
`pnpm install` for packages with "bugs" or "homepage" fields incurs a deprecation warning in Node.js v24

Open jeremybanka opened this issue 7 months ago • 2 comments

Verify latest release

  • [x] I verified that the issue exists in the latest pnpm release

pnpm version

10.11.0

Which area(s) of pnpm are affected? (leave empty if unsure)

CLI

Link to the code that reproduces this issue or a replay of the bug

https://github.com/jeremybanka/pnpm-url-parse-repro

Reproduction steps

# Clone the reproduction repo
git clone https://github.com/jeremybanka/pnpm-url-parse-repro
cd pnpm-url-parse-repro

# Ensure you have the (as of this writing) current versions of node and pnpm
node -v # 24.0.1
pnpm -v # 10.11.0

# Run the script to reproduce the problem
pnpm will-show-warning

This will show a warning that url.parse() is deprecated and is called in the method fixHomepageField().

Describe the Bug

pnpm ships a bundle containing multiple instances of the deprecated url.parse, leading to frequent warnings when using pnpm install.

Searching the file .../pnpm/10.11.0/dist/pnpm.cjs for the phrase url.parse turns up five results.

To ensure that this warning does not occur when running pnpm install, all uses of url.parse should be removed.

  • normalize-package-data/.../fixer.js
    • uses url.parse in fixBugsField() (twice)
    • uses url.parse in fixHomepageField()
    • dependency of pnpm owned by npm
    • though version 7.0.0 is available, it still uses url.parse. Issue here: https://github.com/npm/normalize-package-data/issues/242
      • reading the issue, it seems this package may soon be deprecated anyway...
  • @pnpm/npm-package-arg/.../npa.js
    • owned by pnpm
    • uses url.parse in fromURL()
  • @pnpm/nopt/.../nopt.js
    • owned by pnpm
    • uses url.parse in validateUrl()

Expected Behavior

No warnings when running pnpm install.

Which Node.js version are you using?

24.0.1

Which operating systems have you used?

  • [x] macOS
  • [ ] Windows
  • [ ] Linux

If your OS is Linux based, which one is it? (Include the version if relevant)

No response

jeremybanka avatar May 13 '25 19:05 jeremybanka
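The "homepage"/"bugs" normalisation the issue describes, rewritten against the WHATWG URL API as an added example (this is not code from pnpm or normalize-package-data; the function names and warning codes are illustrative). It keeps the legacy "prepend http:// when there is no scheme" behaviour but rejects input that `new URL()` cannot parse instead of storing a half-parsed value:

```javascript
// Added example, not pnpm's or normalize-package-data's code: the "homepage"
// and "bugs" normalisation the issue describes, written against new URL()
// instead of url.parse(), so Node 24 has nothing to flag as DEP0169.

// "Has a scheme" test that mirrors what url.parse().protocol reported
// ("localhost:8080" still counts as having one, as it did before).
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;

// Returns the URL string to store, or undefined if the value is unusable.
// new URL() throws on malformed input (whitespace in the host, empty host)
// that url.parse() would have returned as a half-parsed object.
function ensureHttpUrl(value, field, warn = () => {}) {
  if (typeof value !== 'string') { warn(`nonUrl${field}`); return undefined; }
  const candidate = SCHEME_RE.test(value) ? value : 'http://' + value;
  try {
    new URL(candidate); // validation only; the author's string is kept as-is
  } catch {
    warn(`invalidUrl${field}`);
    return undefined;
  }
  return candidate;
}

// "homepage": a bare host gets http:// prepended; non-strings are dropped.
function fixHomepageField(pkg, warn) {
  const out = { ...pkg };
  if (out.homepage === undefined) return out;
  const url = ensureHttpUrl(out.homepage, 'Homepage', warn);
  if (url === undefined) delete out.homepage; else out.homepage = url;
  return out;
}

// "bugs": a string is an e-mail address or a URL; an object may carry both
// keys. Entries that fail to parse are dropped, not stored half-parsed.
function fixBugsField(pkg, warn = () => {}) {
  const out = { ...pkg };
  let bugs = out.bugs;
  if (bugs === undefined) return out;
  if (typeof bugs === 'string') {
    bugs = bugs.includes('@') && !SCHEME_RE.test(bugs) ? { email: bugs } : { url: bugs };
  }
  if (typeof bugs !== 'object' || bugs === null) { warn('nonObjectBugs'); delete out.bugs; return out; }
  const fixed = {};
  if (bugs.url !== undefined) { const u = ensureHttpUrl(bugs.url, 'Bugs', warn); if (u) fixed.url = u; }
  if (typeof bugs.email === 'string') fixed.email = bugs.email;
  if (Object.keys(fixed).length) out.bugs = fixed; else delete out.bugs;
  return out;
}
```

Running this under `NODE_OPTIONS='--trace-deprecation'` produces no DEP0169 output because the legacy `url` module is never touched.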

I thought the next release would fix this deprecation warning (#9502 and #9509), but v10.11.0 came out and it still happens on my project:

pnpm run --filter be* dev
(node:455297) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)

> [email protected] dev /mnt/shared/Code/yube/yube-monorepo/apps/benefits
> pnpm dlx concurrently --names=server,tailwindcss --prefix-colors=green,blue 'pnpm dlx @dotenvx/dotenvx run --convention=nextjs -- pnpm dlx tsx watch --include ./src/views/**/*.js --clear-screen=false ./src/server.ts' 'pnpm dlx @tailwindcss/cli -i ./src/styles/app.css -o ./public/styles/app.css --watch'

(node:455345) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
[server] (node:455433) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
[server] (Use `node --trace-deprecation ...` to show where the warning was created)
[server] [[email protected]] injecting env (7) from .env.local
[server] (node:455558) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
[server] (Use `node --trace-deprecation ...` to show where the warning was created)
[tailwindcss] (node:455434) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
[tailwindcss] (Use `node --trace-deprecation ...` to show where the warning was created)

If I use node v22 it doesn't happen.

lcdss avatar May 15 '25 05:05 lcdss

Here's the debug output for me when using --trace-deprecation (node v24.2.0)

NODE_OPTIONS='--trace-deprecation' pnpm i
Scope: all 22 workspace projects
Lockfile is up to date, resolution step is skipped
Already up to date
(node:93526) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
    at Object.urlParse [as parse] (node:url:133:13)
    at Object.fixHomepageField (~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:65983:18)
    at ~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:66227:42
    at Array.forEach (<anonymous>)
    at normalize (~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:66226:19)
    at readPackageJson (~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:66256:46)
    at async safeReadPkgJson (~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:95988:16)
    at async getPackageBins (~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:95896:125)
    at async ~/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:95828:22
    at async Promise.all (index 0)
Done in 1.7s using pnpm v10.12.1

jakst avatar Jun 10 '25 12:06 jakst

Excited for this fix!

❯ pnpm i
(node:31655) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
    at Object.urlParse [as parse] (node:url:133:13)
    at fromURL (🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:104801:28)
    at npa.resolve (🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:104679:16)
    at 🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:104898:46
    at Array.map (<anonymous>)
    at createNode (🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:104889:45)
    at 🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:104878:23
    at XWrap2.f (🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:17692:26)
    at XWrap2.@@transducer/step (🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:17364:21)
    at _arrayReduce (🏠/.proto/tools/pnpm/10.12.1/dist/pnpm.cjs:17456:38)

NullVoxPopuli avatar Jun 25 '25 15:06 NullVoxPopuli

It seems like the usage of normalize-package-data in pnpm needs to be replaced with @npmcli/package-json; a fix for normalize-package-data is unlikely given that it has been inlined into @npmcli/package-json. However, @npmcli/package-json still uses url.parse, so replacing the dependency is not going to immediately solve the problem.

haines avatar Jul 04 '25 10:07 haines

I'm finding that this interferes with shell tab completions, which is pretty annoying, so it'd be great to see this fixed soon. (e.g. it's not just an annoying warning, but it is tangibly impacting the user experience)

mnahkies avatar Jul 22 '25 08:07 mnahkies

I've sent PRs fixing this to both @npmcli/package-json and normalize-package-data (it looks like normalize-package-data still accepts PRs given they merged one two weeks ago). Hopefully it fixes this issue once merged

  • npm/package-json#150
  • npm/normalize-package-data#247

EDIT: Those PRs got merged, I've opened a pull request here updating the necessary dependencies: #9784

Despite that technically fixing this issue (this issue is about warnings when installing dependencies), warnings in other places are probably still happening due to @pnpm/nopt and @pnpm/npm-package-arg still using url.parse, and they haven't seen any commits in 3/4 years. I wonder if I should send PRs there too

SuperchupuDev avatar Jul 22 '25 09:07 SuperchupuDev

Opened PRs in the two remaining packages:

  • pnpm/nopt#1
  • pnpm/npm-package-arg#1

SuperchupuDev avatar Jul 23 '25 17:07 SuperchupuDev