qs module need to be update

[myvyang]

see ljharb/qs#200

a DoS is there.

[dougwilson]

We already updated to 6.4.0; there is no newer version of qs to upgrade to. You can confirm in the npm registry what version of qs the latest version of Express depends on:

$ npm info express dependencies.qs
6.4.0

[dougwilson]

And here is a link to the Snyk report for the latest version of Express: https://snyk.io/test/npm/express

[dougwilson]

In the future, please follow the security policies of the module you are making an issue against. The standard signal is to have a Security.md file in the repo, and here is ours: https://github.com/expressjs/express/blob/master/Security.md

When you open issues in GitHub repositories, GitHub will show a yellow banner that you need to read our Contributing.md before filing an issue (https://github.com/expressjs/express/blob/master/Contributing.md). In that document, it also says:

The only exception is security dislosures which should be sent privately.