[parse-url] parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing

parse-url prior to 8.1.0 is vulnerable to Misinterpretation of Input. parse-url parses certain http or https URLs incorrectly, identifying the URL’s protocol as ssh. It may also parse the host name incorrectly.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-3224
• https://github.com/ionicabizau/parse-url/commit/9cacf38de02db0fb1358bd6ec04543e523cd6a8e
• https://huntr.dev/bounties/3587a567-7fcd-4702-b7c9-d9ca565e3c62
• https://github.com/advisories/GHSA-pqw5-jmp5-px4v