Conversation

@dependabot dependabot bot commented on behalf of github Jan 1, 2026

Bumps qs from 6.13.1 to 6.14.1.

Changelog

Sourced from qs's changelog.

6.14.1

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

Commits
  • 3fa11a5 v6.14.1
  • a626704 [Dev Deps] update npmignore
  • 3086902 [Fix] ensure arrayLength applies to [] notation as well
  • fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
  • 0b06aac [Dev Deps] update @ljharb/eslint-config
  • 64951f6 [Refactor] parse: extract key segment splitting helper
  • e1bd259 [Dev Deps] update @ljharb/eslint-config
  • f4b3d39 [eslint] add eslint 9 optional peer dep
  • 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
  • 973dc3c [actions] add workflow permissions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [qs](https://github.com/ljharb/qs) from 6.13.1 to 6.14.1.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.13.1...v6.14.1)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.14.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 1, 2026
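The 6.14.1 entry "[Fix] ensure arrayLength applies to [] notation as well" is the one worth understanding before deciding whether an upgrade of a transitive query-string parser matters. What follows is an added illustration, not qs's implementation and not code from this PR or from tiltify-api-client: a toy bracket-notation parser whose `arrayLimit` caps how large an array a single query string can make the server build. The `limitPushNotation` flag is a construct of this example; switched off it models the pre-fix situation the changelog implies, where an explicit over-limit index such as `a[21]` is contained but an unbounded run of `a[]=...` pushes is not. Over-limit entries are stored in a plain object keyed by index, which is how qs's README documents numeric indices past `arrayLimit`; whether 6.14.1 treats `[]` pushes past the limit in exactly that way is not stated on this page. The 25-push query and the huge explicit index are constructed inputs.

```javascript
// Toy bracket-notation query parser with an arrayLimit, written for this note.
// It is NOT qs's code and handles only `name`, `name[<digits>]` and `name[]` keys.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s; // malformed percent-encoding: keep the raw text rather than throw
  }
}

// Store `value` at `index` under `name`. While the index is within the limit the
// container stays an array; the first over-limit index demotes it to a plain
// object keyed by index strings, so no oversized array is ever built.
function setIndexed(result, name, index, value, withinLimit) {
  let container = result[name];
  if (container === null || typeof container !== 'object') {
    // nothing stored yet (or a scalar, which the toy simply replaces)
    container = result[name] = withinLimit ? [] : Object.create(null);
  }
  if (Array.isArray(container) && !withinLimit) {
    const demoted = Object.create(null);
    container.forEach((v, i) => { demoted[i] = v; });
    container = result[name] = demoted;
  }
  container[index] = value;
}

// limitPushNotation=false models the pre-fix behaviour the changelog names:
// `a[]=...` pushes bypass arrayLimit while `a[21]=...` does not.
function parseQuery(query, { arrayLimit = 20, limitPushNotation = true } = {}) {
  const result = Object.create(null); // null prototype: nothing to pollute
  const nextPush = new Map();         // name -> next position for `[]` pushes
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeComponent(pair.slice(eq + 1));
    const m = /^([^[\]]+)(?:\[(\d*)\])?$/.exec(key);
    if (m === null) continue; // nested or malformed brackets: out of scope for the toy
    const [, name, bracket] = m;
    if (BLOCKED_KEYS.has(name)) continue; // cf. "[Fix] parse: ignore __proto__ keys"
    if (bracket === undefined) {
      result[name] = value;
      continue;
    }
    let index;
    if (bracket === '') {
      const current = result[name];
      index = nextPush.get(name) ?? (Array.isArray(current) ? current.length : 0);
      nextPush.set(name, index + 1);
    } else {
      index = Number(bracket);
    }
    const withinLimit = index <= arrayLimit || (bracket === '' && !limitPushNotation);
    setIndexed(result, name, index, value, withinLimit);
  }
  return result;
}

// Constructed inputs: 25 pushes via `[]` notation, and one huge explicit index.
const PUSHES = Array.from({ length: 25 }, (_, i) => `a[]=${i}`).join('&');

function demo() {
  const before = parseQuery(PUSHES, { arrayLimit: 20, limitPushNotation: false });
  const after = parseQuery(PUSHES, { arrayLimit: 20 });
  const huge = parseQuery('b[99999999]=x', { arrayLimit: 20 });
  return {
    beforeIsArray: Array.isArray(before.a), beforeLength: before.a.length,
    afterIsArray: Array.isArray(after.a), afterKeys: Object.keys(after.a).length,
    hugeIsArray: Array.isArray(huge.b),
  };
}

console.log(demo());
```

Run it with node; `demo()` shows the same 25 pushes producing a 25-element array when the limit ignores `[]` and a 25-key plain object once it does not, while `b[99999999]` never allocates an array at all. The `__proto__` guard corresponds to the "[Fix] parse: ignore __proto__ keys" entry fossabot lists further down; with a null-prototype result object it is belt and braces, but it is the check a reviewer should look for in any hand-rolled parser.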
fossabot bot commented Jan 1, 2026

Needs Review

I recommend reviewing this upgrade before merging because qs is a transitive dependency used by the url package, not directly by this project. While the upgrade includes important security fixes for prototype pollution and DoS vulnerabilities, multiple CI test failures were detected that are unrelated to the qs upgrade itself - they stem from stale API snapshot data and changed external API responses from the Tiltify service. The breaking changes in qs do not affect this codebase since it only uses the built-in URL/URLSearchParams APIs directly. Before merging, the test snapshots should be updated to reflect current API state.

Fix Suggestions

We identified 4 fixable issues in this upgrade.

  • Update Jest snapshots to match current API response data
    Run: npm test -- -u
    Files: test/snapshots/campaign.test.js.snap and 4 other files
  • Update hardcoded expected value in campaign test from '220.00' to '425.00'
    Files: test/campaign.test.js
  • Fix test resource leaks and timeout issues
    Files: test/campaign.test.js and 4 other files
  • Consider mocking Tiltify API responses in tests to prevent future breakages
    Files: test/campaign.test.js and 4 other files

AI Assistant Prompt

Please help me fix failing tests after upgrading the `qs` package from 6.13.1 to 6.14.1 in this repository.

## Context
This is the `tiltify-api-client` repository. The `qs` upgrade is a transitive dependency (used by `url` package) and doesn't directly affect this codebase. However, CI tests are failing due to:
1. Outdated test snapshots/assertions that no longer match live Tiltify API data
2. Test resource leaks causing Jest worker processes to not exit gracefully

## Primary Fix Needed

### Update hardcoded assertion in campaign test
File: `test/campaign.test.js`

The test has a hardcoded expected value that needs updating because the live API data has changed:
- Change expected value from `'220.00'` to `'425.00'`

Please locate this assertion and update it.

## Secondary Issues (Investigation Needed)

### Test resource leaks
Files: `test/campaign.test.js`, `test/cause.test.js`, `test/event.test.js`, `test/team.test.js`, `test/user.test.js`

Jest workers are not exiting gracefully, suggesting open handles (timers, connections, promises). Please:
1. Review the test files for any resources that aren't being properly cleaned up
2. Check if there are `afterAll` or `afterEach` hooks that should close connections
3. Look for any promises or timers that might not be resolved/cleared

## Recommendation
After fixing the immediate assertion issue, consider whether these tests should mock the Tiltify API responses instead of hitting live endpoints to prevent future breakages when API data changes.

What we checked

  • qs is a transitive dependency of the 'url' package (version 0.11.4), which declares 'qs: ^6.12.3' as a dependency [1]
  • Direct dependency 'url: ^0.11.4' is the only package requiring qs - this project does not import or use qs directly [2]
  • Code uses native URLSearchParams API (urlObj.searchParams.set) instead of qs library for query parameter manipulation [3]
  • CI test failure: hardcoded expected value '220.00' doesn't match actual API response '425.00' - unrelated to qs upgrade, caused by changed Tiltify API data [4]
  • qs upgraded from 6.13.1 to 6.14.1, includes security fixes for CVE-2025-15284 (DoS via arrayLimit bypass) and prototype pollution vulnerabilities [5]
  • Official changelog documents breaking changes in 6.14.0: stringify throws on cycles, allowDots defaults to false, drops Node <4 support - none affect this codebase since qs is not directly used [6]

Dependency Usage

  • Code uses native URLSearchParams API (urlObj.searchParams.set) instead of qs library for query parameter manipulation
    urlObj.searchParams.set('after', response.metadata.after) // Set the 'after' query parameter
  • CI test failure: hardcoded expected value '220.00' doesn't match actual API response '425.00' - unrelated to qs upgrade, caused by changed Tiltify API data
    expect(data.amount_raised.value).toBe("220.00")

Changes

The qs package update includes 4 critical security fixes addressing prototype pollution vulnerabilities, unsafe buffer usage, and __proto__ key handling, along with 4 breaking changes including throwing on cycles instead of infinite loops, dropping support for node < v4, changing allowDots default to false, and returning undefined/false instead of throwing TypeError.

  • [New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393) (v6.14.0, changelog)
  • #124 Use ES6 and drop support for node < v4 (v6.14.0, changelog)
  • #114 default allowDots to false (v6.14.0, changelog)
  • [actions] restrict action permissions (v6.14.0, changelog)
  • [Fix] parse: ignore __proto__ keys (#428) (v6.14.0, changelog)
  • [Fix] use safer-buffer instead of Buffer constructor (v6.14.0, changelog)
  • [Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties (thanks, @snyk!) (v6.14.0, changelog)
  • #52 Return "undefined" and "false" instead of throwing "TypeError". (v6.14.0, changelog)
  • [patch] parse: add explicit throwOnLimitExceeded default (v6.14.0, changelog)
  • [Fix] stringify: avoid a crash when a filter key is null (v6.14.0, changelog)
  • [Fix] utils.merge: functions should not be stringified into keys (v6.14.0, changelog)
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset (v6.14.0, changelog)
  • [Fix] stringify: ensure a non-string filter does not crash (v6.14.0, changelog)
  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays (v6.14.0, changelog)
  • [Fix] parse: parse encoded square brackets (#506) (v6.14.0, changelog)
  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501) (v6.14.0, changelog)
  • [Fix] parse: Fix parsing when the global Object prototype is frozen (#473) (v6.14.0, changelog)
  • [Fix] stringify: encode comma values more consistently (#463) (v6.14.0, changelog)
  • [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434) (v6.14.0, changelog)
  • [Robustness] stringify: avoid relying on a global undefined (#427) (v6.14.0, changelog)
  • [Fix] stringify: actually fix cyclic references (#426) (v6.14.0, changelog)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424) (v6.14.0, changelog)
  • [Fix] stringify: avoid exception on repeated object values (#402) (v6.14.0, changelog)
  • [Fix] restore dist dir; mistakenly removed in d4f6c32 (v6.14.0, changelog)
  • [Fix] stringify: do not encode parens for RFC1738 (v6.14.0, changelog)
  • [Fix] stringify: fix arrayFormat comma with empty array/objects (#350) (v6.14.0, changelog)
  • [Fix] stringify: when arrayFormat is comma, respect serializeDate (#364) (v6.14.0, changelog)
  • [Fix] proper comma parsing of URL-encoded commas (#361) (v6.14.0, changelog)
  • [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336) (v6.14.0, changelog)
  • [Fix] parse: Fix parsing array from object with comma true (#359) (v6.14.0, changelog)
  • [Fix] parse: throw a TypeError instead of an Error for bad charset (#349) (v6.14.0, changelog)
  • [Fix] parse: with comma true, handle field that holds an array of arrays (#335) (v6.14.0, changelog)
  • [Fix] parse: with comma true, do not split non-string values (#334) (v6.14.0, changelog)
  • [New] [Fix] stringify symbols and bigints (v6.14.0, changelog)
  • [Fix] ensure node 0.12 can stringify Symbols (v6.14.0, changelog)
  • [Fix] fix for an impossible situation: when the formatter is called with a non-string value (v6.14.0, changelog)
  • [Fix] correctly parse nested arrays (#212) (v6.14.0, changelog)
  • [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source, also with an array source (v6.14.0, changelog)
  • [Tests] fix Buffer tests to work in node < 4.5 and node < 5.10 (v6.14.0, changelog)
  • [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279) (v6.14.0, changelog)
  • [Fix] when parseArrays is false, properly handle keys ending in [] (#260) (v6.14.0, changelog)
  • [Fix] stringify: do not crash in an obscure combo of interpretNumericEntities, a bad custom decoder, & iso-8859-1 (v6.14.0, changelog)
  • [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided (v6.14.0, changelog)
  • [Refactor] parse/stringify: clean up charset options checking; fix defaults (v6.14.0, changelog)
  • [Refactor] add missing defaults (v6.14.0, changelog)
  • [Fix] Fix parsing & compacting very deep objects (#224) (v6.14.0, changelog)
  • [Fix] Handle stringifying empty objects with addQueryPrefix (#217) (v6.14.0, changelog)
  • [Fix] do not mutate options argument (#207) (v6.14.0, changelog)
  • [Fix] follow allowPrototypes option during merge (#201, #201) (v6.14.0, changelog)
  • [Fix] support keys starting with brackets (#202, #200) (v6.14.0, changelog)
  • [Fix] chmod a-x (v6.14.0, changelog)
  • [Refactor] stringify: throw faster with an invalid encoder (v6.14.0, changelog)
  • [Fix] ensure utils.merge handles merging two arrays (v6.14.0, changelog)
  • [Robustness] formats: cache String#replace (v6.14.0, changelog)
  • [Fix] ensure key[]=x&key[]&key[]=y results in 3, not 2, values (v6.14.0, changelog)
  • [Fix] fix compacting of nested sparse arrays (#150) (v6.14.0, changelog)
  • [Fix] "sort" option should work at a depth of 3 or more (#151) (v6.14.0, changelog)
  • [Fix] Restore dist directory; will be removed in v7 (#148) (v6.14.0, changelog)
  • #127 Fix engines definition in package.json (v6.14.0, changelog)
  • #80 qs.parse silently drops properties (v6.14.0, changelog)
  • #74 Bad parse when turning array into object (v6.14.0, changelog)
  • #68 Fixed issue with recursion and passing strings into objects. (v6.14.0, changelog)
  • #76 RFC 3986 (v6.14.0, changelog)
  • #85 No equal sign (v6.14.0, changelog)
  • #73 Property 'hasOwnProperty' of object # is not a function (v6.14.0, changelog)
  • #59 make sure array indexes are >= 0, closes #57 (v6.14.0, changelog)
  • #49 refactor utils.merge, fixes #45 (v6.14.0, changelog)
  • #41 avoid browserifying Buffer, for #39 (v6.14.0, changelog)
  • #38 how to handle object keys beginning with a number (v6.14.0, changelog)
  • #37 parser discards first empty value in array (v6.14.0, changelog)
  • #33 Error when plain object in a value (v6.14.0, changelog)
  • #34 use Object.prototype.hasOwnProperty.call instead of obj.hasOwnProperty (v6.14.0, changelog)
  • #32 account for circular references properly, closes #31 (v6.14.0, changelog)
  • #31 qs.parse stackoverflow on circular objects (v6.14.0, changelog)
  • #26 Don't use Buffer global if it's not present (v6.14.0, changelog)
  • #30 Bug when merging non-object values into arrays (v6.14.0, changelog)
  • #29 Don't call Utils.clone at the top of Utils.merge (v6.14.0, changelog)
  • #19 Don't overwrite null values (v6.14.0, changelog)
  • #16 ignore non-string delimiters (v6.14.0, changelog)
  • #13 fix #11: flattened keys in array are now correctly parsed (v6.14.0, changelog)
  • #7 Empty values of a POST array disappear after being submitted (v6.14.0, changelog)
  • #9 Should not omit equals signs (=) when value is null (v6.14.0, changelog)
  • #5 array holes incorrectly copied into object on large index (v6.14.0, changelog)
  • [Fix] ensure arrayLength applies to [] notation as well (v6.14.1, changelog)
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key (v6.14.1, changelog)
  • [New] parse: add throwOnParameterLimitExceeded option (#517) (v6.14.0, changelog)
  • [New] parse: add strictDepth option (#511) (v6.14.0, changelog)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502) (v6.14.0, changelog)
  • [New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#488) (v6.14.0, changelog)
  • [New] parse: add duplicates option (v6.14.0, changelog)
  • [New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#487) (v6.14.0, changelog)
  • [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442) (v6.14.0, changelog)
  • [New] parse: add allowSparse option for collapsing arrays with missing indices (#312) (v6.14.0, changelog)
  • [actions] add automatic rebasing / merge commit blocking (v6.14.0, changelog)
  • [New] parse/stringify: Pass extra key/value argument to decoder (#333) (v6.14.0, changelog)
  • [New] add depth=false to preserve the original key; [Fix] depth=0 should preserve the original key (#326) (v6.14.0, changelog)
  • [New] stringify/parse: add comma as an arrayFormat option (#276, #219) (v6.14.0, changelog)
  • [New] Add support for iso-8859-1, utf8 "sentinel" and numeric entities (#268) (v6.14.0, changelog)
  • [New] add utils.assign (v6.14.0, changelog)
  • [New] pass default encoder/decoder to custom encoder/decoder functions (#206) (v6.14.0, changelog)

References (6)

[1]: qs is a transitive dependency of the 'url' package (version 0.11.4), which declares 'qs: ^6.12.3' as a dependency

    "qs": "^6.12.3"

[2]: Direct dependency 'url: ^0.11.4' is the only package requiring qs - this project does not import or use qs directly

    "url": "^0.11.4"

[3]: Code uses native URLSearchParams API (urlObj.searchParams.set) instead of qs library for query parameter manipulation

    urlObj.searchParams.set('after', response.metadata.after) // Set the 'after' query parameter

[4]: CI test failure: hardcoded expected value '220.00' doesn't match actual API response '425.00' - unrelated to qs upgrade, caused by changed Tiltify API data

    expect(data.amount_raised.value).toBe("220.00")

[5]: qs upgraded from 6.13.1 to 6.14.1, includes security fixes for CVE-2025-15284 (DoS via arrayLimit bypass) and prototype pollution vulnerabilities

    "version": "6.14.1",

[6]: Official changelog documents breaking changes in 6.14.0: stringify throws on cycles, allowDots defaults to false, drops Node <4 support - none affect this codebase since qs is not directly used


fossabot analyzed this PR using dependency research.
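fossabot's conclusion rests on two checks a reviewer can reproduce from the lockfile alone: that qs is reachable only through url, and that the resolved version is the patched one. The script below is an added example, not fossabot's tooling and not part of tiltify-api-client. It walks an npm lockfileVersion 2/3 `packages` map the way Node resolves `node_modules` and reports every dependency path to a target package together with the resolved version. `SAMPLE_LOCK` is a constructed, minimal lockfile that mirrors the facts cited in references [1] and [2] (url ^0.11.4 declaring qs ^6.12.3, qs resolving to 6.14.1) plus the side-channel dependency named in the qs changelog; the punycode and jest entries are filler added for realism, and `versionAtLeast` is a deliberately simple comparison that ignores prerelease tags.

```javascript
// Added example: locate every path from the project root to a target package in
// an npm lockfile ("packages" map, lockfileVersion 2/3) and check its version.
// Not fossabot's tooling and not part of tiltify-api-client.

// Constructed lockfile mirroring references [1] and [2]: the project depends on
// url ^0.11.4, url 0.11.4 declares qs ^6.12.3, and qs resolves to 6.14.1.
// punycode, side-channel and jest are filler entries for realism.
const SAMPLE_LOCK = {
  name: 'tiltify-api-client',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'tiltify-api-client',
      dependencies: { url: '^0.11.4' },
      devDependencies: { jest: '^29.0.0' },
    },
    'node_modules/url': {
      version: '0.11.4',
      dependencies: { punycode: '^1.4.1', qs: '^6.12.3' },
    },
    'node_modules/punycode': { version: '1.4.1' },
    'node_modules/qs': { version: '6.14.1', dependencies: { 'side-channel': '^1.1.0' } },
    'node_modules/side-channel': { version: '1.1.0' },
    'node_modules/jest': { version: '29.7.0' },
  },
};

// Resolve `depName` as required from the package installed at `fromPath`,
// following Node's lookup: fromPath/node_modules first, then each ancestor's.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Depth-first walk from the root entry; returns one array of
// {name, version, range} hops per distinct path to `target`.
function findPaths(lock, target) {
  const packages = lock.packages;
  const paths = [];
  function visit(pkgPath, trail, seen) {
    const entry = packages[pkgPath];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      pkgPath === '' ? entry.devDependencies : {});
    for (const [name, range] of Object.entries(deps)) {
      const resolved = resolveDep(packages, pkgPath, name);
      if (resolved === null || seen.has(resolved)) continue; // missing entry or cycle
      const hops = trail.concat({ name, version: packages[resolved].version, range });
      if (name === target) paths.push(hops);
      else visit(resolved, hops, new Set(seen).add(resolved));
    }
  }
  visit('', [], new Set(['']));
  return paths;
}

// Minimal MAJOR.MINOR.PATCH comparison; prerelease tags are ignored.
function versionAtLeast(actual, minimum) {
  const a = actual.split('-')[0].split('.').map(Number);
  const b = minimum.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Summarise reachability of `target` and whether every resolved copy is >= minimum.
function auditTransitive(lock, target, minimum) {
  const paths = findPaths(lock, target);
  const versions = [...new Set(paths.map((p) => p[p.length - 1].version))];
  return {
    direct: paths.some((p) => p.length === 1),
    paths: paths.map((p) => p.map((h) => `${h.name}@${h.version} (${h.range})`).join(' -> ')),
    versions,
    outdated: versions.filter((v) => !versionAtLeast(v, minimum)),
    ok: paths.length > 0 && versions.every((v) => versionAtLeast(v, minimum)),
  };
}

console.log(JSON.stringify(auditTransitive(SAMPLE_LOCK, 'qs', '6.14.1'), null, 2));
```

On the sample lockfile the report shows a single path, url -> qs, no direct dependency, and version 6.14.1 at or above the minimum. `npm ls qs` gives the same reachability answer from a real checkout; the script is useful in CI because it needs no installed `node_modules`, only the committed lockfile, and it flags any second, nested copy of the package that a hoisted-only check would miss.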
