
url-toolkit
Build an absolute URL from a base URL and a relative URL (RFC 1808). No dependencies!
Lightweight library to build an absolute URL from a base URL and a relative URL, written from the spec (RFC 1808). Initially part of HLS.JS.
URL()
The JS URL() function also lets you calculate a new URL from a base and relative one.
That uses the URL Living Standard, which is slightly different from RFC 1808, the spec this library implements.
One of the key differences is that the URL Living Standard has the concept of a 'special url' and 'special scheme'. Special URLs, such as a URL with the http scheme, are normalised in a way that results in http:///example.com/something becoming http://example.com/something. This library does not do that, and parseURL() would give you // as the netLoc and /example.com as the path.
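Because the two models can read the same string as pointing at different hosts, code that validates a URL under one model and fetches it under the other should first confirm that they agree. The following is an added example, not part of url-toolkit or its README: rfc1808Split() is a simplified RFC 1808 split written for this illustration, and compareHostViews() and isAllowedHost() are hypothetical helper names.

```javascript
// Added example. Simplified RFC 1808 split (scheme, net_loc, path only),
// written for this illustration; it is not url-toolkit's own parser.
const RFC1808_SPLIT = /^([A-Za-z0-9+\-.]+:)?(\/\/[^\/?#]*)?([^?#]*)/;

function rfc1808Split(input) {
  // Every group is optional, so exec() always returns a match.
  const m = RFC1808_SPLIT.exec(input);
  return { scheme: m[1] || '', netLoc: m[2] || '', path: m[3] || '' };
}

// Hypothetical helper: read the host under both models and report agreement.
function compareHostViews(input) {
  const rfc = rfc1808Split(input);
  const rfcHost = rfc.netLoc.slice(2).toLowerCase(); // strip the leading "//"
  let whatwgHost = null;
  try {
    whatwgHost = new URL(input).host; // URL Living Standard parser
  } catch (err) {
    // Not an absolute URL under the Living Standard: treated as disagreement.
  }
  return {
    rfcHost,
    rfcPath: rfc.path,
    whatwgHost,
    agree: whatwgHost !== null && rfcHost === whatwgHost,
  };
}

// Hypothetical allow-list check: accept a URL only when both models name the
// same host and that host is allowed. Deliberately conservative: userinfo or
// an explicit default port also count as disagreement and are refused.
function isAllowedHost(input, allowedHosts) {
  const view = compareHostViews(input);
  return view.agree && allowedHosts.includes(view.whatwgHost);
}

// Constructed sample inputs, including the case discussed above.
const samples = ['http://example.com/something', 'http:///example.com/something'];
for (const s of samples) {
  console.log(s, compareHostViews(s), isAllowedHost(s, ['example.com']));
}
```
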
buildAbsoluteURL(baseURL, relativeURL, opts={})
Build an absolute URL from a relative and base one.
URLToolkit.buildAbsoluteURL('http://a.com/b/cd', 'e/f/../g'); // => http://a.com/b/e/g
If you want to ensure that the URL is treated as a relative one you should prefix it with ./.
URLToolkit.buildAbsoluteURL('http://a.com/b/cd', 'a:b'); // => a:b
URLToolkit.buildAbsoluteURL('http://a.com/b/cd', './a:b'); // => http://a.com/b/a:b
By default the paths will not be normalized unless necessary, according to the spec. However you can ensure paths are always normalized by setting the opts.alwaysNormalize option to true.
URLToolkit.buildAbsoluteURL('http://a.com/b/cd', '/e/f/../g'); // => http://a.com/e/f/../g
URLToolkit.buildAbsoluteURL('http://a.com/b/cd', '/e/f/../g', {
  alwaysNormalize: true,
}); // => http://a.com/e/g
normalizePath(url)
Normalizes a path.
URLToolkit.normalizePath('a/b/../c'); // => a/c
parseURL(url)
Parse a URL into its separate components.
URLToolkit.parseURL('http://a/b/c/d;p?q#f'); // =>
/* {
  scheme: 'http:',
  netLoc: '//a',
  path: '/b/c/d',
  params: ';p',
  query: '?q',
  fragment: '#f'
} */
buildURLFromParts(parts)
Puts all the parts from parseURL() back together into a string.
var URLToolkit = require('url-toolkit');
var url = URLToolkit.buildAbsoluteURL(
  'https://a.com/b/cd/e.m3u8?test=1#something',
  '../z.ts?abc=1#test'
);
console.log(url); // 'https://a.com/b/z.ts?abc=1#test'
This can also be used in the browser thanks to jsDelivr:
<head>
  <script
    type="text/javascript"
    src="https://cdn.jsdelivr.net/npm/url-toolkit@2"
  ></script>
  <script type="text/javascript">
    var url = URLToolkit.buildAbsoluteURL(
      'https://a.com/b/cd/e.m3u8?test=1#something',
      '../z.ts?abc=1#test'
    );
    console.log(url); // 'https://a.com/b/z.ts?abc=1#test'
  </script>
</head>
The 'url' package is a core Node.js module that provides utilities for URL resolution and parsing. It offers similar functionalities to url-toolkit, such as parsing URLs and resolving relative URLs. However, url-toolkit provides additional features like URL normalization.
The 'whatwg-url' package is a full implementation of the WHATWG URL Standard. It provides comprehensive URL parsing, serialization, and manipulation functionalities. Compared to url-toolkit, whatwg-url is more standards-compliant and offers a broader range of URL manipulation features.
The 'url-parse' package is a lightweight URL parser that works in both Node.js and the browser. It provides similar functionalities to url-toolkit, such as parsing and resolving URLs. However, url-parse is designed to be more lightweight and faster.
We found that url-toolkit demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.