fix: replace deprecated url.parse() with WHATWG URL API #2091
rit3sh-x wants to merge 1 commit into redis:main from
Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset. In case there are security findings, they will be communicated to you as a comment inside the PR. Hope you’ll enjoy using Jit. Questions? Comments? Want to learn more? Get in touch with us.
Replaces Node.js deprecated url.parse() with the WHATWG URL API in parseURL(), addressing redis#1747 (DEP0169 DeprecationWarning).

- Removed import { parse as urllibParse } from 'url'
- Uses new URL() with a dummy base for relative URLs and bare host:port
- Handles decodeURIComponent for username/password (e.g. colons in passwords)
- Strips IPv6 bracket notation from hostname to preserve net.connect compatibility
- Preserves all existing behavior: redis://, rediss://, Unix socket paths, bare host:port, query params, and family parsing

BREAKING CHANGE: none — all existing parseURL behavior is preserved.
1f9e6e7 to 7283f45
Updated with IPv6 fix:

This seems to be a duplicate of #2081

Thanks for pointing that out! I’ll take a look at the PR. If my changes overlap, I’m happy to close this and contribute there. Let me know what you’d prefer.

Summary
Replaces the deprecated Node.js url.parse() with the WHATWG URL API in the parseURL function, fixing #1747.
Node.js 19.8+ emits [DEP0169] DeprecationWarning because url.parse() is "prone to errors that have security implications. CVEs are not issued for url.parse() vulnerabilities."

Changes
- lib/utils/index.ts: Rewrote parseURL to use new URL() instead of url.parse()
- import { parse as urllibParse } from "url" (URL is a global)

Property mapping
| url.parse() | new URL() | |
|---|---|---|
| .auth | .username + .password | decodeURIComponent() for percent-encoded chars |
| .hostname | .hostname | |
| .port | .port | '' instead of null (both falsy) |
| .pathname | .pathname | redis:// scheme |
| .query | .searchParams | forEach |
| .slashes | isPath flag | |

Test results
- tsc --noEmit)

Test plan
- parseURL unit tests pass with identical output
- pass:word) handled via decodeURIComponent
- /tmp.sock) preserved
- 127.0.0.1:6379) works
- redis:// and rediss:// URLs parse db, auth, host, port correctly

Closes #1747
Note
Medium Risk
Changes Redis connection URL parsing logic, which can subtly affect how hosts, auth, paths, and query params are interpreted across schemes and edge cases. Risk is mitigated by limited scope but could impact connection configuration compatibility.
Overview
Rewrites parseURL in lib/utils/index.ts to use the WHATWG URL API (and removes the deprecated url.parse import), avoiding Node’s [DEP0169] deprecation warning.
The new implementation explicitly distinguishes protocol URLs vs bare host:port vs unix-socket paths, rebuilds query options from searchParams, decodes username/password, and normalizes host parsing (including bracketed IPv6) before merging options into the returned result.
Written by Cursor Bugbot for commit 7283f45. This will update automatically on new commits.
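
The parsing approach this PR describes (dummy base for bare host:port, decoded userinfo, stripped IPv6 brackets), as an added JavaScript sketch that is not the PR's or ioredis's code. The names parseRedisTarget and BASE and the placeholder.invalid host are assumptions made for illustration.

```javascript
// Added illustration: parseRedisTarget and BASE are hypothetical names,
// not ioredis's parseURL.
const BASE = "redis://placeholder.invalid"; // dummy base, never connected to

function parseRedisTarget(input) {
  const hasScheme = /^rediss?:\/\//i.test(input);
  const isPath = !hasScheme && input.startsWith("/"); // Unix socket path
  // A bare "localhost:6379" would parse as scheme "localhost:" with opaque
  // path "6379", so host:port is made scheme-relative ("//") against BASE.
  // new URL() throws TypeError on input it cannot parse.
  const url = hasScheme
    ? new URL(input)
    : new URL(isPath ? input : "//" + input, BASE);

  const result = {};
  // Query parameters become options; explicit URL parts below override them.
  url.searchParams.forEach((value, key) => {
    result[key] = value;
  });

  if (isPath) {
    result.path = decodeURIComponent(url.pathname);
    return result;
  }

  // Userinfo stays percent-encoded (a raw ":" inside the password is stored
  // as "%3A"), so decode it. decodeURIComponent throws URIError on a
  // malformed escape such as "%zz"; treat that as an invalid URL.
  if (url.username) result.username = decodeURIComponent(url.username);
  if (url.password) result.password = decodeURIComponent(url.password);

  // hostname keeps IPv6 brackets ("[::1]"); net.connect expects "::1".
  if (url.hostname) result.host = url.hostname.replace(/^\[(.*)\]$/, "$1");
  // port is "" rather than null when absent.
  if (url.port) result.port = Number(url.port);
  // For scheme URLs the path carries the database index.
  if (hasScheme && url.pathname.length > 1) result.db = url.pathname.slice(1);
  return result;
}
```

Both new URL() and decodeURIComponent() throw on malformed input, so a caller should catch the error and reject the connection string rather than fall back to defaults.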