An implementation of the WHATWG URL Standard in JavaScript
Installations
npm install whatwg-url
Score: 99.3
Supply Chain: 99.6
Quality: 82.2
Maintenance: 100
Vulnerability: 100
License
Developer
Developer Guide
Module System: CommonJS
Min. Node Version: >=18
Typescript Support: No
Node Version: 21.1.0
NPM Version: 10.2.0
Statistics
371 Stars
377 Commits
94 Forks
9 Watching
1 Branches
20 Contributors
Updated on 07 Nov 2024
Bundle Size
254.64 kB minified
69.40 kB minified + gzipped
Languages
JavaScript (92.04%)
HTML (4.31%)
WebIDL (1.77%)
CSS (1.6%)
Shell (0.28%)
Total Downloads
Cumulative downloads: 11,354,474,250
Last day: 14,468,435 (-7.4% compared to previous day)
Last week: 85,093,950 (2.4% compared to previous week)
Last month: 345,059,915 (13.6% compared to previous month)
Last year: 3,473,962,089 (12.9% compared to previous year)
Dependencies: 2
Dev Dependencies: 7
whatwg-url
whatwg-url is a full implementation of the WHATWG URL Standard. It can be used standalone, but it also exposes a lot of the internal algorithms that are useful for integrating a URL parser into a project like jsdom.
Specification conformance
whatwg-url is currently up to date with the URL spec up to commit eee49fd.
For file: URLs, whose origin is left unspecified, whatwg-url chooses to use a new opaque origin (which serializes to "null").
whatwg-url does not yet implement any encoding handling beyond UTF-8. That is, the encoding override parameter does not exist in our API.
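Because every opaque origin serializes to the same string "null", an origin check that compares serialized strings treats any two file: URLs as same-origin. The following is an added example, not code from the whatwg-url project: it contrasts that naive comparison with a check that rejects opaque origins and parse failures. It assumes the URL export of whatwg-url when the package is installed and otherwise falls back to the runtime's built-in WHATWG URL class; the function names and sample URLs are constructed for illustration.

```javascript
// Added example (not from the whatwg-url project).
// Assumption: use whatwg-url's URL export when the package is installed,
// otherwise fall back to the runtime's built-in WHATWG URL class.
let URLImpl = globalThis.URL;
try {
  URLImpl = require("whatwg-url").URL;
} catch {
  // package (or require) unavailable: keep the built-in implementation
}

// Returns the serialized tuple origin, or null when the input fails to parse
// or has an opaque origin (file:, data:, non-special schemes, ...).
function tupleOrigin(input) {
  let url;
  try {
    url = new URLImpl(input);
  } catch {
    return null; // parse failure: the constructor throws TypeError
  }
  // Every opaque origin serializes to the same string "null".
  return url.origin === "null" ? null : url.origin;
}

// Naive check kept for contrast: compares serialized origins only.
function naiveSameOrigin(a, b) {
  return new URLImpl(a).origin === new URLImpl(b).origin;
}

// Hardened check: opaque origins and parse failures never match anything.
function sameOrigin(a, b) {
  const originA = tupleOrigin(a);
  return originA !== null && originA === tupleOrigin(b);
}

// Constructed sample inputs.
const samples = [
  ["https://example.com/a", "https://EXAMPLE.com:443/b"],
  ["file:///srv/app/index.html", "file:///etc/hosts"],
  ["http://example.com/", "https://example.com/"],
  ["https://", "https://example.com/"],
];
for (const [a, b] of samples) {
  console.log(JSON.stringify([a, b]), "->", sameOrigin(a, b));
}
```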
API
The URL and URLSearchParams classes
The main API is provided by the URL and URLSearchParams exports, which follow the spec's behavior in all ways (including e.g. USVString conversion). Most consumers of this library will want to use these.
Low-level URL Standard API
The following methods are exported for use by places like jsdom that need to implement things like HTMLHyperlinkElementUtils. They mostly operate on or return an "internal URL" or "URL record" type.
- URL parser: parseURL(input, { baseURL })
- Basic URL parser: basicURLParse(input, { baseURL, url, stateOverride })
- URL serializer: serializeURL(urlRecord, excludeFragment)
- Host serializer: serializeHost(hostFromURLRecord)
- URL path serializer: serializePath(urlRecord)
- Serialize an integer: serializeInteger(number)
- Origin serializer: serializeURLOrigin(urlRecord)
- Set the username: setTheUsername(urlRecord, usernameString)
- Set the password: setThePassword(urlRecord, passwordString)
- Has an opaque path: hasAnOpaquePath(urlRecord)
- Cannot have a username/password/port: cannotHaveAUsernamePasswordPort(urlRecord)
- Percent decode bytes: percentDecodeBytes(uint8Array)
- Percent decode a string: percentDecodeString(string)
The stateOverride parameter is one of the following strings:
- "scheme start"
- "scheme"
- "no scheme"
- "special relative or authority"
- "path or authority"
- "relative"
- "relative slash"
- "special authority slashes"
- "special authority ignore slashes"
- "authority"
- "host"
- "hostname"
- "port"
- "file"
- "file slash"
- "file host"
- "path start"
- "path"
- "opaque path"
- "query"
- "fragment"
The URL record type has the following API:
These properties should be treated with care, as in general changing them will cause the URL record to be in an inconsistent state until the appropriate invocation of basicURLParse is used to fix it up. You can see examples of this in the URL Standard, where there are many step sequences like "4. Set context object’s url’s fragment to the empty string. 5. Basic URL parse input with context object’s url as url and fragment state as state override." In between those two steps, a URL record is in an unusable state.
The return value of "failure" in the spec is represented by null. That is, functions like parseURL and basicURLParse can return either a URL record or null.
whatwg-url/webidl2js-wrapper module
This module exports the URL and URLSearchParams interface wrappers API generated by webidl2js.
Development instructions
First, install Node.js. Then, fetch the dependencies of whatwg-url, by running from this directory:
npm install
To run tests:
npm test
To generate a coverage report:
npm run coverage
To build and run the live viewer:
npm run prepare
npm run build-live-viewer
Serve the contents of the live-viewer directory using any web server.
Supporting whatwg-url
The jsdom project (including whatwg-url) is a community-driven project maintained by a team of volunteers. You could support us by:
- Getting professional support for whatwg-url as part of a Tidelift subscription. Tidelift helps make open source sustainable for us while giving teams assurances for maintenance, licensing, and security.
- Contributing directly to the project.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE.txt:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/jsdom/.github/SECURITY.md:1
- Info: Found linked content: github.com/jsdom/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/jsdom/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/jsdom/.github/SECURITY.md:1
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/deploy.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/jsdom/whatwg-url/deploy.yml/main?enable=pin
- Info: 0 out of 7 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1
Reason
Found 2/23 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/build.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy.yml:8
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 25 are checked with a SAST tool
Score: 4.2/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.