The 'url' npm package provides utilities for URL resolution and parsing meant to have the same API as provided by the standard library of Node.js. It allows for the parsing of URLs, resolving URLs to absolute paths, and formatting URLs from constituent parts.
URL Parsing
Parse a URL string and provide access to its different parts, such as protocol, hostname, path, query, and hash.
const url = require('url');
const myURL = new URL('https://example.com/path?name=value#hash');
console.log(myURL.hostname); // 'example.com'
URL Resolution
Resolve a target URL relative to a base URL, effectively providing the absolute path of the target.
const url = require('url');
const resolvedUrl = url.resolve('https://example.com/', '/path');
console.log(resolvedUrl); // 'https://example.com/path'
URL Formatting
Format a URL object into a URL string.
const url = require('url');
const myURL = new URL('https://example.com/path?name=value#hash');
const formattedUrl = url.format(myURL);
console.log(formattedUrl); // 'https://example.com/path?name=value#hash'
Implements the WHATWG URL Standard for parsing and serializing URLs. It provides a more modern API and better alignment with web standards compared to the 'url' package.
A library for working with URLs. It offers a fluent API for URL manipulation, making it more user-friendly for complex URL operations compared to the 'url' package.
A simple package for parsing URLs with a focus on retrieving individual URL components. It's more lightweight but less feature-rich compared to the 'url' package.
This module has utilities for URL resolution and parsing meant to have feature parity with node.js core url module.
var url = require('url');
Parsed URL objects have some or all of the following fields, depending on whether or not they exist in the URL string. Any parts that are not in the URL string will not be in the parsed object. Examples are shown for the URL
'http://user:pass@host.com:8080/p/a/t/h?query=string#hash'
href: The full URL that was originally parsed. Both the protocol and host are lowercased.
Example: 'http://user:pass@host.com:8080/p/a/t/h?query=string#hash'
protocol: The request protocol, lowercased.
Example: 'http:'
host: The full lowercased host portion of the URL, including port information.
Example: 'host.com:8080'
auth: The authentication information portion of a URL.
Example: 'user:pass'
hostname: Just the lowercased hostname portion of the host.
Example: 'host.com'
port: The port number portion of the host.
Example: '8080'
pathname: The path section of the URL, that comes after the host and before the query, including the initial slash if present.
Example: '/p/a/t/h'
search: The 'query string' portion of the URL, including the leading question mark.
Example: '?query=string'
path: Concatenation of pathname and search.
Example: '/p/a/t/h?query=string'
query: Either the 'params' portion of the query string, or a querystring-parsed object.
Example: 'query=string' or {'query':'string'}
hash: The 'fragment' portion of the URL including the pound-sign.
Example: '#hash'
The following methods are provided by the URL module:
Take a URL string, and return an object.
Pass true as the second argument to also parse the query string using the querystring module. Defaults to false.
Pass true as the third argument to treat //foo/bar as { host: 'foo', pathname: '/bar' } rather than { pathname: '//foo/bar' }. Defaults to false.
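The third parse argument matters for any code that decides whether a target is a same-site path, because the default parse reports no host for //foo/bar. The following is an added example, not code from the package or its README; it uses Node's core url module (which the page says this package mirrors), and the function names and the '/account/settings' target are constructed.

```javascript
// Added example. Uses Node's core `url` module, whose API the page says the
// npm `url` package mirrors. Function names and sample targets are constructed.
const url = require('url');

// Weak check: with default parsing, '//foo/bar' is only a pathname, so no
// host is visible and the target looks like a same-site path.
function naiveIsLocalPath(target) {
  const u = url.parse(target);
  return !u.protocol && !u.host;
}

// Hardened check: slashesDenoteHost=true exposes the host in '//foo/bar',
// and the path must be rooted so it cannot be resolved relative to the caller.
function isLocalPath(target) {
  if (typeof target !== 'string') return false;
  const u = url.parse(target, false, true);
  return !u.protocol && !u.host &&
    typeof u.pathname === 'string' && u.pathname.startsWith('/');
}

// Side-by-side view of what each parse mode reports for one target.
function compare(target) {
  const loose = url.parse(target);
  const strict = url.parse(target, false, true);
  return {
    target,
    defaultHost: loose.host, defaultPathname: loose.pathname,
    strictHost: strict.host, strictPathname: strict.pathname,
    naive: naiveIsLocalPath(target),
    hardened: isLocalPath(target),
  };
}

const samples = [
  '/account/settings',
  '//foo/bar',
  'http://user:pass@host.com:8080/p/a/t/h?query=string#hash',
];
for (const s of samples) console.log(compare(s));
```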
Take a parsed URL object, and return a formatted URL string.
href will be ignored.
protocol is treated the same with or without the trailing : (colon).
  http, https, ftp, gopher, file will be postfixed with :// (colon-slash-slash).
  mailto, xmpp, aim, sftp, foo, etc will be postfixed with : (colon)
auth will be used if present.
hostname will only be used if host is absent.
port will only be used if host is absent.
host will be used in place of hostname and port
pathname is treated the same with or without the leading / (slash)
search will be used in place of query
query (object; see querystring) will only be used if search is absent.
search is treated the same with or without the leading ? (question mark)
hash is treated the same with or without the leading # (pound sign, anchor)
Take a base URL, and a href URL, and resolve them as a browser would for an anchor tag. Examples:
url.resolve('/one/two/three', 'four') // '/one/two/four'
url.resolve('http://example.com/', '/one') // 'http://example.com/one'
url.resolve('http://example.com/one', '/two') // 'http://example.com/two'
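The precedence rules listed above for formatting (host over hostname and port, search over query, auth used if present) decide what happens when code edits a parsed URL object before serializing it. The following is an added example, not code from the package or its README; it uses Node's core url module, and the function names, 'internal.example', port '8443' and the role parameter are constructed.

```javascript
// Added example. Function names and replacement values are constructed.
const url = require('url');

// URL taken from the field examples on this page.
const SAMPLE = 'http://user:pass@host.com:8080/p/a/t/h?query=string#hash';

// Weak: sets hostname/port but leaves the parsed `host` in place. format()
// prefers `host`, so the output still points at the original host.
function naiveRehost(input, hostname, port) {
  const u = url.parse(input);
  u.hostname = hostname;
  u.port = port;
  return url.format(u);
}

// Hardened: clear `host` so hostname/port take effect, and clear `auth` so
// the original credentials are not carried over to the new host.
function rehost(input, hostname, port) {
  const u = url.parse(input);
  u.host = null;
  u.auth = null;
  u.hostname = hostname;
  u.port = port;
  return url.format(u);
}

// Same precedence on the query side: a `query` object is only serialized
// when `search` is absent.
function setQuery(input, params, clearSearch) {
  const u = url.parse(input);
  u.query = params;
  if (clearSearch) u.search = null;
  return url.format(u);
}

console.log(naiveRehost(SAMPLE, 'internal.example', '8443'));
console.log(rehost(SAMPLE, 'internal.example', '8443'));
console.log(setQuery(SAMPLE, { role: 'viewer' }, false));
console.log(setQuery(SAMPLE, { role: 'viewer' }, true));
```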
FAQs
The core `url` packaged standalone for use with Browserify.
The npm package url receives a total of 18,781,324 weekly downloads. As such, url popularity was classified as popular.
We found that url demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.