[BUG] [DEP0170] DeprecationWarning for git+ssh:// dependencies

[dmke]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

On Node v20, DEP0170 is active:

Type: Runtime

url.parse() accepts URLs with ports that are not numbers. This behavior might result in host name spoofing with unexpected input. These URLs will throw an error in future versions of Node.js, as the WHATWG URL API does already.

It looks like npm tries to parse dependencies like

{
  "dependencies": {
    "something-private": "git+ssh://git@gitlab.example.com:group/project.git#commitish"
  }
}

with url.parse, which in turn interprets group as port number.

The NPM docs on Git URLs as Dependencies state:

Git urls are of the form:

<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish> | #semver:<semver>]

<protocol> is one of git, git+ssh, git+http, git+https, or git+file.

Changing the dependency URL to

git+ssh://git@gitlab.example.com:22:group/project.git#commitish

leads to Gitlab intepreting "22:group" as (non-existing) project namespace.

Expected Behavior

The warning should be addressed.

Since Node obviously seeks WHATWG URL API compatibility, there are a few options:

1. Use a custom URL parser, which allows to parse all documented NPM dependency URL formats, without warnings.
2. Deprecate dependency URL formats which don't follow the WHATWG API URL specification.
3. Amend the WHATWG API URL with generic URL formats, such as git+ssh, where host/port and path are separated by a colon.

Steps To Reproduce

See current behaviour above:

1. reference a dependency via git+ssh:// URL
2. run npm install
3. observe the warning [DEP0170] DeprecationWarning: The URL git+ssh://... is invalid. Future versions of Node.js will throw an error.

Environment

• npm: 10.1.0
• Node.js: v20.8.0
• OS Name: Debian 11.7
• System Model Name: n/a
• npm config:

; "user" config from /home/dm/.npmrc

prefix = "/home/dm/.local" 
python = "/usr/bin/python3" 

; node bin location = /usr/bin/node
; node version = v20.8.0
; npm local prefix = [irrelevant]
; npm version = 10.1.0
; cwd = [irrelevant]
; HOME = [irrelevant]
; Run `npm config ls -l` to show all defaults.

[ljharb]

Indeed, npm (and the ecosystem) will need a longer-term solution for URLs like this.

[dmke]

@lukekarrys: This isn't a regression in 10.x, the 9.x series is affected as well (I suspect all NPM versions running on Node 20+ are).

[lukekarrys]

@dmke Thank you, I thought we switched URL parsers in the switch to npm@10 but that must have happened at a different time.

[wraithgar]

This was fixed in npm@10.2.0 which brought in npm-package-arg@11.0.1

cf npm/npm-package-arg#141

[dmke]

Can confirm, updating to 10.2.0 fixes this issue.

Thank you!

[DeepzUa]

I have same warning on npm 10.5.0 and nodejs 20.12.0 but im using #tag

{
  "dependencies": {
    "something-private": "git+ssh://git@gitlab.example.com:group/project.git#tag"
  }
}