Hi team!
I'm reaching out to report that using Crypto-js in a Node.js v22 environment is triggering the following deprecation warning:
(node:70238) [DEP0169] DeprecationWarning: url.parse() behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for url.parse() vulnerabilities.
A quick check shows that url.parse() is being used directly within the Crypto-js core files:
node_modules/crypto-js/crypto-js.js
node_modules/crypto-js/enc-base64url.js
While it is currently just a console warning, the legacy URL API has known parsing inconsistencies that could lead to security issues.
Could we update the dependency tree or migrate to the WHATWG URL API to resolve this and ensure better security?
Environment:
- Node.js: v22.22.2
- Crypto-js: v4.2.0
Thanks!
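To confirm which module actually calls `url.parse()`, the stack attached to the warning can be inspected. The following is an added example, not part of the original report or of crypto-js; `attributeWarning`, `FRAME_RE`, and the sample stack (including the package name `example-http-client`) are constructed for illustration.

```javascript
// Added example: attribute a DEP0169 warning to the code that called url.parse().
// FRAME_RE and attributeWarning are hypothetical helper names.

// Matches V8 stack frames: "at fn (file:line:col)" and "at file:line:col".
const FRAME_RE = /^\s*at (?:.*? \()?(.+?):(\d+):(\d+)\)?$/;

function attributeWarning(stack) {
  for (const raw of String(stack).split('\n')) {
    const m = FRAME_RE.exec(raw);
    if (!m) continue;                        // header line or unparsable frame
    const file = m[1].replace(/\\/g, '/');   // normalise Windows separators
    if (file.startsWith('node:')) continue;  // Node.js internals (node:url, ...)
    // For nested dependencies the innermost node_modules segment is the caller.
    const idx = file.lastIndexOf('node_modules/');
    let pkg = null;                          // null: the application's own code
    if (idx !== -1) {
      const parts = file.slice(idx + 'node_modules/'.length).split('/');
      pkg = parts[0].startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
    }
    return { file, line: Number(m[2]), package: pkg };
  }
  return null;                               // only internal frames were present
}

// Constructed sample stack; paths and package name are placeholders.
const SAMPLE_STACK = [
  'DeprecationWarning: `url.parse()` behavior is not standardized ...',
  '    at urlParse (node:url:136:13)',
  '    at buildRequest (/srv/app/node_modules/example-http-client/lib/request.js:42:21)',
  '    at Object.<anonymous> (/srv/app/index.js:7:3)',
].join('\n');

// Live hook: report the first non-internal caller whenever DEP0169 fires.
process.on('warning', (w) => {
  if (w.code === 'DEP0169') {
    console.error('url.parse() caller:', attributeWarning(w.stack));
  }
});

console.log(attributeWarning(SAMPLE_STACK));
```

Running the application with `node --trace-deprecation` prints the same stack without any code changes.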