From 3d644c51e77c12c1405793a16b0d37d562d50609 Mon Sep 17 00:00:00 2001
From: Gabriel Alves
Date: Fri, 2 Jan 2026 13:09:37 -0300
Subject: [PATCH 1/4] chore(dependecies): update version lib qs to 6.14.1
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 8f358830d97..aa2afbcb543 100644
--- a/package.json
+++ b/package.json
@@ -52,7 +52,7 @@
 "once": "^1.4.0",
 "parseurl": "^1.3.3",
 "proxy-addr": "^2.0.7",
- "qs": "^6.14.0",
+ "qs": "^6.14.1",
 "range-parser": "^1.2.1",
 "router": "^2.2.0",
 "send": "^1.1.0",
From 767282862200620701fa47ec294c8a1d35faaad6 Mon Sep 17 00:00:00 2001
From: Gabriel Alves
Date: Fri, 2 Jan 2026 13:38:21 -0300
Subject: [PATCH 2/4] test: add tests for query parser arrayLimit in bracket notation
---
 test/req.query.js | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/test/req.query.js b/test/req.query.js
index c0d3c8376e9..6e907094213 100644
--- a/test/req.query.js
+++ b/test/req.query.js
@@ -88,6 +88,44 @@ describe('req', function(){
 /unknown value.*query parser/)
 });
 });
+
+ var qs = require('qs');
+
+ describe('when "query parser" enforces arrayLimit on bracket notation', function () {
+ it('should returns 500 when throwOnLimitExceeded is enabled and limit is surpassed', function (done) {
+ var app = createApp(
+ function (str) {
+ return qs.parse(str, { allowPrototypes: true, arrayLimit: 2, throwOnLimitExceeded: true } );
+ }
+ );
+
+ request(app)
+ .get('/?a[]=1&a[]=2&a[]=3')
+ .expect(function (res) {
+ if (Array.isArray(res.body.a) && res.body.a.length > 2) {
+ throw new Error('arrayLimit ignored for bracket notation');
+ }
+ })
+ .expect(500, done);
+ });
+
+ it('allows arrays up to the arrayLimit without error', function (done) {
+ var app = createApp(
+ function (str) {
+ return qs.parse(str, { allowPrototypes: true, arrayLimit: 2 } );
+ }
+ );
+
+ request(app)
+ .get('/?a[]=1&a[]=2&a[]=3')
+ .expect(function (res) {
+ if (Array.isArray(res.body.a) && res.body.a.length > 2) {
+ throw new Error('arrayLimit ignored for bracket notation');
+ }
+ })
+ .expect(200, done);
+ });
+ });
 })
 })
From ffeab4f00e591859c8321f38bf1b76f106f1571f Mon Sep 17 00:00:00 2001
From: Gabriel Alves
Date: Fri, 2 Jan 2026 13:59:28 -0300
Subject: [PATCH 3/4] refactor(dependencies): reorganize imports at top of file
---
 test/req.query.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/test/req.query.js b/test/req.query.js
index 6e907094213..56de086d591 100644
--- a/test/req.query.js
+++ b/test/req.query.js
@@ -3,6 +3,7 @@
 var assert = require('node:assert')
 var express = require('../')
 , request = require('supertest');
+var qs = require('qs');
 describe('req', function(){
 describe('.query', function(){
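Review bot: The second added test in the `@@ -88,6 +88,44 @@` hunk of PATCH 2/4 ('allows arrays up to the arrayLimit without error') sends three `a[]` values against `arrayLimit: 2`, so it exercises the over-limit path its title says it avoids, and its only body check, `Array.isArray(res.body.a) && res.body.a.length > 2`, passes for any non-array `a`, including a missing one. For the within-limit case I would request `.get('/?a[]=1&a[]=2')` and pin the result with `.expect(200, { a: ['1', '2'] }, done)`, assuming `createApp` (defined outside the hunk) echoes `req.query`; the over-limit case should assert the exact parsed shape as well. The same callback sits in the first test, where a 500 is expected and the response presumably carries no parsed query, so it checks nothing there. Both tests also hand their own `qs.parse` wrapper to `createApp`, so they check qs itself rather than Express's built-in query parsers, and `allowPrototypes: true` is not needed to test the limit.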
@@ -89,8 +90,6 @@ describe('req', function(){ }); }); - var qs = require('qs'); - describe('when "query parser" enforces arrayLimit on bracket notation', function () { it('should returns 500 when throwOnLimitExceeded is enabled and limit is surpassed', function (done) { var app = createApp( From 5c563591186d3a8c57404b019f352e71c71e2e06 Mon Sep 17 00:00:00 2001 From: Gabriel Alves Date: Sat, 3 Jan 2026 15:42:29 -0300 Subject: [PATCH 4/4] chore(tests): remove unnecessary test suite --- test/req.query.js | 37 ------------------------------------- 1 file changed, 37 deletions(-) diff --git a/test/req.query.js b/test/req.query.js index 56de086d591..c0d3c8376e9 100644 --- a/test/req.query.js +++ b/test/req.query.js @@ -3,7 +3,6 @@ var assert = require('node:assert') var express = require('../') , request = require('supertest'); -var qs = require('qs'); describe('req', function(){ describe('.query', function(){ 
@@ -89,42 +88,6 @@ describe('req', function(){
 /unknown value.*query parser/)
 });
 });
-
- describe('when "query parser" enforces arrayLimit on bracket notation', function () {
- it('should returns 500 when throwOnLimitExceeded is enabled and limit is surpassed', function (done) {
- var app = createApp(
- function (str) {
- return qs.parse(str, { allowPrototypes: true, arrayLimit: 2, throwOnLimitExceeded: true } );
- }
- );
-
- request(app)
- .get('/?a[]=1&a[]=2&a[]=3')
- .expect(function (res) {
- if (Array.isArray(res.body.a) && res.body.a.length > 2) {
- throw new Error('arrayLimit ignored for bracket notation');
- }
- })
- .expect(500, done);
- });
-
- it('allows arrays up to the arrayLimit without error', function (done) {
- var app = createApp(
- function (str) {
- return qs.parse(str, { allowPrototypes: true, arrayLimit: 2 } );
- }
- );
-
- request(app)
- .get('/?a[]=1&a[]=2&a[]=3')
- .expect(function (res) {
- if (Array.isArray(res.body.a) && res.body.a.length > 2) {
- throw new Error('arrayLimit ignored for bracket notation');
- }
- })
- .expect(200, done);
- });
- });
 })
 })