Ensure passwords in hosted Git URLs are correctly escaped #58
What
Hosted Git URLs may be specified in the format `protocol:https://username:password@domain/path`. However, when the username and/or password contain certain punctuation characters (notably `:` or `@`), this library fails to return the credentials with these characters correctly escaped. The result is that npm either fails to connect because the hostname has been parsed incorrectly, or fails to authenticate with the host because the credentials have been parsed incorrectly.

Why
The reason for this is that the "Legacy" API of Node.js' `url` module does not escape these characters in the `auth` property of the parsed URL. See https://nodejs.org/api/url.html#url_percent_encoding_in_urls for details.

How
Node.js' newer, WHATWG-compatible API does escape the `username` and `password` properties of the parsed URL. The fix that I propose in this PR is to continue using the Legacy API to minimize code changes and therefore risk of regression, but to use the WHATWG API to return the parsed username and password only when auth is included in the URL.
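
The parser difference described above, as an added example that is not code from this PR or from the library: it rebuilds a URL from Legacy-parsed parts using credentials from each API and shows how the credentials split afterwards. `rebuild`, `credentials`, the sample URL and `git.example.com` are constructed for illustration.

```javascript
// Added example: Legacy vs WHATWG handling of URL credentials in Node.js.
const url = require('node:url');

// Legacy API: `auth` is returned percent-DECODED as a single "user:pass" string.
function legacyAuth(input) {
  return url.parse(input).auth; // null when the URL carries no credentials
}

// WHATWG API: username and password stay percent-ENCODED and separate.
function whatwgAuth(input) {
  const { username, password } = new URL(input);
  if (!username && !password) return null;
  return password ? `${username}:${password}` : username;
}

// Hypothetical helper: keep the Legacy parse for the URL structure and take
// the userinfo from the chosen parser, mirroring the approach in the PR text.
function rebuild(input, authFn) {
  const parts = url.parse(input);
  const auth = authFn(input);
  return `${parts.protocol}//${auth ? auth + '@' : ''}${parts.host}${parts.path || ''}`;
}

// Hypothetical helper: what a consumer recovers from a rebuilt URL.
function credentials(input) {
  const { username, password } = new URL(input);
  return {
    username: decodeURIComponent(username),
    password: decodeURIComponent(password),
  };
}

// Constructed sample: username "ci:bot", password "p@ss", correctly encoded.
const SAMPLE = 'https://ci%3Abot:p%40ss@git.example.com/org/repo.git';

const viaLegacy = rebuild(SAMPLE, legacyAuth);
const viaWhatwg = rebuild(SAMPLE, whatwgAuth);
console.log(viaLegacy, credentials(viaLegacy)); // delimiters now unescaped
console.log(viaWhatwg, credentials(viaWhatwg)); // round-trips unchanged
```
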