Gathering detailed insights and metrics for svg-url-loader
Gathering detailed insights and metrics for svg-url-loader
A webpack loader which loads SVG file as utf-8 encoded DataUrl string.
Installations
npm install svg-url-loaderDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=14
Node Version
16.15.0
NPM Version
8.16.0
Score
85.9
Supply Chain
61.9
Quality
74.6
Maintenance
100
Vulnerability
99.6
License
Releases
17
v8.0.0
v8.0.0
Updated on Sep 04, 2022
Performance improvements
v7.1.1
Updated on Nov 29, 2020
Add resourceQuery support
v7.1.0
Updated on Nov 27, 2020
Fallback to file-loader using default options
v7.0.0
Updated on Nov 26, 2020
Deprecate stripdeclarations option
v6.0.0
Updated on May 24, 2020
Compatible with Yarn 2
v5.0.1
Updated on May 24, 2020
Languages
4
JavaScript
Less
SCSS
CSS
JavaScript (98.36%)
Less (0.55%)
SCSS (0.55%)
CSS (0.54%)
Developer
bhovhannes
Download Statistics
Total Downloads
107,744,568
Last Day
8,837
Last Week
292,717
Last Month
1,326,052
Last Year
14,188,181
GitHub Statistics
MIT License
242 Stars
1,168 Commits
33 Forks
3 Watchers
2 Branches
10 Contributors
Updated on Jun 28, 2025
Bundle Size
242.61 kB
Minified
65.39 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
8.0.0
Package Id
svg-url-loader@8.0.0
Unpacked Size
9.98 kB
Size
4.23 kB
File Count
5
NPM Version
8.16.0
Node Version
16.15.0
Total Downloads
Cumulative downloads
Total Downloads
107,744,568
Last Day
-14.9%
8,837
Compared to previous day
Last Week
-12.9%
292,717
Compared to previous week
Last Month
5.9%
1,326,052
Compared to previous month
Last Year
3.4%
14,188,181
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
Peer Dependencies
1
svg-url-loader
A webpack loader which loads SVG file as utf-8 encoded DataUrl string.
Existing url-loader always does Base64 encoding for data-uri. As SVG content is a human-readable xml string, using base64 encoding is not mandatory. Instead, one may only escape unsafe characters and replace " with ' as described in this article.
There are some benefits for choosing utf-8 encoding over base64.
- Resulting string is shorter (can be ~2 times shorter for 2K-sized icons);
- Resulting string will be compressed better when using gzip compression;
- Browser parses utf-8 encoded string faster than its base64 equivalent.
Supported parameters
Parameters can be passed both in an url or from webpack config file. See Loaders section in webpack documentation for more details.
Passing parameters using resourceQuery is also supported:
1.selector { 2 background-image: url(../assets/foo.svg?encoding=base64); 3}
The loader supports the following parameters:
limit
If given, loader will not encode the source file if its content is greater than this limit.
Defaults to no limit.
If the file is greater than the limit the file-loader is used, receiving all query parameters set for svg-url-loader.
1require("svg-url-loader?limit=1024!./file.svg"); 2// => DataUrl if "file.png" is smaller that 1kb 3 4require("svg-url-loader?prefix=img/!./file.svg"); 5// => Parameters for the file-loader are valid too 6// They are passed to the file-loader if used.
stripdeclarations
This option is true by default. It will be removed in the next major release.
See this issue for more context about this decision.
If given will tell the loader to strip out any XML declaration, e.g. <?xml version="1.0" encoding="UTF-8"?> at the beginning of imported SVGs.
Internet Explorer (tested in Edge 14) cannot handle XML declarations in CSS data URLs (content: url("data:image/svg...")).
1require("svg-url-loader?stripdeclarations!./file.svg");
iesafe
This option tells loader to fall back to the file-loader if the file contains a style-element and the encoded size is above 4kB no matter the limit specified.
This option was introduced because Internet Explorer (including IE11) stops parsing style-elements in SVG data-URIs longer than 4kB. This results in black fill-color for all styled shapes.
You can either specify iesafe option in the query:
1// apply `iesafe` option only for 'foo.svg' 2require("svg-url-loader?iesafe!./foo.svg");
Or, you can set this option globally in you webpack config:
1module.exports = { 2 //... 3 module: { 4 rules: [ 5 { 6 test: /\.svg/, 7 use: { 8 loader: "svg-url-loader", 9 options: { 10 // make all svg images to work in IE 11 iesafe: true, 12 }, 13 }, 14 }, 15 ], 16 }, 17 //... 18};
encoding
This option controls which encoding to use when constructing a data-URI for an SVG. When set to a non-"none" value, loader does not apply quotes to the resulting data-URI.
Possible values are "base64" and "none". Defaults to "none".
Normally, setting encoding option to base64 should not be required, as using base64 encoding defeats the original purpose of this loader - embed svg with minimal size overhead. However, because of incompatibility with some tools, we support this mode, too.
You can either specify base64 option in the query:
1// apply `base64` option only for 'foo.svg' 2require("svg-url-loader?encoding=base64!./foo.svg");
Or, you can set this option globally in you webpack config:
1module.exports = { 2 //... 3 module: { 4 rules: [ 5 { 6 test: /\.svg/, 7 use: { 8 loader: "svg-url-loader", 9 options: { 10 // make loader to behave like url-loader, for all svg files 11 encoding: "base64", 12 }, 13 }, 14 }, 15 ], 16 }, 17 //... 18};
Usage
In JS:
1require("svg-url-loader!./file.svg"); 2// => DataUrl for file.svg
In CSS (with webpack.config.js below):
1.icon { 2 background: url("../images/file.svg"); 3}
1module.exports = { 2 //... 3 module: { 4 rules: [ 5 { 6 test: /\.svg/, 7 use: { 8 loader: "svg-url-loader", 9 options: {}, 10 }, 11 }, 12 ], 13 }, 14 //... 15};
Benefits of using data-uri
- Browser won't make an extra http call to download the image
- Some folks mentioned that even if image is in browser cache images with data url appear on screen faster.
License
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
dependency not pinned by hash detected -- score normalized to 4
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/bhovhannes/svg-url-loader/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/bhovhannes/svg-url-loader/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/bhovhannes/svg-url-loader/main.yml/main?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 1 out of 1 npmCommand dependencies pinned
Reason
8 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/main.yml:1
- Info: no jobLevel write permissions found
Reason
Found 0/6 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 24 are checked with a SAST tool
Score
4.3
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More