-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
node 19.1 breaks url.parse
#45514
Comments
Normally, the thing to do would be to find the culprit commit and revert it (and likely re-introduce it as a breaking change in a major release). However it's likely this is going to be a revert that will increase security liability, so another possibility is to create a carve-out for these kinds of URLs. |
Confirmed that the culprit is #45012. |
This comment was marked as resolved.
This comment was marked as resolved.
Unfortunately, I'm not seeing a non-terrible way to do a carve-out. Reluctantly, I think the approach I'd take is:
I'll open a revert now. |
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: #45514 Refs: #45012 PR-URL: #45517 Fixes: #45514 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: #45514 Refs: #45012 PR-URL: #45517 Fixes: #45514 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012 PR-URL: nodejs#45517 Fixes: nodejs#45514 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Version
v19.1.0
Platform
Darwin Jordans-MacBook-Pro-2.local 20.6.0 Darwin Kernel Version 20.6.0: Thu Sep 29 20:15:11 PDT 2022; root:xnu-7195.141.42~1/RELEASE_X86_64 x86_64
Subsystem
url
What steps will reproduce the bug?
url.parse('https://git@github.com:inspect-js/is-array-buffer.git')
How often does it reproduce? Is there a required condition?
node v19.1.0 always reproduces it; any earlier version does not.
What is the expected behavior?
What do you see instead?
Additional information
Specifically, this breaks https://npmjs.com/auto-changelog via https://npmjs.com/parse-github-url in node 19.1+.
The text was updated successfully, but these errors were encountered: