From 834389afb51ac8cc03a22a0c76604c65776dc468 Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Sun, 9 Jan 2022 22:31:44 -0800
Subject: [PATCH] v6.7.3

---
 CHANGELOG.md   | 13 +++++++++++++
 component.json |  4 ++--
 dist/qs.js     | 23 +++++++++++++++++------
 package.json   |  2 +-
 4 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47e0e93a..083e220a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,16 @@
+## **6.7.3**
+- [Fix] `parse`: ignore `__proto__` keys (#428)
+- [Fix] `stringify`: avoid encoding arrayformat comma when `encodeValuesOnly = true` (#424)
+- [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
+- [readme] remove travis badge; add github actions/codecov badges; update URLs
+- [Docs] add note and links for coercing primitive values (#408)
+- [meta] fix README.md (#399)
+- [meta] do not publish workflow files
+- [actions] backport actions from main
+- [Dev Deps] backport updates from main
+- [Tests] use `nyc` for coverage
+- [Tests] clean up stringify tests slightly
+
 ## **6.7.2**
 - [Fix] proper comma parsing of URL-encoded commas (#361)
 - [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)
diff --git a/component.json b/component.json
index e686cd24..626dc74c 100644
--- a/component.json
+++ b/component.json
@@ -1,8 +1,8 @@
 {
     "name": "qs",
-    "repository": "hapijs/qs",
+    "repository": "ljharb/qs",
     "description": "query-string parser / stringifier with nesting support",
-    "version": "6.5.0",
+    "version": "6.7.3",
     "keywords": ["querystring", "query", "parser"],
     "main": "lib/index.js",
     "scripts": [
diff --git a/dist/qs.js b/dist/qs.js
index 48bf862f..9120f431 100644
--- a/dist/qs.js
+++ b/dist/qs.js
@@ -188,7 +188,7 @@ var parseObject = function (chain, val, options, valuesParsed) {
             ) {
                 obj = [];
                 obj[index] = leaf;
-            } else {
+            } else if (cleanRoot !== '__proto__') {
                 obj[cleanRoot] = leaf;
             }
         }
@@ -329,6 +329,7 @@ var arrayPrefixGenerators = {
 };
 
 var isArray = Array.isArray;
+var split = String.prototype.split;
 var push = Array.prototype.push;
 var pushToArray = function (arr, valueOrArray) {
     push.apply(arr, isArray(valueOrArray) ? valueOrArray : [valueOrArray]);
@@ -392,6 +393,14 @@ var stringify = function stringify(
     if (typeof obj === 'string' || typeof obj === 'number' || typeof obj === 'boolean' || utils.isBuffer(obj)) {
         if (encoder) {
             var keyValue = encodeValuesOnly ? prefix : encoder(prefix, defaults.encoder, charset);
+            if (generateArrayPrefix === 'comma' && encodeValuesOnly) {
+                var valuesArray = split.call(String(obj), ',');
+                var valuesJoined = '';
+                for (var i = 0; i < valuesArray.length; ++i) {
+                    valuesJoined += (i === 0 ? '' : ',') + formatter(encoder(valuesArray[i], defaults.encoder, charset));
+                }
+                return [formatter(keyValue) + '=' + valuesJoined];
+            }
             return [formatter(keyValue) + '=' + formatter(encoder(obj, defaults.encoder, charset))];
         }
         return [formatter(prefix) + '=' + formatter(String(obj))];
@@ -411,8 +420,9 @@ var stringify = function stringify(
         objKeys = sort ? keys.sort(sort) : keys;
     }
 
-    for (var i = 0; i < objKeys.length; ++i) {
-        var key = objKeys[i];
+    for (var j = 0; j < objKeys.length; ++j) {
+        var key = objKeys[j];
+        var value = typeof key === 'object' && typeof key.value !== 'undefined' ? key.value : obj[key];
 
         if (skipNulls && obj[key] === null) {
             continue;
@@ -420,7 +430,7 @@ var stringify = function stringify(
 
         if (isArray(obj)) {
             pushToArray(values, stringify(
-                obj[key],
+                value,
                 typeof generateArrayPrefix === 'function' ? generateArrayPrefix(prefix, key) : prefix,
                 generateArrayPrefix,
                 strictNullHandling,
@@ -436,7 +446,7 @@ var stringify = function stringify(
             ));
         } else {
             pushToArray(values, stringify(
-                obj[key],
+                value,
                 prefix + (allowDots ? '.' + key : '[' + key + ']'),
                 generateArrayPrefix,
                 strictNullHandling,
@@ -461,7 +471,7 @@ var normalizeStringifyOptions = function normalizeStringifyOptions(opts) {
         return defaults;
     }
 
-    if (opts.encoder !== null && opts.encoder !== undefined && typeof opts.encoder !== 'function') {
+    if (opts.encoder !== null && typeof opts.encoder !== 'undefined' && typeof opts.encoder !== 'function') {
         throw new TypeError('Encoder has to be a function.');
     }
 
@@ -752,6 +762,7 @@ var encode = function encode(str, defaultEncoder, charset) {
 
         i += 1;
         c = 0x10000 + (((c & 0x3FF) << 10) | (string.charCodeAt(i) & 0x3FF));
+        /* eslint operator-linebreak: [2, "before"] */
         out += hexTable[0xF0 | (c >> 18)]
             + hexTable[0x80 | ((c >> 12) & 0x3F)]
             + hexTable[0x80 | ((c >> 6) & 0x3F)]
diff --git a/package.json b/package.json
index e892df2d..58e44965 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.7.2",
+    "version": "6.7.3",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"