
Bump qs, express and cypress #3804

Draft
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-bf3b27cf59
@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps qs to 6.15.3 and updates ancestor dependencies qs, express and cypress. These dependencies need to be updated together.

Updates qs from 6.15.1 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Updates express from 4.22.0 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
Commits

Updates cypress from 14.5.3 to 15.18.0

Release notes

Sourced from cypress's releases.

v15.18.0

Changelog: https://docs.cypress.io/app/references/changelog#15-18-0

v15.17.0

Changelog: https://docs.cypress.io/app/references/changelog#15-17-0

v15.16.0

Changelog: https://docs.cypress.io/app/references/changelog#15-16-0

v15.15.0

Changelog: https://docs.cypress.io/app/references/changelog#15-15-0

v15.14.2

Changelog: https://docs.cypress.io/app/references/changelog#15-14-2

v15.14.1

Changelog: https://docs.cypress.io/app/references/changelog#15-14-1

v15.14.0

Changelog: https://docs.cypress.io/app/references/changelog#15-14-0

v15.13.1

Changelog: https://docs.cypress.io/app/references/changelog#15-13-1

v15.13.0

Changelog: https://docs.cypress.io/app/references/changelog#15-13-0

v15.12.0

Changelog: https://docs.cypress.io/app/references/changelog#15-12-0

v15.11.0

Changelog: https://docs.cypress.io/app/references/changelog#15-11-0

v15.10.0

Changelog: https://docs.cypress.io/app/references/changelog#15-10-0

v15.9.0

Changelog: https://docs.cypress.io/app/references/changelog#15-9-0

v15.8.2

Changelog: https://docs.cypress.io/app/references/changelog#15-8-2

v15.8.1

Changelog: https://docs.cypress.io/app/references/changelog#15-8-1

v15.8.0

Changelog: https://docs.cypress.io/app/references/changelog#15-8-0

v15.7.1

Changelog: https://docs.cypress.io/app/references/changelog#15-7-1

... (truncated)

Commits
  • fa083db fix: prevent proxy crash on IPv6 literal hosts in cy.visit (#34146)
  • 063636c chore(ci): only install firefox in UI test jobs that target it (#34142)
  • 02aa75d feat: add removeSRIAttributes config option to strip SRI from first-party res...
  • 2d6b11e chore(deps): bump undici to 6.27.0 for SNYK-JS-UNDICI-17372658 (#34121)
  • 56759ea misc: remove the global install warning from cypress install (#34139)
  • d47b81d chore: resync yarn.lock (shell-quote) (#34145)
  • 19ac719 chore(ci): remove duplicate test run in npm-webpack-dev-server job (#34141)
  • 6f96dac docs: document PR title prefixes, changelog, and template requirements (#34128)
  • d706175 chore: correct misleading WebKit browser debug log message (#34135)
  • fb76794 chore: remove no-op CYPRESS_DOWNLOAD_USE_CA environment variable (#34131)
  • Additional commits viewable in compare view

Install script changes

This version modifies the `postinstall` script that runs during installation. Review the package contents before updating.


Bumps [qs](https://github.com/ljharb/qs) to 6.15.3 and updates ancestor dependencies [qs](https://github.com/ljharb/qs), [express](https://github.com/expressjs/express) and [cypress](https://github.com/cypress-io/cypress). These dependencies need to be updated together.


Updates `qs` from 6.15.1 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.1...v6.15.3)

Updates `express` from 4.22.0 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@4.22.0...v4.22.2)

Updates `cypress` from 14.5.3 to 15.18.0
- [Release notes](https://github.com/cypress-io/cypress/releases)
- [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md)
- [Commits](cypress-io/cypress@v14.5.3...v15.18.0)

---
updated-dependencies:
- dependency-name: cypress
  dependency-version: 15.17.0
  dependency-type: direct:development
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: indirect
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-bf3b27cf59 branch from d70b7e4 to 3ee24f1 Compare July 1, 2026 15:45
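
The install-script warning above asks for a review of the package before updating. As an added example (not part of the pull request or of Dependabot's output), the following compares the install-time lifecycle hooks of two `package.json` manifests; the manifests and helper names are constructed for illustration and are not the real cypress files.

```javascript
'use strict';

// Lifecycle hooks npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the named script as a string, or null when the manifest lacks it.
function getHook(manifest, hook) {
  const scripts = (manifest && manifest.scripts) || {};
  return Object.prototype.hasOwnProperty.call(scripts, hook) ? String(scripts[hook]) : null;
}

// Compare install-time hooks of two parsed package.json objects (hypothetical helper).
function diffInstallHooks(oldManifest, newManifest) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const before = getHook(oldManifest, hook);
    const after = getHook(newManifest, hook);
    if (before === after) continue;
    const change = before === null ? 'added' : after === null ? 'removed' : 'modified';
    findings.push({ hook, change, before, after });
  }
  return findings;
}

// One line per finding, suitable for a CI log or a PR comment.
function formatFindings(findings) {
  return findings.map((f) =>
    `${f.hook}: ${f.change} (${JSON.stringify(f.before)} -> ${JSON.stringify(f.after)})`);
}

// Constructed manifests for illustration; not the real cypress package.json contents.
const OLD_MANIFEST = {
  name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node install.js', test: 'mocha' },
};
const NEW_MANIFEST = {
  name: 'example-pkg', version: '2.0.0',
  scripts: { preinstall: 'node check-env.js', postinstall: 'node install.js --fetch', test: 'mocha' },
};

for (const line of formatFindings(diffInstallHooks(OLD_MANIFEST, NEW_MANIFEST))) {
  console.log(line);
}
```

For the real packages, `npm view cypress@14.5.3 scripts --json` and the same command for 15.18.0 print each version's `scripts` object, which can be wrapped as `{ scripts: ... }` and passed in. `npm install --ignore-scripts` installs without running these hooks while the diff is reviewed.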