remove use of query-string package

lib/codeql.js

@@ -29,7 +29,6 @@ const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
 const yaml = __importStar(require("js-yaml"));
-const query_string_1 = __importDefault(require("query-string"));
 const semver = __importStar(require("semver"));
 const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
@@ -262,7 +261,6 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolca
                     codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, variant, logger);
                 }
                 const parsedCodeQLURL = new URL(codeqlURL);
-                const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
                 const headers = {
                     accept: "application/octet-stream",
                 };
@@ -271,7 +269,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolca
                 // This avoids leaking Enterprise tokens to dotcom.
                 // We also don't want to send an authorization header if there's already a token provided in the URL.
                 if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
-                    parsedQueryString["token"] === undefined) {
+                    new URLSearchParams(parsedCodeQLURL.search).get("token") === undefined) {
                     logger.debug("Downloading CodeQL bundle with token.");
                     headers.authorization = `token ${apiDetails.auth}`;
                 }