Gathering detailed insights and metrics for tldjs
Gathering detailed insights and metrics for tldjs
JavaScript API to work easily with complex domain names, subdomains and well-known TLDs.
Installations
npm install tldjsDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>= 4
Node Version
9.5.0
NPM Version
5.6.0
Score
92.5
Supply Chain
100
Quality
76
Maintenance
100
Vulnerability
100
License
Releases
9
Languages
1
JavaScript
JavaScript (100%)
Developer
Download Statistics
Total Downloads
34,572,534
Last Day
5,473
Last Week
107,918
Last Month
492,412
Last Year
5,343,406
GitHub Statistics
MIT License
466 Stars
364 Commits
55 Forks
11 Watchers
6 Branches
15 Contributors
Updated on Jun 16, 2025
Bundle Size
115.76 kB
Minified
33.23 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
2.3.1
Package Id
tldjs@2.3.1
Size
141.73 kB
NPM Version
5.6.0
Node Version
9.5.0
Published on
Feb 18, 2018
Total Downloads
Cumulative downloads
Total Downloads
34,572,534
Last Day
0.8%
5,473
Compared to previous day
Last Week
-13.3%
107,918
Compared to previous week
Last Month
8.5%
492,412
Compared to previous month
Last Year
-35.5%
5,343,406
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
tld.js 
tld.jsis a Node.js module written in JavaScript to work against complex domain names, subdomains and well-known TLDs.
It answers with accuracy to questions like what is mail.google.com's domain?, what is a.b.ide.kyoto.jp's subdomain? and is https://big.data's TLD a well-known one?.
tld.js runs fast, is fully tested and is safe to use in the browser (with browserify, webpack and others). Because it relies on Mozilla's public suffix list, now is a good time to say thank you Mozilla!
Install
1# Regular install 2npm install --save tldjs 3 4# You can update the list of well-known TLD during the install 5npm install --save tldjs --tldjs-update-rules
The latter is useful if you significantly rely on an up-to-date list of TLDs. You can list the recent changes (changes Atom Feed) to get a better idea of what is going on in the Public Suffix world.
Using It
1const {parse, tldExists} = require('tldjs'); 2 3// Checking only if TLD exists in URL or hostname 4// First TLD exists; the second does not. 5console.log(tldExists('https://www.bbc')); 6console.log(tldExists('tld.unknown')); 7 8// Retrieving hostname related informations of a given URL 9parse('http://www.writethedocs.org/conf/eu/2017/');
???? Try it your browser to see how it works.
⬇️ Read the documentation below to find out the available functions.
tldjs.parse()
This methods returns handy properties about a URL or a hostname.
1const tldjs = require('tldjs'); 2 3tldjs.parse('https://spark-public.s3.amazonaws.com/dataanalysis/loansData.csv'); 4// { hostname: 'spark-public.s3.amazonaws.com', 5// isValid: true, 6// isIp: false, 7// tldExists: true, 8// publicSuffix: 's3.amazonaws.com', 9// domain: 'spark-public.s3.amazonaws.com', 10// subdomain: '' 11// } 12 13tldjs.parse('gopher://domain.unknown/'); 14// { hostname: 'domain.unknown', 15// isValid: true, 16// isIp: false, 17// tldExists: false, 18// publicSuffix: 'unknown', 19// domain: 'domain.unknown', 20// subdomain: '' 21// } 22 23tldjs.parse('https://192.168.0.0') 24// { hostname: '192.168.0.0', 25// isValid: true, 26// isIp: true, 27// tldExists: false, 28// publicSuffix: null, 29// domain: null, 30// subdomain: null 31// }
| Property Name | Type | |
|---|---|---|
hostname | String | |
isValid | Boolean | Is the hostname valid according to the RFC? |
tldExists | Boolean | Is the TLD well-known or not? |
publicSuffix | String | |
domain | String | |
subdomain | String |
Single purpose methods
These methods are shorthands if you want to retrieve only a single value.
tldExists()
Checks if the TLD is well-known for a given hostname — parseable with require('url').parse.
1const { tldExists } = tldjs; 2 3tldExists('google.com'); // returns `true` 4tldExists('google.local'); // returns `false` (not an explicit registered TLD) 5tldExists('com'); // returns `true` 6tldExists('uk'); // returns `true` 7tldExists('co.uk'); // returns `true` (because `uk` is a valid TLD) 8tldExists('amazon.fancy.uk'); // returns `true` (still because `uk` is a valid TLD) 9tldExists('amazon.co.uk'); // returns `true` (still because `uk` is a valid TLD) 10tldExists('https://user:password@example.co.uk:8080/some/path?and&query#hash'); // returns `true`
getDomain()
Returns the fully qualified domain from a given string — parseable with require('url').parse.
1const { getDomain } = tldjs; 2 3getDomain('google.com'); // returns `google.com` 4getDomain('fr.google.com'); // returns `google.com` 5getDomain('fr.google.google'); // returns `google.google` 6getDomain('foo.google.co.uk'); // returns `google.co.uk` 7getDomain('t.co'); // returns `t.co` 8getDomain('fr.t.co'); // returns `t.co` 9getDomain('https://user:password@example.co.uk:8080/some/path?and&query#hash'); // returns `example.co.uk`
getSubdomain()
Returns the complete subdomain for a given string — parseable with require('url').parse.
1const { getSubdomain } = tldjs; 2 3getSubdomain('google.com'); // returns `` 4getSubdomain('fr.google.com'); // returns `fr` 5getSubdomain('google.co.uk'); // returns `` 6getSubdomain('foo.google.co.uk'); // returns `foo` 7getSubdomain('moar.foo.google.co.uk'); // returns `moar.foo` 8getSubdomain('t.co'); // returns `` 9getSubdomain('fr.t.co'); // returns `fr` 10getSubdomain('https://user:password@secure.example.co.uk:443/some/path?and&query#hash'); // returns `secure`
getPublicSuffix()
Returns the public suffix for a given string — parseable with require('url').parse.
1const { getPublicSuffix } = tldjs; 2 3getPublicSuffix('google.com'); // returns `com` 4getPublicSuffix('fr.google.com'); // returns `com` 5getPublicSuffix('google.co.uk'); // returns `co.uk` 6getPublicSuffix('s3.amazonaws.com'); // returns `s3.amazonaws.com` 7getPublicSuffix('tld.is.unknown'); // returns `unknown`
isValid()
Checks the validity of a given string — parseable with require('url').parse.
It does not check if the TLD is well-known.
1const { isValid } = tldjs; 2 3isValid('google.com'); // returns `true` 4isValid('.google.com'); // returns `false` 5isValid('my.fake.domain'); // returns `true` 6isValid('localhost'); // returns `false` 7isValid('https://user:password@example.co.uk:8080/some/path?and&query#hash'); // returns `true` 8isValid('192.168.0.0') // returns `true`
Troubleshooting
Retrieving subdomain of localhost and custom hostnames
tld.js methods getDomain and getSubdomain are designed to work only with known and valid TLDs.
This way, you can trust what a domain is.
localhost is a valid hostname but not a TLD. Although you can instanciate your own flavour of tld.js with additional valid hosts:
1const tldjs = require('tldjs'); 2 3tldjs.getDomain('localhost'); // returns null 4tldjs.getSubdomain('vhost.localhost'); // returns null 5 6const myTldjs = tldjs.fromUserSettings({ 7 validHosts: ['localhost'] 8}); 9 10myTldjs.getDomain('localhost'); // returns 'localhost' 11myTldjs.getSubdomain('vhost.localhost'); // returns 'vhost'
Updating the TLDs List
Many libraries offer a list of TLDs. But, are they up-to-date? And how to update them?
tld.js bundles a list of known TLDs but this list can become outdated.
This is especially true if the package have not been updated on npm for a while.
Hopefully for you, even if I'm flying over the world, if I've lost my Internet connection or even if you do manage your own list, you can update it by yourself, painlessly.
How? By passing the --tldjs-update-rules to your npm install command:
1# anytime you reinstall your project 2npm install --tldjs-update-rules 3 4# or if you add the dependency to your project 5npm install --save tldjs --tldjs-update-rules
Open an issue to request an update of the bundled TLDs.
Contributing
Provide a pull request (with tested code) to include your work in this main project. Issues may be awaiting for help so feel free to give a hand, with code or ideas.
Performances
tld.js is fast, but keep in mind that it might vary depending on your own
use-case. Because the library tried to be smart, the speed can be drastically
different depending on the input (it will be faster if you provide an already
cleaned hostname, compared to a random URL).
On an Intel i7-6600U (2,60-3,40 GHz):
For already cleaned hostnames
| Methods | ops/sec |
|---|---|
isValid | ~8,700,000 |
extractHostname | ~8,100,000 |
tldExists | ~2,000,000 |
getPublicSuffix | ~1,130,000 |
getDomain | ~1,000,000 |
getSubdomain | ~1,000,000 |
parse | ~850,000 |
For random URLs
| Methods | ops/sec |
|---|---|
isValid | ~25,400,000 |
extractHostname | ~400,000 |
tldExists | ~310,000 |
getPublicSuffix | ~240,000 |
getDomain | ~240,000 |
getSubdomain | ~240,000 |
parse | ~230,000 |
You can measure the performance of tld.js on your hardware by running the following command:
1npm run benchmark
Notice: if this is not fast enough for your use-case, keep in mind that you can
provide your own extractHostname function (which is the bottleneck in
this benchmark) to tld.js.
Contributors
This project exists thanks to all the people who contribute. [Contribute].
Backers
Thank you to all our backers! ???? [Become a backer]
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
License
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 7/17 approved changesets -- score normalized to 4
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'master'
- Info: 'force pushes' disabled on branch 'master'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'master'
- Warn: could not determine whether codeowners review is allowed
- Warn: 'up-to-date branches' is disabled on branch 'master'
- Info: status check found to merge onto on branch 'master'
- Warn: PRs are not required to make changes on branch 'master'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/main.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/thom4parisot/tld.js/main.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/thom4parisot/tld.js/main.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/thom4parisot/tld.js/main.yml/master?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 22 are checked with a SAST tool
Reason
11 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
- Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
Score
3.2
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More