Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: inline origin resolution, drop original dependency #281

Merged
merged 1 commit into from
Jun 8, 2022

Conversation

rexxars
Copy link
Member

@rexxars rexxars commented Jun 7, 2022

Apparently the original dependency depends on url-parse module which recently saw some security issues reported. We are no longer depending on this as of 2.0, but the 1.x range does. In order to minimize noise related to this vulnerability, this PR moves the few lines of logic we depended on from this module into the 1.x branch. This ensures we still support node 12 (and 10?).

If approved, I will update the changelog and release a new patch release on the 1.x range - but I am eager to call this the last fix I will be doing for the 1.x range - ideally I would like to move to node 14 as the lowest supported version, following node LTS.

Copy link

@DaleGardner DaleGardner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

@joeybaker joeybaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've got a bit of a nit suggestion, but seems good!

*/
function getOrigin (url) {
if (typeof url === 'string') url = parse(url)
if (!url.protocol || !url.hostname) return 'null'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO 'null' is a little confusing. It could be perceived as a bug? Maybe we should return 'invalid url'?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is confusing, but it is also in accordance with RFC6464, so I think I will leave it like this.

*
* @param {String|Object} url URL to transform to it's origin.
* @returns {String} The origin.
* @api private
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should leave @link https://github.com/unshiftio/original/blob/507b362269c0ad4405d095aedc227c40aecaf68a/index.js as credit to orignal code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants