fix!: Upgrade url-parse (#426)

BREAKING CHANGE: Upgrade url-version to 1.5.0+ to fix CVE-2021-27515. This change could alter the final url generated for a request.

packages/@pollyjs/core/tests/unit/utils/normalize-request-test.js

@@ -119,8 +119,8 @@ describe('Unit | Utils | Normalize Request', function () {
 
   describe('url', function () {
     it('should sort query params', function () {
-      expect(url('http://foo.com?b=1&c=1&a=1', {})).to.equal(
-        'http://foo.com?a=1&b=1&c=1'
+      expect(url('http://foo.com/?b=1&c=1&a=1', {})).to.equal(
+        'http://foo.com/?a=1&b=1&c=1'
       );
     });
 
@@ -130,51 +130,51 @@ describe('Unit | Utils | Normalize Request', function () {
           /* config options */
           'hash',
           /* input url */
-          'http://hash-test.com?b=1&c=1&a=1#hello=world',
+          'http://hash-test.com/?b=1&c=1&a=1#hello=world',
           /* expected when true */
-          [true, 'http://hash-test.com?a=1&b=1&c=1#hello=world'],
+          [true, 'http://hash-test.com/?a=1&b=1&c=1#hello=world'],
           /* expected when false */
-          [false, 'http://hash-test.com?a=1&b=1&c=1'],
+          [false, 'http://hash-test.com/?a=1&b=1&c=1'],
           /* expected when custom fn */
           [
             (h) => h.replace('=', '!='),
-            'http://hash-test.com?a=1&b=1&c=1#hello!=world'
+            'http://hash-test.com/?a=1&b=1&c=1#hello!=world'
           ]
         ],
         [
           'protocol',
-          'http://protocol-test.com',
-          [true, 'http://protocol-test.com'],
-          [false, '//protocol-test.com'],
-          [(p) => p.replace('http', 'https'), 'https://protocol-test.com']
+          'http://protocol-test.com/',
+          [true, 'http://protocol-test.com/'],
+          [false, '//protocol-test.com/'],
+          [(p) => p.replace('http', 'https'), 'https://protocol-test.com/']
         ],
         [
           'query',
-          'http://query-test.com?b=1&c=1&a=1',
-          [true, 'http://query-test.com?a=1&b=1&c=1'],
-          [false, 'http://query-test.com'],
-          [(q) => ({ ...q, c: 2 }), 'http://query-test.com?a=1&b=1&c=2']
+          'http://query-test.com/?b=1&c=1&a=1',
+          [true, 'http://query-test.com/?a=1&b=1&c=1'],
+          [false, 'http://query-test.com/'],
+          [(q) => ({ ...q, c: 2 }), 'http://query-test.com/?a=1&b=1&c=2']
         ],
         [
           'username',
-          'https://username:[email protected]',
-          [true, 'https://username:[email protected]'],
-          [false, 'https://username-test.com'],
-          [(u) => `${u}123`, 'https://username123:[email protected]']
+          'https://username:[email protected]/',
+          [true, 'https://username:[email protected]/'],
+          [false, 'https://username-test.com/'],
+          [(u) => `${u}123`, 'https://username123:[email protected]/']
         ],
         [
           'password',
-          'https://username:[email protected]',
-          [true, 'https://username:[email protected]'],
-          [false, 'https://[email protected]'],
-          [(p) => `${p}123`, 'https://username:[email protected]']
+          'https://username:[email protected]/',
+          [true, 'https://username:[email protected]/'],
+          [false, 'https://[email protected]/'],
+          [(p) => `${p}123`, 'https://username:[email protected]/']
         ],
         [
           'port',
-          'https://port-test.com:8000',
-          [true, 'https://port-test.com:8000'],
-          [false, 'https://port-test.com'],
-          [(p) => Number(p) + 1, 'https://port-test.com:8001']
+          'https://port-test.com:8000/',
+          [true, 'https://port-test.com:8000/'],
+          [false, 'https://port-test.com/'],
+          [(p) => Number(p) + 1, 'https://port-test.com:8001/']
         ],
         [
           'pathname',
@@ -196,8 +196,8 @@ describe('Unit | Utils | Normalize Request', function () {
 
     it('should support a custom fn', function () {
       expect(
-        url('https://foo.bar', (url) => url.replace('bar', 'foo'))
-      ).to.equal('https://foo.foo');
+        url('https://foo.bar/', (url) => url.replace('bar', 'foo'))
+      ).to.equal('https://foo.foo/');
     });
 
     it('should pass the correct arguments to the custom fn', function () {

packages/@pollyjs/core/tests/unit/utils/parse-url-test.js

@@ -8,7 +8,6 @@ describe('Unit | Utils | parseUrl', function () {
   it('should exactly match passed urls', function () {
     [
       '/movies/1',
-      '//netflix.com/movies/1',
       'http://netflix.com/movies/1',
       'http://netflix.com/movies/1?sort=title&dir=asc'
     ].forEach((url) => expect(parseUrl(url).href).to.equal(url));

packages/@pollyjs/core/tests/unit/utils/remove-host-from-url-test.js

@@ -13,14 +13,8 @@ describe('Unit | Utils | removeHostFromUrl', function () {
     expect(url.toString()).to.equal('/bar/baz/');
   });
 
-  it('should remove hostname without a protocol', function () {
-    const url = removeHost(new URL('//foo.com/bar/baz/'));
-
-    expect(url.toString()).to.equal('/bar/baz/');
-  });
-
-  it('should remove hostname without a protocol and a tld', function () {
-    const url = removeHost(new URL('//foo/bar/baz/'));
+  it('should remove hostname without a tld', function () {
+    const url = removeHost(new URL('http://foo/bar/baz/'));
 
     expect(url.toString()).to.equal('/bar/baz/');
   });

packages/@pollyjs/utils/package.json

@@ -39,7 +39,7 @@
   "license": "Apache-2.0",
   "dependencies": {
     "qs": "^6.10.1",
-    "url-parse": "^1.4.7"
+    "url-parse": "^1.5.3"
   },
   "devDependencies": {
     "rollup": "^1.14.6"

packages/@pollyjs/utils/tests/unit/utils/url-test.js

@@ -9,11 +9,11 @@ describe('Unit | Utils | URL', function () {
   });
 
   it('should work', function () {
-    expect(new URL('http://netflix.com').href).to.equal('http://netflix.com');
+    expect(new URL('http://netflix.com/').href).to.equal('http://netflix.com/');
   });
 
   it('should should not parse the query string by default', function () {
-    expect(new URL('http://netflix.com?foo=bar').query).to.equal('?foo=bar');
+    expect(new URL('http://netflix.com/?foo=bar').query).to.equal('?foo=bar');
   });
 
   it('should correctly parse query params', function () {
@@ -26,7 +26,9 @@ describe('Unit | Utils | URL', function () {
       ['a=1&a=2', { a: ['1', '2'] }],
       ['foo[bar][baz]=1', { foo: { bar: { baz: '1' } } }]
     ].forEach(([query, obj]) => {
-      expect(new URL(`http://foo.bar?${query}`, true).query).to.deep.equal(obj);
+      expect(new URL(`http://foo.bar/?${query}`, true).query).to.deep.equal(
+        obj
+      );
     });
   });
 
@@ -55,7 +57,7 @@ describe('Unit | Utils | URL', function () {
       `${encode('a[]')}=1&${encode('a[]')}=2`,
       'a=1&a=2'
     ].forEach((query) => {
-      const url = new URL(`http://foo.bar?${query}`, true);
+      const url = new URL(`http://foo.bar/?${query}`, true);
 
       expect(decode(url.href.split('?')[1])).to.equal(decode(query));
       expect(decode(url.toString().split('?')[1])).to.equal(decode(query));

yarn.lock

@@ -17503,10 +17503,10 @@ url-parse-lax@^3.0.0:
   dependencies:
     prepend-http "^2.0.0"
 
-url-parse@^1.4.7:
-  version "1.4.7"
-  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.4.7.tgz#a8a83535e8c00a316e403a5db4ac1b9b853ae278"
-  integrity sha512-d3uaVyzDB9tQoSXFvuSUNFibTd9zxd2bkVrDRvF5TmvWWQwqE4lgYJ5m+x1DbecWkw+LK4RNl2CU1hHuOKPVlg==
+url-parse@^1.5.3:
+  version "1.5.3"
+  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.3.tgz#71c1303d38fb6639ade183c2992c8cc0686df862"
+  integrity sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==
   dependencies:
     querystringify "^2.1.1"
     requires-port "^1.0.0"