url: only emit DEP0169 on url.parse #61776
Conversation
|
Review requested:
|
Renegade334
left a comment
There was a problem hiding this comment.
On reflection, I'm not sure that this is the correct approach. These methods have been emitting DEP0169 warnings since v24.0.0, and they pass user input verbatim to a deprecated public method that we have labelled as unsafe. It doesn't seem consistent to warn on one use, but not another.
These methods definitely shouldn't throw from node_modules, but I would personally put my +1 behind just documenting the fact that url.resolve() has been effectively application-deprecated for the last nine months, as has already occurred for url.format() (0da120f).
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #61776 +/- ##
==========================================
+ Coverage 89.73% 89.75% +0.01%
==========================================
Files 675 675
Lines 204648 204652 +4
Branches 39330 39324 -6
==========================================
+ Hits 183651 183689 +38
+ Misses 13282 13255 -27
+ Partials 7715 7708 -7
🚀 New features to boost your workflow:
|
|
I think Also |
|
I think we should take this opportunity to deprecate url.resolve rather than fixing it like this. url.parse is deprecated because it is not secure, not fast etc. and we have a better alternative now. Hiding the fact that url.resolve is calling an unsafe AND deprecated method is not in the best interest of node.js users. |
|
I think we should start a proper deprecation cycle of url.resolve and fix url.parse. If we also want to deprecate url.parse then it should have its own deprecation cycle properly. Emitting warnings from node_modules probably doesn't help anyone other than forcing more people to use NO_WARNINGS to surpress it which can backfire. I am not sure if it's accurate to describe these APIs as insecure without context - AFAICT whether they are secure depends on whether you are relying on them to be a security boundary/feeding them malicious data. And relying on it in the wrong way turns bugs into your security risk, but it's not like using it alone in an empty script allows an attacker to execute remote code without pairing up with a bunch of other code that makes shaky assumptions. If your application doesn't do that and it's not in your hot path, it's not really something you have to worry about enough to deal with deprecation warnings coming out of a deep dependency, instead of spending that time on things that actually matter for your own code's performance and security). |
| // to clean up potentially wonky urls. | ||
| if (typeof urlObject === 'string') { | ||
| urlObject = urlParse(urlObject); | ||
| urlObject = internalUrlParse(urlObject); |
There was a problem hiding this comment.
This method is already documented as application-deprecated.
Fixes: #61724