Skip to content

Bump qs and juice#313

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-bd056b899d
Open

Bump qs and juice#313
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-bd056b899d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown

Bumps qs to 6.15.2 and updates ancestor dependency juice. These dependencies need to be updated together.

Updates qs from 6.5.5 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols

... (truncated)

Commits
  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • 3f5e1c5 v6.15.1
  • Additional commits viewable in compare view

Updates juice from 5.2.0 to 12.1.0

Release notes

Sourced from juice's releases.

v12.1.0

  • feat: add data-juice-important attribute 7cb46ac

Automattic/juice@v12.0.0...v12.1.0

v12.0.0

Juice 12

Modernizes the entire stack: ESM-only, PostCSS-based parsers to support CSS Nesting + spec-correct selector specificity, Node 22.12+ floor, Vitest 4.

Breaking changes

  • Juice is now ESM-only. CJS consumers on Node ≥ 22.12 keep working transparently via Node's built-in require(esm) interop. Older Node versions need to upgrade.
  • Node ≥ 22.12.0 required. Drops support for Node 18 and Node 20. CI matrix is now Node 22, 24, 26.
  • Browser: client.js is ESM. Modern bundlers (Vite, webpack 5, esbuild, Rollup, Parcel 2+) handle it via the "browser" condition in the exports map. Browserify is no longer supported, it cannot parse ESM. README updated to point at modern bundlers.
  • CSS parser swapped: menschpostcss + postcss-safe-parser. Selector parser swapped: slickpostcss-selector-parser. Both old libs were unmaintained since 2022. Inlining semantics unchanged; preserved-CSS output inside <style> blocks is now canonically formatted (mensch had quirks like ;} squashed onto one line). 4 fixture .out files refreshed to match.
  • Spec-correct selector specificity for :is(), :where(), :has(), :not() per CSS Selectors Level 4: :where(...) contributes 0, the others contribute max(spec(args)). Previously juice treated all four as a generic :pseudo and :not used "first arg only" (a slick legacy). Any cascade resolution that depended on the old quirks will produce different inlined styles.
  • commander upgraded to v14, entities upgraded to v8 (ESM-only), cheerio pinned to 1.2.0.
  • TypeScript declarations renamed juice.d.ts → index.d.ts and restructured for ESM default-export resolution. Import as import juice from 'juice'.

New features

  • CSS Nesting (Level 1) is supported. Nested rules (.card { &:hover { ... } }), nested at-rules (.card { @media (...) { ... } }), the & parent selector, and bare nested selectors (per the 2023 CSSWG resolution) are flattened via postcss-nesting before inlining. Previously these were silently dropped. No behavior change for already-flat CSS.
  • @container and @layer at-rules are preserved through inlining (mirrors how @media/@font-face/@keyframes already worked). New options preserveContainerQueries and preserveLayers default to true.
  • Long-standing crashes/hangs in :not(a, b, …) are gone as a side effect of the parser swap — the underlying causes of #390, #471, and #398 were quirks in mensch/slick that don't exist in postcss.
  • TypeScript types ship via the types condition in exports and resolve correctly under nodenext module resolution.

Tooling

  • Test runner: Mocha → Vitest 4 with @vitest/coverage-v8. New scripts: npm test, npm run test:watch, npm run coverage. The previously broken testcover script is gone.
  • CLI extraction: bin/juice's logic moved into lib/cli.js as a testable cli.run(argv, deps) with dependency injection. The bin itself is now a 3-line ESM shim.
  • Test files renamed: cli.js → cli.test.js, test.js → integration.test.js, run.js → cases.test.js. TypeScript test now uses a dedicated test/typescript/tsconfig.json with nodenext resolution.
  • Test assertions migrated from Node's assert to Vitest's expect: better failure diffs, more matchers, idiomatic.
  • Removed devDependencies: mocha, should, batch, browserify. Added: vitest, @vitest/coverage-v8, postcss, postcss-safe-parser, postcss-selector-parser, postcss-nesting.

Migration notes

Scenario Action needed
Node 18 or 20 user Upgrade to Node 22.12+
const juice = require('juice') on Node ≥22.12 None, require(esm) handles it
const juice = require('juice') on older Node Upgrade Node, or switch to import juice from 'juice'
TypeScript import juice = require('juice') Switch to import juice from 'juice'
juice/client via Browserify Switch bundler (Vite, webpack 5, esbuild, Rollup, Parcel 2+)
Using :is/:where/:has in email CSS Specificity is now per-spec; cascade may resolve differently
Using @container or @layer They now pass through inlining instead of being silently dropped
Using CSS Nesting Was silently dropped — now flattened and inlined correctly

... (truncated)

Changelog

Sourced from juice's changelog.

Unreleased

Breaking changes

  • Juice is now ESM-only. Consumers using require('juice') from CJS on Node ≥ 22.12 will continue to work via Node's built-in require(esm) interop. CJS consumers on older Node versions will need to migrate to import or upgrade Node.
  • Node ≥ 22.12.0 required. Dropped support for Node 18 and Node 20. CI now runs on Node 22, 24, and 26.
  • Browser: the package's client.js entry is now ESM. Modern bundlers (Vite, webpack 5, esbuild, Rollup, Parcel 2+) handle it transparently via the "browser" condition in exports. Browserify is no longer supported — it cannot parse ESM.
  • CSS parser replaced: menschpostcss + postcss-safe-parser. Selector parser replaced: slickpostcss-selector-parser. Both old libs were unmaintained since 2022 and mis-handled modern CSS. Inlining behaviour is unchanged; preserved-CSS output inside <style> blocks is now canonically formatted (fixes mensch quirks like ;} squashed on one line and 0%,\n100% selector splits).
  • Specificity is now spec-correct for :is(), :where(), :has(), and :not() (CSS Selectors Level 4). :where(...) contributes 0; :is(...), :has(...), and :not(...) contribute the maximum specificity across their arguments. Previously juice treated all four as a generic :pseudo and :not used "first argument only" (a slick legacy). Any cascade resolution that depended on the old quirks will produce different inlined styles.
  • @container and @layer at-rules are now preserved through inlining (mirroring @media / @font-face / @keyframes). New options preserveContainerQueries and preserveLayers default to true; pass false to drop them. Note: @layer is preserved verbatim only — layer-aware cascade resolution is not implemented (email clients don't support layers anyway).
  • CSS Nesting is now supported. Nested rules (.card { &:hover { ... } }), nested at-rules (.card { @media (min-width: 600px) { ... } }), and the & parent selector are flattened via postcss-nesting before inlining. Previously, nested rules were silently dropped during parsing. No behaviour change for already-flat CSS.
  • commander upgraded to v14. Positional CLI arguments are now declared explicitly via .argument() (commander v14 errors on excess undeclared args).
  • entities upgraded to v8 (ESM-only).
  • cheerio pinned to 1.2.0.
  • TypeScript declarations renamed juice.d.ts → index.d.ts and restructured for ESM default-export resolution (import juice from 'juice').
  • Test runner migrated from Mocha to Vitest 4.

Tooling

  • npm test now runs vitest run --coverage && npm run test-typescript.
  • New npm run coverage script using @vitest/coverage-v8 (replaces the previously broken testcover script).
  • New npm run test:watch for interactive development.
  • Test files renamed: test/cli.js → test/cli.test.js, test/test.js → test/integration.test.js, test/run.js → test/cases.test.js.
  • bin/juice extracted: the CLI logic now lives in lib/cli.js as a testable cli.run(argv, deps) function with dependency injection. The bin itself is a 3-line ESM shim.
  • TypeScript test now uses a dedicated test/typescript/tsconfig.json with nodenext module resolution.
  • Removed devDependencies: mocha, should, batch, browserify. Added: vitest, @vitest/coverage-v8.
  • package.json now declares "type": "module" and an "exports" map with types / browser / default conditions.

11.1.1 / 2026-02-04

  • fix: data-embed style tags db64a51
  • build(deps): bump entities from 7.0.0 to 7.0.1 476d286
  • build(deps-dev): bump @​types/node from 25.0.10 to 25.2.0 306ceb7

11.1.0 / 2026-01-05

New features

  • juice ignore CSS comments ce49f21
  • removeInlinedSelectors 130184e
  • inline duplicate properties c5b78ae
  • preservedSelectors option fbd82ca

11.0.3 / 2025-09-30

We are now pinning the cheerio dependency to v1.0.0 so that we can keep supporting Node 18.

To anyone affected by the cheerio breaking change that should have been a major version release, sorry! Moving forward, for as long as we rely on cheerio we will pin it to a fixed version that we make sure does not silently introduce breaking changes in patch releases.

11.0.2 / 2025-09-29

... (truncated)

Commits
  • 54c05d2 12.1.0
  • 2018277 Merge pull request #620 from Automattic/feat/data-juice-important
  • 7cb46ac feat: add data-juice-important attribute
  • 5afeb21 12.0.0
  • aafcd94 Merge pull request #612 from Automattic/juice-12
  • ac5f477 12.0.0-beta.2
  • 7c4e394 feat: add data-juice-duplicates attribute
  • 826aa05 Merge branch 'master' into juice-12
  • 40744f4 Merge pull request #617 from Automattic/dependabot/npm_and_yarn/qs-6.15.2
  • f668dba Merge pull request #616 from Automattic/dependabot/npm_and_yarn/js-yaml-4.2.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by cossssmin, a new releaser for juice since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump qs and juice
685e0b9 
Bumps [qs](https://github.com/ljharb/qs) to 6.15.2 and updates ancestor dependency [juice](https://github.com/Automattic/juice). These dependencies need to be updated together.


Updates `qs` from 6.5.5 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.5...v6.15.2)

Updates `juice` from 5.2.0 to 12.1.0
- [Release notes](https://github.com/Automattic/juice/releases)
- [Changelog](https://github.com/Automattic/juice/blob/master/CHANGELOG.md)
- [Commits](Automattic/juice@v5.2.0...v12.1.0)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
- dependency-name: juice
  dependency-version: 12.1.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
@dependabot dependabot Bot requested a review from alexwforsythe as a code owner June 10, 2026 20:52
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexwforsythe alexwforsythe Awaiting requested review from alexwforsythe alexwforsythe is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants