Bump qs, express and firebase-tools #313

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-691708e10b

dependabot Bot commented on behalf of github May 22, 2026

Bumps qs to 6.15.2 and updates ancestor dependencies qs, express and firebase-tools. These dependencies need to be updated together.

Updates qs from 6.13.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols

... (truncated)

Commits
  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • 3f5e1c5 v6.15.1
  • Additional commits viewable in compare view

Updates express from 4.21.2 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

4.22.0 / 2025-12-01

Commits

Updates firebase-tools from 8.20.0 to 15.18.0

Release notes

Sourced from firebase-tools's releases.

v15.18.0

  • Updated Pub/Sub emulator to version 0.8.31
  • Resolves undefined regions earlier, during the build to backend resolution phase (#10471)
  • Updated the Firebase Data Connect local toolkit to v3.4.8, which includes the following changes:
    • Fixed an issue in Dart code generation where nullable BigInt was not handled correctly.
    • Added support for nested 1:Many relational batch inserts.
    • Updated the Golang dependency version to 1.25.10.
  • Default timeout for Dart functions is now 60 seconds when not explicitly set (#10501)
  • Support secret environment variables for Cloud Run functions (#10489)
  • Set requiredProjectBindings in AI Logic services (#10503)

v15.17.0

  • Added support for creating search indexes for Firestore. (#10431)
  • Fixed an issue where some MCP tools would error with "Invalid input: expected record, received array". (#10437)
  • Fixed an issue causing errors when multiple Firestore databases were configured in firebase.json (#8114)
  • Updated the Firebase Data Connect local toolkit to v3.4.7, which includes the following changes: (#10461)
    • Fix emulator crash when using uuidv4() on operations.
    • Support for _Data input types as variables with @allow(fields, maxCount) to constraint the input JSON, enabling batch mutations in admin SDK. Client SDK support will come soon.
  • Increase supported range for Next.js to version 16.0 (#9463)
  • Updated Cloud Function default resource locations. This does not affect existing functions. (#10414)
  • Added warning for cross-region event triggers (#10408)

v15.16.0

  • Updated Firestore Emulator to v1.21.0, which adds support for subqueries and new stages like let(...), as well as allowing setting database-edition per-database.
  • Suppressed the 'punycode' deprecation warning during firebase deploy on Node 22. (#10385)
  • Fixed an issue where hosting deploy allowed publishing to a site in a different project. (#10376)
  • Added SSE mode support to firebase mcp. To use it, run firebase mcp --mode=sse --port=3000, and connect your client on http://localhost:3000.
  • Update the valid Python runtimes for functions. Default Python runtime is now Python 3.14.
  • Fix CLI non-interactive mode for dataconnect init (#10401)
  • Fixed issue where rules for non-default Firestore databases were not being deployed correctly.
  • Suppress SSR warning for non-SSR Angular projects on init hosting (#10364)
  • Updated the SQL Connect emulator to v3.4.6, including internal bug fixes (#10434)
  • Fix an issue where deploying multi-codebase functions failed due to a shared source token scraper (#10428)

v15.15.0

  • Add foundation for being smarter about where to place functions when the region is not specified (#10293)
  • Updated Pub/Sub emulator to version 0.8.30
  • Renamed Data Connect displayed text to SQL Connect (#10270)
  • Added support for the experimental Cloud Functions for Firebase Dart SDK behind the dartfunctions flag
  • Updated the SQL Connect emulator to v3.4.5, including internal bug fixes (#10336)

v15.14.0

  • Added Enterprise Edition support to the Firestore emulator. Configure it by setting firebase.json#firestore.edition or firebase.json#emulators.firestore.edition.
  • Fixed an issue where functions deployments would silently fail (#6989)
  • Fixed issue where the CLI isn't able to correctly parse command arguments on PowerShell (#7506)
  • Add support for Next.js 16 middleware (proxy.ts/proxy.js) (#9631)
  • Updates the default region for new App Hosting backends to us-east4 (#10271)
  • Fix Next.js image optimization detection in client components (#10228)
  • Updates Firebase Data Connect emulator to v3.4.1 (#10290)
    • Upgraded Go runtime to 1.25.9.

... (truncated)

Commits
  • 8af261a 15.18.0
  • 0e759e4 Add missing changelog entries (#10514)
  • 70e2771 fix: support secret environment variables for Cloud Run functions (#10489)
  • dae4e46 update FDC local toolkit to v3.4.8 (#10506)
  • 1a32765 Set requiredProjectBindings in AI Logic services (#10503)
  • 26ccd63 remove legacy localbuild path and remove @apphosting/build dependency (#10512)
  • 6203955 Adding default timeout for dart functions (#10501)
  • 0b59f18 support nested .gitignore files in source deploys (#10498)
  • a605414 refactor: resolve function regions during build phase to fix VPC connectors (...
  • 205b5f8 feat: update Pub/Sub emulator to 0.8.31 (#10485)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [qs](https://github.com/ljharb/qs) to 6.15.2 and updates ancestor dependencies [qs](https://github.com/ljharb/qs), [express](https://github.com/expressjs/express) and [firebase-tools](https://github.com/firebase/firebase-tools). These dependencies need to be updated together.


Updates `qs` from 6.13.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.13.0...v6.15.2)

Updates `express` from 4.21.2 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@4.21.2...v4.22.2)

Updates `firebase-tools` from 8.20.0 to 15.18.0
- [Release notes](https://github.com/firebase/firebase-tools/releases)
- [Changelog](https://github.com/firebase/firebase-tools/blob/main/CHANGELOG.md)
- [Commits](firebase/firebase-tools@v8.20.0...v15.18.0)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: indirect
- dependency-name: firebase-tools
  dependency-version: 15.18.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and javascript labels May 22, 2026