Security News
Cloudflare Adds Security.txt Setup Wizard
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
path-to-regexp
Advanced tools
The path-to-regexp package is a utility for converting paths to and from regular expressions. It is commonly used for routing in web applications, allowing developers to define patterns for URL paths and extract parameters from them.
Path to RegExp Conversion
Convert a path string into a regular expression. It can also extract named parameter keys.
const { pathToRegexp } = require('path-to-regexp');
const keys = [];
const regexp = pathToRegexp('/user/:id', keys);
Extracting Parameters from a Path
Match a path against a pattern and extract the named parameters.
const { match } = require('path-to-regexp');
const matchFn = match('/user/:id');
const result = matchFn('/user/123');
// result.params will contain the extracted parameters
Compile Path to String
Compile a path function from a string pattern, which can then be used to construct paths with parameters.
const { compile } = require('path-to-regexp');
const toPath = compile('/user/:id');
const path = toPath({ id: 123 });
// path will be '/user/123'
Express is a web application framework for Node.js that includes its own routing capabilities, which are similar to path-to-regexp. Express uses path-to-regexp internally for its routing logic.
React Router is a routing library for React that uses path-to-regexp-like pattern matching for defining routes and extracting parameters, but it is specifically tailored for React applications.
url-pattern is another library for matching URLs against patterns and extracting parameters. It offers a similar API to path-to-regexp but with different syntax and additional options for pattern matching.
Turn a path string such as
/user/:name
into a regular expression.
npm install path-to-regexp --save
const { pathToRegexp, match, parse, compile } = require("path-to-regexp");
// pathToRegexp(path, keys?, options?)
// match(path)
// parse(path)
// compile(path)
true
the regexp will be case sensitive. (default: false
)true
the regexp allows an optional trailing delimiter to match. (default: false
)true
the regexp will match to the end of the string. (default: true
)true
the regexp will match from the beginning of the string. (default: true
)'/'
)undefined
, any character)RegExp
. (default: x => x
)const keys = [];
const regexp = pathToRegexp("/foo/:bar", keys);
// regexp = /^\/foo\/([^\/]+?)\/?$/i
// keys = [{ name: 'bar', prefix: '/', delimiter: '/', optional: false, repeat: false, pattern: '[^\\/]+?' }]
Please note: The RegExp
returned by path-to-regexp
is intended for ordered data (e.g. pathnames, hostnames). It can not handle arbitrarily ordered data (e.g. query strings, URL fragments, JSON, etc).
The path argument is used to define parameters and populate the list of keys.
Named parameters are defined by prefixing a colon to the parameter name (:foo
). By default, the parameter will match until the next prefix (e.g. [^/]+
).
const regexp = pathToRegexp("/:foo/:bar");
// keys = [{ name: 'foo', prefix: '/', ... }, { name: 'bar', prefix: '/', ... }]
regexp.exec("/test/route");
//=> [ '/test/route', 'test', 'route', index: 0, input: '/test/route', groups: undefined ]
Please note: Parameter names must use "word characters" ([A-Za-z0-9_]
).
Parameters can be suffixed with a question mark (?
) to make the parameter optional.
const regexp = pathToRegexp("/:foo/:bar?");
// keys = [{ name: 'foo', ... }, { name: 'bar', delimiter: '/', optional: true, repeat: false }]
regexp.exec("/test");
//=> [ '/test', 'test', undefined, index: 0, input: '/test', groups: undefined ]
regexp.exec("/test/route");
//=> [ '/test/route', 'test', 'route', index: 0, input: '/test/route', groups: undefined ]
Tip: The prefix is also optional, escape the prefix \/
to make it required.
Parameters can be suffixed with an asterisk (*
) to denote a zero or more parameter matches. The prefix is used for each match.
const regexp = pathToRegexp("/:foo*");
// keys = [{ name: 'foo', delimiter: '/', optional: true, repeat: true }]
regexp.exec("/");
//=> [ '/', undefined, index: 0, input: '/', groups: undefined ]
regexp.exec("/bar/baz");
//=> [ '/bar/baz', 'bar/baz', index: 0, input: '/bar/baz', groups: undefined ]
Parameters can be suffixed with a plus sign (+
) to denote a one or more parameter matches. The prefix is used for each match.
const regexp = pathToRegexp("/:foo+");
// keys = [{ name: 'foo', delimiter: '/', optional: false, repeat: true }]
regexp.exec("/");
//=> null
regexp.exec("/bar/baz");
//=> [ '/bar/baz','bar/baz', index: 0, input: '/bar/baz', groups: undefined ]
It is possible to write an unnamed parameter that only consists of a matching group. It works the same as a named parameter, except it will be numerically indexed.
const regexp = pathToRegexp("/:foo/(.*)");
// keys = [{ name: 'foo', ... }, { name: 0, ... }]
regexp.exec("/test/route");
//=> [ '/test/route', 'test', 'route', index: 0, input: '/test/route', groups: undefined ]
All parameters can have a custom regexp, which overrides the default match ([^/]+
). For example, you can match digits or names in a path:
const regexpNumbers = pathToRegexp("/icon-:foo(\\d+).png");
// keys = [{ name: 'foo', ... }]
regexpNumbers.exec("/icon-123.png");
//=> ['/icon-123.png', '123']
regexpNumbers.exec("/icon-abc.png");
//=> null
const regexpWord = pathToRegexp("/(user|u)");
// keys = [{ name: 0, ... }]
regexpWord.exec("/u");
//=> ['/u', 'u']
regexpWord.exec("/users");
//=> null
Tip: Backslashes need to be escaped with another backslash in JavaScript strings.
