diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index f10265b9ddd98a..02ce63d749efbd 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3453,7 +3453,7 @@ changes: description: Documentation-only deprecation. --> -Type: Documentation-only (supports [`--pending-deprecation`][]) +Type: Runtime [`url.parse()`][] behavior is not standardized and prone to errors that have security implications. Use the [WHATWG URL API][] instead. CVEs are not diff --git a/lib/url.js b/lib/url.js index 8fa8553c2b3f30..a736a1ccba8438 100644 --- a/lib/url.js +++ b/lib/url.js @@ -45,7 +45,7 @@ const { // This ensures setURLConstructor() is called before the native // URL::ToObject() method is used. -const { spliceOne } = require('internal/util'); +const { spliceOne, deprecate } = require('internal/util'); // WHATWG URL implementation provided by internal/url const { @@ -63,8 +63,6 @@ const { const bindingUrl = internalBinding('url'); -const { getOptionValue } = require('internal/options'); - // Original url.parse() API function Url() { @@ -122,20 +120,7 @@ const { CHAR_COLON, } = require('internal/constants'); -let urlParseWarned = false; - function urlParse(url, parseQueryString, slashesDenoteHost) { - if (!urlParseWarned && getOptionValue('--pending-deprecation')) { - urlParseWarned = true; - process.emitWarning( - '`url.parse()` behavior is not standardized and prone to ' + - 'errors that have security implications. Use the WHATWG URL API ' + - 'instead. CVEs are not issued for `url.parse()` vulnerabilities.', - 'DeprecationWarning', - 'DEP0169', - ); - } - if (url instanceof Url) return url; const urlObject = new Url(); @@ -1023,7 +1008,11 @@ function pathToFileURL(path, options) { module.exports = { // Original API Url, - parse: urlParse, + parse: deprecate( + urlParse, + 'url.parse() is deprecated and the behavior is prone to ' + + 'errors that have security implications. Use new URL() instead.', + 'DEP0169'), resolve: urlResolve, resolveObject: urlResolveObject, format: urlFormat,