
Help in opening URLs (mostly HTTP) in a complex world — basic and digest authentication, redirections, cookies and more. Base undici fetch API.
Request HTTP URLs in a complex world — basic and digest authentication, redirections, cookies, timeout and more.
npm install urllib --save
// TypeScript and ESM
import { request } from 'urllib';
const { data, res } = await request('http://cnodejs.org/');
// result: { data: Buffer, res: Response }
console.log('status: %s, body size: %d, headers: %j', res.statusCode, data.length, res.headers);

// CommonJS
const { request } = require('urllib');
const { data, res } = await request('http://cnodejs.org/');
// result: { data: Buffer, res: Response }
console.log('status: %s, body size: %d, headers: %j', res.statusCode, data.length, res.headers);
response event
You should create a urllib instance first.
import { HttpClient } from 'urllib';
const httpclient = new HttpClient();
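httpclient.on('response', (info) => {
  // info has the shape: { error, ctx, req: { url, options, size }, res }
  const { error, req, res } = info;
  console.log('url: %s, request size: %d, status: %s', req.url, req.size, res.status);
  if (error) console.error(error);
});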
const { data, res } = await httpclient.request('https://nodejs.org');
console.log('status: %s, body size: %d, headers: %j', res.statusCode, data.length, res.headers);
async request(url[, options])
GET. Could be GET, POST, DELETE or PUT. Alias 'type'.
data will be ignored.
data and content will be ignored.
callback will be called with data set null after finished writing.
multipart/form-data format, based on formstream. If method not set, will use POST method by default.
json (Notes: not use application/json here). If it's json, will auto set Content-Type: application/json header.
text or json. If it's text, the callbacked data would be a String. If it's json, the data of callback would be a parsed JSON Object and will auto set Accept: application/json header. Default callbacked data would be a Buffer.
false.
exports.TIMEOUT, both are 5s. You can use timeout: 5000 to tell urllib to use the same timeout for both phases, or set them separately such as timeout: [3000, 5000], which will set connecting timeout to 3s and response 5s.
username:password used in HTTP Basic Authorization.
false if you do not use agent.
false if you do not use agent.
url.resolve(from, to).
res object when request connected, default false. alias customResponse
gzip, br response content and auto decode it, default is false.
false.

options.data
When making a request:
await request('https://example.com', {
  method: 'GET',
  data: {
    'a': 'hello',
    'b': 'world',
  }
});
For a GET request, data is stringified into the query string, e.g. http://example.com/?a=hello&b=world.
For other methods such as POST, PATCH or PUT, data is by default stringified into application/x-www-form-urlencoded format if the content-type header is not set.
If content-type is application/json, data is serialized with JSON.stringify into JSON format.
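The serialization rules above, modelled as a small stand-alone function (an added example, not code from urllib; `encodeData` is a hypothetical helper and only flat objects are handled). It shows what ends up in the URL versus the body, and that delimiter characters inside a value are percent-encoded rather than read as extra parameters.

```javascript
// Added illustration of the rules described above; not urllib's own code.
// encodeData is a hypothetical helper and handles flat objects only.
function encodeData(method, url, headers, data) {
  const verb = (method || 'GET').toUpperCase();
  // Header names are case-insensitive, so normalise them before the lookup.
  const lower = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lower[name.toLowerCase()] = String(value);
  }
  if (verb === 'GET') {
    // GET: data becomes query parameters, so every value is part of the URL.
    const target = new URL(url);
    for (const [key, value] of Object.entries(data)) {
      target.searchParams.append(key, String(value));
    }
    return { url: target.href, contentType: undefined, body: undefined };
  }
  const declared = lower['content-type'];
  if (declared === undefined) {
    // No content-type header: form encoding is the default.
    const body = new URLSearchParams(data).toString();
    return { url, contentType: 'application/x-www-form-urlencoded', body };
  }
  if (declared.split(';')[0].trim().toLowerCase() === 'application/json') {
    return { url, contentType: declared, body: JSON.stringify(data) };
  }
  throw new Error(`content-type ${declared} is outside the rules modelled here`);
}

// Constructed sample inputs.
const flat = { a: 'hello', b: 'world' };
console.log(encodeData('GET', 'http://example.com', {}, flat).url);
console.log(encodeData('POST', 'https://example.com', {}, flat).body);
console.log(encodeData('POST', 'https://example.com', { 'Content-Type': 'application/json' }, flat).body);
// A value containing & and = stays one parameter because it is percent-encoded.
console.log(encodeData('GET', 'https://example.com/search', {}, { q: 'a&b=c' }).url);
```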
options.content
options.content is useful when you wish to construct the request body yourself,
for example when making a content-type: application/json request.
Note that if you want to send a JSON body, you should stringify it yourself:
await request('https://example.com', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  content: JSON.stringify({
    a: 'hello',
    b: 'world',
  })
});
It would make an HTTP request like:
POST / HTTP/1.1
host: example.com
content-type: application/json

{
  "a": "hello",
  "b": "world"
}
The same request can be made using options.data with an application/json content type:
await request('https://example.com', {
  method: 'POST',
  headers: {
    'content-type': 'application/json'
  },
  data: {
    a: 'hello',
    b: 'world',
  }
});
options.files
Upload a file with a hello field.
await request('https://example.com/upload', {
  method: 'POST',
  files: __filename,
  data: {
    hello: 'hello urllib',
  },
});
Upload multiple files with a hello field.
await request('https://example.com/upload', {
  method: 'POST',
  files: [
    __filename,
    fs.createReadStream(__filename),
    Buffer.from('mock file content'),
  ],
  data: {
    hello: 'hello urllib with multi files',
  },
});
Custom file field name with uploadfile.
await request('https://example.com/upload', {
  method: 'POST',
  files: {
    uploadfile: __filename,
  },
});
options.stream
Uploads a file with formstream:
import formstream from 'formstream';
const form = formstream();
form.file('file', __filename);
form.field('hello', '你好urllib');
await request('https://example.com/upload', {
  method: 'POST',
  headers: form.headers(),
  stream: form,
});
Response is a normal object; it contains:
status or statusCode: response status code.
  -1 meaning some network error like ENOTFOUND
  -2 meaning ConnectionTimeoutError
headers: response http headers, default is {}
size: response size
aborted: response was aborted or not
rt: total request and response time in ms.
timing: timing object if timing enable.
remoteAddress: http server ip address
remotePort: http server ip port
socketHandledRequests: socket already handled request count
socketHandledResponses: socket already handled response count

NODE_DEBUG=urllib npm test
This project follows the git-contributor spec, auto updated at Tue Jul 05 2022 16:17:31 GMT+0800.
Axios is a promise-based HTTP client for the browser and Node.js. It provides a more modern and flexible API compared to urllib, with support for interceptors, request cancellation, and automatic JSON data transformation.
Node-fetch is a lightweight module that brings the Fetch API to Node.js. It is a minimalistic alternative to urllib, focusing on simplicity and compliance with the Fetch standard.
Request is a simplified HTTP client for Node.js with a rich set of features. It is more feature-rich than urllib, offering support for OAuth, cookies, and multipart form data. However, it has been deprecated in favor of more modern alternatives like axios.
FAQs
Help in opening URLs (mostly HTTP) in a complex world — basic and digest authentication, redirections, timeout and more. Base undici API.
The npm package urllib receives a total of 119,878 weekly downloads. As such, urllib popularity was classified as popular.
We found that urllib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 9 open source maintainers collaborating on the project.