Skip to content

chore(deps): bump qs, @wp-playground/cli and express#18

Merged
ph33nx merged 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-4730e3f8e9
Jul 3, 2026
Merged

chore(deps): bump qs, @wp-playground/cli and express#18
ph33nx merged 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-4730e3f8e9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps qs, @wp-playground/cli and express. These dependencies needed to be updated together.
Updates qs from 6.14.2 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)
Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Updates @wp-playground/cli from 3.1.20 to 3.1.43

Release notes

Sourced from @​wp-playground/cli's releases.

WordPress Playground v3.1.43

No changelog entries for this release.


Install via npm:

npm install @wp-playground/client@3.1.43

Or browse all packages on npm.

Stay up to date: Click Watch → Custom → Releases at the top of this repository to get notified of new releases.

WordPress Playground v3.1.42

No changelog entries for this release.


Install via npm:

npm install @wp-playground/client@3.1.42

Or browse all packages on npm.

Stay up to date: Click Watch → Custom → Releases at the top of this repository to get notified of new releases.

WordPress Playground v3.1.41

No changelog entries for this release.


Install via npm:

npm install @wp-playground/client@3.1.41

Or browse all packages on npm.

Stay up to date: Click Watch → Custom → Releases at the top of this repository to get notified of new releases.

WordPress Playground v3.1.40

No changelog entries for this release.


... (truncated)

Changelog

Sourced from @​wp-playground/cli's changelog.

[v3.1.43] (2026-06-29)

[v3.1.42] (2026-06-26)

[v3.1.41] (2026-06-22)

[v3.1.40] (2026-06-19)

[v3.1.39] (2026-06-15)

[v3.1.38] (2026-06-08)

[v3.1.37] (2026-06-08)

[v3.1.36] (2026-06-01)

[v3.1.35] (2026-05-25)

[v3.1.34] (2026-05-18)

PHP WebAssembly

  • [PHP.wasm] Fix sqlite_markdown extension loading. (#3650)
  • [PHP.wasm] Support web JSPI side module ABI exports. (#3647)
  • [codex] Use wp-extensions markdown editor release. (#3648)
  • [website] Add php-extension query parameter. (#3645)

Various

Personal Playground

  • Personal WP: Improve app install dialog. (#3652)

Contributors

... (truncated)

Commits

Updates express from 4.22.0 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 23, 2026
@ph33nx

ph33nx commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-4730e3f8e9 branch from 99c8c1d to e9f758e Compare July 3, 2026 15:17
@ph33nx

ph33nx commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps [qs](https://github.com/ljharb/qs), [@wp-playground/cli](https://github.com/WordPress/wordpress-playground) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.

Updates `qs` from 6.14.2 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.2...v6.15.3)

Updates `@wp-playground/cli` from 3.1.20 to 3.1.43
- [Release notes](https://github.com/WordPress/wordpress-playground/releases)
- [Changelog](https://github.com/WordPress/wordpress-playground/blob/trunk/CHANGELOG.md)
- [Commits](WordPress/wordpress-playground@v3.1.20...v3.1.43)

Updates `express` from 4.22.0 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@4.22.0...v4.22.2)

---
updated-dependencies:
- dependency-name: "@wp-playground/cli"
  dependency-version: 3.1.41
  dependency-type: indirect
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: indirect
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-4730e3f8e9 branch from e9f758e to 02d342e Compare July 3, 2026 15:34
@ph33nx ph33nx merged commit 67a3c83 into main Jul 3, 2026
11 checks passed
@ph33nx ph33nx deleted the dependabot/npm_and_yarn/multi-4730e3f8e9 branch July 3, 2026 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant