There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
url-parse is vulnerable to URL Redirection to Untrusted Site
You can find information about how to handle these issues in the security team's documentation.