fix(deps): update version lib qs

[gabrieel1007]

• Issue created about this dependency vulnerability:

• update to qs@^6.14.1 #6968

• The lib qs has a vulnerability.

• GHSA-6rw7-vpxm-498p
• https://nvd.nist.gov/vuln/detail/CVE-2025-15284

• what has been done:

• Update of lib qs to version 6.14.1 (fixed).
• creation of tests covering whether the failure has been remedied and whether functionality has been compromised

[UlisesGascon]

Hey @gabrieel1007! Thanks for contributing to Express.

We likely do not need to add additional tests here. This behavior is already well covered in qs (see: ljharb/qs@3086902), and Express does not define an arrayLimit by default.

As a result, customization is left to the user. Any related testing should ideally be handled at the application level, according to their specific configuration and requirements.

Additionally, we will probably want to open a separate PR targeting the 4.x branch to upgrade the qs version as well, since this PR is intended to apply only to the Express 5 line.

[gabrieel1007]

@UlisesGascon
Thank you for your response.
The requested adjustments have been made.

[UlisesGascon]

The tests are failing due the changes on qs (see discussion on body-parser too expressjs/body-parser#687 (comment)).

  1) express.urlencoded()
       with extended option
         when false
           should parse multiple key instances:
     Error: expected '{"user":["Tobi","Loki"]}' response body, got '{"user":{"0":"Tobi","1":"Loki"}}'
      at Context.<anonymous> (test/express.urlencoded.js:106:12)
      at process.processImmediate (node:internal/timers:476:21)
      at process.callbackTrampoline (node:internal/async_hooks:128:17)
  ----
      at error (node_modules/supertest/lib/test.js:335:15)
      at Test._assertBody (node_modules/supertest/lib/test.js:206:16)
      at /home/runner/work/express/express/node_modules/supertest/lib/test.js:308:13
      at Test._assertFunction (node_modules/supertest/lib/test.js:285:13)
      at Test.assert (node_modules/supertest/lib/test.js:164:23)
      at Server.localAssert (node_modules/supertest/lib/test.js:120:14)
      at Object.onceWrapper (node:events:631:28)
      at Server.emit (node:events:517:28)
      at emitCloseNT (node:net:2221:8)
      at process.processTicksAndRejections (node:internal/process/task_queues:81:21)

cc: @expressjs/express-tc

[gabrieel1007]

Os testes estão falhando devido às alterações no qs (veja também a discussão sobre body-parser expressjs/body-parser#687 (comentário) ).

  1) express.urlencoded()
       with extended option
         when false
           should parse multiple key instances:
     Error: expected '{"user":["Tobi","Loki"]}' response body, got '{"user":{"0":"Tobi","1":"Loki"}}'
      at Context.<anonymous> (test/express.urlencoded.js:106:12)
      at process.processImmediate (node:internal/timers:476:21)
      at process.callbackTrampoline (node:internal/async_hooks:128:17)
  ----
      at error (node_modules/supertest/lib/test.js:335:15)
      at Test._assertBody (node_modules/supertest/lib/test.js:206:16)
      at /home/runner/work/express/express/node_modules/supertest/lib/test.js:308:13
      at Test._assertFunction (node_modules/supertest/lib/test.js:285:13)
      at Test.assert (node_modules/supertest/lib/test.js:164:23)
      at Server.localAssert (node_modules/supertest/lib/test.js:120:14)
      at Object.onceWrapper (node:events:631:28)
      at Server.emit (node:events:517:28)
      at emitCloseNT (node:net:2221:8)
      at process.processTicksAndRejections (node:internal/process/task_queues:81:21)

cc: @expressjs/express-tc

@UlisesGascon
Okay, based on this test failure, should we:

• align the test with the new behavior?
• or maintain compatibility with the current behavior?

[jonchurch]

These tests are basically just asserting on body-parser behavior due to the pass through, so we fix it in body-parser and take both updates at the same time

we have a PR to update body-parser #6972

[gabrieel1007]

@jonchurch
All right, I'll be waiting,
Thanks for your response.

[UlisesGascon]

It is expected that Node@16 and/or Node@17 can fail (legacy). So far Node@18 and ahead are working as expected.

[bjohansebas]

It is expected that Node@16 and/or Node@17 can fail (legacy). So far Node@18 and ahead are working as expected.

I think it was due to caching issues that it kept failing; I reran the tests and now they pass.