Mithril version: 1.1.6
Browser and OS: Any
Context
Given that older versions of Mithril have a high severity security vulnerability due to a prototype pollution during query string parsing (npm advisory published 5 days ago), I think the fix should be ported back to v1.1.6.
Proposal
I propose that the same fix as #2494 be applied to the v1 branch, and a new version v1.1.7 be released.
Are there any blockers to doing this, or reasons to not do it?
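As an added illustration of the vulnerability class this issue is about (example code written for this page; it is not Mithril's querystring/parse.js and not the fix from #2494, whose details are not reproduced here): a minimal bracket-syntax query-string parser of the kind that turns a[b]=1 into nested objects, shown first in a form that walks into Object.prototype via a __proto__ key segment, then in a hardened form that uses null-prototype objects and rejects the dangerous segments. The parser grammar, the FORBIDDEN set, the helper names and the sample query are all assumptions of the example.

```javascript
// Added example for this page: NOT Mithril's parser and NOT the #2494 fix.

// Naive parser. Keys like a[b][c] become the path ["a", "b", "c"], and each
// intermediate object is created on demand. Nothing checks the segment names,
// and because {}.__proto__ resolves to Object.prototype, the pair
// __proto__[polluted]=yes writes `polluted` onto every plain object.
function parseQueryNaive(qs) {
  const result = {};
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
    // Decode BEFORE splitting so a percent-encoded %5B / %5D is still bracket syntax.
    const path = decodeURIComponent(rawKey).replace(/\]/g, "").split("[");
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cursor[path[i]] !== "object" || cursor[path[i]] === null) {
        cursor[path[i]] = {};
      }
      cursor = cursor[path[i]]; // for "__proto__" this is Object.prototype
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Segments that must never be walked or assigned. Checking them only after
// decoding matters: a check on the raw key is bypassed by %5F%5Fproto%5F%5F.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened parser, same grammar. Two independent defenses:
//  (1) the result and every nested object have a null prototype, so there is
//      no inherited __proto__ accessor to walk into; and
//  (2) pairs whose path contains a forbidden segment are dropped, which also
//      protects callers that later merge the result into an ordinary object.
function parseQuerySafe(qs) {
  const result = Object.create(null);
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
    const path = decodeURIComponent(rawKey).replace(/\]/g, "").split("[");
    if (path.some((seg) => FORBIDDEN.has(seg))) continue; // reject the whole pair
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cursor[path[i]] !== "object" || cursor[path[i]] === null) {
        cursor[path[i]] = Object.create(null);
      }
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed sample input: one polluting pair plus one benign nested pair.
const ATTACK = "__proto__[polluted]=yes&a[b]=1";

// Parses ATTACK with both parsers and reports whether a fresh, unrelated
// object literal picked up the attacker's key. Cleans up between runs so the
// naive parser's damage does not leak into the safe parser's result.
function demonstrate(qs) {
  const before = "polluted" in {};
  parseQueryNaive(qs);
  const afterNaive = "polluted" in {};
  delete Object.prototype.polluted; // undo the global pollution
  parseQuerySafe(qs);
  const afterSafe = "polluted" in {};
  return { before, afterNaive, afterSafe };
}

console.log(demonstrate(ATTACK));
```

The point worth checking in any port of a fix like this is the second defense: even with null-prototype objects a downstream `Object.assign({}, parsed)` or deep merge would happily copy a key named `__proto__` into a normal object, so rejecting the segment at parse time is what keeps the rest of the application safe.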
A PR would be appreciated, and then I'll cut a special release for it. The fix would be virtually copy/paste. (Read the comments in querystring/parse.js to know what precisely to copy over.) There are also tests that need to be copied over, too.
Be sure to check out and file the PR against v1_1_x and not next (as the contributing docs say), so it ends up in the right branch.
Are there any blockers to doing this, or reasons to not do it?
There are no real blockers per se, just it's a bit more involved to release because I also have to update the v2 docs at the same time. (It's not exactly streamlined in that respect.) And because of the circumstances, I'll also need to notify npm that they need to update their advisory in light of the new version. To be fair, this is the first time any vulnerability has been disclosed in Mithril, so there isn't any real pre-established process for this.
I do want to note: anything other than security fixes would be a no-go for v1.