From ff002c23dd44a47b0fc27c8b3ece1ce5f1d43931 Mon Sep 17 00:00:00 2001 From: mukunda katta Date: Fri, 15 May 2026 13:07:15 -0700 Subject: [PATCH] doc: clarify url.parse security warning --- doc/api/url.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/doc/api/url.md b/doc/api/url.md index d5dc06055b6cc3..21f4f19bc1df5d 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1921,11 +1921,13 @@ A `TypeError` is thrown if `urlString` is not a string. A `URIError` is thrown if the `auth` property is present but cannot be decoded. -`url.parse()` uses a lenient, non-standard algorithm for parsing URL -strings. It is prone to security issues such as [host name spoofing][] -and incorrect handling of usernames and passwords. Do not use with untrusted -input. CVEs are not issued for `url.parse()` vulnerabilities. Use the -[WHATWG URL][] API instead, for example: +`url.parse()` can be used with URLs from trusted input, such as application +configuration. It uses a lenient, non-standard algorithm for parsing URL +strings, so do not use it with untrusted input or when parsed URL components +are used for security decisions. It is prone to security issues such as +[host name spoofing][] and incorrect handling of usernames and passwords. CVEs +are not issued for `url.parse()` vulnerabilities. Use the [WHATWG URL][] API +instead, for example: ```js function getURL(req) {
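Review bot: the rewritten paragraph in the hunk at `doc/api/url.md` line 1921 opens by endorsing `url.parse()` for trusted input but still closes with "Use the [WHATWG URL][] API instead, for example:", which now reads as contradicting the opening sentence since "instead" no longer has a clear referent. Consider tying the recommendation to the untrusted case, e.g. "For untrusted input, use the [WHATWG URL][] API instead, for example:", or moving the "can be used with URLs from trusted input" sentence to the end of the paragraph so the warning leads and the carve-out follows. On the same lines, "when parsed URL components are used for security decisions" would be clearer if it named the components the warning is about (host, username, password), since those are exactly the ones the [host name spoofing][] sentence covers.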