', false], + filter: ['a', false, null], allowDots: true, encodeDotInKeys: true }); From 3c8a6f5a1e8d2c4772fd733c7ca1a28e92498fd7 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 22 Aug 2024 11:13:54 -0700 Subject: [PATCH 09/40] [Refactor] use `__proto__` syntax instead of `Object.create` for null objects --- README.md | 2 +- lib/parse.js | 6 +++--- lib/utils.js | 2 +- package.json | 2 ++ test/parse.js | 34 +++++++++++++++++++++------------- test/stringify.js | 16 ++++++---------- 6 files changed, 34 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 1e0d9adc..7347a3c4 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ assert.deepEqual(qs.parse('foo[bar]=baz'), { }); ``` -When using the `plainObjects` option the parsed value is returned as a null object, created via `Object.create(null)` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like: +When using the `plainObjects` option the parsed value is returned as a null object, created via `{ __proto__: null }` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like: ```javascript var nullObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true }); diff --git a/lib/parse.js b/lib/parse.js index f7fadc07..f6dabf14 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -132,7 +132,7 @@ var parseObject = function (chain, val, options, valuesParsed) { ? [] : [].concat(leaf); } else { - obj = options.plainObjects ? Object.create(null) : {}; + obj = options.plainObjects ? { __proto__: null } : {}; var cleanRoot = root.charAt(0) === '[' && root.charAt(root.length - 1) === ']' ? root.slice(1, -1) : root; var decodedRoot = options.decodeDotInKeys ? cleanRoot.replace(/%2E/g, '.') : cleanRoot; var index = parseInt(decodedRoot, 10); @@ -274,11 +274,11 @@ module.exports = function (str, opts) { var options = normalizeParseOptions(opts); if (str === '' || str === null || typeof str === 'undefined') { - return options.plainObjects ? Object.create(null) : {}; + return options.plainObjects ? { __proto__: null } : {}; } var tempObj = typeof str === 'string' ? parseValues(str, options) : str; - var obj = options.plainObjects ? Object.create(null) : {}; + var obj = options.plainObjects ? { __proto__: null } : {}; // Iterate over the keys and setup the new object diff --git a/lib/utils.js b/lib/utils.js index d325ffdb..2905ff01 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -34,7 +34,7 @@ var compactQueue = function compactQueue(queue) { }; var arrayToObject = function arrayToObject(source, options) { - var obj = options && options.plainObjects ? Object.create(null) : {}; + var obj = options && options.plainObjects ? { __proto__: null } : {}; for (var i = 0; i < source.length; ++i) { if (typeof source[i] !== 'undefined') { obj[i] = source[i]; diff --git a/package.json b/package.json index b7182e06..2b11951b 100644 --- a/package.json +++ b/package.json @@ -46,8 +46,10 @@ "evalmd": "^0.0.19", "for-each": "^0.3.3", "glob": "=10.3.7", + "has-bigints": "^1.0.2", "has-override-mistake": "^1.0.1", "has-property-descriptors": "^1.0.2", + "has-proto": "^1.0.3", "has-symbols": "^1.0.3", "iconv-lite": "^0.5.1", "in-publish": "^2.0.1", diff --git a/test/parse.js b/test/parse.js index 5d7b3e58..d678ac1d 100644 --- a/test/parse.js +++ b/test/parse.js @@ -9,6 +9,7 @@ var SaferBuffer = require('safer-buffer').Buffer; var v = require('es-value-fixtures'); var inspect = require('object-inspect'); var emptyTestCases = require('./empty-keys-cases').emptyTestCases; +var hasProto = require('has-proto')(); var qs = require('../'); var utils = require('../lib/utils'); @@ -691,9 +692,8 @@ test('parse()', function (t) { st.end(); }); - t.test('parses null objects correctly', { skip: !Object.create }, function (st) { - var a = Object.create(null); - a.b = 'c'; + t.test('parses null objects correctly', { skip: !hasProto }, function (st) { + var a = { __proto__: null, b: 'c' }; st.deepEqual(qs.parse(a), { b: 'c' }); var result = qs.parse({ a: a }); @@ -870,17 +870,25 @@ test('parse()', function (t) { st.end(); }); - t.test('can return null objects', { skip: !Object.create }, function (st) { - var expected = Object.create(null); - expected.a = Object.create(null); - expected.a.b = 'c'; - expected.a.hasOwnProperty = 'd'; + t.test('can return null objects', { skip: !hasProto }, function (st) { + var expected = { + __proto__: null, + a: { + __proto__: null, + b: 'c', + hasOwnProperty: 'd' + } + }; st.deepEqual(qs.parse('a[b]=c&a[hasOwnProperty]=d', { plainObjects: true }), expected); - st.deepEqual(qs.parse(null, { plainObjects: true }), Object.create(null)); - var expectedArray = Object.create(null); - expectedArray.a = Object.create(null); - expectedArray.a[0] = 'b'; - expectedArray.a.c = 'd'; + st.deepEqual(qs.parse(null, { plainObjects: true }), { __proto__: null }); + var expectedArray = { + __proto__: null, + a: { + __proto__: null, + 0: 'b', + c: 'd' + } + }; st.deepEqual(qs.parse('a[]=b&a[c]=d', { plainObjects: true }), expectedArray); st.end(); }); diff --git a/test/stringify.js b/test/stringify.js index 75eaf738..72531441 100644 --- a/test/stringify.js +++ b/test/stringify.js @@ -8,7 +8,8 @@ var SaferBuffer = require('safer-buffer').Buffer; var hasSymbols = require('has-symbols'); var mockProperty = require('mock-property'); var emptyTestCases = require('./empty-keys-cases').emptyTestCases; -var hasBigInt = typeof BigInt === 'function'; +var hasProto = require('has-proto')(); +var hasBigInt = require('has-bigints')(); test('stringify()', function (t) { t.test('stringifies a querystring object', function (st) { @@ -650,10 +651,8 @@ test('stringify()', function (t) { st.end(); }); - t.test('stringifies a null object', { skip: !Object.create }, function (st) { - var obj = Object.create(null); - obj.a = 'b'; - st.equal(qs.stringify(obj), 'a=b'); + t.test('stringifies a null object', { skip: !hasProto }, function (st) { + st.equal(qs.stringify({ __proto__: null, a: 'b' }), 'a=b'); st.end(); }); @@ -665,11 +664,8 @@ test('stringify()', function (t) { st.end(); }); - t.test('stringifies an object with a null object as a child', { skip: !Object.create }, function (st) { - var obj = { a: Object.create(null) }; - - obj.a.b = 'c'; - st.equal(qs.stringify(obj), 'a%5Bb%5D=c'); + t.test('stringifies an object with a null object as a child', { skip: !hasProto }, function (st) { + st.equal(qs.stringify({ a: { __proto__: null, b: 'c' } }), 'a%5Bb%5D=c'); st.end(); }); From 4cf55677ba561ef915a8cfb0b30e1a0ae3b4aeca Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 6 Nov 2024 20:36:17 +0000 Subject: [PATCH 10/40] [Dev Deps] update `es-value-fixtures`, `tape` --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 2b11951b..5de870a5 100644 --- a/package.json +++ b/package.json @@ -41,7 +41,7 @@ "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", "eclint": "^2.8.1", - "es-value-fixtures": "^1.4.2", + "es-value-fixtures": "^1.5.0", "eslint": "=8.8.0", "evalmd": "^0.0.19", "for-each": "^0.3.3", @@ -63,7 +63,7 @@ "qs-iconv": "^1.0.4", "safe-publish-latest": "^2.0.0", "safer-buffer": "^2.1.2", - "tape": "^5.8.1", + "tape": "^5.9.0", "unassertify": "^3.0.1" }, "scripts": { From d185cee45f17f1a69705d034eb370dbbbc9fba2d Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 6 Nov 2024 20:36:40 +0000 Subject: [PATCH 11/40] [actions] split out node 10-20, and 20+ --- .github/workflows/node-tens.yml | 11 ++--------- .github/workflows/node-twenties.yml | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/node-twenties.yml diff --git a/.github/workflows/node-tens.yml b/.github/workflows/node-tens.yml index ce8d325e..7ac9c5b1 100644 --- a/.github/workflows/node-tens.yml +++ b/.github/workflows/node-tens.yml @@ -1,4 +1,4 @@ -name: 'Tests: node.js >= 10' +name: 'Tests: node.js 10 - 20' on: [pull_request, push] @@ -9,13 +9,6 @@ jobs: tests: uses: ljharb/actions/.github/workflows/node.yml@main with: - range: '>= 10' + range: '>= 10 < 20' type: minors command: npm run tests-only - - node: - name: 'node >= 10' - needs: [tests] - runs-on: ubuntu-latest - steps: - - run: 'echo tests completed' diff --git a/.github/workflows/node-twenties.yml b/.github/workflows/node-twenties.yml new file mode 100644 index 00000000..209e1572 --- /dev/null +++ b/.github/workflows/node-twenties.yml @@ -0,0 +1,14 @@ +name: 'Tests: node.js >= 20' + +on: [pull_request, push] + +permissions: + contents: read + +jobs: + tests: + uses: ljharb/actions/.github/workflows/node.yml@main + with: + range: '>= 20' + type: minors + command: npm run tests-only From afd20d014f6885a8ccc4fc5b86d127a698851f0f Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Sun, 17 Nov 2024 10:31:24 -0800 Subject: [PATCH 12/40] [Dev Deps] update `object-inspect` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5de870a5..ac6c1832 100644 --- a/package.json +++ b/package.json @@ -59,7 +59,7 @@ "module-deps": "^6.2.3", "npmignore": "^0.3.1", "nyc": "^10.3.2", - "object-inspect": "^1.13.2", + "object-inspect": "^1.13.3", "qs-iconv": "^1.0.4", "safe-publish-latest": "^2.0.0", "safer-buffer": "^2.1.2", From f1ee0376c1dfd06606520f3268ee0c5f3aaece65 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Sun, 17 Nov 2024 10:32:51 -0800 Subject: [PATCH 13/40] v6.13.1 --- CHANGELOG.md | 12 ++++++++++++ component.json | 2 +- dist/qs.js | 8 ++++---- package.json | 2 +- 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02a6b504..465c9541 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +## **6.13.1** +[Fix] `stringify`: avoid a crash when a `filter` key is `null` +[Fix] `utils.merge`: functions should not be stringified into keys +[Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset +[Fix] `stringify`: ensure a non-string `filter` does not crash +[Refactor] use `__proto__` syntax instead of `Object.create` for null objects +[Refactor] misc cleanup +[Tests] `utils.merge`: add some coverage +[Tests] fix a test case +[actions] split out node 10-20, and 20+ +[Dev Deps] update `es-value-fixtures`, `mock-property`, `object-inspect`, `tape` + ## **6.13.0** - [New] `parse`: add `strictDepth` option (#511) - [Tests] use `npm audit` instead of `aud` diff --git a/component.json b/component.json index 3e5f3c34..268d5b4c 100644 --- a/component.json +++ b/component.json @@ -2,7 +2,7 @@ "name": "qs", "repository": "ljharb/qs", "description": "query-string parser / stringifier with nesting support", - "version": "6.10.3", + "version": "6.13.1", "keywords": ["querystring", "query", "parser"], "main": "lib/index.js", "scripts": [ diff --git a/dist/qs.js b/dist/qs.js index 154e72e5..fa84340f 100644 --- a/dist/qs.js +++ b/dist/qs.js @@ -5,13 +5,13 @@ "use strict";var stringify=require(4),parse=require(3),formats=require(1);module.exports={formats:formats,parse:parse,stringify:stringify}; },{"1":1,"3":3,"4":4}],3:[function(require,module,exports){ -"use strict";var utils=require(5),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,defaults={allowDots:!1,allowEmptyArrays:!1,allowPrototypes:!1,allowSparse:!1,arrayLimit:20,charset:"utf-8",charsetSentinel:!1,comma:!1,decodeDotInKeys:!1,decoder:utils.decode,delimiter:"&",depth:5,duplicates:"combine",ignoreQueryPrefix:!1,interpretNumericEntities:!1,parameterLimit:1e3,parseArrays:!0,plainObjects:!1,strictDepth:!1,strictNullHandling:!1},interpretNumericEntities=function(e){return e.replace(/&#(\d+);/g,(function(e,t){return String.fromCharCode(parseInt(t,10))}))},parseArrayValue=function(e,t){return e&&"string"==typeof e&&t.comma&&e.indexOf(",")>-1?e.split(","):e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},a=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;a=a.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var i,o=t.parameterLimit===1/0?void 0:t.parameterLimit,l=a.split(t.delimiter,o),s=-1,n=t.charset;if(t.charsetSentinel)for(i=0;i-1&&(c=isArray(c)?[c]:c);var y=has.call(r,p);y&&"combine"===t.duplicates?r[p]=utils.combine(r[p],c):y&&"last"!==t.duplicates||(r[p]=c)}return r},parseObject=function(e,t,r,a){for(var i=a?t:parseArrayValue(t,r),o=e.length-1;o>=0;--o){var l,s=e[o];if("[]"===s&&r.parseArrays)l=r.allowEmptyArrays&&(""===i||r.strictNullHandling&&null===i)?[]:[].concat(i);else{l=r.plainObjects?Object.create(null):{};var n="["===s.charAt(0)&&"]"===s.charAt(s.length-1)?s.slice(1,-1):s,p=r.decodeDotInKeys?n.replace(/%2E/g,"."):n,c=parseInt(p,10);r.parseArrays||""!==p?!isNaN(c)&&s!==p&&String(c)===p&&c>=0&&r.parseArrays&&c<=r.arrayLimit?(l=[])[c]=i:"__proto__"!==p&&(l[p]=i):l={0:i}}i=l}return i},parseKeys=function parseQueryStringKeys(e,t,r,a){if(e){var i=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(i),s=l?i.slice(0,l.index):i,n=[];if(s){if(!r.plainObjects&&has.call(Object.prototype,s)&&!r.allowPrototypes)return;n.push(s)}for(var p=0;r.depth>0&&null!==(l=o.exec(i))&&p-1?e.split(","):e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},a=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;a=a.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var i,o=t.parameterLimit===1/0?void 0:t.parameterLimit,l=a.split(t.delimiter,o),s=-1,n=t.charset;if(t.charsetSentinel)for(i=0;i-1&&(c=isArray(c)?[c]:c);var y=has.call(r,p);y&&"combine"===t.duplicates?r[p]=utils.combine(r[p],c):y&&"last"!==t.duplicates||(r[p]=c)}return r},parseObject=function(e,t,r,a){for(var i=a?t:parseArrayValue(t,r),o=e.length-1;o>=0;--o){var l,s=e[o];if("[]"===s&&r.parseArrays)l=r.allowEmptyArrays&&(""===i||r.strictNullHandling&&null===i)?[]:[].concat(i);else{l=r.plainObjects?{__proto__:null}:{};var n="["===s.charAt(0)&&"]"===s.charAt(s.length-1)?s.slice(1,-1):s,p=r.decodeDotInKeys?n.replace(/%2E/g,"."):n,c=parseInt(p,10);r.parseArrays||""!==p?!isNaN(c)&&s!==p&&String(c)===p&&c>=0&&r.parseArrays&&c<=r.arrayLimit?(l=[])[c]=i:"__proto__"!==p&&(l[p]=i):l={0:i}}i=l}return i},parseKeys=function parseQueryStringKeys(e,t,r,a){if(e){var i=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(i),s=l?i.slice(0,l.index):i,n=[];if(s){if(!r.plainObjects&&has.call(Object.prototype,s)&&!r.allowPrototypes)return;n.push(s)}for(var p=0;r.depth>0&&null!==(l=o.exec(i))&&p0?w.join(",")||null:void 0}];else if(isArray(f))E=f;else{var S=Object.keys(w);E=u?S.sort(u):S}var O=l?r.replace(/\./g,"%2E"):r,T=o&&isArray(w)&&1===w.length?O+"[]":O;if(a&&isArray(w)&&0===w.length)return T+"[]";for(var k=0;k0?y+d:""}; +"use strict";var getSideChannel=require(29),utils=require(5),formats=require(1),has=Object.prototype.hasOwnProperty,arrayPrefixGenerators={brackets:function brackets(e){return e+"[]"},comma:"comma",indices:function indices(e,r){return e+"["+r+"]"},repeat:function repeat(e){return e}},isArray=Array.isArray,push=Array.prototype.push,pushToArray=function(e,r){push.apply(e,isArray(r)?r:[r])},toISO=Date.prototype.toISOString,defaultFormat=formats.default,defaults={addQueryPrefix:!1,allowDots:!1,allowEmptyArrays:!1,arrayFormat:"indices",charset:"utf-8",charsetSentinel:!1,commaRoundTrip:!1,delimiter:"&",encode:!0,encodeDotInKeys:!1,encoder:utils.encode,encodeValuesOnly:!1,filter:void 0,format:defaultFormat,formatter:formats.formatters[defaultFormat],indices:!1,serializeDate:function serializeDate(e){return toISO.call(e)},skipNulls:!1,strictNullHandling:!1},isNonNullishPrimitive=function isNonNullishPrimitive(e){return"string"==typeof e||"number"==typeof e||"boolean"==typeof e||"symbol"==typeof e||"bigint"==typeof e},sentinel={},stringify=function stringify(e,r,t,o,a,n,i,l,s,f,u,d,y,c,p,m,h,v){for(var g=e,w=v,b=0,A=!1;void 0!==(w=w.get(sentinel))&&!A;){var D=w.get(e);if(b+=1,void 0!==D){if(D===b)throw new RangeError("Cyclic object value");A=!0}void 0===w.get(sentinel)&&(b=0)}if("function"==typeof f?g=f(r,g):g instanceof Date?g=y(g):"comma"===t&&isArray(g)&&(g=utils.maybeMap(g,(function(e){return e instanceof Date?y(e):e}))),null===g){if(n)return s&&!m?s(r,defaults.encoder,h,"key",c):r;g=""}if(isNonNullishPrimitive(g)||utils.isBuffer(g))return s?[p(m?r:s(r,defaults.encoder,h,"key",c))+"="+p(s(g,defaults.encoder,h,"value",c))]:[p(r)+"="+p(String(g))];var S,E=[];if(void 0===g)return E;if("comma"===t&&isArray(g))m&&s&&(g=utils.maybeMap(g,s)),S=[{value:g.length>0?g.join(",")||null:void 0}];else if(isArray(f))S=f;else{var N=Object.keys(g);S=u?N.sort(u):N}var T=l?String(r).replace(/\./g,"%2E"):String(r),O=o&&isArray(g)&&1===g.length?T+"[]":T;if(a&&isArray(g)&&0===g.length)return O+"[]";for(var k=0;k0?c+y:""}; },{"1":1,"29":29,"5":5}],5:[function(require,module,exports){ -"use strict";var formats=require(1),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,hexTable=function(){for(var e=[],r=0;r<256;++r)e.push("%"+((r<16?"0":"")+r.toString(16)).toUpperCase());return e}(),compactQueue=function compactQueue(e){for(;e.length>1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,p=[],s=0;s=48&&f<=57||f>=65&&f<=90||f>=97&&f<=122||n===formats.RFC1738&&(40===f||41===f)?p[p.length]=u.charAt(s):f<128?p[p.length]=hexTable[f]:f<2048?p[p.length]=hexTable[192|f>>6]+hexTable[128|63&f]:f<55296||f>=57344?p[p.length]=hexTable[224|f>>12]+hexTable[128|f>>6&63]+hexTable[128|63&f]:(s+=1,f=65536+((1023&f)<<10|1023&u.charCodeAt(s)),p[p.length]=hexTable[240|f>>18]+hexTable[128|f>>12&63]+hexTable[128|f>>6&63]+hexTable[128|63&f])}c+=p.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;o1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,p=[],f=0;f=48&&s<=57||s>=65&&s<=90||s>=97&&s<=122||n===formats.RFC1738&&(40===s||41===s)?p[p.length]=u.charAt(f):s<128?p[p.length]=hexTable[s]:s<2048?p[p.length]=hexTable[192|s>>6]+hexTable[128|63&s]:s<55296||s>=57344?p[p.length]=hexTable[224|s>>12]+hexTable[128|s>>6&63]+hexTable[128|63&s]:(f+=1,s=65536+((1023&s)<<10|1023&u.charCodeAt(f)),p[p.length]=hexTable[240|s>>18]+hexTable[128|s>>12&63]+hexTable[128|s>>6&63]+hexTable[128|63&s])}c+=p.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;o-1e3&&t<1e3||$test.call(/e/,e))return e;var r=/[0-9](?=(?:[0-9]{3})+(?![0-9]))/g;if("number"==typeof t){var n=t<0?-$floor(-t):$floor(t);if(n!==t){var o=String(n),i=$slice.call(e,o.length+1);return $replace.call(o,r,"$&_")+"."+$replace.call($replace.call(i,/([0-9]{3})/g,"$&_"),/_$/,"")}}return $replace.call(e,r,"$&_")}var utilInspect=require(6),inspectCustom=utilInspect.custom,inspectSymbol=isSymbol(inspectCustom)?inspectCustom:null;function wrapQuotes(t,e,r){var n="double"===(r.quoteStyle||e)?'"':"'";return n+t+n}function quote(t){return $replace.call(String(t),/"/g,""")}function isArray(t){return!("[object Array]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isDate(t){return!("[object Date]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isRegExp(t){return!("[object RegExp]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isError(t){return!("[object Error]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isString(t){return!("[object String]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isNumber(t){return!("[object Number]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isBoolean(t){return!("[object Boolean]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isSymbol(t){if(hasShammedSymbols)return t&&"object"==typeof t&&t instanceof Symbol;if("symbol"==typeof t)return!0;if(!t||"object"!=typeof t||!symToString)return!1;try{return symToString.call(t),!0}catch(t){}return!1}function isBigInt(t){if(!t||"object"!=typeof t||!bigIntValueOf)return!1;try{return bigIntValueOf.call(t),!0}catch(t){}return!1}module.exports=function inspect_(t,e,r,n){var o=e||{};if(has(o,"quoteStyle")&&"single"!==o.quoteStyle&&"double"!==o.quoteStyle)throw new TypeError('option "quoteStyle" must be "single" or "double"');if(has(o,"maxStringLength")&&("number"==typeof o.maxStringLength?o.maxStringLength<0&&o.maxStringLength!==1/0:null!==o.maxStringLength))throw new TypeError('option "maxStringLength", if provided, must be a positive integer, Infinity, or `null`');var i=!has(o,"customInspect")||o.customInspect;if("boolean"!=typeof i&&"symbol"!==i)throw new TypeError("option \"customInspect\", if provided, must be `true`, `false`, or `'symbol'`");if(has(o,"indent")&&null!==o.indent&&"\t"!==o.indent&&!(parseInt(o.indent,10)===o.indent&&o.indent>0))throw new TypeError('option "indent" must be "\\t", an integer > 0, or `null`');if(has(o,"numericSeparator")&&"boolean"!=typeof o.numericSeparator)throw new TypeError('option "numericSeparator", if provided, must be `true` or `false`');var a=o.numericSeparator;if(void 0===t)return"undefined";if(null===t)return"null";if("boolean"==typeof t)return t?"true":"false";if("string"==typeof t)return inspectString(t,o);if("number"==typeof t){if(0===t)return 1/0/t>0?"0":"-0";var c=String(t);return a?addNumericSeparator(t,c):c}if("bigint"==typeof t){var l=String(t)+"n";return a?addNumericSeparator(t,l):l}var p=void 0===o.depth?5:o.depth;if(void 0===r&&(r=0),r>=p&&p>0&&"object"==typeof t)return isArray(t)?"[Array]":"[Object]";var u=getIndent(o,r);if(void 0===n)n=[];else if(indexOf(n,t)>=0)return"[Circular]";function inspect(t,e,i){if(e&&(n=$arrSlice.call(n)).push(e),i){var a={depth:o.depth};return has(o,"quoteStyle")&&(a.quoteStyle=o.quoteStyle),inspect_(t,a,r+1,n)}return inspect_(t,o,r+1,n)}if("function"==typeof t&&!isRegExp(t)){var f=nameOf(t),s=arrObjKeys(t,inspect);return"[Function"+(f?": "+f:" (anonymous)")+"]"+(s.length>0?" { "+$join.call(s,", ")+" }":"")}if(isSymbol(t)){var y=hasShammedSymbols?$replace.call(String(t),/^(Symbol\(.*\))_[^)]*$/,"$1"):symToString.call(t);return"object"!=typeof t||hasShammedSymbols?y:markBoxed(y)}if(isElement(t)){for(var S="<"+$toLowerCase.call(String(t.nodeName)),g=t.attributes||[],b=0;b"}if(isArray(t)){if(0===t.length)return"[]";var m=arrObjKeys(t,inspect);return u&&!singleLineValues(m)?"["+indentedJoin(m,u)+"]":"[ "+$join.call(m,", ")+" ]"}if(isError(t)){var h=arrObjKeys(t,inspect);return"cause"in Error.prototype||!("cause"in t)||isEnumerable.call(t,"cause")?0===h.length?"["+String(t)+"]":"{ ["+String(t)+"] "+$join.call(h,", ")+" }":"{ ["+String(t)+"] "+$join.call($concat.call("[cause]: "+inspect(t.cause),h),", ")+" }"}if("object"==typeof t&&i){if(inspectSymbol&&"function"==typeof t[inspectSymbol]&&utilInspect)return utilInspect(t,{depth:p-r});if("symbol"!==i&&"function"==typeof t.inspect)return t.inspect()}if(isMap(t)){var d=[];return mapForEach&&mapForEach.call(t,(function(e,r){d.push(inspect(r,t,!0)+" => "+inspect(e,t))})),collectionOf("Map",mapSize.call(t),d,u)}if(isSet(t)){var j=[];return setForEach&&setForEach.call(t,(function(e){j.push(inspect(e,t))})),collectionOf("Set",setSize.call(t),j,u)}if(isWeakMap(t))return weakCollectionOf("WeakMap");if(isWeakSet(t))return weakCollectionOf("WeakSet");if(isWeakRef(t))return weakCollectionOf("WeakRef");if(isNumber(t))return markBoxed(inspect(Number(t)));if(isBigInt(t))return markBoxed(inspect(bigIntValueOf.call(t)));if(isBoolean(t))return markBoxed(booleanValueOf.call(t));if(isString(t))return markBoxed(inspect(String(t)));if("undefined"!=typeof window&&t===window)return"{ [object Window] }";if("undefined"!=typeof globalThis&&t===globalThis||"undefined"!=typeof global&&t===global)return"{ [object globalThis] }";if(!isDate(t)&&!isRegExp(t)){var O=arrObjKeys(t,inspect),w=gPO?gPO(t)===Object.prototype:t instanceof Object||t.constructor===Object,$=t instanceof Object?"":"null prototype",k=!w&&toStringTag&&Object(t)===t&&toStringTag in t?$slice.call(toStr(t),8,-1):$?"Object":"",v=(w||"function"!=typeof t.constructor?"":t.constructor.name?t.constructor.name+" ":"")+(k||$?"["+$join.call($concat.call([],k||[],$||[]),": ")+"] ":"");return 0===O.length?v+"{}":u?v+"{"+indentedJoin(O,u)+"}":v+"{ "+$join.call(O,", ")+" }"}return String(t)};var hasOwn=Object.prototype.hasOwnProperty||function(t){return t in this};function has(t,e){return hasOwn.call(t,e)}function toStr(t){return objectToString.call(t)}function nameOf(t){if(t.name)return t.name;var e=$match.call(functionToString.call(t),/^function\s*([\w$]+)/);return e?e[1]:null}function indexOf(t,e){if(t.indexOf)return t.indexOf(e);for(var r=0,n=t.length;re.maxStringLength){var r=t.length-e.maxStringLength,n="... "+r+" more character"+(r>1?"s":"");return inspectString($slice.call(t,0,e.maxStringLength),e)+n}return wrapQuotes($replace.call($replace.call(t,/(['\\])/g,"\\$1"),/[\x00-\x1f]/g,lowbyte),"single",e)}function lowbyte(t){var e=t.charCodeAt(0),r={8:"b",9:"t",10:"n",12:"f",13:"r"}[e];return r?"\\"+r:"\\x"+(e<16?"0":"")+$toUpperCase.call(e.toString(16))}function markBoxed(t){return"Object("+t+")"}function weakCollectionOf(t){return t+" { ? }"}function collectionOf(t,e,r,n){return t+" ("+e+") {"+(n?indentedJoin(r,n):$join.call(r,", "))+"}"}function singleLineValues(t){for(var e=0;e=0)return!1;return!0}function getIndent(t,e){var r;if("\t"===t.indent)r="\t";else{if(!("number"==typeof t.indent&&t.indent>0))return null;r=$join.call(Array(t.indent+1)," ")}return{base:r,prev:$join.call(Array(e+1),r)}}function indentedJoin(t,e){if(0===t.length)return"";var r="\n"+e.prev+e.base;return r+$join.call(t,","+r)+"\n"+e.prev}function arrObjKeys(t,e){var r=isArray(t),n=[];if(r){n.length=t.length;for(var o=0;o-1e3&&t<1e3||$test.call(/e/,e))return e;var r=/[0-9](?=(?:[0-9]{3})+(?![0-9]))/g;if("number"==typeof t){var n=t<0?-$floor(-t):$floor(t);if(n!==t){var o=String(n),i=$slice.call(e,o.length+1);return $replace.call(o,r,"$&_")+"."+$replace.call($replace.call(i,/([0-9]{3})/g,"$&_"),/_$/,"")}}return $replace.call(e,r,"$&_")}var utilInspect=require(6),inspectCustom=utilInspect.custom,inspectSymbol=isSymbol(inspectCustom)?inspectCustom:null,quotes={__proto__:null,double:'"',single:"'"},quoteREs={__proto__:null,double:/(["\\])/g,single:/(['\\])/g};function wrapQuotes(t,e,r){var n=r.quoteStyle||e,o=quotes[n];return o+t+o}function quote(t){return $replace.call(String(t),/"/g,""")}function isArray(t){return!("[object Array]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isDate(t){return!("[object Date]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isRegExp(t){return!("[object RegExp]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isError(t){return!("[object Error]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isString(t){return!("[object String]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isNumber(t){return!("[object Number]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isBoolean(t){return!("[object Boolean]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isSymbol(t){if(hasShammedSymbols)return t&&"object"==typeof t&&t instanceof Symbol;if("symbol"==typeof t)return!0;if(!t||"object"!=typeof t||!symToString)return!1;try{return symToString.call(t),!0}catch(t){}return!1}function isBigInt(t){if(!t||"object"!=typeof t||!bigIntValueOf)return!1;try{return bigIntValueOf.call(t),!0}catch(t){}return!1}module.exports=function inspect_(t,e,r,n){var o=e||{};if(has(o,"quoteStyle")&&!has(quotes,o.quoteStyle))throw new TypeError('option "quoteStyle" must be "single" or "double"');if(has(o,"maxStringLength")&&("number"==typeof o.maxStringLength?o.maxStringLength<0&&o.maxStringLength!==1/0:null!==o.maxStringLength))throw new TypeError('option "maxStringLength", if provided, must be a positive integer, Infinity, or `null`');var i=!has(o,"customInspect")||o.customInspect;if("boolean"!=typeof i&&"symbol"!==i)throw new TypeError("option \"customInspect\", if provided, must be `true`, `false`, or `'symbol'`");if(has(o,"indent")&&null!==o.indent&&"\t"!==o.indent&&!(parseInt(o.indent,10)===o.indent&&o.indent>0))throw new TypeError('option "indent" must be "\\t", an integer > 0, or `null`');if(has(o,"numericSeparator")&&"boolean"!=typeof o.numericSeparator)throw new TypeError('option "numericSeparator", if provided, must be `true` or `false`');var a=o.numericSeparator;if(void 0===t)return"undefined";if(null===t)return"null";if("boolean"==typeof t)return t?"true":"false";if("string"==typeof t)return inspectString(t,o);if("number"==typeof t){if(0===t)return 1/0/t>0?"0":"-0";var c=String(t);return a?addNumericSeparator(t,c):c}if("bigint"==typeof t){var l=String(t)+"n";return a?addNumericSeparator(t,l):l}var p=void 0===o.depth?5:o.depth;if(void 0===r&&(r=0),r>=p&&p>0&&"object"==typeof t)return isArray(t)?"[Array]":"[Object]";var u=getIndent(o,r);if(void 0===n)n=[];else if(indexOf(n,t)>=0)return"[Circular]";function inspect(t,e,i){if(e&&(n=$arrSlice.call(n)).push(e),i){var a={depth:o.depth};return has(o,"quoteStyle")&&(a.quoteStyle=o.quoteStyle),inspect_(t,a,r+1,n)}return inspect_(t,o,r+1,n)}if("function"==typeof t&&!isRegExp(t)){var s=nameOf(t),f=arrObjKeys(t,inspect);return"[Function"+(s?": "+s:" (anonymous)")+"]"+(f.length>0?" { "+$join.call(f,", ")+" }":"")}if(isSymbol(t)){var y=hasShammedSymbols?$replace.call(String(t),/^(Symbol\(.*\))_[^)]*$/,"$1"):symToString.call(t);return"object"!=typeof t||hasShammedSymbols?y:markBoxed(y)}if(isElement(t)){for(var S="<"+$toLowerCase.call(String(t.nodeName)),g=t.attributes||[],b=0;b"}if(isArray(t)){if(0===t.length)return"[]";var m=arrObjKeys(t,inspect);return u&&!singleLineValues(m)?"["+indentedJoin(m,u)+"]":"[ "+$join.call(m,", ")+" ]"}if(isError(t)){var h=arrObjKeys(t,inspect);return"cause"in Error.prototype||!("cause"in t)||isEnumerable.call(t,"cause")?0===h.length?"["+String(t)+"]":"{ ["+String(t)+"] "+$join.call(h,", ")+" }":"{ ["+String(t)+"] "+$join.call($concat.call("[cause]: "+inspect(t.cause),h),", ")+" }"}if("object"==typeof t&&i){if(inspectSymbol&&"function"==typeof t[inspectSymbol]&&utilInspect)return utilInspect(t,{depth:p-r});if("symbol"!==i&&"function"==typeof t.inspect)return t.inspect()}if(isMap(t)){var d=[];return mapForEach&&mapForEach.call(t,(function(e,r){d.push(inspect(r,t,!0)+" => "+inspect(e,t))})),collectionOf("Map",mapSize.call(t),d,u)}if(isSet(t)){var j=[];return setForEach&&setForEach.call(t,(function(e){j.push(inspect(e,t))})),collectionOf("Set",setSize.call(t),j,u)}if(isWeakMap(t))return weakCollectionOf("WeakMap");if(isWeakSet(t))return weakCollectionOf("WeakSet");if(isWeakRef(t))return weakCollectionOf("WeakRef");if(isNumber(t))return markBoxed(inspect(Number(t)));if(isBigInt(t))return markBoxed(inspect(bigIntValueOf.call(t)));if(isBoolean(t))return markBoxed(booleanValueOf.call(t));if(isString(t))return markBoxed(inspect(String(t)));if("undefined"!=typeof window&&t===window)return"{ [object Window] }";if("undefined"!=typeof globalThis&&t===globalThis||"undefined"!=typeof global&&t===global)return"{ [object globalThis] }";if(!isDate(t)&&!isRegExp(t)){var O=arrObjKeys(t,inspect),w=gPO?gPO(t)===Object.prototype:t instanceof Object||t.constructor===Object,$=t instanceof Object?"":"null prototype",k=!w&&toStringTag&&Object(t)===t&&toStringTag in t?$slice.call(toStr(t),8,-1):$?"Object":"",v=(w||"function"!=typeof t.constructor?"":t.constructor.name?t.constructor.name+" ":"")+(k||$?"["+$join.call($concat.call([],k||[],$||[]),": ")+"] ":"");return 0===O.length?v+"{}":u?v+"{"+indentedJoin(O,u)+"}":v+"{ "+$join.call(O,", ")+" }"}return String(t)};var hasOwn=Object.prototype.hasOwnProperty||function(t){return t in this};function has(t,e){return hasOwn.call(t,e)}function toStr(t){return objectToString.call(t)}function nameOf(t){if(t.name)return t.name;var e=$match.call(functionToString.call(t),/^function\s*([\w$]+)/);return e?e[1]:null}function indexOf(t,e){if(t.indexOf)return t.indexOf(e);for(var r=0,n=t.length;re.maxStringLength){var r=t.length-e.maxStringLength,n="... "+r+" more character"+(r>1?"s":"");return inspectString($slice.call(t,0,e.maxStringLength),e)+n}var o=quoteREs[e.quoteStyle||"single"];return o.lastIndex=0,wrapQuotes($replace.call($replace.call(t,o,"\\$1"),/[\x00-\x1f]/g,lowbyte),"single",e)}function lowbyte(t){var e=t.charCodeAt(0),r={8:"b",9:"t",10:"n",12:"f",13:"r"}[e];return r?"\\"+r:"\\x"+(e<16?"0":"")+$toUpperCase.call(e.toString(16))}function markBoxed(t){return"Object("+t+")"}function weakCollectionOf(t){return t+" { ? }"}function collectionOf(t,e,r,n){return t+" ("+e+") {"+(n?indentedJoin(r,n):$join.call(r,", "))+"}"}function singleLineValues(t){for(var e=0;e=0)return!1;return!0}function getIndent(t,e){var r;if("\t"===t.indent)r="\t";else{if(!("number"==typeof t.indent&&t.indent>0))return null;r=$join.call(Array(t.indent+1)," ")}return{base:r,prev:$join.call(Array(e+1),r)}}function indentedJoin(t,e){if(0===t.length)return"";var r="\n"+e.prev+e.base;return r+$join.call(t,","+r)+"\n"+e.prev}function arrObjKeys(t,e){var r=isArray(t),n=[];if(r){n.length=t.length;for(var o=0;o Date: Wed, 13 Nov 2024 00:19:08 +0600 Subject: [PATCH 14/40] [New] `parse`: add `throwOnParameterLimitExceeded` option --- README.md | 24 +++++++++++ lib/parse.js | 40 ++++++++++++++--- test/parse.js | 117 ++++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 162 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 7347a3c4..22c411df 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,18 @@ var limited = qs.parse('a=b&c=d', { parameterLimit: 1 }); assert.deepEqual(limited, { a: 'b' }); ``` +If you want an error to be thrown whenever the a limit is exceeded (eg, `parameterLimit`, `arrayLimit`), set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit. +```javascript +try { + qs.parse('a=1&b=2&c=3&d=4', { parameterLimit: 3, throwOnLimitExceeded: true }); +} catch (err) { + assert(err instanceof Error); + assert.strictEqual(err.message, 'Parameter limit exceeded. Only 3 parameters allowed.'); +} +``` + +When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `parameterLimit` and ignore the rest without throwing an error. + To bypass the leading question mark, use `ignoreQueryPrefix`: ```javascript @@ -286,6 +298,18 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 }); assert.deepEqual(withArrayLimit, { a: { '1': 'b' } }); ``` +If you want to throw an error whenever the array limit is exceeded, set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit. +```javascript +try { + qs.parse('a[1]=b', { arrayLimit: 0, throwOnLimitExceeded: true }); +} catch (err) { + assert(err instanceof Error); + assert.strictEqual(err.message, 'Array limit exceeded. Only 0 elements allowed in an array.'); +} +``` + +When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `arrayLimit` and if the limit is exceeded, the array will instead be converted to an object with the index as the key + To disable array parsing entirely, set `parseArrays` to `false`. ```javascript diff --git a/lib/parse.js b/lib/parse.js index f6dabf14..39e861fc 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -34,11 +34,15 @@ var interpretNumericEntities = function (str) { }); }; -var parseArrayValue = function (val, options) { +var parseArrayValue = function (val, options, currentArrayLength) { if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) { return val.split(','); } + if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) { + throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); + } + return val; }; @@ -57,8 +61,17 @@ var parseValues = function parseQueryStringValues(str, options) { var cleanStr = options.ignoreQueryPrefix ? str.replace(/^\?/, '') : str; cleanStr = cleanStr.replace(/%5B/gi, '[').replace(/%5D/gi, ']'); + var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit; - var parts = cleanStr.split(options.delimiter, limit); + var parts = cleanStr.split( + options.delimiter, + options.throwOnLimitExceeded ? limit + 1 : limit + ); + + if (options.throwOnLimitExceeded && parts.length > limit) { + throw new RangeError('Parameter limit exceeded. Only ' + limit + ' parameter' + (limit === 1 ? '' : 's') + ' allowed.'); + } + var skipIndex = -1; // Keep track of where the utf8 sentinel was found var i; @@ -93,8 +106,13 @@ var parseValues = function parseQueryStringValues(str, options) { val = options.strictNullHandling ? null : ''; } else { key = options.decoder(part.slice(0, pos), defaults.decoder, charset, 'key'); + val = utils.maybeMap( - parseArrayValue(part.slice(pos + 1), options), + parseArrayValue( + part.slice(pos + 1), + options, + isArray(obj[key]) ? obj[key].length : 0 + ), function (encodedVal) { return options.decoder(encodedVal, defaults.decoder, charset, 'value'); } @@ -121,7 +139,13 @@ var parseValues = function parseQueryStringValues(str, options) { }; var parseObject = function (chain, val, options, valuesParsed) { - var leaf = valuesParsed ? val : parseArrayValue(val, options); + var currentArrayLength = 0; + if (chain.length > 0 && chain[chain.length - 1] === '[]') { + var parentKey = chain.slice(0, -1).join(''); + currentArrayLength = Array.isArray(val) && val[parentKey] ? val[parentKey].length : 0; + } + + var leaf = valuesParsed ? val : parseArrayValue(val, options, currentArrayLength); for (var i = chain.length - 1; i >= 0; --i) { var obj; @@ -235,6 +259,11 @@ var normalizeParseOptions = function normalizeParseOptions(opts) { if (typeof opts.charset !== 'undefined' && opts.charset !== 'utf-8' && opts.charset !== 'iso-8859-1') { throw new TypeError('The charset option must be either utf-8, iso-8859-1, or undefined'); } + + if (typeof opts.throwOnLimitExceeded !== 'undefined' && typeof opts.throwOnLimitExceeded !== 'boolean') { + throw new TypeError('`throwOnLimitExceeded` option must be a boolean'); + } + var charset = typeof opts.charset === 'undefined' ? defaults.charset : opts.charset; var duplicates = typeof opts.duplicates === 'undefined' ? defaults.duplicates : opts.duplicates; @@ -266,7 +295,8 @@ var normalizeParseOptions = function normalizeParseOptions(opts) { parseArrays: opts.parseArrays !== false, plainObjects: typeof opts.plainObjects === 'boolean' ? opts.plainObjects : defaults.plainObjects, strictDepth: typeof opts.strictDepth === 'boolean' ? !!opts.strictDepth : defaults.strictDepth, - strictNullHandling: typeof opts.strictNullHandling === 'boolean' ? opts.strictNullHandling : defaults.strictNullHandling + strictNullHandling: typeof opts.strictNullHandling === 'boolean' ? opts.strictNullHandling : defaults.strictNullHandling, + throwOnLimitExceeded: typeof opts.throwOnLimitExceeded === 'boolean' ? opts.throwOnLimitExceeded : false }; }; diff --git a/test/parse.js b/test/parse.js index d678ac1d..32cdfd8e 100644 --- a/test/parse.js +++ b/test/parse.js @@ -118,7 +118,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should decode dot in key of object, and allow enabling dot notation when decodeDotInKeys is set to true and allowDots is undefined', function (st) { + t.test('decodes dot in key of object, and allow enabling dot notation when decodeDotInKeys is set to true and allowDots is undefined', function (st) { st.deepEqual( qs.parse( 'name%252Eobj%252Esubobject.first%252Egodly%252Ename=John&name%252Eobj%252Esubobject.last=Doe', @@ -131,7 +131,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should throw when decodeDotInKeys is not of type boolean', function (st) { + t.test('throws when decodeDotInKeys is not of type boolean', function (st) { st['throws']( function () { qs.parse('foo[]&bar=baz', { decodeDotInKeys: 'foobar' }); }, TypeError @@ -161,7 +161,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should throw when allowEmptyArrays is not of type boolean', function (st) { + t.test('throws when allowEmptyArrays is not of type boolean', function (st) { st['throws']( function () { qs.parse('foo[]&bar=baz', { allowEmptyArrays: 'foobar' }); }, TypeError @@ -444,7 +444,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should not throw when a native prototype has an enumerable property', function (st) { + t.test('does not throw when a native prototype has an enumerable property', function (st) { st.intercept(Object.prototype, 'crash', { value: '' }); st.intercept(Array.prototype, 'crash', { value: '' }); @@ -965,7 +965,7 @@ test('parse()', function (t) { st.end(); }); - t.test('should ignore an utf8 sentinel with an unknown value', function (st) { + t.test('ignores an utf8 sentinel with an unknown value', function (st) { st.deepEqual(qs.parse('utf8=foo&' + urlEncodedOSlashInUtf8 + '=' + urlEncodedOSlashInUtf8, { charsetSentinel: true, charset: 'utf-8' }), { ø: 'ø' }); st.end(); }); @@ -1035,6 +1035,95 @@ test('parse()', function (t) { st.end(); }); + t.test('parameter limit tests', function (st) { + st.test('does not throw error when within parameter limit', function (sst) { + var result = qs.parse('a=1&b=2&c=3', { parameterLimit: 5, throwOnLimitExceeded: true }); + sst.deepEqual(result, { a: '1', b: '2', c: '3' }, 'parses without errors'); + sst.end(); + }); + + st.test('throws error when throwOnLimitExceeded is present but not boolean', function (sst) { + sst['throws']( + function () { + qs.parse('a=1&b=2&c=3&d=4&e=5&f=6', { parameterLimit: 3, throwOnLimitExceeded: 'true' }); + }, + new TypeError('`throwOnLimitExceeded` option must be a boolean'), + 'throws error when throwOnLimitExceeded is present and not boolean' + ); + sst.end(); + }); + + st.test('throws error when parameter limit exceeded', function (sst) { + sst['throws']( + function () { + qs.parse('a=1&b=2&c=3&d=4&e=5&f=6', { parameterLimit: 3, throwOnLimitExceeded: true }); + }, + new RangeError('Parameter limit exceeded. Only 3 parameters allowed.'), + 'throws error when parameter limit is exceeded' + ); + sst.end(); + }); + + st.test('silently truncates when throwOnLimitExceeded is not given', function (sst) { + var result = qs.parse('a=1&b=2&c=3&d=4&e=5', { parameterLimit: 3 }); + sst.deepEqual(result, { a: '1', b: '2', c: '3' }, 'parses and truncates silently'); + sst.end(); + }); + + st.test('silently truncates when parameter limit exceeded without error', function (sst) { + var result = qs.parse('a=1&b=2&c=3&d=4&e=5', { parameterLimit: 3, throwOnLimitExceeded: false }); + sst.deepEqual(result, { a: '1', b: '2', c: '3' }, 'parses and truncates silently'); + sst.end(); + }); + + st.test('allows unlimited parameters when parameterLimit set to Infinity', function (sst) { + var result = qs.parse('a=1&b=2&c=3&d=4&e=5&f=6', { parameterLimit: Infinity }); + sst.deepEqual(result, { a: '1', b: '2', c: '3', d: '4', e: '5', f: '6' }, 'parses all parameters without truncation'); + sst.end(); + }); + + st.end(); + }); + + t.test('array limit tests', function (st) { + st.test('does not throw error when array is within limit', function (sst) { + var result = qs.parse('a[]=1&a[]=2&a[]=3', { arrayLimit: 5, throwOnLimitExceeded: true }); + sst.deepEqual(result, { a: ['1', '2', '3'] }, 'parses array without errors'); + sst.end(); + }); + + st.test('throws error when throwOnLimitExceeded is present but not boolean for array limit', function (sst) { + sst['throws']( + function () { + qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3, throwOnLimitExceeded: 'true' }); + }, + new TypeError('`throwOnLimitExceeded` option must be a boolean'), + 'throws error when throwOnLimitExceeded is present and not boolean for array limit' + ); + sst.end(); + }); + + st.test('throws error when array limit exceeded', function (sst) { + sst['throws']( + function () { + qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3, throwOnLimitExceeded: true }); + }, + new RangeError('Array limit exceeded. Only 3 elements allowed in an array.'), + 'throws error when array limit is exceeded' + ); + sst.end(); + }); + + st.test('converts array to object if length is greater than limit', function (sst) { + var result = qs.parse('a[1]=1&a[2]=2&a[3]=3&a[4]=4&a[5]=5&a[6]=6', { arrayLimit: 5 }); + + sst.deepEqual(result, { a: { 1: '1', 2: '2', 3: '3', 4: '4', 5: '5', 6: '6' } }, 'parses into object if array length is greater than limit'); + sst.end(); + }); + + st.end(); + }); + t.end(); }); @@ -1093,7 +1182,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1104,7 +1193,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[0][1][2][3][4]=b', { depth: 3, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1115,7 +1204,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[b][c][0][d][e]=f', { depth: 3, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1126,7 +1215,7 @@ test('qs strictDepth option - throw cases', function (t) { qs.parse('a[b][c][d][e]=true&a[b][c][d][f]=42', { depth: 3, strictDepth: true }); }, RangeError, - 'Should throw RangeError' + 'throws RangeError' ); st.end(); }); @@ -1140,7 +1229,7 @@ test('qs strictDepth option - non-throw cases', function (t) { qs.parse('a[b][c][d][e]=true&a[b][c][d][f]=42', { depth: 0, strictDepth: true }); }, RangeError, - 'Should not throw RangeError' + 'does not throw RangeError' ); st.end(); }); @@ -1149,7 +1238,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b]=c', { depth: 1, strictDepth: true }); - st.deepEqual(result, { a: { b: 'c' } }, 'Should parse correctly'); + st.deepEqual(result, { a: { b: 'c' } }, 'parses correctly'); } ); st.end(); @@ -1159,7 +1248,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 }); - st.deepEqual(result, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } }, 'Should parse with depth limit'); + st.deepEqual(result, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } }, 'parses with depth limit'); } ); st.end(); @@ -1169,7 +1258,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b]=c', { depth: 1 }); - st.deepEqual(result, { a: { b: 'c' } }, 'Should parse correctly'); + st.deepEqual(result, { a: { b: 'c' } }, 'parses correctly'); } ); st.end(); @@ -1179,7 +1268,7 @@ test('qs strictDepth option - non-throw cases', function (t) { st.doesNotThrow( function () { var result = qs.parse('a[b][c]=d', { depth: 2, strictDepth: true }); - st.deepEqual(result, { a: { b: { c: 'd' } } }, 'Should parse correctly'); + st.deepEqual(result, { a: { b: { c: 'd' } } }, 'parses correctly'); } ); st.end(); From 32e48a2f94f3a433dd69bf011356616c5e81f1a5 Mon Sep 17 00:00:00 2001 From: Kye Russell Date: Mon, 18 Nov 2024 15:33:50 +0800 Subject: [PATCH 15/40] [meta] Fix changelog formatting bug A proper Markdown list wasn't used in the last set of changelog changes. --- CHANGELOG.