From 11fbdd8c9d7820f4812895bbaecad75bb80b2c55 Mon Sep 17 00:00:00 2001 From: Yagiz Nizipli Date: Sun, 20 Oct 2024 15:01:37 -0400 Subject: [PATCH] url: runtime deprecate url.parse PR-URL: https://github.com/nodejs/node/pull/55017 Reviewed-By: Matteo Collina Reviewed-By: Marco Ippolito Reviewed-By: James M Snell --- doc/api/deprecations.md | 6 +++++- lib/url.js | 5 ++--- test/parallel/test-url-parse-invalid-input.js | 10 +++++----- typings/internalBinding/util.d.ts | 1 + 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index c7160c17ba727d..9c5ded0dd3b9dc 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3453,6 +3453,10 @@ Node-API callbacks. -Type: Documentation-only (supports [`--pending-deprecation`][]) +Type: Application (non-`node_modules` code only) [`url.parse()`][] behavior is not standardized and prone to errors that have security implications. Use the [WHATWG URL API][] instead. CVEs are not diff --git a/lib/url.js b/lib/url.js index ef1b1a23d9a5c8..f4117a89e507e0 100644 --- a/lib/url.js +++ b/lib/url.js @@ -46,6 +46,7 @@ const { // This ensures setURLConstructor() is called before the native // URL::ToObject() method is used. const { spliceOne } = require('internal/util'); +const { isInsideNodeModules } = internalBinding('util'); // WHATWG URL implementation provided by internal/url const { @@ -63,8 +64,6 @@ const { const bindingUrl = internalBinding('url'); -const { getOptionValue } = require('internal/options'); - // Original url.parse() API function Url() { @@ -125,7 +124,7 @@ const { let urlParseWarned = false; function urlParse(url, parseQueryString, slashesDenoteHost) { - if (!urlParseWarned && getOptionValue('--pending-deprecation')) { + if (!urlParseWarned && !isInsideNodeModules(100, true)) { urlParseWarned = true; process.emitWarning( '`url.parse()` behavior is not standardized and prone to ' + diff --git a/test/parallel/test-url-parse-invalid-input.js b/test/parallel/test-url-parse-invalid-input.js index 6f655843e51ffd..b1124128af907b 100644 --- a/test/parallel/test-url-parse-invalid-input.js +++ b/test/parallel/test-url-parse-invalid-input.js @@ -90,12 +90,12 @@ if (common.hasIntl) { }); // Warning should only happen once per process. - const expectedWarning = [ - `The URL ${badURLs[0]} is invalid. Future versions of Node.js will throw an error.`, - 'DEP0170', - ]; common.expectWarning({ - DeprecationWarning: expectedWarning, + DeprecationWarning: { + // eslint-disable-next-line @stylistic/js/max-len + DEP0169: '`url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.', + DEP0170: `The URL ${badURLs[0]} is invalid. Future versions of Node.js will throw an error.`, + }, }); badURLs.forEach((badURL) => { url.parse(badURL); diff --git a/typings/internalBinding/util.d.ts b/typings/internalBinding/util.d.ts index 34b4b31c1d8abd..2cd52dc7b8f4b4 100644 --- a/typings/internalBinding/util.d.ts +++ b/typings/internalBinding/util.d.ts @@ -45,4 +45,5 @@ export interface UtilBinding { guessHandleType(fd: number): 'TCP' | 'TTY' | 'UDP' | 'FILE' | 'PIPE' | 'UNKNOWN'; parseEnv(content: string): Record; styleText(format: Array | string, text: string): string; + isInsideNodeModules(frameLimit: number, defaultValue: unknown): boolean; }