Remove direct qs dependency

[lukaselmer]

• As suggested here: Investigate replacing `qs` #5783 (comment)
• See also Dependency graph improvements (via npmgraph.js.org) #6647, Investigate replacing qs #5723, fix(deps): qs@^6.14.0 #6374, qs package security flaw #3230, qs module need to be update #3272, https://github.com/expressjs/express/pulls?q=is%3Apr+qs+is%3Aclosed
• This doesn't remove qs from body-parser

---

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

[Copilot]

Pull Request Overview

This PR removes the built-in 'extended' query parser option from Express and moves the qs package from dependencies to devDependencies. Users must now provide a custom parser function to replicate the previous 'extended' behavior.

Key changes:

• Removed qs as a production dependency and added it as a devDependency
• Replaced the 'extended' query parser option with a helpful error message directing users to use a custom parser function
• Updated tests to use qs.parse directly instead of the deprecated 'extended' string option

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
package.json	Moved qs from dependencies to devDependencies
lib/utils.js	Removed qs import, removed parseExtendedQueryString function, and replaced 'extended' case with an error throw
test/req.query.js	Added qs import, updated tests to use qs.parse directly, and added test for new error behavior
History.md	Documented the breaking change with migration instructions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Qodo-Free-For-OSS]

Hi, The updated tests describe qs.parse as “formerly extended”, but they pass qs.parse directly (no options), which does not match the removed built-in extended parser behavior and can mislead users/maintainers about the intended migration path. This also drops prior prototype-property-related assertions, reducing coverage for a historically sensitive area.

Severity: remediation recommended | Category: correctness

How to fix: Align tests with migration

Agent prompt to fix - you can give this to your LLM of choice:

Issue description

Tests label qs.parse as the former extended parser, but configure it without options, which is not guaranteed to match the removed built-in extended behavior. Prototype-property related checks were also removed, reducing regression detection in a sensitive area.

Issue Context

req.query returns the parser output directly.

Fix Focus Areas

• test/req.query.js[26-50]
• lib/request.js[217-228]

What to change

• Either adjust the test description to avoid claiming equivalence with the removed extended behavior, or configure the test parser as a wrapper function that matches the intended legacy-compatible options.
• If applicable, reintroduce a focused safety-oriented test for the recommended migration configuration (whichever options you document as the safe compatibility path).

---

Found by Qodo code review