Replace url-regex and is-url-superb with custom implementation

[richardowen]

Feature Use Case

There is an open security vulnerability in url-regex (kevva/url-regex#70) and no patch available. The url-regex dependency isn't actually used by this package but even if it was removed, it would still be required further down the dependency tree by is-url-superb. It has been removed as a dependency of that package but upgrading isn't an option as that package now doesn't class protocol-relative URLs as valid. Protocol-relative URLs are valid in CSS so we want to allow them in this package. See #119 for more discussion.

Feature Proposal

• Implement a new isUrl check in this package
  • This could use the Node.js URL class for the bulk of validation but also needs to allow protocol-relative URLs (not allowed by the URL class)
• Remove the is-url-superb and url-regex dependencies

[jhuesos]

As a workaround, maybe it could be an option to replace url-regex with url-regex-safe which fixes the issue and I think its API is fully compatible?

[shellscape]

@jhuesos looks good 👍

[richardowen]

@jhuesos Yes that sounds good.

Note that url-regex isn't actually used in this package right now (although it is a direct dependency so that needs removing). This package uses is-url-superb so the change would need to be replacing is-url-superb with an implementation which uses url-regex-safe.

[Hypnosphi]

FYI: is-url-superb@4 no longer depends on url-regex: sindresorhus/is-url-superb@v3.0.0...v4.0.0#diff-b9cfc7f2cdf78a7f4b91a753d10865a2L30

[richardowen]

@Hypnosphi Unfortunately upgrading to that version isn't an option here because the new version doesn't class protocol-relative URLs as valid. See the original comment on this issue for more.

[davilima6]

Can be closed after #125