ljharb

ljharb/qs

JavaScript BSD-3-Clause Web Dev Single maintainer risk

A querystring parser and serializer with nesting support

8.9k stars
888 forks
active
GitHub +1 / week

8.9k

Stars

888

Forks

72

Open issues

30

Contributors

AI Analysis

qs is a mature querystring parser and serializer with nesting support for Node.js and browsers. It specializes in parsing complex nested query parameters with security-focused features like prototype pollution protection. Used widely by web frameworks and HTTP clients that need robust URL parameter handling.

Web Dev Library Discovery value: 2/10
Documentation 8/10
Activity 9/10
Community 9/10
Code quality 8/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

querystring-parsing url-encoding security-hardened node-ecosystem browser-compatible
Actively maintained Popular Well documented Niche/specialized use case Beginner friendly Production ready
Deep Analysis · Based on README and public signals
2w ago

qs: The battle-tested querystring parser powering Node.js ecosystems at massive scale

qs is a querystring parsing and serializing library for JavaScript/Node.js with first-class support for nested objects via bracket notation. It is the direct dependency of Express, body-parser, and many other foundational Node.js packages, making it one of the most downloaded npm packages globally (consistently >100M downloads/week). Built for server-side Node.js developers who need reliable, safe handling of user-supplied query strings — including protection against prototype pollution and DoS via nesting depth limits. Currently maintained by Jordan Harband, a prominent TC39/open-source steward.

Origin

Originally created by TJ Holowaychuk around 2010 as part of the node-querystring project, qs was later moved to the `hapijs` organization and then to `ljharb`. It predates and heavily influenced how Express and the broader Node.js ecosystem handle query strings.

Growth

Growth is not star-driven — it is dependency-driven. qs became embedded in Express and body-parser early in Node.js history, which means virtually every Express application on npm depends on it transitively. Star count (~8,940) massively underrepresents actual usage. Download volume has remained at hundreds of millions per week for years, sustained entirely by the npm dependency graph rather than active discovery.

In production

qs is a transitive dependency of Express.js, body-parser, and dozens of other foundational npm packages. npm download statistics consistently place it among the top 20 most downloaded packages globally, typically exceeding 100M downloads per week. Production usage at scale is extensively verified through the npm dependency graph.

Code analysis
Architecture

Appears to be a pure JavaScript library with no runtime dependencies, exposing a simple parse/stringify API. Likely implemented as a single-pass tokenizer with recursive object construction. Security features (depth limiting, parameter count limiting, prototype pollution protection) are explicitly documented in the README, suggesting they are first-class concerns in the implementation.

Tests

README references a CodeCov badge, indicating automated coverage tracking is in place. The CII Best Practices badge suggests the project meets formal open-source security and quality criteria, which typically includes test coverage requirements. Exact coverage percentage not stated in the README excerpt.

Maintenance

Last push was 2026-06-23 — the same day as the evaluation date — indicating active, continuous maintenance. The project is maintained by Jordan Harband, who has a strong track record of long-term stewardship of foundational JavaScript libraries. Active GitHub Actions CI is referenced. This is a mature, actively maintained project, not merely stagnant.

Honest verdict

ADOPT IF: you are building Node.js/Express applications or any server-side JavaScript that requires parsing nested query strings with bracket notation, or if you need explicit control over depth limits and prototype pollution protection. AVOID IF: you only need flat key-value query string parsing in a browser-first or ESM-only project where URLSearchParams or query-string would suffice with fewer bytes. MONITOR IF: you are evaluating whether native URLSearchParams improvements in future Node.js/browser versions might eliminate the need for this dependency in your specific use case.

Independent dimensions

Mainstream potential

4/10

Technical importance

7/10

Adoption evidence

10/10

Risks
  • The library is deeply embedded in the npm dependency graph, meaning any security vulnerability (e.g., prototype pollution bypass) would have very high blast radius across the ecosystem — though the maintainer has historically responded quickly to such issues.
  • Maintenance currently depends heavily on a single maintainer (Jordan Harband). Bus-factor risk exists, though his track record is strong and the library is stable enough that maintenance burden is low.
  • Native URLSearchParams continues to improve and may eventually cover enough use cases to reduce qs adoption at the margins, particularly for simpler use cases.
  • The bracket-notation nesting format is not a web standard, which may cause interoperability issues with non-Node.js backends or strict URL parsers.
  • As Express.js itself matures and competes with newer frameworks (Fastify, Hono, etc.) that may use different query string approaches, the indirect dependency pull from Express could gradually diminish over a long time horizon.
Prediction

qs will remain a critical piece of npm infrastructure for the foreseeable future. Its fate is tied to Express.js adoption, which remains vast. Gradual, slow decline in net-new adoption is plausible as modern frameworks and native APIs mature, but displacement within the next 5 years appears unlikely.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

JavaScript
100%

Information

Language
JavaScript
License
BSD-3-Clause
Last updated
1w ago
Created
146mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Recent releases

No releases published yet.

Similar repos

sindresorhus

sindresorhus/query-string

query-string is a mature, well-adopted npm package for parsing and stringifying...

6.9k JavaScript Web Dev
47ng

47ng/nuqs

nuqs is a type-safe state manager for React that stores component state in URL...

10.7k TypeScript Web Dev
yahoo

yahoo/serialize-javascript

Serialize JavaScript to an extended JSON format that includes functions,...

2.9k JavaScript Web Dev
hiddentao

hiddentao/squel

Squel is a SQL query string builder for JavaScript and TypeScript that...

1.6k TypeScript Dev Tools
vs. alternatives
sindresorhus/query-string

query-string is ESM-first, more opinionated, and aims for strict URL spec compliance. It lacks bracket-notation nesting support by default, making it a different tradeoff. Better for browser-first or ESM projects; qs is better for Express/Node.js server-side use or where bracket nesting is required.

URLSearchParams (built-in)

Native URLSearchParams is available in modern Node.js and browsers without any dependency. It handles flat key-value pairs well but does not support nested object notation. qs remains necessary when bracket-notation nesting or advanced serialization options are required.

47ng/nuqs

nuqs is a React/Next.js-specific library for type-safe URL state management — a fundamentally different problem (UI state in URLs) vs. raw query string parsing. Not a direct competitor.

yahoo/serialize-javascript

serialize-javascript serializes arbitrary JavaScript values to a string safe for embedding in HTML/JS contexts — a different problem domain entirely. Not a direct competitor to qs.