URL in config files can specify request method #2431

@Blaisorblade

Description

While reviewing #2412, I double-checked that the URL-parser parseRequest in FromJSON PackageLocation did the right thing. But it seems it doesn't quite do that. It allows specifying a method: parseRequest "POST http://httpbin.org/post" [1].
Potentially worse, I can ship somebody a stack.yaml that will trigger POST requests upon install. I don't see how to actually exploit this, but someone might. Switching to another URI parser should prevent this, and should be easy since the parsed URI is thrown away. One should probably also review the parsing that is used to actually access the URI though.

[1] https://hackage.haskell.org/package/http-client-0.5.0/docs/Network-HTTP-Client.html#v:parseRequest

[2] http://hackage.haskell.org/package/network-uri-2.6.1.0/docs/Network-URI.html#v:parseURI
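The contrast the issue draws, as an added example that is not stack's code and not part of the original report: each constructed sample string is fed to http-client's parseRequest (which honours a leading method token) and to network-uri's parseURI (which has no notion of a method prefix and rejects such strings outright). The `strict` helper is an assumed validator, not anything stack ships.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not stack's own code): why parseRequest is the wrong
-- validator for a URL field in a config file, and a stricter alternative.
module Main where

import Control.Exception (SomeException, try)
import qualified Data.ByteString.Char8 as BC
import Network.HTTP.Client (Request, host, method, parseRequest, path)
import Network.URI (URI, parseURI, uriScheme)

-- Constructed sample values, as they might appear in a stack.yaml location field.
samples :: [String]
samples =
  [ "http://httpbin.org/get"            -- plain URL
  , "POST http://httpbin.org/post"      -- method prefix, accepted by parseRequest
  , "DELETE http://httpbin.org/delete"  -- likewise
  ]

-- Lenient: what parseRequest makes of each string. In http-client 0.5 the
-- "METHOD url" form is documented, so the request method is chosen by
-- whoever wrote the config string. parseRequest throws in IO on failure.
lenient :: String -> IO (Either String (BC.ByteString, BC.ByteString, BC.ByteString))
lenient s = do
  r <- try (parseRequest s) :: IO (Either SomeException Request)
  pure $ case r of
    Left e    -> Left (show e)
    Right req -> Right (method req, host req, path req)

-- Strict (assumed validator): accept only an absolute http/https URI as
-- parsed by network-uri. A string such as "POST http://..." is not a URI,
-- so parseURI returns Nothing and the value is rejected before any request
-- object is ever built. uriScheme keeps the trailing colon.
strict :: String -> Either String URI
strict s = case parseURI s of
  Just u | uriScheme u `elem` ["http:", "https:"] -> Right u
  Just u  -> Left ("unsupported scheme: " ++ uriScheme u)
  Nothing -> Left ("not an absolute URI: " ++ show s)

main :: IO ()
main = mapM_ check samples
  where
    check s = do
      l <- lenient s
      putStrLn s
      putStrLn ("  parseRequest: " ++ show l)
      putStrLn ("  parseURI:     " ++ show (strict s))
```

Run with http-client and network-uri on the package path; the first sample passes both parsers, while the two method-prefixed samples are accepted by parseRequest (with method "POST" and "DELETE" respectively) and rejected by strict. Validating with parseURI, as the report suggests, is enough for the FromJSON instance because the parsed value is discarded; the code that later performs the download still has to build its own Request from the validated string and should not reintroduce parseRequest on the raw config value.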