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 465c9541..67cb513b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,14 +1,14 @@ ## **6.13.1** -[Fix] `stringify`: avoid a crash when a `filter` key is `null` -[Fix] `utils.merge`: functions should not be stringified into keys -[Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset -[Fix] `stringify`: ensure a non-string `filter` does not crash -[Refactor] use `__proto__` syntax instead of `Object.create` for null objects -[Refactor] misc cleanup -[Tests] `utils.merge`: add some coverage -[Tests] fix a test case -[actions] split out node 10-20, and 20+ -[Dev Deps] update `es-value-fixtures`, `mock-property`, `object-inspect`, `tape` +- [Fix] `stringify`: avoid a crash when a `filter` key is `null` +- [Fix] `utils.merge`: functions should not be stringified into keys +- [Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset +- [Fix] `stringify`: ensure a non-string `filter` does not crash +- [Refactor] use `__proto__` syntax instead of `Object.create` for null objects +- [Refactor] misc cleanup +- [Tests] `utils.merge`: add some coverage +- [Tests] fix a test case +- [actions] split out node 10-20, and 20+ +- [Dev Deps] update `es-value-fixtures`, `mock-property`, `object-inspect`, `tape` ## **6.13.0** - [New] `parse`: add `strictDepth` option (#511) From 51fdc98d72cbfb33f5bab9da1eb8d511b3160249 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 12 Dec 2024 23:30:12 -0800 Subject: [PATCH 16/40] [actions] re-add finishers --- .github/workflows/node-tens.yml | 7 +++++++ .github/workflows/node-twenties.yml | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/.github/workflows/node-tens.yml b/.github/workflows/node-tens.yml index 7ac9c5b1..6b71d59c 100644 --- a/.github/workflows/node-tens.yml +++ b/.github/workflows/node-tens.yml @@ -12,3 +12,10 @@ jobs: range: '>= 10 < 20' type: minors command: npm run tests-only + + node: + name: 'node 10 - 20' + needs: [tests] + runs-on: ubuntu-latest + steps: + - run: true diff --git a/.github/workflows/node-twenties.yml b/.github/workflows/node-twenties.yml index 209e1572..66c93824 100644 --- a/.github/workflows/node-twenties.yml +++ b/.github/workflows/node-twenties.yml @@ -12,3 +12,10 @@ jobs: range: '>= 20' type: minors command: npm run tests-only + + node: + name: 'node >= 20' + needs: [tests] + runs-on: ubuntu-latest + steps: + - run: true From e26e7a8946b507c9445e08de04ee1b95c8eb6693 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 12 Dec 2024 23:30:32 -0800 Subject: [PATCH 17/40] [Dev Deps] update `has-proto`, `has-symbols` --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 4910fd8f..e3ecaa20 100644 --- a/package.json +++ b/package.json @@ -49,8 +49,8 @@ "has-bigints": "^1.0.2", "has-override-mistake": "^1.0.1", "has-property-descriptors": "^1.0.2", - "has-proto": "^1.0.3", - "has-symbols": "^1.0.3", + "has-proto": "^1.2.0", + "has-symbols": "^1.1.0", "iconv-lite": "^0.5.1", "in-publish": "^2.0.1", "jackspeak": "=2.1.1", From 89edfd25f9598b5ccfe7eec9c4c184d5e8854ee2 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 12 Dec 2024 23:30:44 -0800 Subject: [PATCH 18/40] [Deps] update `side-channel` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e3ecaa20..d2db25af 100644 --- a/package.json +++ b/package.json @@ -31,7 +31,7 @@ "node": ">=0.6" }, "dependencies": { - "side-channel": "^1.0.6" + "side-channel": "^1.1.0" }, "devDependencies": { "@browserify/envify": "^6.0.0", From 6cd60a59aae428123d45810996f4ac6b2c4e5c52 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 17 Dec 2024 13:35:41 -0800 Subject: [PATCH 19/40] [actions] use shared action --- .github/workflows/rebase.yml | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index 18181913..b9e1712f 100644 --- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml @@ -2,21 +2,8 @@ name: Automatic Rebase on: [pull_request_target] -permissions: - contents: read - jobs: _: - permissions: - contents: write # for ljharb/rebase to push code to rebase - pull-requests: read # for ljharb/rebase to get info about PR - - name: "Automatic Rebase" - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - uses: ljharb/rebase@master - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: ljharb/actions/.github/workflows/rebase.yml@main + secrets: + token: ${{ secrets.GITHUB_TOKEN }} From 1d590de5eb325a6ea332812b260c024e6a58ab8c Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 08:41:30 -0800 Subject: [PATCH 20/40] [actions] simplify finisher --- .github/workflows/node-aught.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/node-aught.yml b/.github/workflows/node-aught.yml index 624596ff..ad153851 100644 --- a/.github/workflows/node-aught.yml +++ b/.github/workflows/node-aught.yml @@ -18,4 +18,4 @@ jobs: needs: [tests] runs-on: ubuntu-latest steps: - - run: 'echo tests completed' + - run: true From b189ed49c8dfe5b41afe6cecabdaa562de56764b Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 08:57:13 -0800 Subject: [PATCH 21/40] [patch] `parse`: add explicit `throwOnLimitExceeded` default --- lib/parse.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/parse.js b/lib/parse.js index 39e861fc..520299f9 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -25,7 +25,8 @@ var defaults = { parseArrays: true, plainObjects: false, strictDepth: false, - strictNullHandling: false + strictNullHandling: false, + throwOnLimitExceeded: false }; var interpretNumericEntities = function (str) { From 25956a73e8cf56d445b0972cc3d9d16eb0958435 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 09:01:24 -0800 Subject: [PATCH 22/40] [Refactor] `parse`: use `utils.combine` more --- lib/parse.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/parse.js b/lib/parse.js index 520299f9..d25be001 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -155,7 +155,7 @@ var parseObject = function (chain, val, options, valuesParsed) { if (root === '[]' && options.parseArrays) { obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null)) ? [] - : [].concat(leaf); + : utils.combine([], leaf); } else { obj = options.plainObjects ? { __proto__: null } : {}; var cleanRoot = root.charAt(0) === '[' && root.charAt(root.length - 1) === ']' ? root.slice(1, -1) : root; From a240c52c7c48d3ead6bd77c5bc3b1275bab252fc Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 09:31:38 -0800 Subject: [PATCH 23/40] [Tests] increase coverage --- test/utils.js | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/test/utils.js b/test/utils.js index 7a4ff1b2..39335165 100644 --- a/test/utils.js +++ b/test/utils.js @@ -4,6 +4,8 @@ var test = require('tape'); var inspect = require('object-inspect'); var SaferBuffer = require('safer-buffer').Buffer; var forEach = require('for-each'); +var v = require('es-value-fixtures'); + var utils = require('../lib/utils'); test('merge()', function (t) { @@ -133,6 +135,104 @@ test('combine()', function (t) { t.end(); }); +test('decode', function (t) { + t.equal( + utils.decode('a+b'), + 'a b', + 'decodes + to space' + ); + + t.equal( + utils.decode('name%2Eobj'), + 'name.obj', + 'decodes a string' + ); + t.equal( + utils.decode('name%2Eobj%2Efoo', null, 'iso-8859-1'), + 'name.obj.foo', + 'decodes a string in iso-8859-1' + ); + + t.end(); +}); + +test('encode', function (t) { + forEach(v.nullPrimitives, function (nullish) { + t['throws']( + function () { utils.encode(nullish); }, + TypeError, + inspect(nullish) + ' is not a string' + ); + }); + + t.equal(utils.encode(''), '', 'empty string returns itself'); + t.deepEqual(utils.encode([]), [], 'empty array returns itself'); + t.deepEqual(utils.encode({ length: 0 }), { length: 0 }, 'empty arraylike returns itself'); + + t.test('symbols', { skip: !v.hasSymbols }, function (st) { + st.equal(utils.encode(Symbol('x')), 'Symbol%28x%29', 'symbol is encoded'); + + st.end(); + }); + + t.equal( + utils.encode('(abc)'), + '%28abc%29', + 'encodes parentheses' + ); + t.equal( + utils.encode({ toString: function () { return '(abc)'; } }), + '%28abc%29', + 'toStrings and encodes parentheses' + ); + + t.equal( + utils.encode('abc 123 💩', null, 'iso-8859-1'), + 'abc%20123%20%26%2355357%3B%26%2356489%3B', + 'encodes in iso-8859-1' + ); + + var longString = ''; + var expectedString = ''; + for (var i = 0; i < 1500; i++) { + longString += ' '; + expectedString += '%20'; + } + + t.equal( + utils.encode(longString), + expectedString, + 'encodes a long string' + ); + + t.equal( + utils.encode('\x28\x29'), + '%28%29', + 'encodes parens normally' + ); + t.equal( + utils.encode('\x28\x29', null, null, null, 'RFC1738'), + '()', + 'does not encode parens in RFC1738' + ); + + // todo RFC1738 format + + t.equal( + utils.encode('Āက豈'), + '%C4%80%E1%80%80%EF%A4%80', + 'encodes multibyte chars' + ); + + t.equal( + utils.encode('\uD83D \uDCA9'), + '%F0%9F%90%A0%F0%BA%90%80', + 'encodes lone surrogates' + ); + + t.end(); +}); + test('isBuffer()', function (t) { forEach([null, undefined, true, false, '', 'abc', 42, 0, NaN, {}, [], function () {}, /a/g], function (x) { t.equal(utils.isBuffer(x), false, inspect(x) + ' is not a buffer'); @@ -148,3 +248,15 @@ test('isBuffer()', function (t) { t.equal(utils.isBuffer(buffer), true, 'real Buffer instance is a buffer'); t.end(); }); + +test('isRegExp()', function (t) { + t.equal(utils.isRegExp(/a/g), true, 'RegExp is a RegExp'); + t.equal(utils.isRegExp(new RegExp('a', 'g')), true, 'new RegExp is a RegExp'); + t.equal(utils.isRegExp(new Date()), false, 'Date is not a RegExp'); + + forEach(v.primitives, function (primitive) { + t.equal(utils.isRegExp(primitive), false, inspect(primitive) + ' is not a RegExp'); + }); + + t.end(); +}); From 4ec582b07a411f49b3192ea92562e2ad503a4dc0 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 09:32:12 -0800 Subject: [PATCH 24/40] [Dev Deps] update `es-value-fixtures`, `has-bigints` --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index d2db25af..f17784a1 100644 --- a/package.json +++ b/package.json @@ -41,12 +41,12 @@ "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", "eclint": "^2.8.1", - "es-value-fixtures": "^1.5.0", + "es-value-fixtures": "^1.7.0", "eslint": "=8.8.0", "evalmd": "^0.0.19", "for-each": "^0.3.3", "glob": "=10.3.7", - "has-bigints": "^1.0.2", + "has-bigints": "^1.1.0", "has-override-mistake": "^1.0.1", "has-property-descriptors": "^1.0.2", "has-proto": "^1.2.0", From 32dcc637f90be175c0d4617b429263115a87e3a8 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 10:01:49 -0800 Subject: [PATCH 25/40] v6.14.0 --- CHANGELOG.md | 10 ++++ dist/qs.js | 135 +++++++++++++++++++++++++++++++++++---------------- package.json | 2 +- 3 files changed, 104 insertions(+), 43 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67cb513b..dc8e8794 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## **6.14.0** +- [New] `parse`: add `throwOnParameterLimitExceeded` option (#517) +- [Refactor] `parse`: use `utils.combine` more +- [patch] `parse`: add explicit `throwOnLimitExceeded` default +- [actions] use shared action; re-add finishers +- [meta] Fix changelog formatting bug +- [Deps] update `side-channel` +- [Dev Deps] update `es-value-fixtures`, `has-bigints`, `has-proto`, `has-symbols` +- [Tests] increase coverage + ## **6.13.1** - [Fix] `stringify`: avoid a crash when a `filter` key is `null` - [Fix] `utils.merge`: functions should not be stringified into keys diff --git a/dist/qs.js b/dist/qs.js index fa84340f..f37989a5 100644 --- a/dist/qs.js +++ b/dist/qs.js @@ -5,86 +5,137 @@ "use strict";var stringify=require(4),parse=require(3),formats=require(1);module.exports={formats:formats,parse:parse,stringify:stringify}; },{"1":1,"3":3,"4":4}],3:[function(require,module,exports){ -"use strict";var utils=require(5),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,defaults={allowDots:!1,allowEmptyArrays:!1,allowPrototypes:!1,allowSparse:!1,arrayLimit:20,charset:"utf-8",charsetSentinel:!1,comma:!1,decodeDotInKeys:!1,decoder:utils.decode,delimiter:"&",depth:5,duplicates:"combine",ignoreQueryPrefix:!1,interpretNumericEntities:!1,parameterLimit:1e3,parseArrays:!0,plainObjects:!1,strictDepth:!1,strictNullHandling:!1},interpretNumericEntities=function(e){return e.replace(/&#(\d+);/g,(function(e,t){return String.fromCharCode(parseInt(t,10))}))},parseArrayValue=function(e,t){return e&&"string"==typeof e&&t.comma&&e.indexOf(",")>-1?e.split(","):e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},a=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;a=a.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var i,o=t.parameterLimit===1/0?void 0:t.parameterLimit,l=a.split(t.delimiter,o),s=-1,n=t.charset;if(t.charsetSentinel)for(i=0;i-1&&(c=isArray(c)?[c]:c);var y=has.call(r,p);y&&"combine"===t.duplicates?r[p]=utils.combine(r[p],c):y&&"last"!==t.duplicates||(r[p]=c)}return r},parseObject=function(e,t,r,a){for(var i=a?t:parseArrayValue(t,r),o=e.length-1;o>=0;--o){var l,s=e[o];if("[]"===s&&r.parseArrays)l=r.allowEmptyArrays&&(""===i||r.strictNullHandling&&null===i)?[]:[].concat(i);else{l=r.plainObjects?{__proto__:null}:{};var n="["===s.charAt(0)&&"]"===s.charAt(s.length-1)?s.slice(1,-1):s,p=r.decodeDotInKeys?n.replace(/%2E/g,"."):n,c=parseInt(p,10);r.parseArrays||""!==p?!isNaN(c)&&s!==p&&String(c)===p&&c>=0&&r.parseArrays&&c<=r.arrayLimit?(l=[])[c]=i:"__proto__"!==p&&(l[p]=i):l={0:i}}i=l}return i},parseKeys=function parseQueryStringKeys(e,t,r,a){if(e){var i=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(i),s=l?i.slice(0,l.index):i,n=[];if(s){if(!r.plainObjects&&has.call(Object.prototype,s)&&!r.allowPrototypes)return;n.push(s)}for(var p=0;r.depth>0&&null!==(l=o.exec(i))&&p-1)return e.split(",");if(t.throwOnLimitExceeded&&r>=t.arrayLimit)throw new RangeError("Array limit exceeded. Only "+t.arrayLimit+" element"+(1===t.arrayLimit?"":"s")+" allowed in an array.");return e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},i=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;i=i.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var a=t.parameterLimit===1/0?void 0:t.parameterLimit,o=i.split(t.delimiter,t.throwOnLimitExceeded?a+1:a);if(t.throwOnLimitExceeded&&o.length>a)throw new RangeError("Parameter limit exceeded. Only "+a+" parameter"+(1===a?"":"s")+" allowed.");var l,n=-1,s=t.charset;if(t.charsetSentinel)for(l=0;l-1&&(p=isArray(p)?[p]:p);var f=has.call(r,d);f&&"combine"===t.duplicates?r[d]=utils.combine(r[d],p):f&&"last"!==t.duplicates||(r[d]=p)}return r},parseObject=function(e,t,r,i){var a=0;if(e.length>0&&"[]"===e[e.length-1]){var o=e.slice(0,-1).join("");a=Array.isArray(t)&&t[o]?t[o].length:0}for(var l=i?t:parseArrayValue(t,r,a),n=e.length-1;n>=0;--n){var s,d=e[n];if("[]"===d&&r.parseArrays)s=r.allowEmptyArrays&&(""===l||r.strictNullHandling&&null===l)?[]:utils.combine([],l);else{s=r.plainObjects?{__proto__:null}:{};var p="["===d.charAt(0)&&"]"===d.charAt(d.length-1)?d.slice(1,-1):d,c=r.decodeDotInKeys?p.replace(/%2E/g,"."):p,u=parseInt(c,10);r.parseArrays||""!==c?!isNaN(u)&&d!==c&&String(u)===c&&u>=0&&r.parseArrays&&u<=r.arrayLimit?(s=[])[u]=l:"__proto__"!==c&&(s[c]=l):s={0:l}}l=s}return l},parseKeys=function parseQueryStringKeys(e,t,r,i){if(e){var a=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(a),n=l?a.slice(0,l.index):a,s=[];if(n){if(!r.plainObjects&&has.call(Object.prototype,n)&&!r.allowPrototypes)return;s.push(n)}for(var d=0;r.depth>0&&null!==(l=o.exec(a))&&d0?g.join(",")||null:void 0}];else if(isArray(f))S=f;else{var N=Object.keys(g);S=u?N.sort(u):N}var T=l?String(r).replace(/\./g,"%2E"):String(r),O=o&&isArray(g)&&1===g.length?T+"[]":T;if(a&&isArray(g)&&0===g.length)return O+"[]";for(var k=0;k0?c+y:""}; +"use strict";var getSideChannel=require(46),utils=require(5),formats=require(1),has=Object.prototype.hasOwnProperty,arrayPrefixGenerators={brackets:function brackets(e){return e+"[]"},comma:"comma",indices:function indices(e,r){return e+"["+r+"]"},repeat:function repeat(e){return e}},isArray=Array.isArray,push=Array.prototype.push,pushToArray=function(e,r){push.apply(e,isArray(r)?r:[r])},toISO=Date.prototype.toISOString,defaultFormat=formats.default,defaults={addQueryPrefix:!1,allowDots:!1,allowEmptyArrays:!1,arrayFormat:"indices",charset:"utf-8",charsetSentinel:!1,commaRoundTrip:!1,delimiter:"&",encode:!0,encodeDotInKeys:!1,encoder:utils.encode,encodeValuesOnly:!1,filter:void 0,format:defaultFormat,formatter:formats.formatters[defaultFormat],indices:!1,serializeDate:function serializeDate(e){return toISO.call(e)},skipNulls:!1,strictNullHandling:!1},isNonNullishPrimitive=function isNonNullishPrimitive(e){return"string"==typeof e||"number"==typeof e||"boolean"==typeof e||"symbol"==typeof e||"bigint"==typeof e},sentinel={},stringify=function stringify(e,r,t,o,a,n,i,l,s,f,u,d,y,c,p,m,h,v){for(var g=e,w=v,b=0,A=!1;void 0!==(w=w.get(sentinel))&&!A;){var D=w.get(e);if(b+=1,void 0!==D){if(D===b)throw new RangeError("Cyclic object value");A=!0}void 0===w.get(sentinel)&&(b=0)}if("function"==typeof f?g=f(r,g):g instanceof Date?g=y(g):"comma"===t&&isArray(g)&&(g=utils.maybeMap(g,(function(e){return e instanceof Date?y(e):e}))),null===g){if(n)return s&&!m?s(r,defaults.encoder,h,"key",c):r;g=""}if(isNonNullishPrimitive(g)||utils.isBuffer(g))return s?[p(m?r:s(r,defaults.encoder,h,"key",c))+"="+p(s(g,defaults.encoder,h,"value",c))]:[p(r)+"="+p(String(g))];var S,E=[];if(void 0===g)return E;if("comma"===t&&isArray(g))m&&s&&(g=utils.maybeMap(g,s)),S=[{value:g.length>0?g.join(",")||null:void 0}];else if(isArray(f))S=f;else{var N=Object.keys(g);S=u?N.sort(u):N}var T=l?String(r).replace(/\./g,"%2E"):String(r),O=o&&isArray(g)&&1===g.length?T+"[]":T;if(a&&isArray(g)&&0===g.length)return O+"[]";for(var k=0;k0?c+y:""}; -},{"1":1,"29":29,"5":5}],5:[function(require,module,exports){ +},{"1":1,"46":46,"5":5}],5:[function(require,module,exports){ "use strict";var formats=require(1),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,hexTable=function(){for(var e=[],r=0;r<256;++r)e.push("%"+((r<16?"0":"")+r.toString(16)).toUpperCase());return e}(),compactQueue=function compactQueue(e){for(;e.length>1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,p=[],f=0;f=48&&s<=57||s>=65&&s<=90||s>=97&&s<=122||n===formats.RFC1738&&(40===s||41===s)?p[p.length]=u.charAt(f):s<128?p[p.length]=hexTable[s]:s<2048?p[p.length]=hexTable[192|s>>6]+hexTable[128|63&s]:s<55296||s>=57344?p[p.length]=hexTable[224|s>>12]+hexTable[128|s>>6&63]+hexTable[128|63&s]:(f+=1,s=65536+((1023&s)<<10|1023&u.charCodeAt(f)),p[p.length]=hexTable[240|s>>18]+hexTable[128|s>>12&63]+hexTable[128|s>>6&63]+hexTable[128|63&s])}c+=p.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;o-1?callBind(t):t}; +"use strict";var bind=require(24),$apply=require(8),$call=require(9),$reflectApply=require(11);module.exports=$reflectApply||bind.call($call,$apply); -},{"20":20,"8":8}],20:[function(require,module,exports){ -"use strict";var undefined,$Error=require(12),$EvalError=require(11),$RangeError=require(13),$ReferenceError=require(14),$SyntaxError=require(15),$TypeError=require(16),$URIError=require(17),$Function=Function,getEvalledConstructor=function(r){try{return $Function('"use strict"; return ('+r+").constructor;")()}catch(r){}},$gOPD=Object.getOwnPropertyDescriptor;if($gOPD)try{$gOPD({},"")}catch(r){$gOPD=null}var throwTypeError=function(){throw new $TypeError},ThrowTypeError=$gOPD?function(){try{return throwTypeError}catch(r){try{return $gOPD(arguments,"callee").get}catch(r){return throwTypeError}}}():throwTypeError,hasSymbols=require(24)(),hasProto=require(23)(),getProto=Object.getPrototypeOf||(hasProto?function(r){return r.__proto__}:null),needsEval={},TypedArray="undefined"!=typeof Uint8Array&&getProto?getProto(Uint8Array):undefined,INTRINSICS={__proto__:null,"%AggregateError%":"undefined"==typeof AggregateError?undefined:AggregateError,"%Array%":Array,"%ArrayBuffer%":"undefined"==typeof ArrayBuffer?undefined:ArrayBuffer,"%ArrayIteratorPrototype%":hasSymbols&&getProto?getProto([][Symbol.iterator]()):undefined,"%AsyncFromSyncIteratorPrototype%":undefined,"%AsyncFunction%":needsEval,"%AsyncGenerator%":needsEval,"%AsyncGeneratorFunction%":needsEval,"%AsyncIteratorPrototype%":needsEval,"%Atomics%":"undefined"==typeof Atomics?undefined:Atomics,"%BigInt%":"undefined"==typeof BigInt?undefined:BigInt,"%BigInt64Array%":"undefined"==typeof BigInt64Array?undefined:BigInt64Array,"%BigUint64Array%":"undefined"==typeof BigUint64Array?undefined:BigUint64Array,"%Boolean%":Boolean,"%DataView%":"undefined"==typeof DataView?undefined:DataView,"%Date%":Date,"%decodeURI%":decodeURI,"%decodeURIComponent%":decodeURIComponent,"%encodeURI%":encodeURI,"%encodeURIComponent%":encodeURIComponent,"%Error%":$Error,"%eval%":eval,"%EvalError%":$EvalError,"%Float32Array%":"undefined"==typeof Float32Array?undefined:Float32Array,"%Float64Array%":"undefined"==typeof Float64Array?undefined:Float64Array,"%FinalizationRegistry%":"undefined"==typeof FinalizationRegistry?undefined:FinalizationRegistry,"%Function%":$Function,"%GeneratorFunction%":needsEval,"%Int8Array%":"undefined"==typeof Int8Array?undefined:Int8Array,"%Int16Array%":"undefined"==typeof Int16Array?undefined:Int16Array,"%Int32Array%":"undefined"==typeof Int32Array?undefined:Int32Array,"%isFinite%":isFinite,"%isNaN%":isNaN,"%IteratorPrototype%":hasSymbols&&getProto?getProto(getProto([][Symbol.iterator]())):undefined,"%JSON%":"object"==typeof JSON?JSON:undefined,"%Map%":"undefined"==typeof Map?undefined:Map,"%MapIteratorPrototype%":"undefined"!=typeof Map&&hasSymbols&&getProto?getProto((new Map)[Symbol.iterator]()):undefined,"%Math%":Math,"%Number%":Number,"%Object%":Object,"%parseFloat%":parseFloat,"%parseInt%":parseInt,"%Promise%":"undefined"==typeof Promise?undefined:Promise,"%Proxy%":"undefined"==typeof Proxy?undefined:Proxy,"%RangeError%":$RangeError,"%ReferenceError%":$ReferenceError,"%Reflect%":"undefined"==typeof Reflect?undefined:Reflect,"%RegExp%":RegExp,"%Set%":"undefined"==typeof Set?undefined:Set,"%SetIteratorPrototype%":"undefined"!