spectacle patch security update: update query-string to fix decode-uri-component vulnerability in 0.2.0