url: move bad port deprecation in legacy url to end-of-life

jasnell · jasnell · commit 3aaa2ebe1971 · 2025-06-09T10:16:41.000-07:00
Calling `url.parse()` with a URL that has a bad port will now throw an error instead of emitting a deprecation warning. It's been deprecated for ~ 3 years now. PR-URL: #58617 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
@@ -3548,6 +3548,9 @@ issued for `url.parse()` vulnerabilities.
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/58617
+    description: End-of-Life.
   - version:
     - v20.0.0
     pr-url: https://github.com/nodejs/node/pull/45526
@@ -3559,11 +3562,11 @@ changes:
     description: Documentation-only deprecation.
 -->
 
-Type: Runtime
+Type: End-of-Life
 
-[`url.parse()`][] accepts URLs with ports that are not numbers. This behavior
-might result in host name spoofing with unexpected input. These URLs will throw
-an error in future versions of Node.js, as the [WHATWG URL API][] does already.
+[`url.parse()`][] used to accept URLs with ports that are not numbers. This
+behavior might result in host name spoofing with unexpected input. These URLs
+will throw an error (which the [WHATWG URL API][] also does).
 
 ### DEP0171: Setters for `http.IncomingMessage` headers and trailers
 
diff --git a/lib/url.js b/lib/url.js
@@ -41,6 +41,7 @@ const querystring = require('querystring');
 const {
   ERR_INVALID_ARG_TYPE,
   ERR_INVALID_URL,
+  ERR_INVALID_ARG_VALUE,
 } = require('internal/errors').codes;
 const {
   validateString,
@@ -501,7 +502,6 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
   return this;
 };
 
-let warnInvalidPort = true;
 function getHostname(self, rest, hostname, url) {
   for (let i = 0; i < hostname.length; ++i) {
     const code = hostname.charCodeAt(i);
@@ -513,12 +513,8 @@ function getHostname(self, rest, hostname, url) {
 
     if (!isValid) {
       // If leftover starts with :, then it represents an invalid port.
-      // But url.parse() is lenient about it for now.
-      // Issue a warning and continue.
-      if (warnInvalidPort && code === CHAR_COLON) {
-        const detail = `The URL ${url} is invalid. Future versions of Node.js will throw an error.`;
-        process.emitWarning(detail, 'DeprecationWarning', 'DEP0170');
-        warnInvalidPort = false;
+      if (code === CHAR_COLON) {
+        throw new ERR_INVALID_ARG_VALUE('url', 'Invalid port in url', url);
       }
       self.hostname = hostname.slice(0, i);
       return `/${hostname.slice(i)}${rest}`;
diff --git a/test/parallel/test-url-parse-format.js b/test/parallel/test-url-parse-format.js
@@ -862,22 +862,6 @@ const parseTests = {
     href: 'http://a%22%20%3C\'b:b@cd/e?f'
   },
 
-  // Git urls used by npm
-  'git+ssh://git@github.com:npm/npm': {
-    protocol: 'git+ssh:',
-    slashes: true,
-    auth: 'git',
-    host: 'github.com',
-    port: null,
-    hostname: 'github.com',
-    hash: null,
-    search: null,
-    query: null,
-    pathname: '/:npm/npm',
-    path: '/:npm/npm',
-    href: 'git+ssh://git@github.com/:npm/npm'
-  },
-
   'https://*': {
     protocol: 'https:',
     slashes: true,
diff --git a/test/parallel/test-url-parse-invalid-input.js b/test/parallel/test-url-parse-invalid-input.js
@@ -83,9 +83,7 @@ if (common.hasIntl) {
   badURLs.forEach((badURL) => {
     common.spawnPromisified(process.execPath, ['-e', `url.parse(${JSON.stringify(badURL)})`])
       .then(common.mustCall(({ code, stdout, stderr }) => {
-        assert.strictEqual(code, 0);
-        assert.strictEqual(stdout, '');
-        assert.match(stderr, /\[DEP0170\] DeprecationWarning:/);
+        assert.strictEqual(code, 1);
       }));
   });
 
@@ -94,10 +92,11 @@ if (common.hasIntl) {
     DeprecationWarning: {
       // eslint-disable-next-line @stylistic/js/max-len
       DEP0169: '`url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.',
-      DEP0170: `The URL ${badURLs[0]} is invalid. Future versions of Node.js will throw an error.`,
     },
   });
   badURLs.forEach((badURL) => {
-    url.parse(badURL);
+    assert.throws(() => url.parse(badURL), {
+      code: 'ERR_INVALID_ARG_VALUE',
+    });
   });
 }