=typeof Set&&hasSymbols&&getProto?getProto((new Set)[Symbol.iterator]()):undefined,"%SharedArrayBuffer%":"undefined"==typeof SharedArrayBuffer?undefined:SharedArrayBuffer,"%String%":String,"%StringIteratorPrototype%":hasSymbols&&getProto?getProto(""[Symbol.iterator]()):undefined,"%Symbol%":hasSymbols?Symbol:undefined,"%SyntaxError%":$SyntaxError,"%ThrowTypeError%":ThrowTypeError,"%TypedArray%":TypedArray,"%TypeError%":$TypeError,"%Uint8Array%":"undefined"==typeof Uint8Array?undefined:Uint8Array,"%Uint8ClampedArray%":"undefined"==typeof Uint8ClampedArray?undefined:Uint8ClampedArray,"%Uint16Array%":"undefined"==typeof Uint16Array?undefined:Uint16Array,"%Uint32Array%":"undefined"==typeof Uint32Array?undefined:Uint32Array,"%URIError%":$URIError,"%WeakMap%":"undefined"==typeof WeakMap?undefined:WeakMap,"%WeakRef%":"undefined"==typeof WeakRef?undefined:WeakRef,"%WeakSet%":"undefined"==typeof WeakSet?undefined:WeakSet};if(getProto)try{null.error}catch(r){var errorProto=getProto(getProto(r));INTRINSICS["%Error.prototype%"]=errorProto}var doEval=function doEval(r){var e;if("%AsyncFunction%"===r)e=getEvalledConstructor("async function () {}");else if("%GeneratorFunction%"===r)e=getEvalledConstructor("function* () {}");else if("%AsyncGeneratorFunction%"===r)e=getEvalledConstructor("async function* () {}");else if("%AsyncGenerator%"===r){var t=doEval("%AsyncGeneratorFunction%");t&&(e=t.prototype)}else if("%AsyncIteratorPrototype%"===r){var o=doEval("%AsyncGenerator%");o&&getProto&&(e=getProto(o.prototype))}return INTRINSICS[r]=e,e},LEGACY_ALIASES={__proto__:null,"%ArrayBufferPrototype%":["ArrayBuffer","prototype"],"%ArrayPrototype%":["Array","prototype"],"%ArrayProto_entries%":["Array","prototype","entries"],"%ArrayProto_forEach%":["Array","prototype","forEach"],"%ArrayProto_keys%":["Array","prototype","keys"],"%ArrayProto_values%":["Array","prototype","values"],"%AsyncFunctionPrototype%":["AsyncFunction","prototype"],"%AsyncGenerator%":["AsyncGeneratorFunction","prototype"],"%AsyncGeneratorPrototype%":["AsyncGeneratorFunction","prototype","prototype"],"%BooleanPrototype%":["Boolean","prototype"],"%DataViewPrototype%":["DataView","prototype"],"%DatePrototype%":["Date","prototype"],"%ErrorPrototype%":["Error","prototype"],"%EvalErrorPrototype%":["EvalError","prototype"],"%Float32ArrayPrototype%":["Float32Array","prototype"],"%Float64ArrayPrototype%":["Float64Array","prototype"],"%FunctionPrototype%":["Function","prototype"],"%Generator%":["GeneratorFunction","prototype"],"%GeneratorPrototype%":["GeneratorFunction","prototype","prototype"],"%Int8ArrayPrototype%":["Int8Array","prototype"],"%Int16ArrayPrototype%":["Int16Array","prototype"],"%Int32ArrayPrototype%":["Int32Array","prototype"],"%JSONParse%":["JSON","parse"],"%JSONStringify%":["JSON","stringify"],"%MapPrototype%":["Map","prototype"],"%NumberPrototype%":["Number","prototype"],"%ObjectPrototype%":["Object","prototype"],"%ObjProto_toString%":["Object","prototype","toString"],"%ObjProto_valueOf%":["Object","prototype","valueOf"],"%PromisePrototype%":["Promise","prototype"],"%PromiseProto_then%":["Promise","prototype","then"],"%Promise_all%":["Promise","all"],"%Promise_reject%":["Promise","reject"],"%Promise_resolve%":["Promise","resolve"],"%RangeErrorPrototype%":["RangeError","prototype"],"%ReferenceErrorPrototype%":["ReferenceError","prototype"],"%RegExpPrototype%":["RegExp","prototype"],"%SetPrototype%":["Set","prototype"],"%SharedArrayBufferPrototype%":["SharedArrayBuffer","prototype"],"%StringPrototype%":["String","prototype"],"%SymbolPrototype%":["Symbol","prototype"],"%SyntaxErrorPrototype%":["SyntaxError","prototype"],"%TypedArrayPrototype%":["TypedArray","prototype"],"%TypeErrorPrototype%":["TypeError","prototype"],"%Uint8ArrayPrototype%":["Uint8Array","prototype"],"%Uint8ClampedArrayPrototype%":["Uint8ClampedArray","prototype"],"%Uint16ArrayPrototype%":["Uint16Array","prototype"],"%Uint32ArrayPrototype%":["Uint32Array","prototype"],"%URIErrorPrototype%":["URIError","prototype"],"%WeakMapPrototype%":["WeakMap","prototype"],"%WeakSetPrototype%":["WeakSet","prototype"]},bind=require(19),hasOwn=require(26),$concat=bind.call(Function.call,Array.prototype.concat),$spliceApply=bind.call(Function.apply,Array.prototype.splice),$replace=bind.call(Function.call,String.prototype.replace),$strSlice=bind.call(Function.call,String.prototype.slice),$exec=bind.call(Function.call,RegExp.prototype.exec),rePropName=/[^%.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|%$))/g,reEscapeChar=/\\(\\)?/g,stringToPath=function stringToPath(r){var e=$strSlice(r,0,1),t=$strSlice(r,-1);if("%"===e&&"%"!==t)throw new $SyntaxError("invalid intrinsic syntax, expected closing `%`");if("%"===t&&"%"!==e)throw new $SyntaxError("invalid intrinsic syntax, expected opening `%`");var o=[];return $replace(r,rePropName,(function(r,e,t,n){o[o.length]=t?$replace(n,reEscapeChar,"$1"):e||r})),o},getBaseIntrinsic=function getBaseIntrinsic(r,e){var t,o=r;if(hasOwn(LEGACY_ALIASES,o)&&(o="%"+(t=LEGACY_ALIASES[o])[0]+"%"),hasOwn(INTRINSICS,o)){var n=INTRINSICS[o];if(n===needsEval&&(n=doEval(o)),void 0===n&&!e)throw new $TypeError("intrinsic "+r+" exists, but is not available. Please file an issue!");return{alias:t,name:o,value:n}}throw new $SyntaxError("intrinsic "+r+" does not exist!")};module.exports=function GetIntrinsic(r,e){if("string"!=typeof r||0===r.length)throw new $TypeError("intrinsic name must be a non-empty string");if(arguments.length>1&&"boolean"!=typeof e)throw new $TypeError('"allowMissing" argument must be a boolean');if(null===$exec(/^%?[^%]*%?$/,r))throw new $SyntaxError("`%` may not be present anywhere but at the beginning and end of the intrinsic name");var t=stringToPath(r),o=t.length>0?t[0]:"",n=getBaseIntrinsic("%"+o+"%",e),a=n.name,y=n.value,i=!1,p=n.alias;p&&(o=p[0],$spliceApply(t,$concat([0,1],p)));for(var d=1,s=!0;d=t.length){var c=$gOPD(y,f);y=(s=!!c)&&"get"in c&&!("originalValue"in c.get)?c.get:y[f]}else s=hasOwn(y,f),y=y[f];s&&!i&&(INTRINSICS[a]=y)}}return y}; +},{"11":11,"24":24,"8":8,"9":9}],8:[function(require,module,exports){ +"use strict";module.exports=Function.prototype.apply; -},{"11":11,"12":12,"13":13,"14":14,"15":15,"16":16,"17":17,"19":19,"23":23,"24":24,"26":26}],8:[function(require,module,exports){ -"use strict";var bind=require(19),GetIntrinsic=require(20),setFunctionLength=require(28),$TypeError=require(16),$apply=GetIntrinsic("%Function.prototype.apply%"),$call=GetIntrinsic("%Function.prototype.call%"),$reflectApply=GetIntrinsic("%Reflect.apply%",!0)||bind.call($call,$apply),$defineProperty=require(10),$max=GetIntrinsic("%Math.max%");module.exports=function callBind(e){if("function"!=typeof e)throw new $TypeError("a function is required");var n=$reflectApply(bind,$call,arguments);return setFunctionLength(n,1+$max(0,e.length-(arguments.length-1)),!0)};var applyBind=function applyBind(){return $reflectApply(bind,$apply,arguments)};$defineProperty?$defineProperty(module.exports,"apply",{value:applyBind}):module.exports.apply=applyBind; +},{}],9:[function(require,module,exports){ +"use strict";module.exports=Function.prototype.call; -},{"10":10,"16":16,"19":19,"20":20,"28":28}],16:[function(require,module,exports){ -"use strict";module.exports=TypeError; +},{}],24:[function(require,module,exports){ +"use strict";var implementation=require(23);module.exports=Function.prototype.bind||implementation; -},{}],19:[function(require,module,exports){ -"use strict";var implementation=require(18);module.exports=Function.prototype.bind||implementation; +},{"23":23}],11:[function(require,module,exports){ +"use strict";module.exports="undefined"!=typeof Reflect&&Reflect&&Reflect.apply; -},{"18":18}],10:[function(require,module,exports){ -"use strict";var GetIntrinsic=require(20),$defineProperty=GetIntrinsic("%Object.defineProperty%",!0)||!1;if($defineProperty)try{$defineProperty({},"a",{value:1})}catch(e){$defineProperty=!1}module.exports=$defineProperty; +},{}],10:[function(require,module,exports){ +"use strict";var bind=require(24),$TypeError=require(20),$call=require(9),$actualApply=require(7);module.exports=function callBindBasic(r){if(r.length<1||"function"!=typeof r[0])throw new $TypeError("a function is required");return $actualApply(bind,$call,r)}; -},{"20":20}],28:[function(require,module,exports){ -"use strict";var GetIntrinsic=require(20),define=require(9),hasDescriptors=require(22)(),gOPD=require(21),$TypeError=require(16),$floor=GetIntrinsic("%Math.floor%");module.exports=function setFunctionLength(e,r){if("function"!=typeof e)throw new $TypeError("`fn` is not a function");if("number"!=typeof r||r<0||r>4294967295||$floor(r)!==r)throw new $TypeError("`length` must be a positive 32-bit integer");var t=arguments.length>2&&!!arguments[2],i=!0,n=!0;if("length"in e&&gOPD){var o=gOPD(e,"length");o&&!o.configurable&&(i=!1),o&&!o.writable&&(n=!1)}return(i||n||!t)&&(hasDescriptors?define(e,"length",r,!0,!0):define(e,"length",r)),e}; +},{"20":20,"24":24,"7":7,"9":9}],20:[function(require,module,exports){ +"use strict";module.exports=TypeError; -},{"16":16,"20":20,"21":21,"22":22,"9":9}],9:[function(require,module,exports){ -"use strict";var $defineProperty=require(10),$SyntaxError=require(15),$TypeError=require(16),gopd=require(21);module.exports=function defineDataProperty(e,r,o){if(!e||"object"!=typeof e&&"function"!=typeof e)throw new $TypeError("`obj` must be an object or a function`");if("string"!=typeof r&&"symbol"!=typeof r)throw new $TypeError("`property` must be a string or a symbol`");if(arguments.length>3&&"boolean"!=typeof arguments[3]&&null!==arguments[3])throw new $TypeError("`nonEnumerable`, if provided, must be a boolean or null");if(arguments.length>4&&"boolean"!=typeof arguments[4]&&null!==arguments[4])throw new $TypeError("`nonWritable`, if provided, must be a boolean or null");if(arguments.length>5&&"boolean"!=typeof arguments[5]&&null!==arguments[5])throw new $TypeError("`nonConfigurable`, if provided, must be a boolean or null");if(arguments.length>6&&"boolean"!=typeof arguments[6])throw new $TypeError("`loose`, if provided, must be a boolean");var n=arguments.length>3?arguments[3]:null,l=arguments.length>4?arguments[4]:null,t=arguments.length>5?arguments[5]:null,i=arguments.length>6&&arguments[6],a=!!gopd&&gopd(e,r);if($defineProperty)$defineProperty(e,r,{configurable:null===t&&a?a.configurable:!t,enumerable:null===n&&a?a.enumerable:!n,value:o,writable:null===l&&a?a.writable:!l});else{if(!i&&(n||l||t))throw new $SyntaxError("This environment does not support defining a property as non-configurable, non-writable, or non-enumerable.");e[r]=o}}; +},{}],12:[function(require,module,exports){ +"use strict";var GetIntrinsic=require(25),callBindBasic=require(10),$indexOf=callBindBasic([GetIntrinsic("%String.prototype.indexOf%")]);module.exports=function callBoundIntrinsic(i,n){var t=GetIntrinsic(i,!!n);return"function"==typeof t&&$indexOf(i,".prototype.")>-1?callBindBasic([t]):t}; -},{"10":10,"15":15,"16":16,"21":21}],15:[function(require,module,exports){ -"use strict";module.exports=SyntaxError; +},{"10":10,"25":25}],25:[function(require,module,exports){ +"use strict";var undefined,$Object=require(22),$Error=require(16),$EvalError=require(15),$RangeError=require(17),$ReferenceError=require(18),$SyntaxError=require(19),$TypeError=require(20),$URIError=require(21),abs=require(34),floor=require(35),max=require(37),min=require(38),pow=require(39),round=require(40),sign=require(41),$Function=Function,getEvalledConstructor=function(r){try{return $Function('"use strict"; return ('+r+").constructor;")()}catch(r){}},$gOPD=require(30),$defineProperty=require(14),throwTypeError=function(){throw new $TypeError},ThrowTypeError=$gOPD?function(){try{return throwTypeError}catch(r){try{return $gOPD(arguments,"callee").get}catch(r){return throwTypeError}}}():throwTypeError,hasSymbols=require(31)(),getProto=require(28),$ObjectGPO=require(26),$ReflectGPO=require(27),$apply=require(8),$call=require(9),needsEval={},TypedArray="undefined"!=typeof Uint8Array&&getProto?getProto(Uint8Array):undefined,INTRINSICS={__proto__:null,"%AggregateError%":"undefined"==typeof AggregateError?undefined:AggregateError,"%Array%":Array,"%ArrayBuffer%":"undefined"==typeof ArrayBuffer?undefined:ArrayBuffer,"%ArrayIteratorPrototype%":hasSymbols&&getProto?getProto([][Symbol.iterator]()):undefined,"%AsyncFromSyncIteratorPrototype%":undefined,"%AsyncFunction%":needsEval,"%AsyncGenerator%":needsEval,"%AsyncGeneratorFunction%":needsEval,"%AsyncIteratorPrototype%":needsEval,"%Atomics%":"undefined"==typeof Atomics?undefined:Atomics,"%BigInt%":"undefined"==typeof BigInt?undefined:BigInt,"%BigInt64Array%":"undefined"==typeof BigInt64Array?undefined:BigInt64Array,"%BigUint64Array%":"undefined"==typeof BigUint64Array?undefined:BigUint64Array,"%Boolean%":Boolean,"%DataView%":"undefined"==typeof DataView?undefined:DataView,"%Date%":Date,"%decodeURI%":decodeURI,"%decodeURIComponent%":decodeURIComponent,"%encodeURI%":encodeURI,"%encodeURIComponent%":encodeURIComponent,"%Error%":$Error,"%eval%":eval,"%EvalError%":$EvalError,"%Float32Array%":"undefined"==typeof Float32Array?undefined:Float32Array,"%Float64Array%":"undefined"==typeof Float64Array?undefined:Float64Array,"%FinalizationRegistry%":"undefined"==typeof FinalizationRegistry?undefined:FinalizationRegistry,"%Function%":$Function,"%GeneratorFunction%":needsEval,"%Int8Array%":"undefined"==typeof Int8Array?undefined:Int8Array,"%Int16Array%":"undefined"==typeof Int16Array?undefined:Int16Array,"%Int32Array%":"undefined"==typeof Int32Array?undefined:Int32Array,"%isFinite%":isFinite,"%isNaN%":isNaN,"%IteratorPrototype%":hasSymbols&&getProto?getProto(getProto([][Symbol.iterator]())):undefined,"%JSON%":"object"==typeof JSON?JSON:undefined,"%Map%":"undefined"==typeof Map?undefined:Map,"%MapIteratorPrototype%":"undefined"!=typeof Map&&hasSymbols&&getProto?getProto((new Map)[Symbol.iterator]()):undefined,"%Math%":Math,"%Number%":Number,"%Object%":$Object,"%Object.getOwnPropertyDescriptor%":$gOPD,"%parseFloat%":parseFloat,"%parseInt%":parseInt,"%Promise%":"undefined"==typeof Promise?undefined:Promise,"%Proxy%":"undefined"==typeof Proxy?undefined:Proxy,"%RangeError%":$RangeError,"%ReferenceError%":$ReferenceError,"%Reflect%":"undefined"==typeof Reflect?undefined:Reflect,"%RegExp%":RegExp,"%Set%":"undefined"==typeof Set?undefined:Set,"%SetIteratorPrototype%":"undefined"!=typeof Set&&hasSymbols&&getProto?getProto((new Set)[Symbol.iterator]()):undefined,"%SharedArrayBuffer%":"undefined"==typeof SharedArrayBuffer?undefined:SharedArrayBuffer,"%String%":String,"%StringIteratorPrototype%":hasSymbols&&getProto?getProto(""[Symbol.iterator]()):undefined,"%Symbol%":hasSymbols?Symbol:undefined,"%SyntaxError%":$SyntaxError,"%ThrowTypeError%":ThrowTypeError,"%TypedArray%":TypedArray,"%TypeError%":$TypeError,"%Uint8Array%":"undefined"==typeof Uint8Array?undefined:Uint8Array,"%Uint8ClampedArray%":"undefined"==typeof Uint8ClampedArray?undefined:Uint8ClampedArray,"%Uint16Array%":"undefined"==typeof Uint16Array?undefined:Uint16Array,"%Uint32Array%":"undefined"==typeof Uint32Array?undefined:Uint32Array,"%URIError%":$URIError,"%WeakMap%":"undefined"==typeof WeakMap?undefined:WeakMap,"%WeakRef%":"undefined"==typeof WeakRef?undefined:WeakRef,"%WeakSet%":"undefined"==typeof WeakSet?undefined:WeakSet,"%Function.prototype.call%":$call,"%Function.prototype.apply%":$apply,"%Object.defineProperty%":$defineProperty,"%Object.getPrototypeOf%":$ObjectGPO,"%Math.abs%":abs,"%Math.floor%":floor,"%Math.max%":max,"%Math.min%":min,"%Math.pow%":pow,"%Math.round%":round,"%Math.sign%":sign,"%Reflect.getPrototypeOf%":$ReflectGPO};if(getProto)try{null.error}catch(r){var errorProto=getProto(getProto(r));INTRINSICS["%Error.prototype%"]=errorProto}var doEval=function doEval(r){var e;if("%AsyncFunction%"===r)e=getEvalledConstructor("async function () {}");else if("%GeneratorFunction%"===r)e=getEvalledConstructor("function* () {}");else if("%AsyncGeneratorFunction%"===r)e=getEvalledConstructor("async function* () {}");else if("%AsyncGenerator%"===r){var t=doEval("%AsyncGeneratorFunction%");t&&(e=t.prototype)}else if("%AsyncIteratorPrototype%"===r){var o=doEval("%AsyncGenerator%");o&&getProto&&(e=getProto(o.prototype))}return INTRINSICS[r]=e,e},LEGACY_ALIASES={__proto__:null,"%ArrayBufferPrototype%":["ArrayBuffer","prototype"],"%ArrayPrototype%":["Array","prototype"],"%ArrayProto_entries%":["Array","prototype","entries"],"%ArrayProto_forEach%":["Array","prototype","forEach"],"%ArrayProto_keys%":["Array","prototype","keys"],"%ArrayProto_values%":["Array","prototype","values"],"%AsyncFunctionPrototype%":["AsyncFunction","prototype"],"%AsyncGenerator%":["AsyncGeneratorFunction","prototype"],"%AsyncGeneratorPrototype%":["AsyncGeneratorFunction","prototype","prototype"],"%BooleanPrototype%":["Boolean","prototype"],"%DataViewPrototype%":["DataView","prototype"],"%DatePrototype%":["Date","prototype"],"%ErrorPrototype%":["Error","prototype"],"%EvalErrorPrototype%":["EvalError","prototype"],"%Float32ArrayPrototype%":["Float32Array","prototype"],"%Float64ArrayPrototype%":["Float64Array","prototype"],"%FunctionPrototype%":["Function","prototype"],"%Generator%":["GeneratorFunction","prototype"],"%GeneratorPrototype%":["GeneratorFunction","prototype","prototype"],"%Int8ArrayPrototype%":["Int8Array","prototype"],"%Int16ArrayPrototype%":["Int16Array","prototype"],"%Int32ArrayPrototype%":["Int32Array","prototype"],"%JSONParse%":["JSON","parse"],"%JSONStringify%":["JSON","stringify"],"%MapPrototype%":["Map","prototype"],"%NumberPrototype%":["Number","prototype"],"%ObjectPrototype%":["Object","prototype"],"%ObjProto_toString%":["Object","prototype","toString"],"%ObjProto_valueOf%":["Object","prototype","valueOf"],"%PromisePrototype%":["Promise","prototype"],"%PromiseProto_then%":["Promise","prototype","then"],"%Promise_all%":["Promise","all"],"%Promise_reject%":["Promise","reject"],"%Promise_resolve%":["Promise","resolve"],"%RangeErrorPrototype%":["RangeError","prototype"],"%ReferenceErrorPrototype%":["ReferenceError","prototype"],"%RegExpPrototype%":["RegExp","prototype"],"%SetPrototype%":["Set","prototype"],"%SharedArrayBufferPrototype%":["SharedArrayBuffer","prototype"],"%StringPrototype%":["String","prototype"],"%SymbolPrototype%":["Symbol","prototype"],"%SyntaxErrorPrototype%":["SyntaxError","prototype"],"%TypedArrayPrototype%":["TypedArray","prototype"],"%TypeErrorPrototype%":["TypeError","prototype"],"%Uint8ArrayPrototype%":["Uint8Array","prototype"],"%Uint8ClampedArrayPrototype%":["Uint8ClampedArray","prototype"],"%Uint16ArrayPrototype%":["Uint16Array","prototype"],"%Uint32ArrayPrototype%":["Uint32Array","prototype"],"%URIErrorPrototype%":["URIError","prototype"],"%WeakMapPrototype%":["WeakMap","prototype"],"%WeakSetPrototype%":["WeakSet","prototype"]},bind=require(24),hasOwn=require(33),$concat=bind.call($call,Array.prototype.concat),$spliceApply=bind.call($apply,Array.prototype.splice),$replace=bind.call($call,String.prototype.replace),$strSlice=bind.call($call,String.prototype.slice),$exec=bind.call($call,RegExp.prototype.exec),rePropName=/[^%.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|%$))/g,reEscapeChar=/\\(\\)?/g,stringToPath=function stringToPath(r){var e=$strSlice(r,0,1),t=$strSlice(r,-1);if("%"===e&&"%"!==t)throw new $SyntaxError("invalid intrinsic syntax, expected closing `%`");if("%"===t&&"%"!==e)throw new $SyntaxError("invalid intrinsic syntax, expected opening `%`");var o=[];return $replace(r,rePropName,(function(r,e,t,n){o[o.length]=t?$replace(n,reEscapeChar,"$1"):e||r})),o},getBaseIntrinsic=function getBaseIntrinsic(r,e){var t,o=r;if(hasOwn(LEGACY_ALIASES,o)&&(o="%"+(t=LEGACY_ALIASES[o])[0]+"%"),hasOwn(INTRINSICS,o)){var n=INTRINSICS[o];if(n===needsEval&&(n=doEval(o)),void 0===n&&!e)throw new $TypeError("intrinsic "+r+" exists, but is not available. Please file an issue!");return{alias:t,name:o,value:n}}throw new $SyntaxError("intrinsic "+r+" does not exist!")};module.exports=function GetIntrinsic(r,e){if("string"!=typeof r||0===r.length)throw new $TypeError("intrinsic name must be a non-empty string");if(arguments.length>1&&"boolean"!=typeof e)throw new $TypeError('"allowMissing" argument must be a boolean');if(null===$exec(/^%?[^%]*%?$/,r))throw new $SyntaxError("`%` may not be present anywhere but at the beginning and end of the intrinsic name");var t=stringToPath(r),o=t.length>0?t[0]:"",n=getBaseIntrinsic("%"+o+"%",e),a=n.name,i=n.value,y=!1,p=n.alias;p&&(o=p[0],$spliceApply(t,$concat([0,1],p)));for(var s=1,d=!0;s=t.length){var c=$gOPD(i,f);i=(d=!!c)&&"get"in c&&!("originalValue"in c.get)?c.get:i[f]}else d=hasOwn(i,f),i=i[f];d&&!y&&(INTRINSICS[a]=i)}}return i}; -},{}],21:[function(require,module,exports){ -"use strict";var GetIntrinsic=require(20),$gOPD=GetIntrinsic("%Object.getOwnPropertyDescriptor%",!0);if($gOPD)try{$gOPD([],"length")}catch(t){$gOPD=null}module.exports=$gOPD; +},{"14":14,"15":15,"16":16,"17":17,"18":18,"19":19,"20":20,"21":21,"22":22,"24":24,"26":26,"27":27,"28":28,"30":30,"31":31,"33":33,"34":34,"35":35,"37":37,"38":38,"39":39,"40":40,"41":41,"8":8,"9":9}],13:[function(require,module,exports){ +"use strict";var hasProtoAccessor,callBind=require(10),gOPD=require(30);try{hasProtoAccessor=[].__proto__===Array.prototype}catch(t){if(!t||"object"!=typeof t||!("code"in t)||"ERR_PROTO_ACCESS"!==t.code)throw t}var desc=!!hasProtoAccessor&&gOPD&&gOPD(Object.prototype,"__proto__"),$Object=Object,$getPrototypeOf=$Object.getPrototypeOf;module.exports=desc&&"function"==typeof desc.get?callBind([desc.get]):"function"==typeof $getPrototypeOf&&function getDunder(t){return $getPrototypeOf(null==t?t:$Object(t))}; + +},{"10":10,"30":30}],30:[function(require,module,exports){ +"use strict";var $gOPD=require(29);if($gOPD)try{$gOPD([],"length")}catch(g){$gOPD=null}module.exports=$gOPD; -},{"20":20}],11:[function(require,module,exports){ +},{"29":29}],14:[function(require,module,exports){ +"use strict";var $defineProperty=Object.defineProperty||!1;if($defineProperty)try{$defineProperty({},"a",{value:1})}catch(e){$defineProperty=!1}module.exports=$defineProperty; + +},{}],15:[function(require,module,exports){ "use strict";module.exports=EvalError; -},{}],12:[function(require,module,exports){ +},{}],16:[function(require,module,exports){ "use strict";module.exports=Error; -},{}],13:[function(require,module,exports){ +},{}],17:[function(require,module,exports){ "use strict";module.exports=RangeError; -},{}],14:[function(require,module,exports){ +},{}],18:[function(require,module,exports){ "use strict";module.exports=ReferenceError; -},{}],17:[function(require,module,exports){ +},{}],19:[function(require,module,exports){ +"use strict";module.exports=SyntaxError; + +},{}],21:[function(require,module,exports){ "use strict";module.exports=URIError; -},{}],18:[function(require,module,exports){ -"use strict";var ERROR_MESSAGE="Function.prototype.bind called on incompatible ",toStr=Object.prototype.toString,max=Math.max,funcType="[object Function]",concatty=function concatty(t,n){for(var r=[],o=0;o-1e3&&t<1e3||$test.call(/e/,e))return e;var r=/[0-9](?=(?:[0-9]{3})+(?![0-9]))/g;if("number"==typeof t){var n=t<0?-$floor(-t):$floor(t);if(n!==t){var o=String(n),i=$slice.call(e,o.length+1);return $replace.call(o,r,"$&_")+"."+$replace.call($replace.call(i,/([0-9]{3})/g,"$&_"),/_$/,"")}}return $replace.call(e,r,"$&_")}var utilInspect=require(6),inspectCustom=utilInspect.custom,inspectSymbol=isSymbol(inspectCustom)?inspectCustom:null,quotes={__proto__:null,double:'"',single:"'"},quoteREs={__proto__:null,double:/(["\\])/g,single:/(['\\])/g};function wrapQuotes(t,e,r){var n=r.quoteStyle||e,o=quotes[n];return o+t+o}function quote(t){return $replace.call(String(t),/"/g,""")}function isArray(t){return!("[object Array]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isDate(t){return!("[object Date]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isRegExp(t){return!("[object RegExp]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isError(t){return!("[object Error]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isString(t){return!("[object String]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isNumber(t){return!("[object Number]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isBoolean(t){return!("[object Boolean]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isSymbol(t){if(hasShammedSymbols)return t&&"object"==typeof t&&t instanceof Symbol;if("symbol"==typeof t)return!0;if(!t||"object"!=typeof t||!symToString)return!1;try{return symToString.call(t),!0}catch(t){}return!1}function isBigInt(t){if(!t||"object"!=typeof t||!bigIntValueOf)return!1;try{return bigIntValueOf.call(t),!0}catch(t){}return!1}module.exports=function inspect_(t,e,r,n){var o=e||{};if(has(o,"quoteStyle")&&!has(quotes,o.quoteStyle))throw new TypeError('option "quoteStyle" must be "single" or "double"');if(has(o,"maxStringLength")&&("number"==typeof o.maxStringLength?o.maxStringLength<0&&o.maxStringLength!==1/0:null!==o.maxStringLength))throw new TypeError('option "maxStringLength", if provided, must be a positive integer, Infinity, or `null`');var i=!has(o,"customInspect")||o.customInspect;if("boolean"!=typeof i&&"symbol"!==i)throw new TypeError("option \"customInspect\", if provided, must be `true`, `false`, or `'symbol'`");if(has(o,"indent")&&null!==o.indent&&"\t"!==o.indent&&!(parseInt(o.indent,10)===o.indent&&o.indent>0))throw new TypeError('option "indent" must be "\\t", an integer > 0, or `null`');if(has(o,"numericSeparator")&&"boolean"!=typeof o.numericSeparator)throw new TypeError('option "numericSeparator", if provided, must be `true` or `false`');var a=o.numericSeparator;if(void 0===t)return"undefined";if(null===t)return"null";if("boolean"==typeof t)return t?"true":"false";if("string"==typeof t)return inspectString(t,o);if("number"==typeof t){if(0===t)return 1/0/t>0?"0":"-0";var c=String(t);return a?addNumericSeparator(t,c):c}if("bigint"==typeof t){var l=String(t)+"n";return a?addNumericSeparator(t,l):l}var p=void 0===o.depth?5:o.depth;if(void 0===r&&(r=0),r>=p&&p>0&&"object"==typeof t)return isArray(t)?"[Array]":"[Object]";var u=getIndent(o,r);if(void 0===n)n=[];else if(indexOf(n,t)>=0)return"[Circular]";function inspect(t,e,i){if(e&&(n=$arrSlice.call(n)).push(e),i){var a={depth:o.depth};return has(o,"quoteStyle")&&(a.quoteStyle=o.quoteStyle),inspect_(t,a,r+1,n)}return inspect_(t,o,r+1,n)}if("function"==typeof t&&!isRegExp(t)){var s=nameOf(t),f=arrObjKeys(t,inspect);return"[Function"+(s?": "+s:" (anonymous)")+"]"+(f.length>0?" { "+$join.call(f,", ")+" }":"")}if(isSymbol(t)){var y=hasShammedSymbols?$replace.call(String(t),/^(Symbol\(.*\))_[^)]*$/,"$1"):symToString.call(t);return"object"!=typeof t||hasShammedSymbols?y:markBoxed(y)}if(isElement(t)){for(var S="<"+$toLowerCase.call(String(t.nodeName)),g=t.attributes||[],b=0;b"}if(isArray(t)){if(0===t.length)return"[]";var m=arrObjKeys(t,inspect);return u&&!singleLineValues(m)?"["+indentedJoin(m,u)+"]":"[ "+$join.call(m,", ")+" ]"}if(isError(t)){var h=arrObjKeys(t,inspect);return"cause"in Error.prototype||!("cause"in t)||isEnumerable.call(t,"cause")?0===h.length?"["+String(t)+"]":"{ ["+String(t)+"] "+$join.call(h,", ")+" }":"{ ["+String(t)+"] "+$join.call($concat.call("[cause]: "+inspect(t.cause),h),", ")+" }"}if("object"==typeof t&&i){if(inspectSymbol&&"function"==typeof t[inspectSymbol]&&utilInspect)return utilInspect(t,{depth:p-r});if("symbol"!==i&&"function"==typeof t.inspect)return t.inspect()}if(isMap(t)){var d=[];return mapForEach&&mapForEach.call(t,(function(e,r){d.push(inspect(r,t,!0)+" => "+inspect(e,t))})),collectionOf("Map",mapSize.call(t),d,u)}if(isSet(t)){var j=[];return setForEach&&setForEach.call(t,(function(e){j.push(inspect(e,t))})),collectionOf("Set",setSize.call(t),j,u)}if(isWeakMap(t))return weakCollectionOf("WeakMap");if(isWeakSet(t))return weakCollectionOf("WeakSet");if(isWeakRef(t))return weakCollectionOf("WeakRef");if(isNumber(t))return markBoxed(inspect(Number(t)));if(isBigInt(t))return markBoxed(inspect(bigIntValueOf.call(t)));if(isBoolean(t))return markBoxed(booleanValueOf.call(t));if(isString(t))return markBoxed(inspect(String(t)));if("undefined"!=typeof window&&t===window)return"{ [object Window] }";if("undefined"!=typeof globalThis&&t===globalThis||"undefined"!=typeof global&&t===global)return"{ [object globalThis] }";if(!isDate(t)&&!isRegExp(t)){var O=arrObjKeys(t,inspect),w=gPO?gPO(t)===Object.prototype:t instanceof Object||t.constructor===Object,$=t instanceof Object?"":"null prototype",k=!w&&toStringTag&&Object(t)===t&&toStringTag in t?$slice.call(toStr(t),8,-1):$?"Object":"",v=(w||"function"!=typeof t.constructor?"":t.constructor.name?t.constructor.name+" ":"")+(k||$?"["+$join.call($concat.call([],k||[],$||[]),": ")+"] ":"");return 0===O.length?v+"{}":u?v+"{"+indentedJoin(O,u)+"}":v+"{ "+$join.call(O,", ")+" }"}return String(t)};var hasOwn=Object.prototype.hasOwnProperty||function(t){return t in this};function has(t,e){return hasOwn.call(t,e)}function toStr(t){return objectToString.call(t)}function nameOf(t){if(t.name)return t.name;var e=$match.call(functionToString.call(t),/^function\s*([\w$]+)/);return e?e[1]:null}function indexOf(t,e){if(t.indexOf)return t.indexOf(e);for(var r=0,n=t.length;re.maxStringLength){var r=t.length-e.maxStringLength,n="... "+r+" more character"+(r>1?"s":"");return inspectString($slice.call(t,0,e.maxStringLength),e)+n}var o=quoteREs[e.quoteStyle||"single"];return o.lastIndex=0,wrapQuotes($replace.call($replace.call(t,o,"\\$1"),/[\x00-\x1f]/g,lowbyte),"single",e)}function lowbyte(t){var e=t.charCodeAt(0),r={8:"b",9:"t",10:"n",12:"f",13:"r"}[e];return r?"\\"+r:"\\x"+(e<16?"0":"")+$toUpperCase.call(e.toString(16))}function markBoxed(t){return"Object("+t+")"}function weakCollectionOf(t){return t+" { ? }"}function collectionOf(t,e,r,n){return t+" ("+e+") {"+(n?indentedJoin(r,n):$join.call(r,", "))+"}"}function singleLineValues(t){for(var e=0;e=0)return!1;return!0}function getIndent(t,e){var r;if("\t"===t.indent)r="\t";else{if(!("number"==typeof t.indent&&t.indent>0))return null;r=$join.call(Array(t.indent+1)," ")}return{base:r,prev:$join.call(Array(e+1),r)}}function indentedJoin(t,e){if(0===t.length)return"";var r="\n"+e.prev+e.base;return r+$join.call(t,","+r)+"\n"+e.prev}function arrObjKeys(t,e){var r=isArray(t),n=[];if(r){n.length=t.length;for(var o=0;o Date: Tue, 14 Jan 2025 13:34:37 -0800 Subject: [PATCH 26/40] [Fix] `parse`: when a custom decoder returns `null` for a key, ignore that key --- lib/parse.js | 34 +++++++++++++++++++--------------- test/parse.js | 14 ++++++++++++++ 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/lib/parse.js b/lib/parse.js index d25be001..bfba0fe1 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -108,16 +108,18 @@ var parseValues = function parseQueryStringValues(str, options) { } else { key = options.decoder(part.slice(0, pos), defaults.decoder, charset, 'key'); - val = utils.maybeMap( - parseArrayValue( - part.slice(pos + 1), - options, - isArray(obj[key]) ? obj[key].length : 0 - ), - function (encodedVal) { - return options.decoder(encodedVal, defaults.decoder, charset, 'value'); - } - ); + if (key !== null) { + val = utils.maybeMap( + parseArrayValue( + part.slice(pos + 1), + options, + isArray(obj[key]) ? obj[key].length : 0 + ), + function (encodedVal) { + return options.decoder(encodedVal, defaults.decoder, charset, 'value'); + } + ); + } } if (val && options.interpretNumericEntities && charset === 'iso-8859-1') { @@ -128,11 +130,13 @@ var parseValues = function parseQueryStringValues(str, options) { val = isArray(val) ? [val] : val; } - var existing = has.call(obj, key); - if (existing && options.duplicates === 'combine') { - obj[key] = utils.combine(obj[key], val); - } else if (!existing || options.duplicates === 'last') { - obj[key] = val; + if (key !== null) { + var existing = has.call(obj, key); + if (existing && options.duplicates === 'combine') { + obj[key] = utils.combine(obj[key], val); + } else if (!existing || options.duplicates === 'last') { + obj[key] = val; + } } } diff --git a/test/parse.js b/test/parse.js index 32cdfd8e..7361356d 100644 --- a/test/parse.js +++ b/test/parse.js @@ -996,6 +996,20 @@ test('parse()', function (t) { st.end(); }); + t.test('handles a custom decoder returning `null`, with a string key of `null`', function (st) { + st.deepEqual( + qs.parse('null=1&ToNull=2', { + decoder: function (str, defaultDecoder, charset) { + return str === 'ToNull' ? null : defaultDecoder(str, defaultDecoder, charset); + } + }), + { 'null': '1' }, + '"null" key is not overridden by `null` decoder result' + ); + + st.end(); + }); + t.test('does not interpret numeric entities in iso-8859-1 when `interpretNumericEntities` is absent', function (st) { st.deepEqual(qs.parse('foo=' + urlEncodedNumSmiley, { charset: 'iso-8859-1' }), { foo: '☺' }); st.end(); From 4749e6b1494a8067a0f29d61513a83ffc5c7762d Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 14 Jan 2025 14:00:36 -0800 Subject: [PATCH 27/40] [Tests] `stringify`: increase coverage --- test/stringify.js | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/test/stringify.js b/test/stringify.js index 72531441..4d776947 100644 --- a/test/stringify.js +++ b/test/stringify.js @@ -1293,13 +1293,17 @@ test('stringifies empty keys', function (t) { }); t.test('stringifies non-string keys', function (st) { - var actual = qs.stringify({ a: 'b', 'false': {} }, { - filter: ['a', false, null], + var S = Object('abc'); + S.toString = function () { + return 'd'; + }; + var actual = qs.stringify({ a: 'b', 'false': {}, 1e+22: 'c', d: 'e' }, { + filter: ['a', false, null, 10000000000000000000000, S], allowDots: true, encodeDotInKeys: true }); - st.equal(actual, 'a=b', 'stringifies correctly'); + st.equal(actual, 'a=b&1e%2B22=c&d=e', 'stringifies correctly'); st.end(); }); From c4dbde37a9bb35a241281800166eee9e2bc7b6f0 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 13 Feb 2025 21:00:54 -0800 Subject: [PATCH 28/40] [Dev Deps] update `es-value-fixtures`, `for-each`, `object-inspect` --- package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index e4144d08..78bdae36 100644 --- a/package.json +++ b/package.json @@ -41,10 +41,10 @@ "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", "eclint": "^2.8.1", - "es-value-fixtures": "^1.7.0", + "es-value-fixtures": "^1.7.1", "eslint": "=8.8.0", "evalmd": "^0.0.19", - "for-each": "^0.3.3", + "for-each": "^0.3.5", "glob": "=10.3.7", "has-bigints": "^1.1.0", "has-override-mistake": "^1.0.1", @@ -59,7 +59,7 @@ "module-deps": "^6.2.3", "npmignore": "^0.3.1", "nyc": "^10.3.2", - "object-inspect": "^1.13.3", + "object-inspect": "^1.13.4", "qs-iconv": "^1.0.4", "safe-publish-latest": "^2.0.0", "safer-buffer": "^2.1.2", From 049a6b384eec48a6c563870c70057a4a3b81e7a7 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Tue, 24 Jun 2025 16:04:53 -0700 Subject: [PATCH 29/40] [meta] add threat model --- .github/SECURITY.md | 11 ++++++ .github/THREAT_MODEL.md | 78 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 .github/SECURITY.md create mode 100644 .github/THREAT_MODEL.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..b499cb68 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,11 @@ +# Security + +Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report. + +## Incident Response Plan + +Please see our [Incident Response Plan](https://github.com/ljharb/.github/blob/main/INCIDENT_RESPONSE_PLAN.md). + +## Threat Model + +Please see [THREAT_MODEL.md](./THREAT_MODEL.md). diff --git a/.github/THREAT_MODEL.md b/.github/THREAT_MODEL.md new file mode 100644 index 00000000..7e6fef1a --- /dev/null +++ b/.github/THREAT_MODEL.md @@ -0,0 +1,78 @@ +## Threat Model for qs (querystring parsing library) + +### 1. Library Overview + +- **Library Name:** qs +- **Brief Description:** A JavaScript library for parsing and stringifying URL query strings, supporting nested objects and arrays. It is widely used in Node.js and web applications for processing query parameters[2][6][8]. +- **Key Public APIs/Functions:** `qs.parse()`, `qs.stringify()` + +### 2. Define Scope + +This threat model focuses on the core parsing and stringifying functionality, specifically the handling of nested objects and arrays, option validation, and cycle management in stringification. + +### 3. Conceptual System Diagram + +``` +Caller Application → qs.parse(input, options) → Parsing Engine → Output Object + │ + └→ Options Handling + +Caller Application → qs.stringify(obj, options) → Stringifying Engine → Output String + │ + └→ Options Handling + └→ Cycle Tracking +``` + +**Trust Boundaries:** +- **Input string (parse):** May come from untrusted sources (e.g., user input, network requests) +- **Input object (stringify):** May contain cycles, which can lead to infinite loops during stringification +- **Options:** Provided by the caller +- **Cycle Tracking:** Used only during stringification to detect and handle circular references + +### 4. Identify Assets + +- **Integrity of parsed output:** Prevent malicious manipulation of the output object structure, especially ensuring builtins/globals are not modified as a result of parse[3][4][8]. +- **Confidentiality of processed data:** Avoid leaking sensitive information through errors or output. +- **Availability/performance for host application:** Prevent crashes or resource exhaustion in the consuming application. +- **Security of host application:** Prevent the library from being a vector for attacks (e.g., prototype pollution, DoS). +- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1]. + +### 5. Identify Threats + +| Component / API / Interaction | S | T | R | I | D | E | +|---------------------------------------|----|----|----|----|----|----| +| Public API Call (`parse`) | – | ✓ | – | ✓ | ✓ | ✓ | +| Public API Call (`stringify`) | – | ✓ | – | ✓ | ✓ | – | +| Options Handling | ✓ | ✓ | – | ✓ | – | ✓ | +| Dependency Interaction | – | – | – | – | ✓ | – | + +**Key Threats:** +- **Tampering:** Malicious input can, if not prevented, alter parsed output (e.g., prototype pollution via `__proto__`, modification of builtins/globals)[3][4][8]. +- **Information Disclosure:** Error messages may expose internal details or sensitive data. +- **Denial of Service:** Large or malformed input can exhaust memory or CPU. +- **Elevation of Privilege:** Prototype pollution can lead to unintended privilege escalation in the host application[3][4][8]. + +### 6. Mitigation/Countermeasures + +| Threat Identified | Proposed Mitigation | +|---------------------------------------------------|---------------------| +| Tampering (malicious input, prototype pollution) | Strict input validation; keep `allowPrototypes: false` by default; use `plainObjects` for output; ensure builtins/globals are never modified by parse[4][8]. | +| Information Disclosure (error messages) | Generic error messages without stack traces or internal paths. | +| Denial of Service (memory/CPU exhaustion) | Enforce `arrayLimit` and `parameterLimit` with safe defaults; enable `throwOnLimitExceeded`; limit nesting depth[7]. | +| Elevation of Privilege (prototype pollution) | Keep `allowPrototypes: false`; validate options against allowlist; use `plainObjects` to avoid prototype pollution[4][8]. | + +### 7. Risk Ranking + +- **High:** Denial of Service via array parsing or malformed input (historical vulnerability) +- **Medium:** Prototype pollution via options or input (if `allowPrototypes` enabled) +- **Low:** Information disclosure in errors + +### 8. Next Steps & Review + +1. **Audit option validation logic.** +2. **Add depth limiting to nested parsing and stringification.** +3. **Implement fuzz testing for parser and stringifier edge cases.** +4. **Regularly review dependencies for vulnerabilities.** +5. **Keep documentation and threat model up to date.** +6. **Ensure builtins/globals are never modified as a result of parse.** +7. **Support round-trip consistency between parse and stringify as a non-security goal, with the right options[5][9].** From e8b32388dd8d095def77f5f21d3fdb7ca0c49cbc Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Sat, 28 Jun 2025 20:48:36 +0800 Subject: [PATCH 30/40] [Dev Deps] update `@ljharb/eslint-config` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 78bdae36..5b09dc18 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "devDependencies": { "@browserify/envify": "^6.0.0", "@browserify/uglifyify": "^6.0.0", - "@ljharb/eslint-config": "^21.1.1", + "@ljharb/eslint-config": "^21.2.0", "browserify": "^16.5.2", "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", From 973dc3c51c86da9f4e30edeb4b1725158d439102 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 3 Dec 2025 08:51:43 -0800 Subject: [PATCH 31/40] [actions] add workflow permissions --- .github/workflows/rebase.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index b9e1712f..a7740531 100644 --- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml @@ -2,6 +2,9 @@ name: Automatic Rebase on: [pull_request_target] +permissions: + contents: read + jobs: _: uses: ljharb/actions/.github/workflows/rebase.yml@main From 6e94d9596ca50dffafcef40a5f64eca89962cf34 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 3 Dec 2025 10:28:05 -0800 Subject: [PATCH 32/40] [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `npmignore` --- .eslintrc | 39 --------------------------------- eslint.config.mjs | 56 +++++++++++++++++++++++++++++++++++++++++++++++ package.json | 6 ++--- 3 files changed, 59 insertions(+), 42 deletions(-) delete mode 100644 .eslintrc create mode 100644 eslint.config.mjs diff --git a/.eslintrc b/.eslintrc deleted file mode 100644 index a89f60e6..00000000 --- a/.eslintrc +++ /dev/null @@ -1,39 +0,0 @@ -{ - "root": true, - - "extends": "@ljharb", - - "ignorePatterns": [ - "dist/", - ], - - "rules": { - "complexity": 0, - "consistent-return": 1, - "func-name-matching": 0, - "id-length": [2, { "min": 1, "max": 25, "properties": "never" }], - "indent": [2, 4], - "max-lines": 0, - "max-lines-per-function": [2, { "max": 150 }], - "max-params": [2, 18], - "max-statements": [2, 100], - "multiline-comment-style": 0, - "no-continue": 1, - "no-magic-numbers": 0, - "no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"], - }, - - "overrides": [ - { - "files": "test/**", - "rules": { - "function-paren-newline": 0, - "max-lines-per-function": 0, - "max-statements": 0, - "no-buffer-constructor": 0, - "no-extend-native": 0, - "no-throw-literal": 0, - }, - }, - ], -} diff --git a/eslint.config.mjs b/eslint.config.mjs new file mode 100644 index 00000000..bdde6e94 --- /dev/null +++ b/eslint.config.mjs @@ -0,0 +1,56 @@ +import ljharbConfig from '@ljharb/eslint-config/flat'; + +export default [ + { + ignores: ['dist/'], + }, + + ...ljharbConfig, + + { + rules: { + complexity: 'off', + 'consistent-return': 'warn', + 'func-name-matching': 'off', + 'id-length': [ + 'error', + { + max: 25, + min: 1, + properties: 'never', + }, + ], + indent: ['error', 4], + 'max-lines': 'off', + 'max-lines-per-function': [ + 'error', + { max: 150 }, + ], + 'max-params': ['error', 18], + 'max-statements': ['error', 100], + 'multiline-comment-style': 'off', + 'no-continue': 'warn', + 'no-magic-numbers': 'off', + 'no-restricted-syntax': [ + 'error', + 'BreakStatement', + 'DebuggerStatement', + 'ForInStatement', + 'LabeledStatement', + 'WithStatement', + ], + }, + }, + + { + files: ['test/**'], + rules: { + 'function-paren-newline': 'off', + 'max-lines-per-function': 'off', + 'max-statements': 'off', + 'no-buffer-constructor': 'off', + 'no-extend-native': 'off', + 'no-throw-literal': 'off', + }, + }, +]; diff --git a/package.json b/package.json index 5b09dc18..d4e70abf 100644 --- a/package.json +++ b/package.json @@ -36,13 +36,13 @@ "devDependencies": { "@browserify/envify": "^6.0.0", "@browserify/uglifyify": "^6.0.0", - "@ljharb/eslint-config": "^21.2.0", + "@ljharb/eslint-config": "^22.0.1", "browserify": "^16.5.2", "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", "eclint": "^2.8.1", "es-value-fixtures": "^1.7.1", - "eslint": "=8.8.0", + "eslint": "^9.39.1", "evalmd": "^0.0.19", "for-each": "^0.3.5", "glob": "=10.3.7", @@ -57,7 +57,7 @@ "mkdirp": "^0.5.5", "mock-property": "^1.1.0", "module-deps": "^6.2.3", - "npmignore": "^0.3.1", + "npmignore": "^0.3.2", "nyc": "^10.3.2", "object-inspect": "^1.13.4", "qs-iconv": "^1.0.4", From f4b3d39709fef6ddbd85128d1ba4c6b566c4902e Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 3 Dec 2025 14:19:43 -0800 Subject: [PATCH 33/40] [eslint] add eslint 9 optional peer dep --- dist/qs.js | 34 +++++++++++++++++----------------- package.json | 1 + 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/dist/qs.js b/dist/qs.js index f37989a5..05ed9a83 100644 --- a/dist/qs.js +++ b/dist/qs.js @@ -5,13 +5,13 @@ "use strict";var stringify=require(4),parse=require(3),formats=require(1);module.exports={formats:formats,parse:parse,stringify:stringify}; },{"1":1,"3":3,"4":4}],3:[function(require,module,exports){ -"use strict";var utils=require(5),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,defaults={allowDots:!1,allowEmptyArrays:!1,allowPrototypes:!1,allowSparse:!1,arrayLimit:20,charset:"utf-8",charsetSentinel:!1,comma:!1,decodeDotInKeys:!1,decoder:utils.decode,delimiter:"&",depth:5,duplicates:"combine",ignoreQueryPrefix:!1,interpretNumericEntities:!1,parameterLimit:1e3,parseArrays:!0,plainObjects:!1,strictDepth:!1,strictNullHandling:!1,throwOnLimitExceeded:!1},interpretNumericEntities=function(e){return e.replace(/&#(\d+);/g,(function(e,t){return String.fromCharCode(parseInt(t,10))}))},parseArrayValue=function(e,t,r){if(e&&"string"==typeof e&&t.comma&&e.indexOf(",")>-1)return e.split(",");if(t.throwOnLimitExceeded&&r>=t.arrayLimit)throw new RangeError("Array limit exceeded. Only "+t.arrayLimit+" element"+(1===t.arrayLimit?"":"s")+" allowed in an array.");return e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},i=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;i=i.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var a=t.parameterLimit===1/0?void 0:t.parameterLimit,o=i.split(t.delimiter,t.throwOnLimitExceeded?a+1:a);if(t.throwOnLimitExceeded&&o.length>a)throw new RangeError("Parameter limit exceeded. Only "+a+" parameter"+(1===a?"":"s")+" allowed.");var l,n=-1,s=t.charset;if(t.charsetSentinel)for(l=0;l-1&&(p=isArray(p)?[p]:p);var f=has.call(r,d);f&&"combine"===t.duplicates?r[d]=utils.combine(r[d],p):f&&"last"!==t.duplicates||(r[d]=p)}return r},parseObject=function(e,t,r,i){var a=0;if(e.length>0&&"[]"===e[e.length-1]){var o=e.slice(0,-1).join("");a=Array.isArray(t)&&t[o]?t[o].length:0}for(var l=i?t:parseArrayValue(t,r,a),n=e.length-1;n>=0;--n){var s,d=e[n];if("[]"===d&&r.parseArrays)s=r.allowEmptyArrays&&(""===l||r.strictNullHandling&&null===l)?[]:utils.combine([],l);else{s=r.plainObjects?