refactor(deps): replace url-parse with native URL API#122
Conversation
0053425 to
aa6d88b
Compare
|
Heads-up on CI: the |
zeevmoney
left a comment
There was a problem hiding this comment.
Clean, behavior-equivalent refactor with a wired-in unit test — nice. Two minor notes.
[MEDIUM] The yarn.lock diff also pulls in ~43 unrelated @esbuild/* and @rollup/* entries resolved against registry.yarnpkg.com while the rest of the lockfile uses registry.npmjs.org. That's regeneration noise that mixes registry hosts and inflates the diff. Consider regenerating from main with the pinned yarn 1.22.22 so only the url-parse/@types/url-parse removals remain.
| * @returns The OPA base URL string (e.g. `http://localhost:8181/v1/data/permit/`). | ||
| */ | ||
| export function buildOpaBaseUrl(pdp: string): string { | ||
| const opaBaseUrl = new URL(pdp); |
There was a problem hiding this comment.
[LOW] Scheme-less PDP input now throws instead of returning a (bad) string
new URL('localhost:7766') throws TypeError [ERR_INVALID_URL], whereas url-parse returned a malformed string without throwing. Scheme-less PDP is unsupported either way, but the failure mode changed from silent-bad-string to a throw in the Enforcer constructor.
Suggestion: Add a @throws note to buildOpaBaseUrl (optionally a t.throws test) so callers know a scheme-less pdp throws.
There was a problem hiding this comment.
Pull request overview
Refactors OPA client base URL construction to use Node’s native WHATWG URL API instead of url-parse, and adds unit coverage to prevent regressions in the URL-building logic.
Changes:
- Replaced
url-parseusage with a small helper (buildOpaBaseUrl) based on the nativeURLAPI. - Added an AVA unit test suite covering default and edge-case PDP URL inputs.
- Removed
url-parse/@types/url-parsefrom dependencies and regenerated the lockfile; added atest:unitscript.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/enforcement/enforcer.ts |
Removes url-parse, introduces buildOpaBaseUrl(), and uses it to configure the OPA axios baseURL. |
src/tests/enforcer.spec.ts |
Adds unit tests validating the exact OPA base URL string for several PDP inputs. |
package.json |
Removes url-parse deps and adds a test:unit script to run the new test. |
yarn.lock |
Lockfile regeneration reflecting dependency removal and resulting resolution changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| export function buildOpaBaseUrl(pdp: string): string { | ||
| const opaBaseUrl = new URL(pdp); | ||
| opaBaseUrl.port = '8181'; | ||
| opaBaseUrl.pathname = `${opaBaseUrl.pathname}v1/data/permit/`; | ||
| return opaBaseUrl.toString(); | ||
| } |
| /** | ||
| * Builds the OPA client base URL from the configured PDP URL by forcing the OPA | ||
| * port (8181) and appending the OPA data path. Uses the native WHATWG `URL` | ||
| * (Node >= 10), replacing the previous `url-parse` dependency (#106). | ||
| * | ||
| * @param pdp - The configured PDP base URL (e.g. `http://localhost:7766`). | ||
| * @returns The OPA base URL string (e.g. `http://localhost:8181/v1/data/permit/`). | ||
| */ |
url-parse was used only to build the OPA client base URL. Node's native WHATWG URL (available since v10; engines.node already requires >=10) does the same, so extract a buildOpaBaseUrl() helper and drop url-parse and @types/url-parse. yarn.lock is pruned of url-parse and its now-orphaned transitive dependencies (querystringify, requires-port) only; every other entry is left byte-for-byte unchanged.
Lock the exact OPA base URL produced for the default PDP, trailing-slash, explicit-port, https, and path-prefix inputs so the url-parse -> native URL refactor is proven behaviour-equivalent on valid input and any regression fails here; assert a scheme-less PDP (bare host or //host:port) throws; and assert the Enforcer wires the OPA client baseURL to buildOpaBaseUrl(pdp).
a42b43d to
575f1b3
Compare
|
Thanks — pushed an update:
Rebased on |
What kind of change does this PR introduce?
Refactor (removes a runtime dependency) + test coverage.
What is the current behavior? (link:
url-parseris an unnecessary dependency #106)The SDK depends on
url-parse(^1.5.10) and@types/url-parse(^1.4.11) solely to build theOPA client base URL in
src/enforcement/enforcer.ts. Node's built-in WHATWGURLhas beenavailable since Node 10, and
package.jsonalready declaresengines.node: ">=10", so thedependency is redundant. There is also no test guarding the OPA URL construction, so a regression
in that logic would go undetected.
What is the new behavior (if this is a feature change)?
URLAPI;url-parseand@types/url-parseare removed.buildOpaBaseUrl(pdp: string): stringso it is unit-testable without a live PDP.
yarn test:unit→src/tests/enforcer.spec.ts) asserts the producedURL for the default PDP and edge cases (trailing slash, https-without-port, explicit-port
override, path-prefix), asserts that the
Enforceractually wires its OPA clientbaseURLthrough the helper, and asserts a scheme-less PDP throws. Reverting the change fails the suite.
Verified byte-identical to the old
url-parseoutput by running both implementations over thesame inputs:
url-parse→URL→http://localhost:7766http://localhost:8181/v1/data/permit/http://localhost:8181/v1/data/permit/http://localhost:7766/http://localhost:8181/v1/data/permit/http://localhost:8181/v1/data/permit/https://pdp.example.comhttps://pdp.example.com:8181/v1/data/permit/https://pdp.example.com:8181/v1/data/permit/https://pdp.example.com:1234https://pdp.example.com:8181/v1/data/permit/https://pdp.example.com:8181/v1/data/permit/http://localhost:7766/prefixhttp://localhost:8181/prefixv1/data/permit/http://localhost:8181/prefixv1/data/permit/One disclosed difference on invalid input: a scheme-less PDP (
localhost,//host:port)previously produced a silent malformed string and now fails fast with a
TypeErroratconstruction — an intentional improvement, locked by a
t.throwstest. (Ahost:portvalue likelocalhost:7766is misparsed rather than rejected under both implementations — a pre-existingfootgun, not changed here.)
Other information:
Validated with
yarn lint,yarn build, andyarn test:unit(7 tests); CI runs lint/build/teston Node 18 and 20.
What's NOT in this PR: the main REST client
baseURL(a plain string concat, never usedurl-parse) is untouched; noengines.nodebump; nosrc/openapi/changes. Theyarn.lockchange is the minimal removal of
url-parse/@types/url-parseand their now-orphaned transitivedependencies (
querystringify,requires-port) — no other entries are touched. A typedPermitError+ scheme validation for an invalid PDP (which would also catch thelocalhost:7766misparse) is a sensible follow-up on
url-parseris an unnecessary dependency #106, deliberately out of scope here.The
security/snyk (permit)check is in an ERROR state due to an org quota condition on forkPRs ("You have used your limit of private tests"), not a vulnerability — this PR removes a
dependency and adds none. A maintainer re-run/waiver would clear it.
Fixes
url-parseris an unnecessary dependency #106