
parseuri

Mighty but tiny URI parser

Versions: 8
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

slevithangal

Keywords

uri, url, urn

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Legitimate maintainer transition to slevithan, whose GitHub repo hosts the project. Well-established publisher with strong track record. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): slevithan is the new canonical maintainer; repo URL confirms ownership. Stable for future versions. | ai |
source-diff | source-size-tripled | AI (source-diff): Complete rewrite from v0.0.6 to v3.0.1 explains size increase. No runtime deps, clean build scripts. | ai |
osv | osv:GHSA-6fx8-h7jm-663j | AI (osv): Advisory is for parse-uri v1.0.9 (different package/codebase). This is parseuri v3.0.1, a complete rewrite by slevithan. | ai |

Versions (showing 8 of 8)

Version | Deps | Published
3.0.2 | 0 / 2 |
3.0.1 | 0 / 2 |
0.0.6 | 0 / 3 |
0.0.5 | 1 / 2 |
0.0.4 | 1 / 1 |
0.0.3 | 1 / 1 |
0.0.2 | 1 / 1 |
0.0.1 | 0 / 0 |

v3.0.2

2 findings
MEDIUM  GHSA-6fx8-h7jm-663j: parse-uri Regular expression Denial of Service (ReDoS)  [source: osv]

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

PoC (as quoted from the advisory):

```js
async function exploit() {
  const parseuri = require("parse-uri");
  // This input is designed to cause excessive backtracking in the regex
  const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
  const result = await parseuri(craftedInput);
}
exploit();
```

LOW  No provenance attestation  [source: provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

3 findings
HIGH  Publisher changed: gal → slevithan (on 2024-05-22)  [source: provenance]

This version was published by a different npm account than previous versions on 2024-05-22. This could indicate a legitimate maintainer transition or an account compromise.

MEDIUM  GHSA-6fx8-h7jm-663j: parse-uri Regular expression Denial of Service (ReDoS)  [source: osv]

Same advisory text and PoC as listed under v3.0.2.

LOW  No provenance attestation  [source: provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.6

2 findings
MEDIUM  GHSA-6fx8-h7jm-663j: parse-uri Regular expression Denial of Service (ReDoS)  [source: osv]

Same advisory text and PoC as listed under v3.0.2.

LOW  No provenance attestation  [source: provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.