deps: qs@6.11.2

[melikhov-dev]

Hi! v6.11.1 and v6.11.2 has some fixes:

[Fix] parse: Fix parsing when the global Object prototype is frozen
[Fix] stringify: encode comma values more consistently

https://github.com/ljharb/qs/blob/main/CHANGELOG.md#6112

[wesleytodd]

Hey @melikhov-dev, thanks for the PR. Any reason not to just jump to 6.12.1?

[melikhov-dev]

Hi, @wesleytodd. Just afraid of any new bugs in minor version :) Take a look at this fix last week ljharb/qs#501

[wesleytodd]

@ljharb any risk you can see with us pulling in the latest and pushing a release including this sometime this week?

[ljharb]

No; I'd also suggest using ^ since no npm that still can install from the registry is unaware of the carat.

@melikhov-dev bugs happen in all software occasionally; that's what overrides is for :-)

[melikhov-dev]

@ljharb from my point of view, ^ is better, but I see that all the deps in this package have a fixed or ~ version

[wesleytodd]

This is a historical thing. The policy in v4 is that express depends on explicit versions for pacakges not owned by the project. There were good reasons for this in the past but I think we will likely move to this for v5. we don't plan to change the existing policy for v4.

So sounds like we can update it, @melikhov-dev can you keep with the hard locked version but bump it to the latest?

[melikhov-dev]

@wesleytodd ok, i did it

[wesleytodd]

Ah this error has been happening in all these old CI setups. It isn't because of this PR's changes but because nyc broke in node 8/9. I have a few things I am doing today, but will try to find time to get the CI fixed on this before we merge. Ideally we can get this into the next planned express release we are looking to do this week.