{__proto__:null}:{};var p="["===d.charAt(0)&&"]"===d.charAt(d.length-1)?d.slice(1,-1):d,c=r.decodeDotInKeys?p.replace(/%2E/g,"."):p,u=parseInt(c,10);r.parseArrays||""!==c?!isNaN(u)&&d!==c&&String(u)===c&&u>=0&&r.parseArrays&&u<=r.arrayLimit?(s=[])[u]=l:"__proto__"!==c&&(s[c]=l):s={0:l}}l=s}return l},parseKeys=function parseQueryStringKeys(e,t,r,i){if(e){var a=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(a),n=l?a.slice(0,l.index):a,s=[];if(n){if(!r.plainObjects&&has.call(Object.prototype,n)&&!r.allowPrototypes)return;s.push(n)}for(var d=0;r.depth>0&&null!==(l=o.exec(a))&&d-1)return e.split(",");if(t.throwOnLimitExceeded&&r>=t.arrayLimit)throw new RangeError("Array limit exceeded. Only "+t.arrayLimit+" element"+(1===t.arrayLimit?"":"s")+" allowed in an array.");return e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},i=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;i=i.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var a=t.parameterLimit===1/0?void 0:t.parameterLimit,o=i.split(t.delimiter,t.throwOnLimitExceeded?a+1:a);if(t.throwOnLimitExceeded&&o.length>a)throw new RangeError("Parameter limit exceeded. Only "+a+" parameter"+(1===a?"":"s")+" allowed.");var l,n=-1,s=t.charset;if(t.charsetSentinel)for(l=0;l-1&&(p=isArray(p)?[p]:p),null!==d){var f=has.call(r,d);f&&"combine"===t.duplicates?r[d]=utils.combine(r[d],p):f&&"last"!==t.duplicates||(r[d]=p)}}return r},parseObject=function(e,t,r,i){var a=0;if(e.length>0&&"[]"===e[e.length-1]){var o=e.slice(0,-1).join("");a=Array.isArray(t)&&t[o]?t[o].length:0}for(var l=i?t:parseArrayValue(t,r,a),n=e.length-1;n>=0;--n){var s,d=e[n];if("[]"===d&&r.parseArrays)s=r.allowEmptyArrays&&(""===l||r.strictNullHandling&&null===l)?[]:utils.combine([],l);else{s=r.plainObjects?{__proto__:null}:{};var p="["===d.charAt(0)&&"]"===d.charAt(d.length-1)?d.slice(1,-1):d,c=r.decodeDotInKeys?p.replace(/%2E/g,"."):p,u=parseInt(c,10);r.parseArrays||""!==c?!isNaN(u)&&d!==c&&String(u)===c&&u>=0&&r.parseArrays&&u<=r.arrayLimit?(s=[])[u]=l:"__proto__"!==c&&(s[c]=l):s={0:l}}l=s}return l},parseKeys=function parseQueryStringKeys(e,t,r,i){if(e){var a=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(a),n=l?a.slice(0,l.index):a,s=[];if(n){if(!r.plainObjects&&has.call(Object.prototype,n)&&!r.allowPrototypes)return;s.push(n)}for(var d=0;r.depth>0&&null!==(l=o.exec(a))&&d0?g.join(",")||null:void 0}];else if(isArray(f))S=f;else{var N=Object.keys(g);S=u?N.sort(u):N}var T=l?String(r).replace(/\./g,"%2E"):String(r),O=o&&isArray(g)&&1===g.length?T+"[]":T;if(a&&isArray(g)&&0===g.length)return O+"[]";for(var k=0;k0?c+y:""}; +"use strict";var getSideChannel=require(46),utils=require(5),formats=require(1),has=Object.prototype.hasOwnProperty,arrayPrefixGenerators={brackets:function brackets(e){return e+"[]"},comma:"comma",indices:function indices(e,r){return e+"["+r+"]"},repeat:function repeat(e){return e}},isArray=Array.isArray,push=Array.prototype.push,pushToArray=function(e,r){push.apply(e,isArray(r)?r:[r])},toISO=Date.prototype.toISOString,defaultFormat=formats.default,defaults={addQueryPrefix:!1,allowDots:!1,allowEmptyArrays:!1,arrayFormat:"indices",charset:"utf-8",charsetSentinel:!1,commaRoundTrip:!1,delimiter:"&",encode:!0,encodeDotInKeys:!1,encoder:utils.encode,encodeValuesOnly:!1,filter:void 0,format:defaultFormat,formatter:formats.formatters[defaultFormat],indices:!1,serializeDate:function serializeDate(e){return toISO.call(e)},skipNulls:!1,strictNullHandling:!1},isNonNullishPrimitive=function isNonNullishPrimitive(e){return"string"==typeof e||"number"==typeof e||"boolean"==typeof e||"symbol"==typeof e||"bigint"==typeof e},sentinel={},stringify=function stringify(e,r,t,o,a,n,i,l,s,f,u,d,y,c,p,m,h,v){for(var g=e,w=v,b=0,A=!1;void 0!==(w=w.get(sentinel))&&!A;){var D=w.get(e);if(b+=1,void 0!==D){if(D===b)throw new RangeError("Cyclic object value");A=!0}void 0===w.get(sentinel)&&(b=0)}if("function"==typeof f?g=f(r,g):g instanceof Date?g=y(g):"comma"===t&&isArray(g)&&(g=utils.maybeMap(g,function(e){return e instanceof Date?y(e):e})),null===g){if(n)return s&&!m?s(r,defaults.encoder,h,"key",c):r;g=""}if(isNonNullishPrimitive(g)||utils.isBuffer(g))return s?[p(m?r:s(r,defaults.encoder,h,"key",c))+"="+p(s(g,defaults.encoder,h,"value",c))]:[p(r)+"="+p(String(g))];var S,E=[];if(void 0===g)return E;if("comma"===t&&isArray(g))m&&s&&(g=utils.maybeMap(g,s)),S=[{value:g.length>0?g.join(",")||null:void 0}];else if(isArray(f))S=f;else{var N=Object.keys(g);S=u?N.sort(u):N}var T=l?String(r).replace(/\./g,"%2E"):String(r),O=o&&isArray(g)&&1===g.length?T+"[]":T;if(a&&isArray(g)&&0===g.length)return O+"[]";for(var k=0;k0?c+y:""}; },{"1":1,"46":46,"5":5}],5:[function(require,module,exports){ -"use strict";var formats=require(1),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,hexTable=function(){for(var e=[],r=0;r<256;++r)e.push("%"+((r<16?"0":"")+r.toString(16)).toUpperCase());return e}(),compactQueue=function compactQueue(e){for(;e.length>1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,p=[],f=0;f=48&&s<=57||s>=65&&s<=90||s>=97&&s<=122||n===formats.RFC1738&&(40===s||41===s)?p[p.length]=u.charAt(f):s<128?p[p.length]=hexTable[s]:s<2048?p[p.length]=hexTable[192|s>>6]+hexTable[128|63&s]:s<55296||s>=57344?p[p.length]=hexTable[224|s>>12]+hexTable[128|s>>6&63]+hexTable[128|63&s]:(f+=1,s=65536+((1023&s)<<10|1023&u.charCodeAt(f)),p[p.length]=hexTable[240|s>>18]+hexTable[128|s>>12&63]+hexTable[128|s>>6&63]+hexTable[128|63&s])}c+=p.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;o1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,p=[],f=0;f=48&&s<=57||s>=65&&s<=90||s>=97&&s<=122||n===formats.RFC1738&&(40===s||41===s)?p[p.length]=u.charAt(f):s<128?p[p.length]=hexTable[s]:s<2048?p[p.length]=hexTable[192|s>>6]+hexTable[128|63&s]:s<55296||s>=57344?p[p.length]=hexTable[224|s>>12]+hexTable[128|s>>6&63]+hexTable[128|63&s]:(f+=1,s=65536+((1023&s)<<10|1023&u.charCodeAt(f)),p[p.length]=hexTable[240|s>>18]+hexTable[128|s>>12&63]+hexTable[128|s>>6&63]+hexTable[128|63&s])}c+=p.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;o-1?callBindBasic([t]):t}; },{"10":10,"25":25}],25:[function(require,module,exports){ -"use strict";var undefined,$Object=require(22),$Error=require(16),$EvalError=require(15),$RangeError=require(17),$ReferenceError=require(18),$SyntaxError=require(19),$TypeError=require(20),$URIError=require(21),abs=require(34),floor=require(35),max=require(37),min=require(38),pow=require(39),round=require(40),sign=require(41),$Function=Function,getEvalledConstructor=function(r){try{return $Function('"use strict"; return ('+r+").constructor;")()}catch(r){}},$gOPD=require(30),$defineProperty=require(14),throwTypeError=function(){throw new $TypeError},ThrowTypeError=$gOPD?function(){try{return throwTypeError}catch(r){try{return $gOPD(arguments,"callee").get}catch(r){return throwTypeError}}}():throwTypeError,hasSymbols=require(31)(),getProto=require(28),$ObjectGPO=require(26),$ReflectGPO=require(27),$apply=require(8),$call=require(9),needsEval={},TypedArray="undefined"!=typeof Uint8Array&&getProto?getProto(Uint8Array):undefined,INTRINSICS={__proto__:null,"%AggregateError%":"undefined"==typeof AggregateError?undefined:AggregateError,"%Array%":Array,"%ArrayBuffer%":"undefined"==typeof ArrayBuffer?undefined:ArrayBuffer,"%ArrayIteratorPrototype%":hasSymbols&&getProto?getProto([][Symbol.iterator]()):undefined,"%AsyncFromSyncIteratorPrototype%":undefined,"%AsyncFunction%":needsEval,"%AsyncGenerator%":needsEval,"%AsyncGeneratorFunction%":needsEval,"%AsyncIteratorPrototype%":needsEval,"%Atomics%":"undefined"==typeof Atomics?undefined:Atomics,"%BigInt%":"undefined"==typeof BigInt?undefined:BigInt,"%BigInt64Array%":"undefined"==typeof BigInt64Array?undefined:BigInt64Array,"%BigUint64Array%":"undefined"==typeof BigUint64Array?undefined:BigUint64Array,"%Boolean%":Boolean,"%DataView%":"undefined"==typeof DataView?undefined:DataView,"%Date%":Date,"%decodeURI%":decodeURI,"%decodeURIComponent%":decodeURIComponent,"%encodeURI%":encodeURI,"%encodeURIComponent%":encodeURIComponent,"%Error%":$Error,"%eval%":eval,"%EvalError%":$EvalError,"%Float32Array%":"undefined"==typeof Float32Array?undefined:Float32Array,"%Float64Array%":"undefined"==typeof Float64Array?undefined:Float64Array,"%FinalizationRegistry%":"undefined"==typeof FinalizationRegistry?undefined:FinalizationRegistry,"%Function%":$Function,"%GeneratorFunction%":needsEval,"%Int8Array%":"undefined"==typeof Int8Array?undefined:Int8Array,"%Int16Array%":"undefined"==typeof Int16Array?undefined:Int16Array,"%Int32Array%":"undefined"==typeof Int32Array?undefined:Int32Array,"%isFinite%":isFinite,"%isNaN%":isNaN,"%IteratorPrototype%":hasSymbols&&getProto?getProto(getProto([][Symbol.iterator]())):undefined,"%JSON%":"object"==typeof JSON?JSON:undefined,"%Map%":"undefined"==typeof Map?undefined:Map,"%MapIteratorPrototype%":"undefined"!=typeof Map&&hasSymbols&&getProto?getProto((new Map)[Symbol.iterator]()):undefined,"%Math%":Math,"%Number%":Number,"%Object%":$Object,"%Object.getOwnPropertyDescriptor%":$gOPD,"%parseFloat%":parseFloat,"%parseInt%":parseInt,"%Promise%":"undefined"==typeof Promise?undefined:Promise,"%Proxy%":"undefined"==typeof Proxy?undefined:Proxy,"%RangeError%":$RangeError,"%ReferenceError%":$ReferenceError,"%Reflect%":"undefined"==typeof Reflect?undefined:Reflect,"%RegExp%":RegExp,"%Set%":"undefined"==typeof Set?undefined:Set,"%SetIteratorPrototype%":"undefined"!=typeof Set&&hasSymbols&&getProto?getProto((new Set)[Symbol.iterator]()):undefined,"%SharedArrayBuffer%":"undefined"==typeof SharedArrayBuffer?undefined:SharedArrayBuffer,"%String%":String,"%StringIteratorPrototype%":hasSymbols&&getProto?getProto(""[Symbol.iterator]()):undefined,"%Symbol%":hasSymbols?Symbol:undefined,"%SyntaxError%":$SyntaxError,"%ThrowTypeError%":ThrowTypeError,"%TypedArray%":TypedArray,"%TypeError%":$TypeError,"%Uint8Array%":"undefined"==typeof Uint8Array?undefined:Uint8Array,"%Uint8ClampedArray%":"undefined"==typeof Uint8ClampedArray?undefined:Uint8ClampedArray,"%Uint16Array%":"undefined"==typeof Uint16Array?undefined:Uint16Array,"%Uint32Array%":"undefined"==typeof Uint32Array?undefined:Uint32Array,"%URIError%":$URIError,"%WeakMap%":"undefined"==typeof WeakMap?undefined:WeakMap,"%WeakRef%":"undefined"==typeof WeakRef?undefined:WeakRef,"%WeakSet%":"undefined"==typeof WeakSet?undefined:WeakSet,"%Function.prototype.call%":$call,"%Function.prototype.apply%":$apply,"%Object.defineProperty%":$defineProperty,"%Object.getPrototypeOf%":$ObjectGPO,"%Math.abs%":abs,"%Math.floor%":floor,"%Math.max%":max,"%Math.min%":min,"%Math.pow%":pow,"%Math.round%":round,"%Math.sign%":sign,"%Reflect.getPrototypeOf%":$ReflectGPO};if(getProto)try{null.error}catch(r){var errorProto=getProto(getProto(r));INTRINSICS["%Error.prototype%"]=errorProto}var doEval=function doEval(r){var e;if("%AsyncFunction%"===r)e=getEvalledConstructor("async function () {}");else if("%GeneratorFunction%"===r)e=getEvalledConstructor("function* () {}");else if("%AsyncGeneratorFunction%"===r)e=getEvalledConstructor("async function* () {}");else if("%AsyncGenerator%"===r){var t=doEval("%AsyncGeneratorFunction%");t&&(e=t.prototype)}else if("%AsyncIteratorPrototype%"===r){var o=doEval("%AsyncGenerator%");o&&getProto&&(e=getProto(o.prototype))}return INTRINSICS[r]=e,e},LEGACY_ALIASES={__proto__:null,"%ArrayBufferPrototype%":["ArrayBuffer","prototype"],"%ArrayPrototype%":["Array","prototype"],"%ArrayProto_entries%":["Array","prototype","entries"],"%ArrayProto_forEach%":["Array","prototype","forEach"],"%ArrayProto_keys%":["Array","prototype","keys"],"%ArrayProto_values%":["Array","prototype","values"],"%AsyncFunctionPrototype%":["AsyncFunction","prototype"],"%AsyncGenerator%":["AsyncGeneratorFunction","prototype"],"%AsyncGeneratorPrototype%":["AsyncGeneratorFunction","prototype","prototype"],"%BooleanPrototype%":["Boolean","prototype"],"%DataViewPrototype%":["DataView","prototype"],"%DatePrototype%":["Date","prototype"],"%ErrorPrototype%":["Error","prototype"],"%EvalErrorPrototype%":["EvalError","prototype"],"%Float32ArrayPrototype%":["Float32Array","prototype"],"%Float64ArrayPrototype%":["Float64Array","prototype"],"%FunctionPrototype%":["Function","prototype"],"%Generator%":["GeneratorFunction","prototype"],"%GeneratorPrototype%":["GeneratorFunction","prototype","prototype"],"%Int8ArrayPrototype%":["Int8Array","prototype"],"%Int16ArrayPrototype%":["Int16Array","prototype"],"%Int32ArrayPrototype%":["Int32Array","prototype"],"%JSONParse%":["JSON","parse"],"%JSONStringify%":["JSON","stringify"],"%MapPrototype%":["Map","prototype"],"%NumberPrototype%":["Number","prototype"],"%ObjectPrototype%":["Object","prototype"],"%ObjProto_toString%":["Object","prototype","toString"],"%ObjProto_valueOf%":["Object","prototype","valueOf"],"%PromisePrototype%":["Promise","prototype"],"%PromiseProto_then%":["Promise","prototype","then"],"%Promise_all%":["Promise","all"],"%Promise_reject%":["Promise","reject"],"%Promise_resolve%":["Promise","resolve"],"%RangeErrorPrototype%":["RangeError","prototype"],"%ReferenceErrorPrototype%":["ReferenceError","prototype"],"%RegExpPrototype%":["RegExp","prototype"],"%SetPrototype%":["Set","prototype"],"%SharedArrayBufferPrototype%":["SharedArrayBuffer","prototype"],"%StringPrototype%":["String","prototype"],"%SymbolPrototype%":["Symbol","prototype"],"%SyntaxErrorPrototype%":["SyntaxError","prototype"],"%TypedArrayPrototype%":["TypedArray","prototype"],"%TypeErrorPrototype%":["TypeError","prototype"],"%Uint8ArrayPrototype%":["Uint8Array","prototype"],"%Uint8ClampedArrayPrototype%":["Uint8ClampedArray","prototype"],"%Uint16ArrayPrototype%":["Uint16Array","prototype"],"%Uint32ArrayPrototype%":["Uint32Array","prototype"],"%URIErrorPrototype%":["URIError","prototype"],"%WeakMapPrototype%":["WeakMap","prototype"],"%WeakSetPrototype%":["WeakSet","prototype"]},bind=require(24),hasOwn=require(33),$concat=bind.call($call,Array.prototype.concat),$spliceApply=bind.call($apply,Array.prototype.splice),$replace=bind.call($call,String.prototype.replace),$strSlice=bind.call($call,String.prototype.slice),$exec=bind.call($call,RegExp.prototype.exec),rePropName=/[^%.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|%$))/g,reEscapeChar=/\\(\\)?/g,stringToPath=function stringToPath(r){var e=$strSlice(r,0,1),t=$strSlice(r,-1);if("%"===e&&"%"!==t)throw new $SyntaxError("invalid intrinsic syntax, expected closing `%`");if("%"===t&&"%"!==e)throw new $SyntaxError("invalid intrinsic syntax, expected opening `%`");var o=[];return $replace(r,rePropName,(function(r,e,t,n){o[o.length]=t?$replace(n,reEscapeChar,"$1"):e||r})),o},getBaseIntrinsic=function getBaseIntrinsic(r,e){var t,o=r;if(hasOwn(LEGACY_ALIASES,o)&&(o="%"+(t=LEGACY_ALIASES[o])[0]+"%"),hasOwn(INTRINSICS,o)){var n=INTRINSICS[o];if(n===needsEval&&(n=doEval(o)),void 0===n&&!e)throw new $TypeError("intrinsic "+r+" exists, but is not available. Please file an issue!");return{alias:t,name:o,value:n}}throw new $SyntaxError("intrinsic "+r+" does not exist!")};module.exports=function GetIntrinsic(r,e){if("string"!=typeof r||0===r.length)throw new $TypeError("intrinsic name must be a non-empty string");if(arguments.length>1&&"boolean"!=typeof e)throw new $TypeError('"allowMissing" argument must be a boolean');if(null===$exec(/^%?[^%]*%?$/,r))throw new $SyntaxError("`%` may not be present anywhere but at the beginning and end of the intrinsic name");var t=stringToPath(r),o=t.length>0?t[0]:"",n=getBaseIntrinsic("%"+o+"%",e),a=n.name,i=n.value,y=!1,p=n.alias;p&&(o=p[0],$spliceApply(t,$concat([0,1],p)));for(var s=1,d=!0;s=t.length){var c=$gOPD(i,f);i=(d=!!c)&&"get"in c&&!("originalValue"in c.get)?c.get:i[f]}else d=hasOwn(i,f),i=i[f];d&&!y&&(INTRINSICS[a]=i)}}return i}; +"use strict";var undefined,$Object=require(22),$Error=require(16),$EvalError=require(15),$RangeError=require(17),$ReferenceError=require(18),$SyntaxError=require(19),$TypeError=require(20),$URIError=require(21),abs=require(34),floor=require(35),max=require(37),min=require(38),pow=require(39),round=require(40),sign=require(41),$Function=Function,getEvalledConstructor=function(r){try{return $Function('"use strict"; return ('+r+").constructor;")()}catch(r){}},$gOPD=require(30),$defineProperty=require(14),throwTypeError=function(){throw new $TypeError},ThrowTypeError=$gOPD?function(){try{return throwTypeError}catch(r){try{return $gOPD(arguments,"callee").get}catch(r){return throwTypeError}}}():throwTypeError,hasSymbols=require(31)(),getProto=require(28),$ObjectGPO=require(26),$ReflectGPO=require(27),$apply=require(8),$call=require(9),needsEval={},TypedArray="undefined"!=typeof Uint8Array&&getProto?getProto(Uint8Array):undefined,INTRINSICS={__proto__:null,"%AggregateError%":"undefined"==typeof AggregateError?undefined:AggregateError,"%Array%":Array,"%ArrayBuffer%":"undefined"==typeof ArrayBuffer?undefined:ArrayBuffer,"%ArrayIteratorPrototype%":hasSymbols&&getProto?getProto([][Symbol.iterator]()):undefined,"%AsyncFromSyncIteratorPrototype%":undefined,"%AsyncFunction%":needsEval,"%AsyncGenerator%":needsEval,"%AsyncGeneratorFunction%":needsEval,"%AsyncIteratorPrototype%":needsEval,"%Atomics%":"undefined"==typeof Atomics?undefined:Atomics,"%BigInt%":"undefined"==typeof BigInt?undefined:BigInt,"%BigInt64Array%":"undefined"==typeof BigInt64Array?undefined:BigInt64Array,"%BigUint64Array%":"undefined"==typeof BigUint64Array?undefined:BigUint64Array,"%Boolean%":Boolean,"%DataView%":"undefined"==typeof DataView?undefined:DataView,"%Date%":Date,"%decodeURI%":decodeURI,"%decodeURIComponent%":decodeURIComponent,"%encodeURI%":encodeURI,"%encodeURIComponent%":encodeURIComponent,"%Error%":$Error,"%eval%":eval,"%EvalError%":$EvalError,"%Float16Array%":"undefined"==typeof Float16Array?undefined:Float16Array,"%Float32Array%":"undefined"==typeof Float32Array?undefined:Float32Array,"%Float64Array%":"undefined"==typeof Float64Array?undefined:Float64Array,"%FinalizationRegistry%":"undefined"==typeof FinalizationRegistry?undefined:FinalizationRegistry,"%Function%":$Function,"%GeneratorFunction%":needsEval,"%Int8Array%":"undefined"==typeof Int8Array?undefined:Int8Array,"%Int16Array%":"undefined"==typeof Int16Array?undefined:Int16Array,"%Int32Array%":"undefined"==typeof Int32Array?undefined:Int32Array,"%isFinite%":isFinite,"%isNaN%":isNaN,"%IteratorPrototype%":hasSymbols&&getProto?getProto(getProto([][Symbol.iterator]())):undefined,"%JSON%":"object"==typeof JSON?JSON:undefined,"%Map%":"undefined"==typeof Map?undefined:Map,"%MapIteratorPrototype%":"undefined"!=typeof Map&&hasSymbols&&getProto?getProto((new Map)[Symbol.iterator]()):undefined,"%Math%":Math,"%Number%":Number,"%Object%":$Object,"%Object.getOwnPropertyDescriptor%":$gOPD,"%parseFloat%":parseFloat,"%parseInt%":parseInt,"%Promise%":"undefined"==typeof Promise?undefined:Promise,"%Proxy%":"undefined"==typeof Proxy?undefined:Proxy,"%RangeError%":$RangeError,"%ReferenceError%":$ReferenceError,"%Reflect%":"undefined"==typeof Reflect?undefined:Reflect,"%RegExp%":RegExp,"%Set%":"undefined"==typeof Set?undefined:Set,"%SetIteratorPrototype%":"undefined"!=typeof Set&&hasSymbols&&getProto?getProto((new Set)[Symbol.iterator]()):undefined,"%SharedArrayBuffer%":"undefined"==typeof SharedArrayBuffer?undefined:SharedArrayBuffer,"%String%":String,"%StringIteratorPrototype%":hasSymbols&&getProto?getProto(""[Symbol.iterator]()):undefined,"%Symbol%":hasSymbols?Symbol:undefined,"%SyntaxError%":$SyntaxError,"%ThrowTypeError%":ThrowTypeError,"%TypedArray%":TypedArray,"%TypeError%":$TypeError,"%Uint8Array%":"undefined"==typeof Uint8Array?undefined:Uint8Array,"%Uint8ClampedArray%":"undefined"==typeof Uint8ClampedArray?undefined:Uint8ClampedArray,"%Uint16Array%":"undefined"==typeof Uint16Array?undefined:Uint16Array,"%Uint32Array%":"undefined"==typeof Uint32Array?undefined:Uint32Array,"%URIError%":$URIError,"%WeakMap%":"undefined"==typeof WeakMap?undefined:WeakMap,"%WeakRef%":"undefined"==typeof WeakRef?undefined:WeakRef,"%WeakSet%":"undefined"==typeof WeakSet?undefined:WeakSet,"%Function.prototype.call%":$call,"%Function.prototype.apply%":$apply,"%Object.defineProperty%":$defineProperty,"%Object.getPrototypeOf%":$ObjectGPO,"%Math.abs%":abs,"%Math.floor%":floor,"%Math.max%":max,"%Math.min%":min,"%Math.pow%":pow,"%Math.round%":round,"%Math.sign%":sign,"%Reflect.getPrototypeOf%":$ReflectGPO};if(getProto)try{null.error}catch(r){var errorProto=getProto(getProto(r));INTRINSICS["%Error.prototype%"]=errorProto}var doEval=function doEval(r){var e;if("%AsyncFunction%"===r)e=getEvalledConstructor("async function () {}");else if("%GeneratorFunction%"===r)e=getEvalledConstructor("function* () {}");else if("%AsyncGeneratorFunction%"===r)e=getEvalledConstructor("async function* () {}");else if("%AsyncGenerator%"===r){var t=doEval("%AsyncGeneratorFunction%");t&&(e=t.prototype)}else if("%AsyncIteratorPrototype%"===r){var o=doEval("%AsyncGenerator%");o&&getProto&&(e=getProto(o.prototype))}return INTRINSICS[r]=e,e},LEGACY_ALIASES={__proto__:null,"%ArrayBufferPrototype%":["ArrayBuffer","prototype"],"%ArrayPrototype%":["Array","prototype"],"%ArrayProto_entries%":["Array","prototype","entries"],"%ArrayProto_forEach%":["Array","prototype","forEach"],"%ArrayProto_keys%":["Array","prototype","keys"],"%ArrayProto_values%":["Array","prototype","values"],"%AsyncFunctionPrototype%":["AsyncFunction","prototype"],"%AsyncGenerator%":["AsyncGeneratorFunction","prototype"],"%AsyncGeneratorPrototype%":["AsyncGeneratorFunction","prototype","prototype"],"%BooleanPrototype%":["Boolean","prototype"],"%DataViewPrototype%":["DataView","prototype"],"%DatePrototype%":["Date","prototype"],"%ErrorPrototype%":["Error","prototype"],"%EvalErrorPrototype%":["EvalError","prototype"],"%Float32ArrayPrototype%":["Float32Array","prototype"],"%Float64ArrayPrototype%":["Float64Array","prototype"],"%FunctionPrototype%":["Function","prototype"],"%Generator%":["GeneratorFunction","prototype"],"%GeneratorPrototype%":["GeneratorFunction","prototype","prototype"],"%Int8ArrayPrototype%":["Int8Array","prototype"],"%Int16ArrayPrototype%":["Int16Array","prototype"],"%Int32ArrayPrototype%":["Int32Array","prototype"],"%JSONParse%":["JSON","parse"],"%JSONStringify%":["JSON","stringify"],"%MapPrototype%":["Map","prototype"],"%NumberPrototype%":["Number","prototype"],"%ObjectPrototype%":["Object","prototype"],"%ObjProto_toString%":["Object","prototype","toString"],"%ObjProto_valueOf%":["Object","prototype","valueOf"],"%PromisePrototype%":["Promise","prototype"],"%PromiseProto_then%":["Promise","prototype","then"],"%Promise_all%":["Promise","all"],"%Promise_reject%":["Promise","reject"],"%Promise_resolve%":["Promise","resolve"],"%RangeErrorPrototype%":["RangeError","prototype"],"%ReferenceErrorPrototype%":["ReferenceError","prototype"],"%RegExpPrototype%":["RegExp","prototype"],"%SetPrototype%":["Set","prototype"],"%SharedArrayBufferPrototype%":["SharedArrayBuffer","prototype"],"%StringPrototype%":["String","prototype"],"%SymbolPrototype%":["Symbol","prototype"],"%SyntaxErrorPrototype%":["SyntaxError","prototype"],"%TypedArrayPrototype%":["TypedArray","prototype"],"%TypeErrorPrototype%":["TypeError","prototype"],"%Uint8ArrayPrototype%":["Uint8Array","prototype"],"%Uint8ClampedArrayPrototype%":["Uint8ClampedArray","prototype"],"%Uint16ArrayPrototype%":["Uint16Array","prototype"],"%Uint32ArrayPrototype%":["Uint32Array","prototype"],"%URIErrorPrototype%":["URIError","prototype"],"%WeakMapPrototype%":["WeakMap","prototype"],"%WeakSetPrototype%":["WeakSet","prototype"]},bind=require(24),hasOwn=require(33),$concat=bind.call($call,Array.prototype.concat),$spliceApply=bind.call($apply,Array.prototype.splice),$replace=bind.call($call,String.prototype.replace),$strSlice=bind.call($call,String.prototype.slice),$exec=bind.call($call,RegExp.prototype.exec),rePropName=/[^%.