Research
PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials
A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.
By Kush Pandya - Jun 06, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
bms-query-string
Advanced tools
Parse and stringify URL query strings
Install
$ npm install query-string
Usage
const queryString = require('query-string');
console.log(location.search);
//=> '?foo=bar'
const parsed = queryString.parse(location.search);
console.log(parsed);
//=> {foo: 'bar'}
console.log(location.hash);
//=> '#token=bada55cafe'
const parsedHash = queryString.parse(location.hash);
console.log(parsedHash);
//=> {token: 'bada55cafe'}
parsed.foo = 'unicorn';
parsed.ilike = 'pizza';
const stringified = queryString.stringify(parsed);
//=> 'foo=unicorn&ilike=pizza'
location.search = stringified;
// note that `location.search` automatically prepends a question mark
console.log(location.search);
//=> '?foo=unicorn&ilike=pizza'
API
.parse(string, options?)
Parse a query string into an object. Leading ? or # are ignored, so you can pass location.search or location.hash directly.
The returned object is created with Object.create(null) and thus does not have a prototype.
options
Type: object
decode
Type: boolean
Default: true
Decode the keys and values. URL components are decoded with decode-uri-component.
arrayFormat
Type: string
Default: 'none'
'bracket': Parse arrays with bracket representation:
const queryString = require('query-string');
queryString.parse('foo[]=1&foo[]=2&foo[]=3', {arrayFormat: 'bracket'});
//=> {foo: ['1', '2', '3']}
'index': Parse arrays with index representation:
const queryString = require('query-string');
queryString.parse('foo[0]=1&foo[1]=2&foo[3]=3', {arrayFormat: 'index'});
//=> {foo: ['1', '2', '3']}
'comma': Parse arrays with elements separated by comma:
const queryString = require('query-string');
queryString.parse('foo=1,2,3', {arrayFormat: 'comma'});
//=> {foo: ['1', '2', '3']}
'none': Parse arrays with elements using duplicate keys:
const queryString = require('query-string');
queryString.parse('foo=1&foo=2&foo=3');
//=> {foo: ['1', '2', '3']}
sort
Type: Function | boolean
Default: true
Supports both Function as a custom sorting function or false to disable sorting.
parseNumbers
Type: boolean
Default: false
const queryString = require('query-string');
queryString.parse('foo=1', {parseNumbers: true});
//=> {foo: 1}
Parse the value as a number type instead of string type if it's a number.
parseBooleans
Type: boolean
Default: false
const queryString = require('query-string');
queryString.parse('foo=true', {parseBooleans: true});
//=> {foo: true}
Parse the value as a boolean type instead of string type if it's a boolean.
.stringify(object, options?)
Stringify an object into a query string and sorting the keys.
options
Type: object
strict
Type: boolean
Default: true
Strictly encode URI components with strict-uri-encode. It uses encodeURIComponent if set to false. You probably don't care about this option.
encode
Type: boolean
Default: true
URL encode the keys and values.
arrayFormat
Type: string
Default: 'none'
'bracket': Serialize arrays using bracket representation:
const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'bracket'});
//=> 'foo[]=1&foo[]=2&foo[]=3'
'index': Serialize arrays using index representation:
const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'index'});
//=> 'foo[0]=1&foo[1]=2&foo[2]=3'
'comma': Serialize arrays by separating elements with comma:
const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]}, {arrayFormat: 'comma'});
//=> 'foo=1,2,3'
'none': Serialize arrays by using duplicate keys:
const queryString = require('query-string');
queryString.stringify({foo: [1, 2, 3]});
//=> 'foo=1&foo=2&foo=3'
sort
Type: Function | boolean
Supports both Function as a custom sorting function or false to disable sorting.
const queryString = require('query-string');
const order = ['c', 'a', 'b'];
queryString.stringify({a: 1, b: 2, c: 3}, {
sort: (a, b) => order.indexOf(a) - order.indexOf(b)
});
//=> 'c=3&a=1&b=2'
const queryString = require('query-string');
queryString.stringify({b: 1, c: 2, a: 3}, {sort: false});
//=> 'b=1&c=2&a=3'
If omitted, keys are sorted using Array#sort(), which means, converting them to strings and comparing strings in Unicode code point order.
skipNull
Skip keys with null as the value.
Note that keys with undefined as the value are always skipped.
Type: boolean
Default: false
const queryString = require('query-string');
queryString.stringify({a: 1, b: undefined, c: null, d: 4}, {
skipNull: true
});
//=> 'a=1&d=4'
const queryString = require('query-string');
queryString.stringify({a: undefined, b: null}, {
skipNull: true
});
//=> ''
.extract(string)
Extract a query string from a URL that can be passed into .parse().
Note: This behaviour can be changed with the skipNull option.
.parseUrl(string, options?)
Extract the URL and the query string as an object.
The options are the same as for .parse().
Returns an object with a url and query property.
const queryString = require('query-string');
queryString.parseUrl('https://foo.bar?foo=bar');
//=> {url: 'https://foo.bar', query: {foo: 'bar'}}
Nesting
This module intentionally doesn't support nesting as it's not spec'd and varies between implementations, which causes a lot of edge cases.
You're much better off just converting the object to a JSON string:
const queryString = require('query-string');
queryString.stringify({
foo: 'bar',
nested: JSON.stringify({
unicorn: 'cake'
})
});
//=> 'foo=bar&nested=%7B%22unicorn%22%3A%22cake%22%7D'
However, there is support for multiple instances of the same key:
const queryString = require('query-string');
queryString.parse('likes=cake&name=bob&likes=icecream');
//=> {likes: ['cake', 'icecream'], name: 'bob'}
queryString.stringify({color: ['taupe', 'chartreuse'], id: '515'});
//=> 'color=taupe&color=chartreuse&id=515'
Falsy values
Sometimes you want to unset a key, or maybe just make it present without assigning a value to it. Here is how falsy values are stringified:
const queryString = require('query-string');
queryString.stringify({foo: false});
//=> 'foo=false'
queryString.stringify({foo: null});
//=> 'foo'
queryString.stringify({foo: undefined});
//=> ''
Note
Thanks to Sindresorhus (https://github.com/sindresorhus/query-string) for the repo
FAQs
Parse and stringify URL query strings
The npm package bms-query-string receives a total of 0 weekly downloads. As such, bms-query-string popularity was classified as not popular.
We found that bms-query-string demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 31 Dec 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Socket Now Supports pylock.toml Files
Socket now supports pylock.toml, enabling secure, reproducible Python builds with advanced scanning and full alignment with PEP 751's new standard.
By Trevor Norris - Jun 05, 2025
Security News
Research
Destructive npm Packages Disguised as Utilities Enable Remote System Wipe
Socket uncovered two npm packages that register hidden HTTP endpoints to delete all files on command.
By Kush Pandya - Jun 05, 2025