build(deps): bump qs, express, @cypress/request, node-red and body-parser

[dependabot]

Bumps qs to 6.15.2 and updates ancestor dependencies qs, express, @cypress/request, node-red and body-parser. These dependencies need to be updated together.

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates express from 4.22.1 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

• fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
  • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
• deps: qs@~6.15.1
• deps: body-parser@~1.20.5

New Contributors

• @​suuuuuuminnnnnn made their first contribution in expressjs/express#7021
• @​SAY-5 made their first contribution in expressjs/express#7181

Full Changelog: expressjs/express@v4.22.1...v4.22.2

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

• fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
  • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
• deps: qs@~6.15.1
• deps: body-parser@~1.20.5

Commits

• df0abc9 4.22.2
• 836d366 4.x update qs to 6.15.1, body-parser 1.20.5 (#7224)
• 8d09bfe fix: restore array parsing for req.query repeated keys (#7181)
• d39e8ad deps: body-parser@~1.20.4 (#7021)
• efe85d9 deps: qs@^6.14.1 (#6972)
• f62378e 📝 add note to history
• See full diff in compare view

Updates @cypress/request from 4.0.0 to 4.0.1

Release notes

Sourced from @​cypress/request's releases.

v4.0.1

4.0.1 (2026-05-28)

Bug Fixes

• deps: bump qs to ^6.15.2 (CVE-2026-8723) (#107) (c1d4c52)

Commits

• c1d4c52 fix(deps): bump qs to ^6.15.2 (CVE-2026-8723) (#107)
• See full diff in compare view

Updates node-red from 4.1.10 to 4.1.11

Release notes

Sourced from node-red's releases.

4.1.11: Maintenance Release

What's Changed

• Remove debug console.log from externalModules by @​Autre31415 in node-red/node-red#5737
• Ensure subsequent calls to the node editor can open by @​Steve-Mcl in node-red/node-red#5734
• Sanitize all args passed to projects/git api by @​knolleary in node-red/node-red#5768
• Typo fixes by @​bonanitech in node-red/node-red#5767
• Fix box-shadow property value by @​bonanitech in node-red/node-red#5764
• Add description tooltips to palette categories by @​knolleary in node-red/node-red#5769
• Allow theme plugin to override node categories by @​knolleary in node-red/node-red#5770
• Update dependencies by @​knolleary in node-red/node-red#5772
• Update mermaid in dev dependencies by @​knolleary in node-red/node-red#5775
• Add styles to prevent controls wrapping in find bar by @​Steve-Mcl in node-red/node-red#5779
• Bump for 4.1.11 release by @​knolleary in node-red/node-red#5781

New Contributors

• @​Autre31415 made their first contribution in node-red/node-red#5737

Full Changelog: node-red/node-red@4.1.10...4.1.11

Changelog

Sourced from node-red's changelog.

4.1.11: Maintenance Release

• Add styles to prevent controls wrapping in find bar (#5779) @​Steve-Mcl
• Update mermaid in dev dependencies (#5775) @​knolleary
• Update dependencies (#5772) @​knolleary
• Allow theme plugin to override node categories (#5770) @​knolleary
• Add description tooltips to palette categories (#5769) @​knolleary
• Fix box-shadow property value (#5764) @​bonanitech
• Typo fixes (#5767) @​bonanitech
• Sanitize all args passed to projects/git api (#5768) @​knolleary
• Ensure subsequent calls to the node editor can open (#5734) @​Steve-Mcl
• Remove debug console.log from externalModules (#5737) @​Autre31415

Commits

• 74a5cf8 Merge pull request #5781 from node-red/rel4111
• b6af72a Bump for 4.1.11 release
• 3957596 Merge pull request #5779 from node-red/5778-monaco-search-controls
• a8a224a Add styles to prevent controls wrapping in find bar
• 37f5719 Merge pull request #5775 from node-red/update-mermaid
• 3c4e315 Update mermaid
• 3b23e0a Merge pull request #5772 from node-red/update-deps
• 4cdc5b4 Update dependencies
• 872c0d2 Merge pull request #5770 from node-red/5766-palette-overrides
• a5bff63 Merge branch 'master' into 5766-palette-overrides
• Additional commits viewable in compare view

Updates body-parser from 1.20.4 to 1.20.5

Release notes

Sourced from body-parser's releases.

v1.20.5

What's Changed

The reason for this release is a fix to the extended urlencoded parser returning objects instead of arrays for large array inputs (> 100) on qs@6.14.2+. (expressjs/body-parser#716)

• refactor(json): simplify strict mode error string construction by @​jonchurch in expressjs/body-parser#692
• fix: correct off-by-one error in parameterCount by @​abhu85 in expressjs/body-parser#716
• deps(qs): bump qs to 6.15.1 by @​jonchurch in expressjs/body-parser#722
• Release: 1.20.5 by @​jonchurch in expressjs/body-parser#721

New Contributors

• @​abhu85 made their first contribution in expressjs/body-parser#716

Special thanks to triager @​krzysdz for keeping this on our radar and effectively triaging the specific issue!

Full Changelog: expressjs/body-parser@1.20.4...1.20.5

Changelog

Sourced from body-parser's changelog.

1.20.5 / 2026-04-24

• refactor(json): simplify strict mode error string construction
• fix: extended urlencoded parsing of arrays with >100 elements (#716)
• deps: qs@~6.15.1

Commits

• 0defdbe release(patch): 1.20.5
• cd0e7a0 deps(qs): bump qs to 6.15.1
• 6f24d7e fix: correct off-by-one error in parameterCount (#716)
• b849bd5 deps: qs@~6.14.1 (#690)
• 2c55e2f refactor(json): simplify strict mode error string construction (#692)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for body-parser since your current version.

[hardillb]

@dependabot rebase