url: runtime deprecate url.parse #55017

Merged (2 commits) on Oct 20, 2024

@anonrig anonrig commented Sep 19, 2024

We documentation-only deprecated URL.parse on v18, almost 2 years ago. Without a runtime deprecation people will continue to use it and be exposed to security flaws. This is a nudge on the direction for a possible EOL in 3-5 years?

cc @nodejs/tsc

@anonrig anonrig added the semver-major PRs that contain breaking changes and should be released in the next major version. label Sep 19, 2024
@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/url

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. url Issues and PRs related to the legacy built-in url module. labels Sep 19, 2024
@anonrig anonrig force-pushed the runtime-deprecate-url-parse branch from 800bb15 to 0d329fc Compare September 19, 2024 19:40
@lpinca
Member

lpinca commented Sep 19, 2024

I don't think this is used for new code and there are a lot of unmaintained but perfectly working and safe modules that will be affected by this for no good reason.

@anonrig
Member Author

anonrig commented Sep 19, 2024

> safe modules that will be affected by this for no good reason.

Even the deprecation note says that it's not recommended and safe to use it. How can it be safe? url.parse() can result in unwanted/unexpected outputs.

@lpinca
Member

lpinca commented Sep 19, 2024

It is perfectly safe when used on trusted and well defined inputs. For example, there is nothing wrong with url.parse() when used to parse URLs returned by a trusted server like the URLs in the Location and Link headers.

@avivkeller avivkeller added the deprecations Issues and PRs related to deprecations. label Sep 19, 2024

codecov bot commented Sep 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.41%. Comparing base (7ae193d) to head (76c9793).
Report is 13 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff            @@
##             main   #55017    +/-   ##
========================================
  Coverage   88.40%   88.41%            
========================================
  Files         653      653            
  Lines      187600   187484   -116     
  Branches    36117    36091    -26     
========================================
- Hits       165854   165755    -99     
+ Misses      14974    14967     -7     
+ Partials     6772     6762    -10     
Files with missing lines Coverage Δ
lib/url.js 100.00% <100.00%> (ø)

... and 42 files with indirect coverage changes

@lemire
Member

lemire commented Sep 19, 2024

> perfectly working and safe modules that will be affected by this for no good reason.

I am neutral here, but can you elaborate what you mean by 'affected'?

@targos
Member

targos commented Sep 20, 2024

For example, the mongodb module uses url.parse. It means that potentially all Node.js applications using it will print a warning, annoying many users who are not the ones that should care about it.

@mcollina
Member

I think we should be doing what we have done for Buffer, emitting a warning only if the code is not inside node_modules.

@jasnell
Member

jasnell commented Sep 21, 2024

I agree with Matteo here. This will be super disruptive. Let's limit the warning only to modules not inside node_modules.

@anonrig anonrig force-pushed the runtime-deprecate-url-parse branch 2 times, most recently from a023939 to 9a558bf Compare September 21, 2024 19:08
@anonrig
Member Author

anonrig commented Sep 21, 2024

> I think we should be doing what we have done for Buffer, emitting a warning only if the code is not inside node_modules.

I updated the code as recommended. Thank you for the reviews!
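
A userland sketch of the behaviour agreed on above (warn only when the calling code is outside node_modules), added here as an example; it is not the code from this pull request, and Node.js uses its own internal helper for this. The names `frameFiles`, `shouldWarn` and `makeDeprecationGate`, the code `DEP_EXAMPLE` and the sample stack traces are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; not Node.js internals. All names are hypothetical.

// A node_modules path segment, with POSIX or Windows separators.
const NODE_MODULES = /[\\/]node_modules[\\/]/;

// Pull the file name out of each frame of a V8-style stack string.
function frameFiles(stack) {
  const files = [];
  for (const line of stack.split('\n')) {
    // Handles "at fn (file:line:col)" and "at file:line:col".
    const m = /^\s*at (?:.*? \()?(.+?):\d+:\d+\)?$/.exec(line);
    if (m) files.push(m[1]);
  }
  return files;
}

// Warn only when the nearest non-runtime frame is application code.
function shouldWarn(stack) {
  const caller = frameFiles(stack).find((f) => !f.startsWith('node:'));
  // Assumption: with no identifiable caller, warn rather than stay silent.
  if (caller === undefined) return true;
  return !NODE_MODULES.test(caller);
}

// Emit at most once per gate, like a one-time deprecation warning.
// A real API would pass new Error().stack with its own frame dropped.
function makeDeprecationGate(emit = process.emitWarning.bind(process)) {
  let warned = false;
  return (stack) => {
    if (warned || !shouldWarn(stack)) return false;
    warned = true;
    emit('legacyParse() is deprecated', 'DeprecationWarning', 'DEP_EXAMPLE');
    return true;
  };
}

// Constructed stack traces used as sample input.
const RUNTIME = ['Error', '    at urlParse (node:url:126:27)',
  '    at Object.urlResolve [as resolve] (node:url:717:10)'];
const APP_STACK = [...RUNTIME,
  '    at handler (/srv/app/routes/redirect.js:14:22)',
  '    at /srv/app/node_modules/router/index.js:88:5'].join('\n');
const DEP_STACK = [...RUNTIME,
  '    at connect (/srv/app/node_modules/some-driver/lib/uri.js:41:17)',
  '    at main (/srv/app/index.js:3:1)'].join('\n');
const WIN_DEP_STACK = [...RUNTIME,
  '    at connect (C:\\srv\\app\\node_modules\\some-driver\\lib\\uri.js:41:17)',
].join('\n');
```

The decision rests on the nearest non-runtime frame only, so an application call that was itself reached through a dependency (as in `APP_STACK`) still warns.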

@anonrig anonrig force-pushed the runtime-deprecate-url-parse branch from 9a558bf to 4a2cce2 Compare September 21, 2024 19:12
@jasnell
Member

jasnell commented Sep 21, 2024

Looks like there are some tests that need updating

Member

@mcollina mcollina left a comment

lgtm

but CI is failing

@anonrig anonrig force-pushed the runtime-deprecate-url-parse branch from 4a2cce2 to 7edf095 Compare October 18, 2024 01:00
@targos
Member

targos commented Oct 18, 2024

gyp ERR! configure error 
gyp ERR! stack TypeError: isInsideNodeModules is not a function
gyp ERR! stack at urlParse (node:url:126:27)
gyp ERR! stack at Object.urlResolve [as resolve] (node:url:717:10)

@anonrig anonrig force-pushed the runtime-deprecate-url-parse branch 2 times, most recently from d6d2410 to 1d1bcd9 Compare October 18, 2024 14:45
@anonrig anonrig force-pushed the runtime-deprecate-url-parse branch from 1d1bcd9 to 8c9989e Compare October 18, 2024 14:45
Member

@mcollina mcollina left a comment

still lgtm

@aduh95
Contributor

aduh95 commented Oct 19, 2024

Related test failure:

=== release test-url-parse-invalid-input ===
Path: parallel/test-url-parse-invalid-input
Error: --- stderr ---
(node:174506) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
node:assert:90
  throw new AssertionError(obj);
  ^

AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected

+ '`url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.'
- 'The URL https://evil.com:.example.com/ is invalid. Future versions of Node.js will throw an error.'

    at Object.<anonymous> (/home/runner/work/node/node/test/common/index.js:684:14)
    at Object.DeprecationWarning (/home/runner/work/node/node/test/common/index.js:491:15)
    at process.<anonymous> (/home/runner/work/node/node/test/common/index.js:708:33)
    at process.emit (node:events:519:35)
    at doEmitWarning (node:internal/process/warning:85:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:89:21) {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: '`url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.',
  expected: 'The URL https://evil.com:.example.com/ is invalid. Future versions of Node.js will throw an error.',
  operator: 'strictEqual'
}

Node.js v24.0.0-pre
Command: out/Release/node --test-reporter=spec --test-reporter-destination=stdout --test-reporter=./tools/github_reporter/index.js --test-reporter-destination=stdout /home/runner/work/node/node/test/parallel/test-url-parse-invalid-input.js

===
=== 1 tests failed
===
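
The warning text in the failure above points to the WHATWG URL API. As an added example (not code from this pull request or from Node.js), this sketch builds a host allow-list check on `new URL()` and runs it on the URL from the failing test along with other constructed inputs; `resolveAllowedUrl`, `ALLOWED_HOSTS` and `BASE` are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; not code from nodejs/node. All names are hypothetical.

// Hosts the application will follow (constructed sample values).
const ALLOWED_HOSTS = new Set(['example.com', 'api.example.com']);

// Resolve `input` (absolute or relative, e.g. a Location header value)
// against `base` with the WHATWG parser. Returns the normalized href only
// for https URLs without credentials whose hostname is allow-listed,
// otherwise null.
function resolveAllowedUrl(input, base, allowedHosts = ALLOWED_HOSTS) {
  let parsed;
  try {
    // new URL() throws a TypeError on input it cannot parse, so a
    // malformed authority never reaches the hostname comparison.
    parsed = new URL(input, base);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  // Reject userinfo so an allow-listed name placed before "@" cannot
  // be mistaken for the host.
  if (parsed.username !== '' || parsed.password !== '') return null;
  // Exact match on the parsed hostname, never a substring or suffix test.
  if (!allowedHosts.has(parsed.hostname)) return null;
  return parsed.href;
}

const BASE = 'https://api.example.com/v1/items';
// Constructed inputs; the first is the URL from the failing test above.
const SAMPLES = [
  'https://evil.com:.example.com/',
  '/v2/other?page=2',
  'https://API.EXAMPLE.COM:443/x',
  'https://api.example.com.evil.com/',
  'https://example.com@evil.com/',
  'http://api.example.com/',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', resolveAllowedUrl(s, BASE));
}
```

The first sample is rejected at parse time because its port is not numeric, so the function never sees a hostname for it.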

@anonrig anonrig added the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 20, 2024
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Oct 20, 2024
@nodejs-github-bot
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/55017
✔  Done loading data for nodejs/node/pull/55017
----------------------------------- PR info ------------------------------------
Title      url: runtime deprecate url.parse (#55017)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     anonrig:runtime-deprecate-url-parse -> nodejs:main
Labels     url, semver-major, deprecations, needs-ci
Commits    2
 - url: runtime deprecate url.parse
 - fix test
Committers 1
 - Yagiz Nizipli <[email protected]>
PR-URL: https://github.com/nodejs/node/pull/55017
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: James M Snell <[email protected]>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/55017
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: James M Snell <[email protected]>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Thu, 19 Sep 2024 19:40:10 GMT
   ✔  Approvals: 3
   ✔  - Matteo Collina (@mcollina) (TSC): https://github.com/nodejs/node/pull/55017#pullrequestreview-2378667703
   ✔  - Marco Ippolito (@marco-ippolito) (TSC): https://github.com/nodejs/node/pull/55017#pullrequestreview-2379246574
   ✔  - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/55017#pullrequestreview-2380649916
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2024-10-20T16:41:32Z: https://ci.nodejs.org/job/node-test-pull-request/63220/
- Querying data for job/node-test-pull-request/63220/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  No git cherry-pick in progress
   ✔  No git am in progress
   ✔  No git rebase in progress
--------------------------------------------------------------------------------
- Bringing origin/main up to date...
From https://github.com/nodejs/node
 * branch                  main       -> FETCH_HEAD
✔  origin/main is now up-to-date
- Downloading patch for 55017
From https://github.com/nodejs/node
 * branch                  refs/pull/55017/merge -> FETCH_HEAD
✔  Fetched commits as c124cfb4facb..76c97932e55b
--------------------------------------------------------------------------------
[main dff1620ae5] url: runtime deprecate url.parse
 Author: Yagiz Nizipli <[email protected]>
 Date: Thu Sep 19 15:38:25 2024 -0400
 3 files changed, 8 insertions(+), 4 deletions(-)
[main fb8ddd6cdc] fix test
 Author: Yagiz Nizipli <[email protected]>
 Date: Sat Oct 19 12:54:22 2024 -0400
 1 file changed, 5 insertions(+), 5 deletions(-)
   ✔  Patches applied
There are 2 commits in the PR. Attempting autorebase.
Rebasing (2/4)
Executing: git node land --amend --yes
--------------------------------- New Message ----------------------------------
url: runtime deprecate url.parse

PR-URL: #55017
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: James M Snell <[email protected]>

[detached HEAD dc82eebff2] url: runtime deprecate url.parse
Author: Yagiz Nizipli <[email protected]>
Date: Thu Sep 19 15:38:25 2024 -0400
3 files changed, 8 insertions(+), 4 deletions(-)
Rebasing (3/4)
Rebasing (4/4)
Executing: git node land --amend --yes
--------------------------------- New Message ----------------------------------
fix test

PR-URL: #55017
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: James M Snell <[email protected]>

[detached HEAD d8affe05b8] fix test
Author: Yagiz Nizipli <[email protected]>
Date: Sat Oct 19 12:54:22 2024 -0400
1 file changed, 5 insertions(+), 5 deletions(-)
Successfully rebased and updated refs/heads/main.

ℹ Add commit-queue-squash label to land the PR as one commit, or commit-queue-rebase to land as separate commits.

https://github.com/nodejs/node/actions/runs/11428689062

@anonrig anonrig added commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Oct 20, 2024
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 20, 2024
@nodejs-github-bot nodejs-github-bot merged commit 11fbdd8 into nodejs:main Oct 20, 2024
67 checks passed
@nodejs-github-bot
Collaborator

Landed in 11fbdd8
