whatwg-url
An implementation of the WHATWG URL Standard's URL API and parsing machinery
Versions: 70
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
timothygu, domenic, sebmaster, zirro, tmpvar, joris-van-der-wel
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Package is a legitimate WHATWG URL implementation from 2015; missing README/repo/keywords are artifacts of early npm publishing conventions, not spam indicators. | ai | |
| phantom-deps | phantom-dep:guid | AI (phantom-deps): guid is declared as a dependency in this early version; phantom detection reflects it not being directly imported in source, not a security concern. | ai | |
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): prettify.js is Google's syntax-highlighter, a standard minified artifact generated by Istanbul's lcov reporter. It is dev/coverage tooling with no runtime role; not malicious obfuscation. | ai | |
| dependencies | unvetted-dep:@exodus/bytes | AI (dependencies): @exodus/bytes is a utility library; new dependency is legitimate for whatwg-url's URL parsing scope. | ai | |
| provenance | no-provenance | AI (provenance): Package published in 2017, predating Sigstore provenance on npm. Not applicable. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Domenic (domenic on npm) is a recognized web standards contributor with a strong track record. Adding them as maintainer of a WHATWG URL implementation is entirely expected. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions with SLSA attestation indicates legitimate CI/CD automation of official jsdom repository. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependency is a utility library, not a suspicious addition; SLSA provenance and official repo context mitigate risk. | ai | |
| dependencies | unvetted-dep:tr46 | AI (dependencies): tr46 is a long-standing companion package in the jsdom ecosystem, consistently used by whatwg-url across many versions. | ai | |
| dependencies | unvetted-dep:webidl-conversions | AI (dependencies): webidl-conversions is a long-standing companion package in the jsdom ecosystem, consistently used by whatwg-url across many versions. | ai | |
Versions (showing 70 of 70)
| Version | Deps | Published |
|---|---|---|
| 16.0.1 | 3 / 7 | |
| 16.0.0 | 3 / 7 | |
| 15.1.0 | 2 / 7 | |
| 15.0.0 | 2 / 7 | |
| 14.2.0 | 2 / 7 | |
| 14.1.1 | 2 / 7 | |
| 14.1.0 | 2 / 7 | |
| 14.0.0 | 2 / 7 | |
| 13.0.0 | 2 / 8 | |
| 12.0.1 | 2 / 8 | |
| 12.0.0 | 2 / 8 | |
| 11.0.0 | 2 / 8 | |
| 10.0.0 | 2 / 8 | |
| 9.1.0 | 2 / 9 | |
| 9.0.0 | 2 / 9 | |
| 8.7.0 | 3 / 9 | |
| 8.6.0 | 3 / 8 | |
| 8.5.0 | 3 / 8 | |
| 8.4.0 | 3 / 8 | |
| 8.3.0 | 3 / 8 | |
| 8.2.2 | 3 / 8 | |
| 8.2.1 | 3 / 8 | |
| 8.2.0 | 3 / 8 | |
| 8.1.0 | 3 / 7 | |
| 8.0.0 | 3 / 7 | |
| 7.1.0 | 3 / 7 | |
| 7.0.0 | 3 / 8 | |
| 6.5.0 | 3 / 9 | |
| 6.4.1 | 3 / 8 | |
| 6.4.0 | 3 / 8 | |
| 6.3.0 | 3 / 8 | |
| 6.2.1 | 3 / 8 | |
| 6.2.0 | 3 / 8 | |
| 6.1.0 | 3 / 7 | |
| 6.0.1 | 3 / 7 | |
| 6.0.0 | 4 / 7 | |
| 5.0.0 | 2 / 6 | |
| 4.8.0 | 2 / 6 | |
| 4.7.1 | 2 / 6 | |
| 4.7.0 | 2 / 6 | |
| 4.6.0 | 2 / 6 | |
| 4.5.1 | 2 / 6 | |
| 4.5.0 | 2 / 6 | |
| 4.4.0 | 2 / 6 | |
| 4.3.0 | 2 / 6 | |
| 4.2.0 | 2 / 6 | |
| 4.1.1 | 2 / 6 | |
| 4.1.0 | 2 / 6 | |
| 4.0.0 | 2 / 6 | |
| 3.1.0 | 2 / 6 | |
| 3.0.0 | 2 / 6 | |
| 2.0.1 | 2 / 6 | |
| 2.0.0 | 2 / 6 | |
| 1.0.1 | 2 / 7 | |
| 1.0.0 | 2 / 7 | |
| 0.6.5 | 1 / 5 | |
| 0.6.4 | 1 / 6 | |
| 0.6.2 | 1 / 5 | |
| 0.6.1 | 1 / 5 | |
| 0.6.0 | 1 / 5 | |
| 0.5.0 | 1 / 5 | |
| 0.4.2 | 1 / 5 | |
| 0.4.1 | 1 / 5 | |
| 0.4.0 | 1 / 5 | |
| 0.3.1 | 1 / 5 | |
| 0.3.0 | 1 / 5 | |
| 0.2.1 | 1 / 5 | |
| 0.2.0 | 2 / 5 | |
| 0.1.0 | 0 / 4 | |
| 0.0.1 | 0 / 4 | |