Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Concerns about parseurl and possibly replacing it with new URL() #160

Open
outslept opened this issue Feb 11, 2025 · 4 comments
Open

Concerns about parseurl and possibly replacing it with new URL() #160

outslept opened this issue Feb 11, 2025 · 4 comments

Comments

@outslept
Copy link

Repo doesn't seem to be active whole lot:
https://github.com/pillarjs/parseurl

Yet the url.parse() method (which is used in there) has known security vulnerabilities and is no longer recommended. The Node.js documentation suggests replacing it with the modern and more secure WHATWG URL API (new URL()).

References:

 npx github:Fuzzyma/e18e-tools parseurl -n 15 -q -o md -U https://npm.devminer.xyz/registry
# Downloads Traffic Version Package
1 119.93M 473.95 GB ~1.3.3 finalhandler
2 114.94M 454.25 GB ~1.3.3 express
3 109.37M 432.25 GB ~1.3.3 serve-static
4 37.31M 147.46 GB ~1.3.2 serve-index
5 23.10M 91.31 GB ~1.3.3 connect
6 11.03M 43.60 GB ^1.3.2 koa
7 6.04M 23.88 GB ~1.3.2 serve-favicon
8 5.89M 23.28 GB ~1.3.3 express-session
9 3.69M 14.57 GB ^1.3.3 node-mocks-http
10 3.08M 12.18 GB ~1.3.2 method-override
11 3.06M 12.09 GB ~1.3.3 router
12 2.15M 8.52 GB ^1.3.3 apollo-server-express
13 924.50k 3.65 GB ^1.3.3 gatsby
14 438.06k 1.73 GB ^1.3.3 @ui5/server
15 290.29k 1.15 GB ^1.3.3 express-static-gzip

Is there anything we can do about it?
@outslept outslept changed the title Concerns about parseurl and replacing it with new URL() Concerns about parseurl and possibly replacing it with new URL() Feb 11, 2025
@Fuzzyma
Copy link
Collaborator

Fuzzyma commented Feb 11, 2025

Are there packages that do the same and are secure?

@outslept
Copy link
Author

Are there packages that do the same and are secure?

Hey, to clarify a few things:

  1. Using url.parse() is still technically fine if you completely trust your input sources and yada yada.

  2. I looked around but couldn't find any direct replacements that provide the exact same API while using new URL() under the hood. This is likely because:

  • The deprecation is relatively recent
  • Changing the underlying implementation while maintaining the exact same API is tricky due to differences between url.parse() and new URL() behavior
  1. Possible implications:
  • For completely trusted environments where you control the input, continuing to use parseurl is likely fine
  • For new projects, using new URL() directly would be the better approach
  • For existing projects, careful testing would be needed before replacing parseurl since it's used by many major frameworks

That's why I'm asking - while we want people to use secure methods, given that this library seems somewhat inactive, I'm not sure what would be the best path forward here.

Saturate added a commit to Saturate/node-mocks-http that referenced this issue Feb 17, 2025
@Saturate
chore: Replace parseurl with WHATWG URL API
1a012a2 
More information here:

e18e/ecosystem-issues#160
@Saturate Saturate mentioned this issue Feb 17, 2025
Open
@Saturate
Copy link

As you can see from the history here, I took a very short time to replace it on one of the mentioned projects.

@43081j
Copy link
Collaborator

43081j commented Feb 18, 2025

i think it makes sense to do that - just move from parseurl to using URL directly

that should be fine for most projects

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Saturate @Fuzzyma @43081j @outslept