The 'url' npm package provides utilities for URL resolution and parsing meant to have the same API as provided by the standard library of Node.js. It allows for the parsing of URLs, resolving URLs to absolute paths, and formatting URLs from constituent parts.
URL Parsing

Parse a URL string and provide access to its different parts, such as protocol, hostname, path, query, and hash.

```javascript
const url = require('url');
const myURL = new URL('https://example.com/path?name=value#hash');
console.log(myURL.hostname); // 'example.com'
```
URL Resolution

Resolve a target URL relative to a base URL, effectively providing the absolute path of the target.

```javascript
const url = require('url');
const resolvedUrl = url.resolve('https://example.com/', '/path');
console.log(resolvedUrl); // 'https://example.com/path'
```
URL Formatting

Format a URL object into a URL string.

```javascript
const url = require('url');
const myURL = new URL('https://example.com/path?name=value#hash');
const formattedUrl = url.format(myURL);
console.log(formattedUrl); // 'https://example.com/path?name=value#hash'
```
Implements the WHATWG URL Standard for parsing and serializing URLs. It provides a more modern API and better alignment with web standards compared to the 'url' package.
A library for working with URLs. It offers a fluent API for URL manipulation, making it more user-friendly for complex URL operations compared to the 'url' package.
A simple package for parsing URLs with a focus on retrieving individual URL components. It's more lightweight but less feature-rich compared to the 'url' package.
This module has utilities for URL resolution and parsing meant to have feature parity with the node.js core url module.

```javascript
var url = require('url');
```
Parsed URL objects have some or all of the following fields, depending on whether or not they exist in the URL string. Any parts that are not in the URL string will not be in the parsed object. Examples are shown for the URL `'http://user:pass@host.com:8080/p/a/t/h?query=string#hash'`.
- `href`: The full URL that was originally parsed. Both the protocol and host are lowercased.
  Example: `'http://user:pass@host.com:8080/p/a/t/h?query=string#hash'`
- `protocol`: The request protocol, lowercased.
  Example: `'http:'`
- `host`: The full lowercased host portion of the URL, including port information.
  Example: `'host.com:8080'`
- `auth`: The authentication information portion of a URL.
  Example: `'user:pass'`
- `hostname`: Just the lowercased hostname portion of the host.
  Example: `'host.com'`
- `port`: The port number portion of the host.
  Example: `'8080'`
- `pathname`: The path section of the URL, that comes after the host and before the query, including the initial slash if present.
  Example: `'/p/a/t/h'`
- `search`: The 'query string' portion of the URL, including the leading question mark.
  Example: `'?query=string'`
- `path`: Concatenation of `pathname` and `search`.
  Example: `'/p/a/t/h?query=string'`
- `query`: Either the 'params' portion of the query string, or a querystring-parsed object.
  Example: `'query=string'` or `{'query':'string'}`
- `hash`: The 'fragment' portion of the URL including the pound-sign.
  Example: `'#hash'`
The following methods are provided by the URL module:

url.parse(urlStr, [parseQueryString], [slashesDenoteHost])

Take a URL string, and return an object.

Pass `true` as the second argument to also parse the query string using the `querystring` module. Defaults to `false`.

Pass `true` as the third argument to treat `//foo/bar` as `{ host: 'foo', pathname: '/bar' }` rather than `{ pathname: '//foo/bar' }`. Defaults to `false`.
url.format(urlObj)

Take a parsed URL object, and return a formatted URL string.

- `href` will be ignored.
- `protocol` is treated the same with or without the trailing `:` (colon).
  - `http`, `https`, `ftp`, `gopher`, `file` will be postfixed with `://` (colon-slash-slash).
  - `mailto`, `xmpp`, `aim`, `sftp`, `foo`, etc will be postfixed with `:` (colon).
- `auth` will be used if present.
- `hostname` will only be used if `host` is absent.
- `port` will only be used if `host` is absent.
- `host` will be used in place of `hostname` and `port`.
- `pathname` is treated the same with or without the leading `/` (slash).
- `search` will be used in place of `query`.
- `query` (object; see `querystring`) will only be used if `search` is absent.
- `search` is treated the same with or without the leading `?` (question mark).
- `hash` is treated the same with or without the leading `#` (pound sign, anchor).

url.resolve(from, to)

Take a base URL, and a href URL, and resolve them as a browser would for an anchor tag. Examples:

```javascript
url.resolve('/one/two/three', 'four') // '/one/two/four'
url.resolve('http://example.com/', '/one') // 'http://example.com/one'
url.resolve('http://example.com/one', '/two') // 'http://example.com/two'
```
FAQs
The core `url` packaged standalone for use with Browserify.
The npm package url receives a total of 16,996,573 weekly downloads. As such, url popularity was classified as popular.
We found that url demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.