Update querystringify to 2.1.1 to fix core bug with uncaught exception #175
Comments
|
Also see unshiftio/querystringify#26 |
|
Basically you can crash Node apps that use this package server-side in middleware by passing |
|
It's worth noting that the URL-parse library is designed to allow custom query string parsers instead of the bundled querystringify. So if the primary use-cases is usage on Node.js, and want better unescape fallback for the query strings it might be an option to do this. |
|
@3rd-Eden could you add a deprecation notice please? I just checked and there wasn't one there yet. npm deprecate url-parse@"<1.4.7" "Please upgrade to v1.4.7+ as an uncaught exception bug in querystringify has been fixed and may cause a vulnerability in server-side route middleware" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
v2.1.1 of querystringify was released which fixes an issue where it does not match Node's graceful fallback for decoding URI
unshiftio/querystringify@30e1d19
per Node's built-in:
https://nodejs.org/api/querystring.html#querystring_querystring_unescape_str
The text was updated successfully, but these errors were encountered: