From 8c3fd95e476b9f35fd6233085b6c17334114b22c Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Tue, 11 Oct 2022 11:20:46 -0700 Subject: [PATCH] fixup! doc: deprecate url.parse() --- doc/api/url.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/api/url.md b/doc/api/url.md index f5d4fe24b98bec..bfb0dcb3c3fbe0 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1565,8 +1565,9 @@ A `URIError` is thrown if the `auth` property is present but cannot be decoded. `url.parse()` uses a lenient, non-standard algorithm for parsing URL strings. It is prone to security issues such as [host name spoofing][] -and incorrect handling of usernames and passwords. Use the [WHATWG URL][] API -instead. +and incorrect handling of usernames and passwords. Do not use with untrusted +input. CVEs are not issued for `url.parse()` vulnerabilities. Use the +[WHATWG URL][] API instead. ### `url.resolve(from, to)`
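Review bot: In the added lines of the `url.parse()` paragraph in doc/api/url.md, the sentence "CVEs are not issued for `url.parse()` vulnerabilities." gives no reason. It can be misread as saying there are no known vulnerabilities, which contradicts the preceding sentence about host name spoofing and incorrect handling of usernames and passwords. Suggest tying the two together, for example "Because of these issues, no CVEs are issued for `url.parse()` vulnerabilities.", so the absence of CVEs is not taken as a sign of safety. The added "Do not use with untrusted input." also lacks an object. "Do not use `url.parse()` with untrusted input." reads more clearly and matches how the function is named explicitly in the sentences around it.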