Update querystringify to 2.1.1 to fix core bug with uncaught exception

[niftylettuce]

v2.1.1 of querystringify was released which fixes an issue where it does not match Node's graceful fallback for decoding URI

unshiftio/querystringify@30e1d19

per Node's built-in:

By default, the querystring.unescape() method will attempt to use the JavaScript built-in decodeURIComponent() method to decode. If that fails, a safer equivalent that does not throw on malformed URLs will be used.

https://nodejs.org/api/querystring.html#querystring_querystring_unescape_str

[niftylettuce]

Also see unshiftio/querystringify#26

[niftylettuce]

Basically you can crash Node apps that use this package server-side in middleware by passing %%%% percent signs to the URL...

[3rd-Eden]

It's worth noting that the URL-parse library is designed to allow custom query string parsers instead of the bundled querystringify. So if the primary use-cases is usage on Node.js, and want better unescape fallback for the query strings it might be an option to do this.

[niftylettuce]

@3rd-Eden could you add a deprecation notice please? I just checked and there wasn't one there yet.

npm deprecate url-parse@"<1.4.7" "Please upgrade to v1.4.7+ as an uncaught exception bug in querystringify has been fixed and may cause a vulnerability in server-side route middleware"