url
The core `url` packaged standalone for use with Browserify.
11
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
coolaj86ljharbdefunctzombie
Keywords
parsingurlanalyze
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): ljharb is a well-known, highly reputable npm maintainer. The publisher change from defunctzombie to ljharb is a legitimate stewardship transition consistent with ljharb's broad ecosystem maintenance role. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ljharb (Jordan Harband) is a trusted, prolific npm maintainer with 765 approved packages. Addition is a legitimate transfer, not a compromise. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): qs is a well-established, widely trusted query string library replacing the deprecated querystring module. This is a sensible modernization with no supply-chain risk. | ai | |
| dependencies | unvetted-dep:qs | AI (dependencies): qs is a mainstream, well-vetted query string library; its use here as a replacement for the deprecated querystring built-in is a legitimate and expected dependency for this package. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): All 14 hits are in test.js where 'file:///etc/passwd' is a URL string literal used as a parser test fixture, not actual credential access. Stable false positive for a URL parser package. | ai | |
| provenance | no-provenance | AI (provenance): Established package from a known publisher; lack of Sigstore provenance is common for packages of this age and poses no material risk here. | ai |