Bump qs, express and firebase-tools

[dependabot]

Bumps qs to 6.15.2 and updates ancestor dependencies qs, express and firebase-tools. These dependencies need to be updated together.

Updates qs from 6.5.3 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols

... (truncated)

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates express from 4.21.2 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

• fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
  • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
• deps: qs@~6.15.1
• deps: body-parser@~1.20.5

New Contributors

• @​suuuuuuminnnnnn made their first contribution in expressjs/express#7021
• @​SAY-5 made their first contribution in expressjs/express#7181

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

• fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
  • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
• deps: qs@~6.15.1
• deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

Commits

• df0abc9 4.22.2
• 836d366 4.x update qs to 6.15.1, body-parser 1.20.5 (#7224)
• 8d09bfe fix: restore array parsing for req.query repeated keys (#7181)
• d39e8ad deps: body-parser@~1.20.4 (#7021)
• efe85d9 deps: qs@^6.14.1 (#6972)
• f62378e 📝 add note to history
• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• Additional commits viewable in compare view

Updates firebase-tools from 8.20.0 to 15.20.0

Release notes

Sourced from firebase-tools's releases.

v15.20.0

• Removed the prompt and backend deletion of Data Connect services during firebase deploy. (#10619)
• Fixes firebase init dataconnect failing with ENOEXEC when creating a new template app on some operating systems. (#10616)
• Support setting the Google Cloud Storage (GCS) test results bucket in apptesting:execute and appdistribution:distribute

v15.19.1

• Updated Firebase SQL Connect genAI features to use new Agent Service API
• Updated the Firebase Data Connect local toolkit to v3.4.10, which includes the following changes:
  • Extended client cache consistency validation to include conflicts with schema field names.

v15.19.0

• Updated Pub/Sub emulator to version 0.8.32
• Added support for 6 more iD providers in auth:import and auth:export commands
• Fixed issue where auth:export didn't escape double quotes for CSV format. (#3484)
• Fixes CloudSQLConnectorError: The connector was closed unhandled exception during Data Connect deployments. (#10555)
• Updated the Firebase Data Connect local toolkit to v3.4.9, which includes the following changes: (#10567)
  • Added support for nested mutations for literals and also variables that define an incomplete set of fields.
  • Fixed an issue in the JS Generated SDK where QueryFetchPolicy wasn't being respected.

v15.18.0

• Updated Pub/Sub emulator to version 0.8.31
• Resolves undefined regions earlier, during the build to backend resolution phase (#10471)
• Updated the Firebase Data Connect local toolkit to v3.4.8, which includes the following changes:
  • Fixed an issue in Dart code generation where nullable BigInt was not handled correctly.
  • Added support for nested 1:Many relational batch inserts.
  • Updated the Golang dependency version to 1.25.10.
• Default timeout for Dart functions is now 60 seconds when not explicitly set (#10501)
• Support secret environment variables for Cloud Run functions (#10489)
• Set requiredProjectBindings in AI Logic services (#10503)

v15.17.0

• Added support for creating search indexes for Firestore. (#10431)
• Fixed an issue where some MCP tools would error with "Invalid input: expected record, received array". (#10437)
• Fixed an issue causing errors when multiple Firestore databases were configured in firebase.json (#8114)
• Updated the Firebase Data Connect local toolkit to v3.4.7, which includes the following changes: (#10461)
  • Fix emulator crash when using uuidv4() on operations.
  • Support for _Data input types as variables with @allow(fields, maxCount) to constraint the input JSON, enabling batch mutations in admin SDK. Client SDK support will come soon.
• Increase supported range for Next.js to version 16.0 (#9463)
• Updated Cloud Function default resource locations. This does not affect existing functions. (#10414)
• Added warning for cross-region event triggers (#10408)

v15.16.0

• Updated Firestore Emulator to v1.21.0, which adds support for subqueries and new stages like let(...), as well as allowing setting database-edition per-database.
• Suppressed the 'punycode' deprecation warning during firebase deploy on Node 22. (#10385)
• Fixed an issue where hosting deploy allowed publishing to a site in a different project. (#10376)
• Added SSE mode support to firebase mcp. To use it, run firebase mcp --mode=sse --port=3000, and connect your client on http://localhost:3000.
• Update the valid Python runtimes for functions. Default Python runtime is now Python 3.14.
• Fix CLI non-interactive mode for dataconnect init (#10401)
• Fixed issue where rules for non-default Firestore databases were not being deployed correctly.
• Suppress SSR warning for non-SSR Angular projects on init hosting (#10364)

... (truncated)

Commits

• 978a2ef 15.20.0
• 74f62c6 Add changelog entry for PR #10619 (#10622)
• 5aff739 fix: update dependencies in integration script packages to remediate vulnerab...
• 6b9723e Remove Data Connect service deletion logic on deploy (#10619)
• 07931cf fix: update dependencies in standalone bundler to remediate vulnerabilities (...
• 073a953 fix: use cross-spawn to avoid exec format errors when creating dataconnect ap...
• 7657d15 Update version of telemetry admin api (#10617)
• 1657829 fix: update dependencies in firebase-vscode to remediate vulnerabilities (#10...
• 7f54806 fix mistake in class initialization for ailogic (#10570)
• b665c53 Add --results-bucket update to CHANGELOG.md (#10604)
• Additional commits viewable in compare view