
Security News
pnpm 11.10 Hardens Registry Authentication to Block Token Redirection
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.
Very fast zlib-compatible compression for JavaScript.
node v24, 1 MB input sample:
deflate-pako x 14.27 ops/sec ±3.41% (37 runs sampled)
deflate-pako-zlib-hash x 10.60 ops/sec ±0.50% (29 runs sampled)
deflate-zlib x 30.30 ops/sec ±0.61% (51 runs sampled)
gzip-pako x 13.48 ops/sec ±0.50% (36 runs sampled)
inflate-pako x 138 ops/sec ±1.26% (75 runs sampled)
inflate-zlib x 397 ops/sec ±1.37% (81 runs sampled)
ungzip-pako x 125 ops/sec ±1.46% (73 runs sampled)
npm install pako
[!NOTE] For a quick look at
dist/folder contents, see https://unpkg.com/pako@latest/.
Full docs - http://nodeca.github.io/pako/
import { Deflate, Inflate, deflate, inflate } from 'pako';
// Deflate
//
const input = new Uint8Array();
//... fill input data here
const output = deflate(input);
// Inflate (simple wrapper can throw exception on broken stream)
//
const compressed = new Uint8Array();
//... fill data to uncompress here
try {
const result = inflate(compressed);
// ... continue processing
} catch (err) {
console.log(err);
}
//
// Alternate interface for chunking & without exceptions
//
const deflator = new Deflate();
deflator.push(chunk1, false);
deflator.push(chunk2); // second param is false by default.
...
deflator.push(chunk_last, true); // `true` says this chunk is last
if (deflator.err) {
console.log(deflator.msg);
}
const output = deflator.result;
const inflator = new Inflate();
inflator.push(chunk1);
inflator.push(chunk2);
...
inflator.push(chunk_last); // no second param because end is auto-detected
if (inflator.err) {
console.log(inflator.msg);
}
const output = inflator.result;
For CommonJS:
const { deflate, inflate } = require('pako');
If you need the whole API as an object, use namespace import:
import * as pako from 'pako';
Sometimes you may wish to work with strings — for example, to send
stringified objects to a server. Pako's deflate detects the input data type and
automatically recodes strings to utf-8 prior to compression. High-level inflate
helpers can decode utf-8 output back to JavaScript strings with toText: true.
import { deflate, inflate } from 'pako';
const test = { my: 'super', puper: [456, 567], awesome: 'pako' };
const compressed = deflate(JSON.stringify(test));
const restored = JSON.parse(inflate(compressed, { toText: true }));
Pako does not contain some specific zlib functions:
deflateCopy, deflateBound, deflateParams,
deflatePending, deflatePrime, deflateTune.inflateCopy, inflateMark,
inflatePrime, inflateGetDictionary, inflateSync, inflateSyncPoint, inflateUndermine.Personal thanks to:
Original implementation (in C):
/src/zlib folder/src/zlib contentThe zlib package is a core module in Node.js for compression/decompression. It is similar to pako but is built into Node.js and does not work in the browser without additional bundling or shimming.
JSZip is a library for creating, reading, and editing .zip files with JavaScript, with a lovely and simple API. While pako focuses on zlib compression, JSZip provides additional functionalities to handle zip files.
Compressjs is a pure JavaScript implementation of various data compression algorithms, such as Huffman coding and Burrows-Wheeler transform. It offers a wider range of algorithms than pako, but it might not be as optimized for speed.
fflate is a high-performance, low-level deflate/inflate compression library that is faster than pako on most benchmarks. It is a newer library that focuses on performance and efficiency.
FAQs
zlib port to javascript - fast, modularized, with browser support
The npm package pako receives a total of 80,759,932 weekly downloads. As such, pako popularity was classified as popular.
We found that pako demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.

Security News
/Research
Socket uncovered 17 malicious npm and PyPI packages typosquatting Paysafe, Skrill, and Neteller SDKs to steal developer secrets.

Security News
Node.js is debating whether AI-driven security report volume warrants moving more vulnerability reports into public workflows.