Phase 0: prepare 1.0.0 baseline with CVE patches and CI

.github/workflows/ci.yml

@@ -0,0 +1,46 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  test:
+    name: Node ${{ matrix.node }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: ['18', '20', '22', '24']
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+      - run: npm install --legacy-peer-deps --no-audit --no-fund
+      - run: node ./node_modules/mocha/bin/_mocha test
+      - run: node test/smoke-floor.js
+
+  floor:
+    name: Engines floor (Node ${{ matrix.node }} via Docker)
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: ['0.10', '0.12', '4', '6', '8', '10', '12', '14', '16']
+    steps:
+      - uses: actions/checkout@v4
+      - name: Smoke test on Node ${{ matrix.node }}
+        run: docker run --rm -v "$PWD":/app -w /app node:${{ matrix.node }} sh -c 'node test/smoke-floor.js'
+
+  audit:
+    name: npm audit (runtime only)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+      - run: npm audit --omit=dev || echo "audit reports issues; review required"

.gitignore

@@ -1 +1,13 @@
 node_modules
+coverage/
+dist/
+.nyc_output/
+
+CLAUDE.md
+.claude/
+*.claude-plan.md
+.tool-versions
+
+.DS_Store
+*.swp
+*.swo

MIT-LICENSE.txt → LICENSE

@@ -1,3 +1,5 @@
+The MIT License (MIT)
+
 Copyright 2014 Edward Smit and other contributors
 https://github.com/edwardsmit/
 
@@ -19,3 +21,21 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+---
+
+Portions of this software are derived from:
+
+jQuery (`lib/param.js` is adapted from jQuery's `$.param`)
+Copyright 2014 jQuery Foundation and other contributors
+http://jquery.com/
+
+Licensed under the MIT License (text identical to the above).
+
+---
+
+jquery-bbq (`lib/deparam.js` is adapted from Ben Alman's jquery-bbq)
+Copyright (c) 2013 AceMetrix
+Copyright (c) 2010 "Cowboy" Ben Alman
+
+Licensed under the MIT License (text identical to the above).

README.md

@@ -29,9 +29,11 @@ deparam(paramStr).should.deep.equal(paramsObj);
 Install
 ==============
 ```
-npm install git://github.com/edwardsmit/node-qs-serialization.git
+npm install node-qs-serialization
 ```
 
+(Or from source: `npm install github:edwardsmit/node-qs-serialization`.)
+
 Usage
 ===============
 ```
@@ -41,6 +43,15 @@ var paramsObj = deparam(querystring);
 var querystring = param(paramsObj);
 ```
 
+### `deparam(querystring, coerce = true, maxDepth = 5)`
+
+- `coerce` — when `true` (default), strings `"true"`, `"false"`, `"null"`, `"undefined"` and numeric values are converted to their JS equivalents.
+- `maxDepth` — caps nested bracket depth (default `5`). Parameters whose key path exceeds this depth are silently dropped. Keys equal to `__proto__`, `constructor`, or `prototype` are always rejected to prevent prototype pollution.
+
+Security
+===============
+See [SECURITY.md](./SECURITY.md) for disclosure policy.
+
 License
 ===============
-MIT
+MIT — see [LICENSE](./LICENSE) for full text including the attributions to jQuery and jquery-bbq from which `param` and `deparam` are adapted.

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| 1.x     | yes       |
+| 0.0.x   | no — legacy, please upgrade |
+
+## Reporting a Vulnerability
+
+Report security issues privately via GitHub Security Advisories:
+https://github.com/edwardsmit/node-qs-serialization/security/advisories/new
+
+Or by email: edwardsmit@xs4all.nl
+
+Please do not open public issues for security reports. Expect an initial response within 14 days.

lib/deparam.js

@@ -1,6 +1,10 @@
 /* global unescape */
 'use strict';
-exports.deparam = function(params, coerce) {
+
+var DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
+var DEFAULT_MAX_DEPTH = 5;
+
+exports.deparam = function(params, coerce, maxDepth) {
   var obj = {};
   var coerceTypes = {
     true: !0,
@@ -14,6 +18,9 @@ exports.deparam = function(params, coerce) {
   if (typeof coerce === 'undefined') {
     coerce = true;
   }
+  if (typeof maxDepth !== 'number' || maxDepth < 1) {
+    maxDepth = DEFAULT_MAX_DEPTH;
+  }
 
   function safeDecodeURIComponent(component) {
     var returnvalue = '';
@@ -51,6 +58,14 @@ exports.deparam = function(params, coerce) {
       // Basic 'foo' style key.
       keysLast = 0;
     }
+    if (keys.length > maxDepth) {
+      return;
+    }
+    for (var dk = 0; dk <= keysLast; dk++) {
+      if (DANGEROUS_KEYS.indexOf(keys[dk]) !== -1) {
+        return;
+      }
+    }
     // Are we dealing with a name=value pair, or just a name?
     if (param.length === 2) {
       val = safeDecodeURIComponent(param[1]);