gitwtfhub

wtf is qs?

ljharb/qs — explained in plain English

Analysis updated 2026-06-24

8,930JavaScriptAudience · developerComplexity · 1/5LicenseSetup · easy

TL;DR

qs parses and serializes URL query strings in JavaScript, with support for nested objects, arrays, and built-in safety limits that prevent abuse from oversized or deeply-nested inputs.

Mindmap

mindmap
  root((repo))
    What It Does
      Parse query strings
      Serialize to URL
      Nested object support
      Safety limits built in
    Tech Stack
      JavaScript
      Node.js
      Browser compatible
    Use Cases
      API request building
      Form data handling
      Legacy encoding support
    Features
      Bracket notation
      Array formatting
      Custom delimiters

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Parse a URL query string from user input into a nested JavaScript object, safely handling unexpected or malformed values.

REASON 2

Serialize a nested JavaScript object into a URL query string with bracket notation for use in an API request.

REASON 3

Handle arrays and nested structures in query strings that the built-in browser URLSearchParams cannot represent.

REASON 4

Enforce parsing limits in a server-side app to prevent abuse from oversized or deeply-nested query string inputs.

What's in the stack?

JavaScriptNode.js

How it stacks up

ljharb/qsaksonov/react-native-router-fluxnuknightlab/timelinejs
Stars8,9308,9318,938
LanguageJavaScriptJavaScriptJavaScript
Setup difficultyeasymoderateeasy
Complexity1/52/51/5
Audiencedeveloperdeveloperwriter

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · easy Time to first run · 5min
Use freely for any purpose including commercial, keep the copyright notice and do not use the author's name to endorse your product.

Wtf does this do

qs is a small JavaScript library for reading and writing query strings, which are the key-value pairs that appear after the question mark in a URL. For example, in the address example.com/search?name=alice&age=30, the part after the question mark is a query string. qs gives you a clean way to convert that text into a JavaScript object and, in the other direction, to turn an object back into a query string. What sets qs apart from the basic query string tools built into browsers and Node.js is support for nesting. You can represent structured data like { user: { name: 'alice' } } in a URL using bracket notation (user[name]=alice), and qs will correctly parse it back into that nested shape. It also handles arrays, optional dot notation, and several edge cases around duplicate keys and special characters. The library includes a number of safety features designed for situations where the query string comes from untrusted input. By default it limits parsing to 1,000 parameters and five levels of nesting, which prevents certain kinds of abuse that can occur when an attacker sends an abnormally large or deeply nested input. These limits are configurable, and you can also set the library to throw an error rather than silently truncate when a limit is exceeded. The README is detailed and covers many options: ignoring the leading question mark, using custom delimiters, handling different character encodings (including older ISO-8859-1 encoding used by some legacy systems), controlling how arrays are formatted in the output, and more. Both parsing and stringifying have their own set of options. qs works in both Node.js and browsers, and is widely used as a dependency inside larger frameworks and tools. It is maintained under the BSD-3-Clause license.

Yoink these prompts

Prompt 1
Show me how to use qs to parse a query string with nested user data like user[name]=alice and user[age]=30 into a JavaScript object.
Prompt 2
Write a Node.js Express middleware that uses qs to parse request query strings with custom depth and parameter limits for security.
Prompt 3
How do I use qs.stringify to convert a JavaScript object with arrays into a URL-safe query string, controlling how arrays are formatted?
Prompt 4
Help me configure qs to use dot notation instead of bracket notation and handle ISO-8859-1 encoded legacy form data.

Frequently asked questions

wtf is qs?

qs parses and serializes URL query strings in JavaScript, with support for nested objects, arrays, and built-in safety limits that prevent abuse from oversized or deeply-nested inputs.

What language is qs written in?

Mainly JavaScript. The stack also includes JavaScript, Node.js.

What license does qs use?

Use freely for any purpose including commercial, keep the copyright notice and do not use the author's name to endorse your product.

How hard is qs to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is qs for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.