new qs module packaged to npm, rev to version 1.0.0

[altsang]

New version of qs published to npm. Includes fixes for security issue from old repo like - tj/node-querystring#114

[coveralls]

Coverage remained the same when pulling 818d9b1 on altsang:rev-pkgjson-qs into 88b5a98 on strongloop:master.

[dougwilson]

Will express 3.x be updated as well? Joyent still supports Node.js 0.8 and since express 4 does not work with Node.js 0.8 and req.query cannot easily be turned off, it would be nice to see a security fix there.

If not, can there be some official word somewhere that express 3 is EOL and express no longer works on Node.js 0.8?

[altsang]

sure, will take a look at what can be done on 3.x

[raymondfeng]

LGTM for master.

express 3.x depends on connect 2.x's query middleware, which in turn depends on [email protected]. See https://github.com/senchalabs/connect/blob/2.x/package.json.

If we want to fix the issue in express 3.x, we'll have to land a patch to connect 2.x first.

@altsang Do you want to create a patch for connect 2.x? Latest version connect doesn't seem to have a qs dependency.

[altsang]

@raymondfeng go for it, i'll merge this and let Tom know what the game plan

[altsang]

patched connect 2.x, sent to @dougwilson , hopefully someone will review, then can update 3.x afterwards

[dougwilson]

reference: senchalabs/connect#1048

[chadxz]

express 3.16.0 https://github.com/strongloop/express/tree/3.16.0 includes connect 2.25.0 which contains the qs fix

(just putting this here for reference since I was looking at this ticket for how to resolve the qs thing for my project)