[Snyk] Security upgrade qs from 6.5.1 to 6.5.3

[john-goldsmith]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	768/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-QS-3153490	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: qs

The new version differs by 31 commits.

• 298bfa5 v6.5.3
• ed0f5dc [Fix] `parse`: ignore `__proto__` keys (#428)
• 691e739 [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• f814a7f [Dev Deps] backport from main
• fd950b0 [Tests] always use `String(x)` over `x.toString()`
• 31bcb32 [Fix] `utils.merge`: avoid a crash with a null target and an array source
• 98c93d6 [Refactor] `utils`: reduce observable [[Get]]s
• 49ad67f [Fix]` `utils.merge`: avoid a crash with a null target and a truthy non-array source
• ef27de4 [Refactor] use cached `Array.isArray`
• 107c302 [Docs] Clarify the need for "arrayLimit" option
• fafc2d2 [Fix] correctly parse nested arrays
• 55d217b [refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance (#269)
• c1c2a9d [Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` (#279)
• d1d1a97 [Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
• b6956c9 [Tests] remove nonexistent tape option
• f85bce6 [Fix] when `parseArrays` is false, properly handle keys ending in `[]`
• eee72e3 [Tests] up to `node` `v10.1`, `v9.11`, `v8.11`, `v6.14`, `v4.9`; pin included builds to LTS
• 1bfe04c [Refactor] `parse`: only need to reassign the var once

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution