RFC 3986 and password

[dineshbvadhia]

The RFC 3986 standard says "Use of the format "user:password" in the userinfo field is deprecated." But, yarl allows password in the authority field eg.

    authority = ''.join([user, ':', password, '@', host, ':', port])
    uri = URL.build(scheme='sftp', authority=authority, path=path)

This maybe to allow backward compatibility with RFC 1808. If RFC 3986 compliance is mandatory then my code has to validate the authority entries to ensure it doesn't contain a password prior to passing to URL.build. Is this correct?

[webknjaz]

https://datatracker.ietf.org/doc/html/rfc3986#section-7.5:

A password appearing within the userinfo component is deprecated and
should be considered an error (or simply ignored) except in those
rare cases where the 'password' parameter is intended to be public.

It does sound like the application is responsible for deciding this.