expressjs / body-parser

Node.js body parsing middleware

Why is qs locked at 6.7.0?

jahed opened this issue · comments

Hi,

I was going through my project dependencies and noticed I had a duplicate qs. qs@6.9.4 is out and most of my dependencies use it. However, express and body-parser have a hard dependency on qs@6.7.0. Express says it does it because body-parser does it. I looked through body-parser (code search and issues) and there doesn't seem to be an obvious reason for it.

So my questions are:

  • Why does body-parser use qs@6.7.0 instead of qs@^6.7.0 (caret)?
  • Is there anything that can be done to unlock it?

Thanks.

expressjs/express#4171 (comment)
expressjs/express#4172 (comment)

I have just noticed the commit to push it to qs@6.9.3, which isn't latest nor using carets so will still cause duplicates. So I guess my questions still stand. The latest release of express@4.17.1 uses a locked version of body-parser@1.19.0 that's locked on qs@6.7.0. Why is it so strict?

a0ac3e9

The issue is that qs makes accidental breaking changes or otherwise undesirable changes we need to work around before bumping. We also just generally fix deps we do not own to a specific version to address the security attack when a dep is compromised and a new version published to do something malicious.
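To make the exact-pin-versus-caret distinction concrete, here is an added example (not code from body-parser, Express or this thread) that classifies the version specifiers in a package.json and reports which dependencies are not pinned to one reviewed version. The `satisfies`, `classify` and `findUnpinned` names and the `SAMPLE_PKG` manifest are constructed for this illustration; the matcher covers only the exact, caret (`^`) and tilde (`~`) shapes discussed above, which is enough to show that `^6.7.0` would silently accept a future 6.x publish while `6.7.0` would not.

```javascript
// Added example, not part of body-parser or Express: classify the version
// specifiers in a package.json and report which ones are exact pins.
// An exact pin ("6.7.0") only ever installs the version the maintainer
// reviewed; a caret range ("^6.7.0") lets a fresh install pick up any
// newer 6.x release, including one published from a compromised account.

// Parse "X.Y.Z" into numbers; returns null for anything that is not a
// plain release version (prerelease tags, wildcards, git URLs, etc.).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two parsed versions: negative, zero or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver matcher for the three specifier shapes at issue here.
// exact:  only the stated version
// tilde:  >= base and < next minor
// caret:  >= base and < next major (or next minor / patch when the
//         leading component is 0, per the semver caret rules)
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  const r = range.trim();
  const op = /^[\^~]/.test(r) ? r[0] : '';
  const base = parseVersion(r.slice(op.length));
  if (!base) return false; // unsupported specifier shape
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, upper) < 0;
}

// Label a specifier as 'exact', 'caret', 'tilde' or 'other'.
function classify(range) {
  const r = range.trim();
  if (parseVersion(r)) return 'exact';
  if (/^[\^~]/.test(r) && parseVersion(r.slice(1))) {
    return r[0] === '^' ? 'caret' : 'tilde';
  }
  return 'other';
}

// Names (sorted) of runtime dependencies whose specifier is not an exact pin.
function findUnpinned(pkg) {
  const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies);
  return Object.keys(deps).filter((n) => classify(deps[n]) !== 'exact').sort();
}

// Constructed sample manifest (made up for this example, not a real project).
const SAMPLE_PKG = {
  name: 'sample-app',
  dependencies: {
    'body-parser': '1.19.0',
    qs: '^6.7.0',
    'some-lib': '~2.1.0',
    'other-lib': 'github:someone/other-lib',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('^6.7.0 accepts 6.9.4:', satisfies('6.9.4', '^6.7.0'));
  console.log('6.7.0 accepts 6.9.4:', satisfies('6.9.4', '6.7.0'));
  console.log('not exactly pinned:', findUnpinned(SAMPLE_PKG));
}
```

Run against a real manifest by replacing `SAMPLE_PKG` with `JSON.parse(fs.readFileSync('package.json'))`; the point of the check is that every entry reported as non-exact is one where a new upstream publish changes what a clean install gets without any change to your own repository.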

Good to know. I was wondering if qs had any version differences that I wasn't aware of but in this case it's a matter of having full control over stability. Which makes sense considering Express' popularity.

Right. And apologies on the 6.9.3 not being released; it seemed all the changes were related to serialization and not to parsing (which is the only part body-parser & express uses), so it didn't end up as any sort of "need to make a release" task. But if you would like 6.9.3 (or 6.9.4, also looks like just stringify changes) in a released version, we can always make that happen.

No worries on pushing a release if no one else wants it. I can easily use the resolutions field in my package.json to bump the qs version express/body-parser uses to dedupe it (and take responsibility for any issues I encounter by doing so).