← Home

native-url

npm Repository Homepage

Brings the node url api layer to whatwg-url class

15
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

janicklas-ralph

Keywords

urlurinormalizationnormalisationqueryquerystringwhatwg-urlparseformatresolveresolveObject

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/index.mjs AI (source-diff): ESM minified microbundle output of URL parsing library; not obfuscated malicious code. Stable for this package. ai
source-diff obfuscated-file:dist/index.js AI (source-diff): dist/index.js is microbundle minified output of src/index.js — standard build artifact for this package, not obfuscation. ai
semgrep semgrep:etc-passwd-access AI (semgrep): All 14 hits are in URL parser test cases using 'file:///etc/passwd' as a test URL string, not actual file access. Standard for URL parsing test suites. ai

Versions (showing 15 of 15)

Version Deps Published
0.3.4 1 / 8
0.3.3 1 / 8
0.3.2 1 / 8
0.3.1 1 / 8
0.3.0 1 / 8
0.2.6 1 / 7
0.2.5 1 / 7
0.2.4 1 / 7
0.2.3 1 / 7
0.2.2 1 / 7
0.2.1 1 / 7
0.2.0 1 / 5
0.1.2 1 / 5
0.1.1 1 / 5
0.1.0 1 / 5

v0.3.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

15 findings
HIGH etc-passwd-access: third_party/index.test.js:301 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L301 299 | }, 300 | > 301 | 'file:///etc/passwd': { 302 | href: 'file:///etc/passwd', 303 | slashes: true,

HIGH etc-passwd-access: third_party/index.test.js:302 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L302 300 | 301 | 'file:///etc/passwd': { > 302 | href: 'file:///etc/passwd', 303 | slashes: true, 304 | protocol: 'file:',

HIGH etc-passwd-access: third_party/index.test.js:305 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L305 303 | slashes: true, 304 | protocol: 'file:', > 305 | pathname: '/etc/passwd', 306 | hostname: '', 307 | host: '',

HIGH etc-passwd-access: third_party/index.test.js:308 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L308 306 | hostname: '', 307 | host: '', > 308 | path: '/etc/passwd' 309 | }, 310 |

HIGH etc-passwd-access: third_party/index.test.js:311 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L311 309 | }, 310 | > 311 | // "file://localhost/etc/passwd": { 312 | // href: "file://localhost/etc/passwd", 313 | // protocol: "file:",

HIGH etc-passwd-access: third_party/index.test.js:312 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L312 310 | 311 | // "file://localhost/etc/passwd": { > 312 | // href: "file://localhost/etc/passwd", 313 | // protocol: "file:", 314 | // slashes: true,

HIGH etc-passwd-access: third_party/index.test.js:315 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L315 313 | // protocol: "file:", 314 | // slashes: true, > 315 | // pathname: "/etc/passwd", 316 | // hostname: "localhost", 317 | // host: "localhost",

HIGH etc-passwd-access: third_party/index.test.js:318 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L318 316 | // hostname: "localhost", 317 | // host: "localhost", > 318 | // path: "/etc/passwd" 319 | // }, 320 |

HIGH etc-passwd-access: third_party/index.test.js:321 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L321 319 | // }, 320 | > 321 | 'file://foo/etc/passwd': { 322 | href: 'file://foo/etc/passwd', 323 | protocol: 'file:',

HIGH etc-passwd-access: third_party/index.test.js:322 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L322 320 | 321 | 'file://foo/etc/passwd': { > 322 | href: 'file://foo/etc/passwd', 323 | protocol: 'file:', 324 | slashes: true,

HIGH etc-passwd-access: third_party/index.test.js:325 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L325 323 | protocol: 'file:', 324 | slashes: true, > 325 | pathname: '/etc/passwd', 326 | hostname: 'foo', 327 | host: 'foo',

HIGH etc-passwd-access: third_party/index.test.js:328 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L328 326 | hostname: 'foo', 327 | host: 'foo', > 328 | path: '/etc/passwd' 329 | }, 330 |

HIGH etc-passwd-access: third_party/index.test.js:1242 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L1242 1240 | 'http://example.com/a/b/c/d' 1241 | ], > 1242 | ['/foo/bar/baz', '/../etc/passwd', '/etc/passwd'] 1243 | ]; 1244 |

HIGH etc-passwd-access: third_party/index.test.js:1242 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/GoogleChromeLabs/native-url/blob/8c9cd74a6d7c4c72238911fb3a1f79775e577174/third_party/index.test.js#L1242 1240 | 'http://example.com/a/b/c/d' 1241 | ], > 1242 | ['/foo/bar/baz', '/../etc/passwd', '/etc/passwd'] 1243 | ]; 1244 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.2

3 findings
HIGH New obfuscated file: dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

2 findings
HIGH New obfuscated file: dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.