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|%$))/g,reEscapeChar=/\\(\\)?/g,stringToPath=function stringToPath(r){var e=$strSlice(r,0,1),t=$strSlice(r,-1);if("%"===e&&"%"!==t)throw new $SyntaxError("invalid intrinsic syntax, expected closing `%`");if("%"===t&&"%"!==e)throw new $SyntaxError("invalid intrinsic syntax, expected opening `%`");var o=[];return $replace(r,rePropName,function(r,e,t,n){o[o.length]=t?$replace(n,reEscapeChar,"$1"):e||r}),o},getBaseIntrinsic=function getBaseIntrinsic(r,e){var t,o=r;if(hasOwn(LEGACY_ALIASES,o)&&(o="%"+(t=LEGACY_ALIASES[o])[0]+"%"),hasOwn(INTRINSICS,o)){var n=INTRINSICS[o];if(n===needsEval&&(n=doEval(o)),void 0===n&&!e)throw new $TypeError("intrinsic "+r+" exists, but is not available. Please file an issue!");return{alias:t,name:o,value:n}}throw new $SyntaxError("intrinsic "+r+" does not exist!")};module.exports=function GetIntrinsic(r,e){if("string"!=typeof r||0===r.length)throw new $TypeError("intrinsic name must be a non-empty string");if(arguments.length>1&&"boolean"!=typeof e)throw new $TypeError('"allowMissing" argument must be a boolean');if(null===$exec(/^%?[^%]*%?$/,r))throw new $SyntaxError("`%` may not be present anywhere but at the beginning and end of the intrinsic name");var t=stringToPath(r),o=t.length>0?t[0]:"",n=getBaseIntrinsic("%"+o+"%",e),a=n.name,i=n.value,y=!1,p=n.alias;p&&(o=p[0],$spliceApply(t,$concat([0,1],p)));for(var d=1,s=!0;d=t.length){var c=$gOPD(i,f);i=(s=!!c)&&"get"in c&&!("originalValue"in c.get)?c.get:i[f]}else s=hasOwn(i,f),i=i[f];s&&!y&&(INTRINSICS[a]=i)}}return i}; },{"14":14,"15":15,"16":16,"17":17,"18":18,"19":19,"20":20,"21":21,"22":22,"24":24,"26":26,"27":27,"28":28,"30":30,"31":31,"33":33,"34":34,"35":35,"37":37,"38":38,"39":39,"40":40,"41":41,"8":8,"9":9}],13:[function(require,module,exports){ "use strict";var hasProtoAccessor,callBind=require(10),gOPD=require(30);try{hasProtoAccessor=[].__proto__===Array.prototype}catch(t){if(!t||"object"!=typeof t||!("code"in t)||"ERR_PROTO_ACCESS"!==t.code)throw t}var desc=!!hasProtoAccessor&&gOPD&&gOPD(Object.prototype,"__proto__"),$Object=Object,$getPrototypeOf=$Object.getPrototypeOf;module.exports=desc&&"function"==typeof desc.get?callBind([desc.get]):"function"==typeof $getPrototypeOf&&function getDunder(t){return $getPrototypeOf(null==t?t:$Object(t))}; @@ -76,7 +76,13 @@ "use strict";module.exports=Object; },{}],23:[function(require,module,exports){ -"use strict";var ERROR_MESSAGE="Function.prototype.bind called on incompatible ",toStr=Object.prototype.toString,max=Math.max,funcType="[object Function]",concatty=function concatty(t,n){for(var r=[],o=0;o-1e3&&t<1e3||$test.call(/e/,e))return e;var r=/[0-9](?=(?:[0-9]{3})+(?![0-9]))/g;if("number"==typeof t){var n=t<0?-$floor(-t):$floor(t);if(n!==t){var o=String(n),i=$slice.call(e,o.length+1);return $replace.call(o,r,"$&_")+"."+$replace.call($replace.call(i,/([0-9]{3})/g,"$&_"),/_$/,"")}}return $replace.call(e,r,"$&_")}var utilInspect=require(6),inspectCustom=utilInspect.custom,inspectSymbol=isSymbol(inspectCustom)?inspectCustom:null,quotes={__proto__:null,double:'"',single:"'"},quoteREs={__proto__:null,double:/(["\\])/g,single:/(['\\])/g};function wrapQuotes(t,e,r){var n=r.quoteStyle||e,o=quotes[n];return o+t+o}function quote(t){return $replace.call(String(t),/"/g,""")}function isArray(t){return!("[object Array]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isDate(t){return!("[object Date]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isRegExp(t){return!("[object RegExp]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isError(t){return!("[object Error]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isString(t){return!("[object String]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isNumber(t){return!("[object Number]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isBoolean(t){return!("[object Boolean]"!==toStr(t)||toStringTag&&"object"==typeof t&&toStringTag in t)}function isSymbol(t){if(hasShammedSymbols)return t&&"object"==typeof t&&t instanceof Symbol;if("symbol"==typeof t)return!0;if(!t||"object"!=typeof t||!symToString)return!1;try{return symToString.call(t),!0}catch(t){}return!1}function isBigInt(t){if(!t||"object"!=typeof t||!bigIntValueOf)return!1;try{return bigIntValueOf.call(t),!0}catch(t){}return!1}module.exports=function inspect_(t,e,r,n){var o=e||{};if(has(o,"quoteStyle")&&!has(quotes,o.quoteStyle))throw new TypeError('option "quoteStyle" must be "single" or "double"');if(has(o,"maxStringLength")&&("number"==typeof o.maxStringLength?o.maxStringLength<0&&o.maxStringLength!==1/0:null!==o.maxStringLength))throw new TypeError('option "maxStringLength", if provided, must be a positive integer, Infinity, or `null`');var i=!has(o,"customInspect")||o.customInspect;if("boolean"!=typeof i&&"symbol"!==i)throw new TypeError("option \"customInspect\", if provided, must be `true`, `false`, or `'symbol'`");if(has(o,"indent")&&null!==o.indent&&"\t"!==o.indent&&!(parseInt(o.indent,10)===o.indent&&o.indent>0))throw new TypeError('option "indent" must be "\\t", an integer > 0, or `null`');if(has(o,"numericSeparator")&&"boolean"!=typeof o.numericSeparator)throw new TypeError('option "numericSeparator", if provided, must be `true` or `false`');var a=o.numericSeparator;if(void 0===t)return"undefined";if(null===t)return"null";if("boolean"==typeof t)return t?"true":"false";if("string"==typeof t)return inspectString(t,o);if("number"==typeof t){if(0===t)return 1/0/t>0?"0":"-0";var c=String(t);return a?addNumericSeparator(t,c):c}if("bigint"==typeof t){var l=String(t)+"n";return a?addNumericSeparator(t,l):l}var p=void 0===o.depth?5:o.depth;if(void 0===r&&(r=0),r>=p&&p>0&&"object"==typeof t)return isArray(t)?"[Array]":"[Object]";var u=getIndent(o,r);if(void 0===n)n=[];else if(indexOf(n,t)>=0)return"[Circular]";function inspect(t,e,i){if(e&&(n=$arrSlice.call(n)).push(e),i){var a={depth:o.depth};return has(o,"quoteStyle")&&(a.quoteStyle=o.quoteStyle),inspect_(t,a,r+1,n)}return inspect_(t,o,r+1,n)}if("function"==typeof t&&!isRegExp(t)){var s=nameOf(t),f=arrObjKeys(t,inspect);return"[Function"+(s?": "+s:" (anonymous)")+"]"+(f.length>0?" { "+$join.call(f,", ")+" }":"")}if(isSymbol(t)){var y=hasShammedSymbols?$replace.call(String(t),/^(Symbol\(.*\))_[^)]*$/,"$1"):symToString.call(t);return"object"!=typeof t||hasShammedSymbols?y:markBoxed(y)}if(isElement(t)){for(var S="<"+$toLowerCase.call(String(t.nodeName)),g=t.attributes||[],b=0;b"}if(isArray(t)){if(0===t.length)return"[]";var m=arrObjKeys(t,inspect);return u&&!singleLineValues(m)?"["+indentedJoin(m,u)+"]":"[ "+$join.call(m,", ")+" ]"}if(isError(t)){var h=arrObjKeys(t,inspect);return"cause"in Error.prototype||!("cause"in t)||isEnumerable.call(t,"cause")?0===h.length?"["+String(t)+"]":"{ ["+String(t)+"] "+$join.call(h,", ")+" }":"{ ["+String(t)+"] "+$join.call($concat.call("[cause]: "+inspect(t.cause),h),", ")+" }"}if("object"==typeof t&&i){if(inspectSymbol&&"function"==typeof t[inspectSymbol]&&utilInspect)return utilInspect(t,{depth:p-r});if("symbol"!==i&&"function"==typeof t.inspect)return t.inspect()}if(isMap(t)){var d=[];return mapForEach&&mapForEach.call(t,(function(e,r){d.push(inspect(r,t,!0)+" => "+inspect(e,t))})),collectionOf("Map",mapSize.call(t),d,u)}if(isSet(t)){var j=[];return setForEach&&setForEach.call(t,(function(e){j.push(inspect(e,t))})),collectionOf("Set",setSize.call(t),j,u)}if(isWeakMap(t))return weakCollectionOf("WeakMap");if(isWeakSet(t))return weakCollectionOf("WeakSet");if(isWeakRef(t))return weakCollectionOf("WeakRef");if(isNumber(t))return markBoxed(inspect(Number(t)));if(isBigInt(t))return markBoxed(inspect(bigIntValueOf.call(t)));if(isBoolean(t))return markBoxed(booleanValueOf.call(t));if(isString(t))return markBoxed(inspect(String(t)));if("undefined"!=typeof window&&t===window)return"{ [object Window] }";if("undefined"!=typeof globalThis&&t===globalThis||"undefined"!=typeof global&&t===global)return"{ [object globalThis] }";if(!isDate(t)&&!isRegExp(t)){var O=arrObjKeys(t,inspect),w=gPO?gPO(t)===Object.prototype:t instanceof Object||t.constructor===Object,$=t instanceof Object?"":"null prototype",k=!w&&toStringTag&&Object(t)===t&&toStringTag in t?$slice.call(toStr(t),8,-1):$?"Object":"",v=(w||"function"!=typeof t.constructor?"":t.constructor.name?t.constructor.name+" ":"")+(k||$?"["+$join.call($concat.call([],k||[],$||[]),": ")+"] ":"");return 0===O.length?v+"{}":u?v+"{"+indentedJoin(O,u)+"}":v+"{ "+$join.call(O,", ")+" }"}return String(t)};var hasOwn=Object.prototype.hasOwnProperty||function(t){return t in this};function has(t,e){return hasOwn.call(t,e)}function toStr(t){return objectToString.call(t)}function nameOf(t){if(t.name)return t.name;var e=$match.call(functionToString.call(t),/^function\s*([\w$]+)/);return e?e[1]:null}function indexOf(t,e){if(t.indexOf)return t.indexOf(e);for(var r=0,n=t.length;re.maxStringLength){var r=t.length-e.maxStringLength,n="... "+r+" more character"+(r>1?"s":"");return inspectString($slice.call(t,0,e.maxStringLength),e)+n}var o=quoteREs[e.quoteStyle||"single"];return o.lastIndex=0,wrapQuotes($replace.call($replace.call(t,o,"\\$1"),/[\x00-\x1f]/g,lowbyte),"single",e)}function lowbyte(t){var e=t.charCodeAt(0),r={8:"b",9:"t",10:"n",12:"f",13:"r"}[e];return r?"\\"+r:"\\x"+(e<16?"0":"")+$toUpperCase.call(e.toString(16))}function markBoxed(t){return"Object("+t+")"}function weakCollectionOf(t){return t+" { ? }"}function collectionOf(t,e,r,n){return t+" ("+e+") {"+(n?indentedJoin(r,n):$join.call(r,", "))+"}"}function singleLineValues(t){for(var e=0;e=0)return!1;return!0}function getIndent(t,e){var r;if("\t"===t.indent)r="\t";else{if(!("number"==typeof t.indent&&t.indent>0))return null;r=$join.call(Array(t.indent+1)," ")}return{base:r,prev:$join.call(Array(e+1),r)}}function indentedJoin(t,e){if(0===t.length)return"";var r="\n"+e.prev+e.base;return r+$join.call(t,","+r)+"\n"+e.prev}function arrObjKeys(t,e){var r=isArray(t),n=[];if(r){n.length=t.length;for(var o=0;o-1e3&&t<1e3||$test.call(/e/,e))return e;var r=/[0-9](?=(?:[0-9]{3})+(?![0-9]))/g;if("number"==typeof t){var n=t<0?-$floor(-t):$floor(t);if(n!==t){var o=String(n),i=$slice.call(e,o.length+1);return $replace.call(o,r,"$&_")+"."+$replace.call($replace.call(i,/([0-9]{3})/g,"$&_"),/_$/,"")}}return $replace.call(e,r,"$&_")}var utilInspect=require(6),inspectCustom=utilInspect.custom,inspectSymbol=isSymbol(inspectCustom)?inspectCustom:null,quotes={__proto__:null,double:'"',single:"'"},quoteREs={__proto__:null,double:/(["\\])/g,single:/(['\\])/g};function wrapQuotes(t,e,r){var n=r.quoteStyle||e,o=quotes[n];return o+t+o}function quote(t){return $replace.call(String(t),/"/g,""")}function canTrustToString(t){return!toStringTag||!("object"==typeof t&&(toStringTag in t||void 0!==t[toStringTag]))}function isArray(t){return"[object Array]"===toStr(t)&&canTrustToString(t)}function isDate(t){return"[object Date]"===toStr(t)&&canTrustToString(t)}function isRegExp(t){return"[object RegExp]"===toStr(t)&&canTrustToString(t)}function isError(t){return"[object Error]"===toStr(t)&&canTrustToString(t)}function isString(t){return"[object String]"===toStr(t)&&canTrustToString(t)}function isNumber(t){return"[object Number]"===toStr(t)&&canTrustToString(t)}function isBoolean(t){return"[object Boolean]"===toStr(t)&&canTrustToString(t)}function isSymbol(t){if(hasShammedSymbols)return t&&"object"==typeof t&&t instanceof Symbol;if("symbol"==typeof t)return!0;if(!t||"object"!=typeof t||!symToString)return!1;try{return symToString.call(t),!0}catch(t){}return!1}function isBigInt(t){if(!t||"object"!=typeof t||!bigIntValueOf)return!1;try{return bigIntValueOf.call(t),!0}catch(t){}return!1}module.exports=function inspect_(t,e,r,n){var o=e||{};if(has(o,"quoteStyle")&&!has(quotes,o.quoteStyle))throw new TypeError('option "quoteStyle" must be "single" or "double"');if(has(o,"maxStringLength")&&("number"==typeof o.maxStringLength?o.maxStringLength<0&&o.maxStringLength!==1/0:null!==o.maxStringLength))throw new TypeError('option "maxStringLength", if provided, must be a positive integer, Infinity, or `null`');var i=!has(o,"customInspect")||o.customInspect;if("boolean"!=typeof i&&"symbol"!==i)throw new TypeError("option \"customInspect\", if provided, must be `true`, `false`, or `'symbol'`");if(has(o,"indent")&&null!==o.indent&&"\t"!==o.indent&&!(parseInt(o.indent,10)===o.indent&&o.indent>0))throw new TypeError('option "indent" must be "\\t", an integer > 0, or `null`');if(has(o,"numericSeparator")&&"boolean"!=typeof o.numericSeparator)throw new TypeError('option "numericSeparator", if provided, must be `true` or `false`');var a=o.numericSeparator;if(void 0===t)return"undefined";if(null===t)return"null";if("boolean"==typeof t)return t?"true":"false";if("string"==typeof t)return inspectString(t,o);if("number"==typeof t){if(0===t)return 1/0/t>0?"0":"-0";var c=String(t);return a?addNumericSeparator(t,c):c}if("bigint"==typeof t){var l=String(t)+"n";return a?addNumericSeparator(t,l):l}var u=void 0===o.depth?5:o.depth;if(void 0===r&&(r=0),r>=u&&u>0&&"object"==typeof t)return isArray(t)?"[Array]":"[Object]";var p=getIndent(o,r);if(void 0===n)n=[];else if(indexOf(n,t)>=0)return"[Circular]";function inspect(t,e,i){if(e&&(n=$arrSlice.call(n)).push(e),i){var a={depth:o.depth};return has(o,"quoteStyle")&&(a.quoteStyle=o.quoteStyle),inspect_(t,a,r+1,n)}return inspect_(t,o,r+1,n)}if("function"==typeof t&&!isRegExp(t)){var s=nameOf(t),f=arrObjKeys(t,inspect);return"[Function"+(s?": "+s:" (anonymous)")+"]"+(f.length>0?" { "+$join.call(f,", ")+" }":"")}if(isSymbol(t)){var y=hasShammedSymbols?$replace.call(String(t),/^(Symbol\(.*\))_[^)]*$/,"$1"):symToString.call(t);return"object"!=typeof t||hasShammedSymbols?y:markBoxed(y)}if(isElement(t)){for(var S="<"+$toLowerCase.call(String(t.nodeName)),g=t.attributes||[],m=0;m"}if(isArray(t)){if(0===t.length)return"[]";var b=arrObjKeys(t,inspect);return p&&!singleLineValues(b)?"["+indentedJoin(b,p)+"]":"[ "+$join.call(b,", ")+" ]"}if(isError(t)){var h=arrObjKeys(t,inspect);return"cause"in Error.prototype||!("cause"in t)||isEnumerable.call(t,"cause")?0===h.length?"["+String(t)+"]":"{ ["+String(t)+"] "+$join.call(h,", ")+" }":"{ ["+String(t)+"] "+$join.call($concat.call("[cause]: "+inspect(t.cause),h),", ")+" }"}if("object"==typeof t&&i){if(inspectSymbol&&"function"==typeof t[inspectSymbol]&&utilInspect)return utilInspect(t,{depth:u-r});if("symbol"!==i&&"function"==typeof t.inspect)return t.inspect()}if(isMap(t)){var d=[];return mapForEach&&mapForEach.call(t,function(e,r){d.push(inspect(r,t,!0)+" => "+inspect(e,t))}),collectionOf("Map",mapSize.call(t),d,p)}if(isSet(t)){var O=[];return setForEach&&setForEach.call(t,function(e){O.push(inspect(e,t))}),collectionOf("Set",setSize.call(t),O,p)}if(isWeakMap(t))return weakCollectionOf("WeakMap");if(isWeakSet(t))return weakCollectionOf("WeakSet");if(isWeakRef(t))return weakCollectionOf("WeakRef");if(isNumber(t))return markBoxed(inspect(Number(t)));if(isBigInt(t))return markBoxed(inspect(bigIntValueOf.call(t)));if(isBoolean(t))return markBoxed(booleanValueOf.call(t));if(isString(t))return markBoxed(inspect(String(t)));if("undefined"!=typeof window&&t===window)return"{ [object Window] }";if("undefined"!=typeof globalThis&&t===globalThis||"undefined"!=typeof global&&t===global)return"{ [object globalThis] }";if(!isDate(t)&&!isRegExp(t)){var j=arrObjKeys(t,inspect),w=gPO?gPO(t)===Object.prototype:t instanceof Object||t.constructor===Object,$=t instanceof Object?"":"null prototype",v=!w&&toStringTag&&Object(t)===t&&toStringTag in t?$slice.call(toStr(t),8,-1):$?"Object":"",k=(w||"function"!=typeof t.constructor?"":t.constructor.name?t.constructor.name+" ":"")+(v||$?"["+$join.call($concat.call([],v||[],$||[]),": ")+"] ":"");return 0===j.length?k+"{}":p?k+"{"+indentedJoin(j,p)+"}":k+"{ "+$join.call(j,", ")+" }"}return String(t)};var hasOwn=Object.prototype.hasOwnProperty||function(t){return t in this};function has(t,e){return hasOwn.call(t,e)}function toStr(t){return objectToString.call(t)}function nameOf(t){if(t.name)return t.name;var e=$match.call(functionToString.call(t),/^function\s*([\w$]+)/);return e?e[1]:null}function indexOf(t,e){if(t.indexOf)return t.indexOf(e);for(var r=0,n=t.length;re.maxStringLength){var r=t.length-e.maxStringLength,n="... "+r+" more character"+(r>1?"s":"");return inspectString($slice.call(t,0,e.maxStringLength),e)+n}var o=quoteREs[e.quoteStyle||"single"];return o.lastIndex=0,wrapQuotes($replace.call($replace.call(t,o,"\\$1"),/[\x00-\x1f]/g,lowbyte),"single",e)}function lowbyte(t){var e=t.charCodeAt(0),r={8:"b",9:"t",10:"n",12:"f",13:"r"}[e];return r?"\\"+r:"\\x"+(e<16?"0":"")+$toUpperCase.call(e.toString(16))}function markBoxed(t){return"Object("+t+")"}function weakCollectionOf(t){return t+" { ? }"}function collectionOf(t,e,r,n){return t+" ("+e+") {"+(n?indentedJoin(r,n):$join.call(r,", "))+"}"}function singleLineValues(t){for(var e=0;e=0)return!1;return!0}function getIndent(t,e){var r;if("\t"===t.indent)r="\t";else{if(!("number"==typeof t.indent&&t.indent>0))return null;r=$join.call(Array(t.indent+1)," ")}return{base:r,prev:$join.call(Array(e+1),r)}}function indentedJoin(t,e){if(0===t.length)return"";var r="\n"+e.prev+e.base;return r+$join.call(t,","+r)+"\n"+e.prev}function arrObjKeys(t,e){var r=isArray(t),n=[];if(r){n.length=t.length;for(var o=0;o Date: Wed, 3 Dec 2025 14:20:16 -0800 Subject: [PATCH 34/40] [Dev Deps] update `@ljharb/eslint-config` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b96b87e0..11924078 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "devDependencies": { "@browserify/envify": "^6.0.0", "@browserify/uglifyify": "^6.0.0", - "@ljharb/eslint-config": "^22.0.1", + "@ljharb/eslint-config": "^22.0.2", "browserify": "^16.5.2", "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", From 64951f6200a1fb72cc003c6e8226dde3d2ef591f Mon Sep 17 00:00:00 2001 From: Klemen Tusar Date: Tue, 4 Nov 2025 08:29:18 +0000 Subject: [PATCH 35/40] [Refactor] `parse`: extract key segment splitting helper --- lib/parse.js | 51 ++++++++++++++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 19 deletions(-) diff --git a/lib/parse.js b/lib/parse.js index bfba0fe1..9adad86e 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -187,29 +187,28 @@ var parseObject = function (chain, val, options, valuesParsed) { return leaf; }; -var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesParsed) { - if (!givenKey) { - return; - } - - // Transform dot notation to bracket notation +var splitKeyIntoSegments = function splitKeyIntoSegments(givenKey, options) { var key = options.allowDots ? givenKey.replace(/\.([^.[]+)/g, '[$1]') : givenKey; - // The regex chunks + if (options.depth <= 0) { + if (!options.plainObjects && has.call(Object.prototype, key)) { + if (!options.allowPrototypes) { + return; + } + } + + return [key]; + } var brackets = /(\[[^[\]]*])/; var child = /(\[[^[\]]*])/g; - // Get the parent - - var segment = options.depth > 0 && brackets.exec(key); + var segment = brackets.exec(key); var parent = segment ? key.slice(0, segment.index) : key; - // Stash the parent if it exists - var keys = []; + if (parent) { - // If we aren't using plain objects, optionally prefix keys that would overwrite object prototype properties if (!options.plainObjects && has.call(Object.prototype, parent)) { if (!options.allowPrototypes) { return; @@ -219,28 +218,42 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars keys.push(parent); } - // Loop through children appending to the array until we hit depth - var i = 0; - while (options.depth > 0 && (segment = child.exec(key)) !== null && i < options.depth) { + while ((segment = child.exec(key)) !== null && i < options.depth) { i += 1; - if (!options.plainObjects && has.call(Object.prototype, segment[1].slice(1, -1))) { + + var segmentContent = segment[1].slice(1, -1); + if (!options.plainObjects && has.call(Object.prototype, segmentContent)) { if (!options.allowPrototypes) { return; } } + keys.push(segment[1]); } - // If there's a remainder, check strictDepth option for throw, else just add whatever is left - if (segment) { if (options.strictDepth === true) { throw new RangeError('Input depth exceeded depth option of ' + options.depth + ' and strictDepth is true'); } + keys.push('[' + key.slice(segment.index) + ']'); } + return keys; +}; + +var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesParsed) { + if (!givenKey) { + return; + } + + var keys = splitKeyIntoSegments(givenKey, options); + + if (!keys) { + return; + } + return parseObject(keys, val, options, valuesParsed); }; From 0b06aac566abee45ef0327667a7cc89e7aed8b58 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Sun, 14 Dec 2025 23:00:14 -0800 Subject: [PATCH 36/40] [Dev Deps] update `@ljharb/eslint-config` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 11924078..23b9ff18 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "devDependencies": { "@browserify/envify": "^6.0.0", "@browserify/uglifyify": "^6.0.0", - "@ljharb/eslint-config": "^22.0.2", + "@ljharb/eslint-config": "^22.1.2", "browserify": "^16.5.2", "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", From fc7930e86c2264c1568c9f5606830e19b0bc2af2 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 18 Dec 2025 10:11:31 -0800 Subject: [PATCH 37/40] [Dev Deps] update `eslint`, `@ljharb/eslint-config` --- package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 23b9ff18..bc0dfa0e 100644 --- a/package.json +++ b/package.json @@ -36,13 +36,13 @@ "devDependencies": { "@browserify/envify": "^6.0.0", "@browserify/uglifyify": "^6.0.0", - "@ljharb/eslint-config": "^22.1.2", + "@ljharb/eslint-config": "^22.1.3", "browserify": "^16.5.2", "bundle-collapser": "^1.4.0", "common-shakeify": "~1.0.0", "eclint": "^2.8.1", "es-value-fixtures": "^1.7.1", - "eslint": "^9.39.1", + "eslint": "^9.39.2", "evalmd": "^0.0.19", "for-each": "^0.3.5", "glob": "=10.3.7", @@ -77,7 +77,7 @@ "posttest": "npx npm@'>=10.2' audit --production", "readme": "evalmd README.md", "postlint": "eclint check $(git ls-files | xargs find 2> /dev/null | grep -vE 'node_modules|\\.git' | grep -v dist/)", - "lint": "eslint --ext=js,mjs .", + "lint": "eslint .", "dist": "mkdirp dist && browserify --standalone Qs -g unassertify -g @browserify/envify -g [@browserify/uglifyify --mangle.keep_fnames --compress.keep_fnames --format.indent_level=1 --compress.arrows=false --compress.passes=4 --compress.typeofs=false] -p common-shakeify -p bundle-collapser/plugin lib/index.js > dist/qs.js" }, "license": "BSD-3-Clause", From 3086902ecf7f088d0d1803887643ac6c03d415b9 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Thu, 18 Dec 2025 12:48:40 -0800 Subject: [PATCH 38/40] [Fix] ensure arrayLength applies to `[]` notation as well --- lib/parse.js | 23 ++++++++-- lib/utils.js | 58 ++++++++++++++++++++++-- test/parse.js | 114 +++++++++++++++++++++++++++++++++++++++++++++-- test/utils.js | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 303 insertions(+), 11 deletions(-) diff --git a/lib/parse.js b/lib/parse.js index 9adad86e..621c41e8 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -133,7 +133,12 @@ var parseValues = function parseQueryStringValues(str, options) { if (key !