The match
function will return a function for transforming paths into parameters:
// Make sure you consistently `decode` segments.
const match = match("/user/:id", { decode: decodeURIComponent });
match("/user/123"); //=> { path: '/user/123', index: 0, params: { id: '123' } }
match("/invalid"); //=> false
match("/user/caf%C3%A9"); //=> { path: '/user/caf%C3%A9', index: 0, params: { id: 'café' } }
You should make sure variations of the same path to match your input path
. Here's one possible solution:
/**
* Normalize a pathname for matching, replaces multiple slashes with a single
* slash and normalizes unicode characters to "NFC". When using this method,
* `decode` should be an identity function so you don't decode strings twice.
*/
function normalizePathname(pathname: string) {
return (
decodeURI(pathname)
// Replaces repeated slashes in the URL.
.replace(/\/+/g, "/")
// Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/normalize
// Note: Missing native IE support, may want to skip this step.
.normalize()
);
}
const re = pathToRegexp("/caf\u00E9");
const input = encodeURI("/cafe\u0301");
re.test(input); //=> false
re.test(normalizePathname(input)); //=> true
Note: URL
automatically encodes pathnames for you, which would result in a consistent match if you use encodeURI
in pathToRegexp
options.
The parse
function will return a list of strings and keys from a path string:
const tokens = parse("/route/:foo/(.*)");
console.log(tokens[0]);
//=> "/route"
console.log(tokens[1]);
//=> { name: 'foo', prefix: '/', delimiter: '/', optional: false, repeat: false, pattern: '[^\\/]+?' }
console.log(tokens[2]);
//=> { name: 0, prefix: '/', delimiter: '/', optional: false, repeat: false, pattern: '.*' }
Note: This method only works with strings.
The compile
function will return a function for transforming parameters into a valid path:
// Make sure you encode your path segments consistently.
const toPath = compile("/user/:id", { encode: encodeURIComponent });
toPath({ id: 123 }); //=> "/user/123"
toPath({ id: "café" }); //=> "/user/caf%C3%A9"
toPath({ id: "/" }); //=> "/user/%2F"
toPath({ id: ":/" }); //=> "/user/%3A%2F"
// Without `encode`, you need to make sure inputs are encoded correctly.
const toPathRaw = compile("/user/:id");
toPathRaw({ id: "%3A%2F" }); //=> "/user/%3A%2F"
toPathRaw({ id: ":/" }, { validate: false }); //=> "/user/:/"
const toPathRepeated = compile("/:segment+");
toPathRepeated({ segment: "foo" }); //=> "/foo"
toPathRepeated({ segment: ["a", "b", "c"] }); //=> "/a/b/c"
const toPathRegexp = compile("/user/:id(\\d+)");
toPathRegexp({ id: 123 }); //=> "/user/123"
toPathRegexp({ id: "123" }); //=> "/user/123"
toPathRegexp({ id: "abc" }); //=> Throws `TypeError`.
toPathRegexp({ id: "abc" }, { validate: false }); //=> "/user/abc"
Note: The generated function will throw on invalid input. It will do all necessary checks to ensure the generated path is valid. This method only works with strings.
Path-To-RegExp exposes the two functions used internally that accept an array of tokens.
tokensToRegexp(tokens, keys?, options?)
Transform an array of tokens into a matching regular expression.tokensToFunction(tokens)
Transform an array of tokens into a path generator function.name
The name of the token (string
for named or number
for unnamed index)prefix
The prefix character for the segment (e.g. /
)delimiter
The delimiter for the segment (same as prefix or default delimiter)optional
Indicates the token is optional (boolean
)repeat
Indicates the token is repeated (boolean
)pattern
The RegExp used to match this token (string
)Path-To-RegExp breaks compatibility with Express <= 4.x
:
RegExp
special characters regardless of position - this is considered a bug*
, +
and ?
. E.g. /:user*
*
) - use parameters instead ((.*)
or :splat*
)You can see a live demo of this library in use at express-route-tester.
MIT
FAQs
Express style path to RegExp utility
The npm package path-to-regexp receives a total of 46,650,749 weekly downloads. As such, path-to-regexp popularity was classified as popular.
We found that path-to-regexp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.