Dependency issue with url-parse
dmregister opened this issue · 0 comments
Description
url-parse is a dependency of the utils package that uses the ^ to indicate it's compatible with any minor version. Unfortunately, url-parse changed the way the url href is returned to circumvent a vulnerability found in the package. This change affects how identifiers are created, which affects how the requestId is calculated and ultimately causes the request to miss the recording.
Shareable Source
The identifiers change from
identifiers: {
  method: 'POST',
  body: '{"foo":"bar"}}',
  url: 'http:///example/url/path'
}
to
identifiers: {
  method: 'POST',
  body: '{"foo":"bar"}}',
  url: 'http://@/example/url/path'
}
I have restored the previous behavior by applying the following patch
diff --git a/node_modules/@pollyjs/core/dist/cjs/pollyjs-core.js b/node_modules/@pollyjs/core/dist/cjs/pollyjs-core.js
index 0c25668..415c853 100644
--- a/node_modules/@pollyjs/core/dist/cjs/pollyjs-core.js
+++ b/node_modules/@pollyjs/core/dist/cjs/pollyjs-core.js
@@ -2562,7 +2562,7 @@ function url(url, config, req) {
parsedUrl.set('query', parse(stringify(parsedUrl.query)));
}
- return parsedUrl.href;
+ return parsedUrl.href.replace('://@/', ':///');
}
function headers(headers, config, req) {
const normalizedHeaders = new HTTPHeaders(headers);
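Review bot: the `replace('://@/', ':///')` on the `+` line is not anchored to the scheme, and a string pattern rewrites the first occurrence wherever it falls in the href. When the authority is not empty, that first occurrence could sit in the path or a query value, and the identifier would be altered there instead. Suggest matching only at the start of the string, directly after the scheme, and adding a comment that names the url-parse change so the workaround can be dropped once recordings are regenerated. The patch also edits only `dist/cjs/pollyjs-core.js` under `node_modules`, so any other build of the package that gets loaded is not covered.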
Error Message & Stack Trace
Config
import path from 'path';
// MODES comes from @pollyjs/utils
import { MODES } from '@pollyjs/utils';
import { setupPolly } from 'setup-polly-jest';
import NodeHttpAdapter from '@pollyjs/adapter-node-http';
import FSPersister from '@pollyjs/persister-fs';

// recordingsDir is defined elsewhere in the test setup (not shown in the issue)
setupPolly({
  adapters: [NodeHttpAdapter],
  persister: FSPersister,
  persisterOptions: {
    fs: {
      recordingsDir: path.resolve(recordingsDir),
    },
  },
  expiryStrategy: 'warn',
  matchRequestsBy: {
    method: true,
    headers: false,
    body: true,
    order: false,
    url: {
      protocol: true,
      username: false,
      password: false,
      hostname: false,
      port: false,
      pathname: true,
      query: true,
      hash: false,
    },
  },
  recordIfMissing: false,
  mode: MODES.REPLAY,
  recordFailedRequests: true,
});
Dependencies
Copy the @pollyjs dependencies from package.json:
{
  "@pollyjs/adapter-node-http": "6.0.5",
  "@pollyjs/core": "6.0.5",
  "@pollyjs/persister-fs": "6.0.5",
  "setup-polly-jest": "0.10.0"
}
3rd party dependency resolved as:
url-parse@^1.5.3, url-parse@^1.5.9:
  version "1.5.10"
  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.10.tgz#9d3c2f736c1d75dd3bd2be507dcc111f1e2ea9c1"
  integrity sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==
Relevant Links
PR that introduced the change:
unshiftio/url-parse#226
Tag that includes the change:
https://github.com/unshiftio/url-parse/commits/8b3f5f2c88a4cfc2880f2319c307994cb25bb10a
Environment
Tell us which operating system you are using, as well as which versions of Node.js and npm/yarn. If applicable, include the browser and the corresponding version.
Run the following to get it quickly:
> node -e "var os=require('os');console.log('Node.js ' + process.version + '\n' + os.platform() + ' ' + os.release())"
Node.js v16.13.0
darwin 20.6.0
> yarn --version
1.19.1
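The mismatch described in this issue, as an added example that is not part of the original post and not code from Polly.JS or url-parse: it shows how the one-character change in the serialized URL yields a different id, and how a canonicalization anchored to the scheme makes both serializations agree without touching a `://@/` elsewhere in the URL. Assumptions: `requestId` uses a 32-bit FNV-1a hash as a stand-in for the real id calculation, `canonicalizeEmptyAuthority` and `identifiersFor` are hypothetical helpers, and `QUERY_CASE` is a constructed URL.

```javascript
// Added illustration; not code from Polly.JS or url-parse.
// The two serializations of the same request URL quoted in the issue.
const OLD_HREF = 'http:///example/url/path';  // before the url-parse change
const NEW_HREF = 'http://@/example/url/path'; // after the url-parse change

// Assumption: 32-bit FNV-1a over the JSON form stands in for the real
// request-id hash. Any hash over the identifiers shows the same effect.
function requestId(identifiers) {
  let h = 0x811c9dc5;
  for (const ch of JSON.stringify(identifiers)) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Hypothetical helper: map "scheme://@/" back to "scheme:///" only when it
// directly follows the scheme, so a "://@/" later in the path or query
// (which an unanchored string replace could hit first) is left untouched.
function canonicalizeEmptyAuthority(href) {
  return href.replace(/^([a-z][a-z0-9+.-]*:)\/\/@\//i, '$1///');
}

// Build the identifiers object; method and body are constructed samples.
function identifiersFor(href, normalize) {
  return {
    method: 'POST',
    body: '{"foo":"bar"}',
    url: normalize ? canonicalizeEmptyAuthority(href) : href,
  };
}

// Constructed URL with a real host and "://@/" inside a query value.
const QUERY_CASE = 'http://api.example/cb?next=http://@/x';

console.log('raw ids match:       ',
  requestId(identifiersFor(OLD_HREF, false)) === requestId(identifiersFor(NEW_HREF, false)));
console.log('normalized ids match:',
  requestId(identifiersFor(OLD_HREF, true)) === requestId(identifiersFor(NEW_HREF, true)));
console.log('query case unchanged:',
  canonicalizeEmptyAuthority(QUERY_CASE) === QUERY_CASE);
```

Applying the same canonicalization on both the recording and the replay path keeps ids stable across url-parse versions; pinning the url-parse version in the lockfile is the alternative when recordings cannot be regenerated.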