Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
idna-uts46-hx
Advanced tools
Convert Domain Names correctly from IDN to Punycode and vice-versa and offer TR46 processing.
This module is a IDNA UTS46 connector library for javascript. In addition to the default functionality of tr46, we offer converting domain names to unicode / punycode considering the respective registry provider's behavior.
The JS Punycode converter library is a great tool for handling Unicode domain names, but it only implements the Punycode encoding of domain labels, not the full IDNA algorithm. In simple cases, a mere conversion to lowercase text before input would seem sufficient, but the real mapping for strings is far more complex. This library implements the full mapping for these strings, as defined by UTS #46.
With v6 we migrated our library to npm package tr46
as software dependency. By that step we use a library that is actively maintained in direction of correctly supporting the TR46
standard and supporting the latest Version of the Unicode Standard. Reinventing the wheel isn't useful and something we have time or resources for. We were able to dramatically decrease the number of lines of code on our end.
toUnicode
comes with auto-detection of transitionalProcessing
setting based on the provided domain name inputtoAscii
comes with auto-detection of transitionalProcessing
setting based on the provided domain name inputIn general, we don't see a blocker for upgrading to v6. Still, consider the below changes.
Runtime performance of v6 compared to v5 has slightly improved. The compression for the underlying idna mapping table is superfluous, tr46 covers it well.
The below configuration options for the methods toUnicode
and toAscii
must be renamed in case you're using them:
Option, old | Option, new |
---|---|
transitional | transitionalProcessing |
useStd3ASCII | useSTD3ASCIIRules |
verifyDnsLength | verifyDNSLength |
Earlier versions kept option transitional
by default to false which is now automatically detected and results may therefore differ.
This affects the toAscii
method.
The toUnicode
function did not allow for a options parameter in earlier versions, now it follows the exemplary way of package tr46
.
Thanks for the below former contributions:
See also the list of contributors who participated in this project.
MIT
FAQs
Convert Domain Names correctly from IDN to Punycode and vice-versa and offer TR46 processing.
The npm package idna-uts46-hx receives a total of 266,979 weekly downloads. As such, idna-uts46-hx popularity was classified as popular.
We found that idna-uts46-hx demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.