== null) { var existing = has.call(obj, key); if (existing && options.duplicates === 'combine') { - obj[key] = utils.combine(obj[key], val); + obj[key] = utils.combine( + obj[key], + val, + options.arrayLimit, + options.plainObjects + ); } else if (!existing || options.duplicates === 'last') { obj[key] = val; } @@ -157,9 +162,19 @@ var parseObject = function (chain, val, options, valuesParsed) { var root = chain[i]; if (root === '[]' && options.parseArrays) { - obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null)) - ? [] - : utils.combine([], leaf); + if (utils.isOverflow(leaf)) { + // leaf is already an overflow object, preserve it + obj = leaf; + } else { + obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null)) + ? [] + : utils.combine( + [], + leaf, + options.arrayLimit, + options.plainObjects + ); + } } else { obj = options.plainObjects ? { __proto__: null } : {}; var cleanRoot = root.charAt(0) === '[' && root.charAt(root.length - 1) === ']' ? root.slice(1, -1) : root; diff --git a/lib/utils.js b/lib/utils.js index 2905ff01..91f555e4 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -1,10 +1,32 @@ 'use strict'; var formats = require('./formats'); +var getSideChannel = require('side-channel'); var has = Object.prototype.hasOwnProperty; var isArray = Array.isArray; +// Track objects created from arrayLimit overflow using side-channel +// Stores the current max numeric index for O(1) lookup +var overflowChannel = getSideChannel(); + +var markOverflow = function markOverflow(obj, maxIndex) { + overflowChannel.set(obj, maxIndex); + return obj; +}; + +var isOverflow = function isOverflow(obj) { + return overflowChannel.has(obj); +}; + +var getMaxIndex = function getMaxIndex(obj) { + return overflowChannel.get(obj); +}; + +var setMaxIndex = function setMaxIndex(obj, maxIndex) { + overflowChannel.set(obj, maxIndex); +}; + var hexTable = (function () { var array = []; for (var i = 0; i < 256; ++i) { @@ -54,7 +76,12 @@ var merge = function merge(target, source, options) { if (isArray(target)) { target.push(source); } else if (target && typeof target === 'object') { - if ( + if (isOverflow(target)) { + // Add at next numeric index for overflow objects + var newIndex = getMaxIndex(target) + 1; + target[newIndex] = source; + setMaxIndex(target, newIndex); + } else if ( (options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source) ) { @@ -68,6 +95,18 @@ var merge = function merge(target, source, options) { } if (!target || typeof target !== 'object') { + if (isOverflow(source)) { + // Create new object with target at 0, source values shifted by 1 + var sourceKeys = Object.keys(source); + var result = options && options.plainObjects + ? { __proto__: null, 0: target } + : { 0: target }; + for (var m = 0; m < sourceKeys.length; m++) { + var oldKey = parseInt(sourceKeys[m], 10); + result[oldKey + 1] = source[sourceKeys[m]]; + } + return markOverflow(result, getMaxIndex(source) + 1); + } return [target].concat(source); } @@ -239,8 +278,20 @@ var isBuffer = function isBuffer(obj) { return !!(obj.constructor && obj.constructor.isBuffer && obj.constructor.isBuffer(obj)); }; -var combine = function combine(a, b) { - return [].concat(a, b); +var combine = function combine(a, b, arrayLimit, plainObjects) { + // If 'a' is already an overflow object, add to it + if (isOverflow(a)) { + var newIndex = getMaxIndex(a) + 1; + a[newIndex] = b; + setMaxIndex(a, newIndex); + return a; + } + + var result = [].concat(a, b); + if (result.length > arrayLimit) { + return markOverflow(arrayToObject(result, { plainObjects: plainObjects }), result.length - 1); + } + return result; }; var maybeMap = function maybeMap(val, fn) { @@ -262,6 +313,7 @@ module.exports = { decode: decode, encode: encode, isBuffer: isBuffer, + isOverflow: isOverflow, isRegExp: isRegExp, maybeMap: maybeMap, merge: merge diff --git a/test/parse.js b/test/parse.js index 7361356d..7b353ffc 100644 --- a/test/parse.js +++ b/test/parse.js @@ -235,11 +235,11 @@ test('parse()', function (t) { st.deepEqual(qs.parse('a=b&a[0]=c'), { a: ['b', 'c'] }); st.deepEqual(qs.parse('a[1]=b&a=c', { arrayLimit: 20 }), { a: ['b', 'c'] }); - st.deepEqual(qs.parse('a[]=b&a=c', { arrayLimit: 0 }), { a: ['b', 'c'] }); + st.deepEqual(qs.parse('a[]=b&a=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } }); st.deepEqual(qs.parse('a[]=b&a=c'), { a: ['b', 'c'] }); st.deepEqual(qs.parse('a=b&a[1]=c', { arrayLimit: 20 }), { a: ['b', 'c'] }); - st.deepEqual(qs.parse('a=b&a[]=c', { arrayLimit: 0 }), { a: ['b', 'c'] }); + st.deepEqual(qs.parse('a=b&a[]=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } }); st.deepEqual(qs.parse('a=b&a[]=c'), { a: ['b', 'c'] }); st.end(); @@ -364,7 +364,7 @@ test('parse()', function (t) { ); st.deepEqual( qs.parse('a[]=b&a[]&a[]=c&a[]=', { strictNullHandling: true, arrayLimit: 0 }), - { a: ['b', null, 'c', ''] }, + { a: { 0: 'b', 1: null, 2: 'c', 3: '' } }, 'with arrayLimit 0 + array brackets: null then empty string works' ); @@ -375,7 +375,7 @@ test('parse()', function (t) { ); st.deepEqual( qs.parse('a[]=b&a[]=&a[]=c&a[]', { strictNullHandling: true, arrayLimit: 0 }), - { a: ['b', '', 'c', null] }, + { a: { 0: 'b', 1: '', 2: 'c', 3: null } }, 'with arrayLimit 0 + array brackets: empty string then null works' ); @@ -1288,3 +1288,109 @@ test('qs strictDepth option - non-throw cases', function (t) { st.end(); }); }); + +test('DOS', function (t) { + var arr = []; + for (var i = 0; i < 105; i++) { + arr[arr.length] = 'x'; + } + var attack = 'a[]=' + arr.join('&a[]='); + var result = qs.parse(attack, { arrayLimit: 100 }); + + t.notOk(Array.isArray(result.a), 'arrayLimit is respected: result is an object, not an array'); + t.equal(Object.keys(result.a).length, 105, 'all values are preserved'); + + t.end(); +}); + +test('arrayLimit boundary conditions', function (t) { + t.test('exactly at the limit stays as array', function (st) { + var result = qs.parse('a[]=1&a[]=2&a[]=3', { arrayLimit: 3 }); + st.ok(Array.isArray(result.a), 'result is an array when exactly at limit'); + st.deepEqual(result.a, ['1', '2', '3'], 'all values present'); + st.end(); + }); + + t.test('one over the limit converts to object', function (st) { + var result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3 }); + st.notOk(Array.isArray(result.a), 'result is not an array when over limit'); + st.deepEqual(result.a, { 0: '1', 1: '2', 2: '3', 3: '4' }, 'all values preserved as object'); + st.end(); + }); + + t.test('arrayLimit 1 with two values', function (st) { + var result = qs.parse('a[]=1&a[]=2', { arrayLimit: 1 }); + st.notOk(Array.isArray(result.a), 'result is not an array'); + st.deepEqual(result.a, { 0: '1', 1: '2' }, 'both values preserved'); + st.end(); + }); + + t.end(); +}); + +test('mixed array and object notation', function (t) { + t.test('array brackets with object key - under limit', function (st) { + st.deepEqual( + qs.parse('a[]=b&a[c]=d'), + { a: { 0: 'b', c: 'd' } }, + 'mixing [] and [key] converts to object' + ); + st.end(); + }); + + t.test('array index with object key - under limit', function (st) { + st.deepEqual( + qs.parse('a[0]=b&a[c]=d'), + { a: { 0: 'b', c: 'd' } }, + 'mixing [0] and [key] produces object' + ); + st.end(); + }); + + t.test('plain value with array brackets - under limit', function (st) { + st.deepEqual( + qs.parse('a=b&a[]=c', { arrayLimit: 20 }), + { a: ['b', 'c'] }, + 'plain value combined with [] stays as array under limit' + ); + st.end(); + }); + + t.test('array brackets with plain value - under limit', function (st) { + st.deepEqual( + qs.parse('a[]=b&a=c', { arrayLimit: 20 }), + { a: ['b', 'c'] }, + '[] combined with plain value stays as array under limit' + ); + st.end(); + }); + + t.test('plain value with array index - under limit', function (st) { + st.deepEqual( + qs.parse('a=b&a[0]=c', { arrayLimit: 20 }), + { a: ['b', 'c'] }, + 'plain value combined with [0] stays as array under limit' + ); + st.end(); + }); + + t.test('multiple plain values with duplicates combine', function (st) { + st.deepEqual( + qs.parse('a=b&a=c&a=d', { arrayLimit: 20 }), + { a: ['b', 'c', 'd'] }, + 'duplicate plain keys combine into array' + ); + st.end(); + }); + + t.test('multiple plain values exceeding limit', function (st) { + st.deepEqual( + qs.parse('a=b&a=c&a=d', { arrayLimit: 2 }), + { a: { 0: 'b', 1: 'c', 2: 'd' } }, + 'duplicate plain keys convert to object when exceeding limit' + ); + st.end(); + }); + + t.end(); +}); diff --git a/test/utils.js b/test/utils.js index 39335165..defb7f26 100644 --- a/test/utils.js +++ b/test/utils.js @@ -68,6 +68,60 @@ test('merge()', function (t) { } ); + t.test('with overflow objects (from arrayLimit)', function (st) { + st.test('merges primitive into overflow object at next index', function (s2t) { + // Create an overflow object via combine + var overflow = utils.combine(['a'], 'b', 1, false); + s2t.ok(utils.isOverflow(overflow), 'overflow object is marked'); + var merged = utils.merge(overflow, 'c'); + s2t.deepEqual(merged, { 0: 'a', 1: 'b', 2: 'c' }, 'adds primitive at next numeric index'); + s2t.end(); + }); + + st.test('merges primitive into regular object with numeric keys normally', function (s2t) { + var obj = { 0: 'a', 1: 'b' }; + s2t.notOk(utils.isOverflow(obj), 'plain object is not marked as overflow'); + var merged = utils.merge(obj, 'c'); + s2t.deepEqual(merged, { 0: 'a', 1: 'b', c: true }, 'adds primitive as key (not at next index)'); + s2t.end(); + }); + + st.test('merges primitive into object with non-numeric keys normally', function (s2t) { + var obj = { foo: 'bar' }; + var merged = utils.merge(obj, 'baz'); + s2t.deepEqual(merged, { foo: 'bar', baz: true }, 'adds primitive as key with value true'); + s2t.end(); + }); + + st.test('merges overflow object into primitive', function (s2t) { + // Create an overflow object via combine + var overflow = utils.combine([], 'b', 0, false); + s2t.ok(utils.isOverflow(overflow), 'overflow object is marked'); + var merged = utils.merge('a', overflow); + s2t.ok(utils.isOverflow(merged), 'result is also marked as overflow'); + s2t.deepEqual(merged, { 0: 'a', 1: 'b' }, 'creates object with primitive at 0, source values shifted'); + s2t.end(); + }); + + st.test('merges overflow object with multiple values into primitive', function (s2t) { + // Create an overflow object via combine + var overflow = utils.combine(['b'], 'c', 1, false); + s2t.ok(utils.isOverflow(overflow), 'overflow object is marked'); + var merged = utils.merge('a', overflow); + s2t.deepEqual(merged, { 0: 'a', 1: 'b', 2: 'c' }, 'shifts all source indices by 1'); + s2t.end(); + }); + + st.test('merges regular object into primitive as array', function (s2t) { + var obj = { foo: 'bar' }; + var merged = utils.merge('a', obj); + s2t.deepEqual(merged, ['a', { foo: 'bar' }], 'creates array with primitive and object'); + s2t.end(); + }); + + st.end(); + }); + t.end(); }); @@ -132,6 +186,71 @@ test('combine()', function (t) { st.end(); }); + t.test('with arrayLimit', function (st) { + st.test('under the limit', function (s2t) { + var combined = utils.combine(['a', 'b'], 'c', 10, false); + s2t.deepEqual(combined, ['a', 'b', 'c'], 'returns array when under limit'); + s2t.ok(Array.isArray(combined), 'result is an array'); + s2t.end(); + }); + + st.test('exactly at the limit stays as array', function (s2t) { + var combined = utils.combine(['a', 'b'], 'c', 3, false); + s2t.deepEqual(combined, ['a', 'b', 'c'], 'stays as array when exactly at limit'); + s2t.ok(Array.isArray(combined), 'result is an array'); + s2t.end(); + }); + + st.test('over the limit', function (s2t) { + var combined = utils.combine(['a', 'b', 'c'], 'd', 3, false); + s2t.deepEqual(combined, { 0: 'a', 1: 'b', 2: 'c', 3: 'd' }, 'converts to object when over limit'); + s2t.notOk(Array.isArray(combined), 'result is not an array'); + s2t.end(); + }); + + st.test('with arrayLimit 0', function (s2t) { + var combined = utils.combine([], 'a', 0, false); + s2t.deepEqual(combined, { 0: 'a' }, 'converts single element to object with arrayLimit 0'); + s2t.notOk(Array.isArray(combined), 'result is not an array'); + s2t.end(); + }); + + st.test('with plainObjects option', function (s2t) { + var combined = utils.combine(['a'], 'b', 1, true); + var expected = { __proto__: null, 0: 'a', 1: 'b' }; + s2t.deepEqual(combined, expected, 'converts to object with null prototype'); + s2t.equal(Object.getPrototypeOf(combined), null, 'result has null prototype when plainObjects is true'); + s2t.end(); + }); + + st.end(); + }); + + t.test('with existing overflow object', function (st) { + st.test('adds to existing overflow object at next index', function (s2t) { + // Create overflow object first via combine + var overflow = utils.combine(['a'], 'b', 1, false); + s2t.ok(utils.isOverflow(overflow), 'initial object is marked as overflow'); + + var combined = utils.combine(overflow, 'c', 10, false); + s2t.equal(combined, overflow, 'returns the same object (mutated)'); + s2t.deepEqual(combined, { 0: 'a', 1: 'b', 2: 'c' }, 'adds value at next numeric index'); + s2t.end(); + }); + + st.test('does not treat plain object with numeric keys as overflow', function (s2t) { + var plainObj = { 0: 'a', 1: 'b' }; + s2t.notOk(utils.isOverflow(plainObj), 'plain object is not marked as overflow'); + + // combine treats this as a regular value, not an overflow object to append to + var combined = utils.combine(plainObj, 'c', 10, false); + s2t.deepEqual(combined, [{ 0: 'a', 1: 'b' }, 'c'], 'concatenates as regular values'); + s2t.end(); + }); + + st.end(); + }); + t.end(); }); From a62670423c1ccab0dd83c621bfb98c7c024e314d Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Mon, 29 Dec 2025 13:33:45 -0800 Subject: [PATCH 39/40] [Dev Deps] update `npmignore` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bc0dfa0e..2508c867 100644 --- a/package.json +++ b/package.json @@ -58,7 +58,7 @@ "mkdirp": "^0.5.5", "mock-property": "^1.1.0", "module-deps": "^6.2.3", - "npmignore": "^0.3.2", + "npmignore": "^0.3.5", "nyc": "^10.3.2", "object-inspect": "^1.13.4", "qs-iconv": "^1.0.4", From 3fa11a5f643c76896387bd2d86904a2d0141fdf7 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Mon, 29 Dec 2025 14:00:42 -0800 Subject: [PATCH 40/40] v6.14.1 --- CHANGELOG.md | 9 +++++++++ dist/qs.js | 32 ++++++++++++++++---------------- package.json | 2 +- 3 files changed, 26 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc8e8794..35828d51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +## **6.14.1** +- [Fix] ensure arrayLength applies to `[]` notation as well +- [Fix] `parse`: when a custom decoder returns `null` for a key, ignore that key +- [Refactor] `parse`: extract key segment splitting helper +- [meta] add threat model +- [actions] add workflow permissions +- [Tests] `stringify`: increase coverage +- [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `npmignore`, `es-value-fixtures`, `for-each`, `object-inspect` + ## **6.14.0** - [New] `parse`: add `throwOnParameterLimitExceeded` option (#517) - [Refactor] `parse`: use `utils.combine` more diff --git a/dist/qs.js b/dist/qs.js index 05ed9a83..ffb80a24 100644 --- a/dist/qs.js +++ b/dist/qs.js @@ -5,15 +5,15 @@ "use strict";var stringify=require(4),parse=require(3),formats=require(1);module.exports={formats:formats,parse:parse,stringify:stringify}; },{"1":1,"3":3,"4":4}],3:[function(require,module,exports){ -"use strict";var utils=require(5),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,defaults={allowDots:!1,allowEmptyArrays:!1,allowPrototypes:!1,allowSparse:!1,arrayLimit:20,charset:"utf-8",charsetSentinel:!1,comma:!1,decodeDotInKeys:!1,decoder:utils.decode,delimiter:"&",depth:5,duplicates:"combine",ignoreQueryPrefix:!1,interpretNumericEntities:!1,parameterLimit:1e3,parseArrays:!0,plainObjects:!1,strictDepth:!1,strictNullHandling:!1,throwOnLimitExceeded:!1},interpretNumericEntities=function(e){return e.replace(/&#(\d+);/g,function(e,t){return String.fromCharCode(parseInt(t,10))})},parseArrayValue=function(e,t,r){if(e&&"string"==typeof e&&t.comma&&e.indexOf(",")>-1)return e.split(",");if(t.throwOnLimitExceeded&&r>=t.arrayLimit)throw new RangeError("Array limit exceeded. Only "+t.arrayLimit+" element"+(1===t.arrayLimit?"":"s")+" allowed in an array.");return e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},i=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;i=i.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var a=t.parameterLimit===1/0?void 0:t.parameterLimit,o=i.split(t.delimiter,t.throwOnLimitExceeded?a+1:a);if(t.throwOnLimitExceeded&&o.length>a)throw new RangeError("Parameter limit exceeded. Only "+a+" parameter"+(1===a?"":"s")+" allowed.");var l,n=-1,s=t.charset;if(t.charsetSentinel)for(l=0;l-1&&(p=isArray(p)?[p]:p),null!==d){var f=has.call(r,d);f&&"combine"===t.duplicates?r[d]=utils.combine(r[d],p):f&&"last"!==t.duplicates||(r[d]=p)}}return r},parseObject=function(e,t,r,i){var a=0;if(e.length>0&&"[]"===e[e.length-1]){var o=e.slice(0,-1).join("");a=Array.isArray(t)&&t[o]?t[o].length:0}for(var l=i?t:parseArrayValue(t,r,a),n=e.length-1;n>=0;--n){var s,d=e[n];if("[]"===d&&r.parseArrays)s=r.allowEmptyArrays&&(""===l||r.strictNullHandling&&null===l)?[]:utils.combine([],l);else{s=r.plainObjects?{__proto__:null}:{};var p="["===d.charAt(0)&&"]"===d.charAt(d.length-1)?d.slice(1,-1):d,c=r.decodeDotInKeys?p.replace(/%2E/g,"."):p,u=parseInt(c,10);r.parseArrays||""!==c?!isNaN(u)&&d!==c&&String(u)===c&&u>=0&&r.parseArrays&&u<=r.arrayLimit?(s=[])[u]=l:"__proto__"!==c&&(s[c]=l):s={0:l}}l=s}return l},parseKeys=function parseQueryStringKeys(e,t,r,i){if(e){var a=r.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e,o=/(\[[^[\]]*])/g,l=r.depth>0&&/(\[[^[\]]*])/.exec(a),n=l?a.slice(0,l.index):a,s=[];if(n){if(!r.plainObjects&&has.call(Object.prototype,n)&&!r.allowPrototypes)return;s.push(n)}for(var d=0;r.depth>0&&null!==(l=o.exec(a))&&d-1)return e.split(",");if(t.throwOnLimitExceeded&&r>=t.arrayLimit)throw new RangeError("Array limit exceeded. Only "+t.arrayLimit+" element"+(1===t.arrayLimit?"":"s")+" allowed in an array.");return e},isoSentinel="utf8=%26%2310003%3B",charsetSentinel="utf8=%E2%9C%93",parseValues=function parseQueryStringValues(e,t){var r={__proto__:null},i=t.ignoreQueryPrefix?e.replace(/^\?/,""):e;i=i.replace(/%5B/gi,"[").replace(/%5D/gi,"]");var a=t.parameterLimit===1/0?void 0:t.parameterLimit,o=i.split(t.delimiter,t.throwOnLimitExceeded?a+1:a);if(t.throwOnLimitExceeded&&o.length>a)throw new RangeError("Parameter limit exceeded. Only "+a+" parameter"+(1===a?"":"s")+" allowed.");var l,n=-1,s=t.charset;if(t.charsetSentinel)for(l=0;l-1&&(d=isArray(d)?[d]:d),null!==p){var f=has.call(r,p);f&&"combine"===t.duplicates?r[p]=utils.combine(r[p],d,t.arrayLimit,t.plainObjects):f&&"last"!==t.duplicates||(r[p]=d)}}return r},parseObject=function(e,t,r,i){var a=0;if(e.length>0&&"[]"===e[e.length-1]){var o=e.slice(0,-1).join("");a=Array.isArray(t)&&t[o]?t[o].length:0}for(var l=i?t:parseArrayValue(t,r,a),n=e.length-1;n>=0;--n){var s,p=e[n];if("[]"===p&&r.parseArrays)s=utils.isOverflow(l)?l:r.allowEmptyArrays&&(""===l||r.strictNullHandling&&null===l)?[]:utils.combine([],l,r.arrayLimit,r.plainObjects);else{s=r.plainObjects?{__proto__:null}:{};var d="["===p.charAt(0)&&"]"===p.charAt(p.length-1)?p.slice(1,-1):p,c=r.decodeDotInKeys?d.replace(/%2E/g,"."):d,u=parseInt(c,10);r.parseArrays||""!==c?!isNaN(u)&&p!==c&&String(u)===c&&u>=0&&r.parseArrays&&u<=r.arrayLimit?(s=[])[u]=l:"__proto__"!==c&&(s[c]=l):s={0:l}}l=s}return l},splitKeyIntoSegments=function splitKeyIntoSegments(e,t){var r=t.allowDots?e.replace(/\.([^.[]+)/g,"[$1]"):e;if(t.depth<=0){if(!t.plainObjects&&has.call(Object.prototype,r)&&!t.allowPrototypes)return;return[r]}var i=/(\[[^[\]]*])/g,a=/(\[[^[\]]*])/.exec(r),o=a?r.slice(0,a.index):r,l=[];if(o){if(!t.plainObjects&&has.call(Object.prototype,o)&&!t.allowPrototypes)return;l.push(o)}for(var n=0;null!==(a=i.exec(r))&&n0?g.join(",")||null:void 0}];else if(isArray(f))S=f;else{var N=Object.keys(g);S=u?N.sort(u):N}var T=l?String(r).replace(/\./g,"%2E"):String(r),O=o&&isArray(g)&&1===g.length?T+"[]":T;if(a&&isArray(g)&&0===g.length)return O+"[]";for(var k=0;k0?c+y:""}; },{"1":1,"46":46,"5":5}],5:[function(require,module,exports){ -"use strict";var formats=require(1),has=Object.prototype.hasOwnProperty,isArray=Array.isArray,hexTable=function(){for(var e=[],r=0;r<256;++r)e.push("%"+((r<16?"0":"")+r.toString(16)).toUpperCase());return e}(),compactQueue=function compactQueue(e){for(;e.length>1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,p=[],f=0;f=48&&s<=57||s>=65&&s<=90||s>=97&&s<=122||n===formats.RFC1738&&(40===s||41===s)?p[p.length]=u.charAt(f):s<128?p[p.length]=hexTable[s]:s<2048?p[p.length]=hexTable[192|s>>6]+hexTable[128|63&s]:s<55296||s>=57344?p[p.length]=hexTable[224|s>>12]+hexTable[128|s>>6&63]+hexTable[128|63&s]:(f+=1,s=65536+((1023&s)<<10|1023&u.charCodeAt(f)),p[p.length]=hexTable[240|s>>18]+hexTable[128|s>>12&63]+hexTable[128|s>>6&63]+hexTable[128|63&s])}c+=p.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;o1;){var r=e.pop(),t=r.obj[r.prop];if(isArray(t)){for(var o=[],n=0;n=limit?a.slice(i,i+limit):a,f=[],s=0;s=48&&u<=57||u>=65&&u<=90||u>=97&&u<=122||n===formats.RFC1738&&(40===u||41===u)?f[f.length]=l.charAt(s):u<128?f[f.length]=hexTable[u]:u<2048?f[f.length]=hexTable[192|u>>6]+hexTable[128|63&u]:u<55296||u>=57344?f[f.length]=hexTable[224|u>>12]+hexTable[128|u>>6&63]+hexTable[128|63&u]:(s+=1,u=65536+((1023&u)<<10|1023&l.charCodeAt(s)),f[f.length]=hexTable[240|u>>18]+hexTable[128|u>>12&63]+hexTable[128|u>>6&63]+hexTable[128|63&u])}c+=f.join("")}return c},compact=function compact(e){for(var r=[{obj:{o:e},prop:"o"}],t=[],o=0;ot?markOverflow(arrayToObject(a,{plainObjects:o}),a.length-1):a},maybeMap=function maybeMap(e,r){if(isArray(e)){for(var t=[],o=0;o