A robust Punycode converter that fully complies with RFC 3492 and RFC 5891, and works on nearly all JavaScript platforms.
The punycode npm package is a robust library for encoding and decoding Unicode with Punycode. It's useful for internationalization and handling Unicode domain names and email addresses.
Encoding to Punycode
Converts a Unicode string to a Punycode string (ASCII). Mainly used for domain names.
punycode.encode('mañana') // => 'maana-pta'
Decoding from Punycode
Converts a Punycode string (ASCII) back to a Unicode string. Useful for displaying human-readable text.
punycode.decode('maana-pta') // => 'mañana'
Unicode to ASCII conversion for domain names
Converts a Unicode domain name to an ASCII-compatible encoding (ACE) domain name.
punycode.toASCII('español.example.com') // => 'xn--espaol-zwa.example.com'
ASCII to Unicode conversion for domain names
Converts an ASCII-compatible encoding (ACE) domain name back to a Unicode domain name.
punycode.toUnicode('xn--espaol-zwa.example.com') // => 'español.example.com'
A library that implements IDNA (Internationalized Domain Names in Applications) to Punycode conversion using the latest Unicode version. It's similar to punycode but follows the IDNA 2008 protocol, which is more up-to-date compared to the IDNA 2003 protocol that punycode follows.
Punycode.js is a robust Punycode converter that fully complies with RFC 3492 and RFC 5891.
This JavaScript library is the result of comparing, optimizing and documenting different open-source implementations of the Punycode algorithm:
punycode.c by Markus W. Scherer (IBM)
punycode.c by Ben Noordhuis
punycode.js by Ben Noordhuis (note: not fully compliant)
This project was bundled with Node.js from v0.6.2+ until v7 (soft-deprecated).
This project provides a CommonJS module that uses ES2015+ features and a JavaScript module, which work in modern Node.js versions and browsers. For the old Punycode.js version that offers the same functionality in a UMD build with support for older pre-ES2015 runtimes, including Rhino, Ringo, and Narwhal, see v1.4.1.
Via npm:
npm install punycode --save
In Node.js:
⚠️ Note that userland modules don't hide core modules. For example, require('punycode') still imports the deprecated core module even if you executed npm install punycode. Use require('punycode/') to import userland modules rather than core modules.
const punycode = require('punycode/');
punycode.decode(string)
Converts a Punycode string of ASCII symbols to a string of Unicode symbols.
// decode domain name parts
punycode.decode('maana-pta'); // 'mañana'
punycode.decode('--dqo34k'); // '☃-⌘'
punycode.encode(string)
Converts a string of Unicode symbols to a Punycode string of ASCII symbols.
// encode domain name parts
punycode.encode('mañana'); // 'maana-pta'
punycode.encode('☃-⌘'); // '--dqo34k'
punycode.toUnicode(input)
Converts a Punycode string representing a domain name or an email address to Unicode. Only the Punycoded parts of the input will be converted, i.e. it doesn’t matter if you call it on a string that has already been converted to Unicode.
// decode domain names
punycode.toUnicode('xn--maana-pta.com');
// → 'mañana.com'
punycode.toUnicode('xn----dqo34k.com');
// → '☃-⌘.com'
// decode email addresses
punycode.toUnicode('джумла@xn--p-8sbkgc5ag7bhce.xn--ba-lmcq');
// → 'джумла@джpумлатест.bрфa'
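How the decoding behind punycode.decode and punycode.toUnicode works, as an added example written for this page (not Punycode.js source): a self-contained RFC 3492 decoder plus a helper that converts the xn-- labels of a hostname, for instance to show what an ACE name taken from a log renders as. The names punyDecode and aceToUnicode are hypothetical; no IDNA mapping or validation is performed and email addresses are not handled.

```javascript
// Added example: an RFC 3492 decoder written for this page, not Punycode.js source.
const BASE = 36, T_MIN = 1, T_MAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;
// Value of one Punycode digit: a-z / A-Z = 0..25, 0-9 = 26..35 (NaN from reading past the end is rejected).
function digitValue(code) {
  if (code >= 0x30 && code <= 0x39) return code - 0x30 + 26;
  if (code >= 0x41 && code <= 0x5a) return code - 0x41;
  if (code >= 0x61 && code <= 0x7a) return code - 0x61;
  throw new RangeError('invalid or truncated Punycode input');
}
// Bias adaptation (RFC 3492 section 6.1).
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  for (; delta > ((BASE - T_MIN) * T_MAX) / 2; k += BASE) delta = Math.floor(delta / (BASE - T_MIN));
  return k + Math.floor(((BASE - T_MIN + 1) * delta) / (delta + SKEW));
}

// Decode one label body (without the "xn--" prefix) to a Unicode string.
function punyDecode(input) {
  if (/[^\x00-\x7f]/.test(input)) throw new RangeError('input must be ASCII');
  const delim = input.lastIndexOf('-');
  const output = [];
  for (let j = 0; j < delim; j++) output.push(input.charCodeAt(j)); // literal ASCII part
  let i = 0, n = INITIAL_N, bias = INITIAL_BIAS, index = delim > 0 ? delim + 1 : 0;
  while (index < input.length) {
    const oldi = i;
    for (let w = 1, k = BASE; ; k += BASE) { // read one variable-length integer
      const digit = digitValue(input.charCodeAt(index++));
      i += digit * w;
      const t = k <= bias ? T_MIN : k >= bias + T_MAX ? T_MAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    const len = output.length + 1;
    bias = adapt(i - oldi, len, oldi === 0);
    n += Math.floor(i / len); // the delta selects the next code point ...
    if (!(n <= 0x10ffff)) throw new RangeError('code point out of range');
    i %= len;
    output.splice(i++, 0, n); // ... and the position where it is inserted
  }
  return String.fromCodePoint(...output);
}

// Convert only the "xn--" labels of a hostname; other labels pass through unchanged.
function aceToUnicode(domain) {
  const one = (label) => (/^xn--/i.test(label) ? punyDecode(label.slice(4)) : label);
  return domain.split('.').map(one).join('.');
}
```

Malformed input raises a RangeError rather than returning a partial string, so a caller can treat an undecodable label as suspect instead of displaying it.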
punycode.toASCII(input)
Converts a lowercased Unicode string representing a domain name or an email address to Punycode. Only the non-ASCII parts of the input will be converted, i.e. it doesn’t matter if you call it with a domain that’s already in ASCII.
// encode domain names
punycode.toASCII('mañana.com');
// → 'xn--maana-pta.com'
punycode.toASCII('☃-⌘.com');
// → 'xn----dqo34k.com'
// encode email addresses
punycode.toASCII('джумла@джpумлатест.bрфa');
// → 'джумла@xn--p-8sbkgc5ag7bhce.xn--ba-lmcq'
punycode.ucs2
punycode.ucs2.decode(string)
Creates an array containing the numeric code point values of each Unicode symbol in the string. While JavaScript uses UCS-2 internally, this function will convert a pair of surrogate halves (each of which UCS-2 exposes as separate characters) into a single code point, matching UTF-16.
punycode.ucs2.decode('abc');
// → [0x61, 0x62, 0x63]
// surrogate pair for U+1D306 TETRAGRAM FOR CENTRE:
punycode.ucs2.decode('\uD834\uDF06');
// → [0x1D306]
punycode.ucs2.encode(codePoints)
Creates a string based on an array of numeric code point values.
punycode.ucs2.encode([0x61, 0x62, 0x63]);
// → 'abc'
punycode.ucs2.encode([0x1D306]);
// → '\uD834\uDF06'
punycode.version
A string representing the current Punycode.js version number.
On the main branch, bump the version number in package.json:
npm version patch -m 'Release v%s'
Instead of patch, use minor or major as needed.
Note that this produces a Git commit + tag.
Push the release commit and tag:
git push && git push --tags
Our CI then automatically publishes the new release to npm, under both the punycode and punycode.js names.
Mathias Bynens
Punycode.js is available under the MIT license.
FAQs
We found that punycode demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.