Strip URL Auth

2.0.0 · active · verified Wed Apr 22

strip-url-auth is a focused JavaScript utility that removes the username and password (authentication) portion from a given URL string. It is currently stable at version 2.0.0. Developed by Sindresorhus, it adheres to a philosophy of single-purpose, highly reliable modules. Key differentiators include its minimalistic API, robust parsing for common URL formats, and its strict adherence to modern JavaScript standards. Releases typically occur when necessary for compatibility with newer Node.js versions or to address specific edge cases, rather than on a fixed cadence. It provides a simple, direct solution for sanitizing URLs for display or storage where authentication credentials should not be exposed.

Common errors

```
Error [ERR_REQUIRE_ESM]: require() of ES Module .../node_modules/strip-url-auth/index.js from ... not supported.
```
cause Attempting to use `require()` to import `strip-url-auth` in a CommonJS module after upgrading to v2.0.0+.

fix Change `const stripUrlAuth = require('strip-url-auth');` to `import stripUrlAuth from 'strip-url-auth';` and ensure your project is configured for ESM (e.g., `"type": "module"` in `package.json` or using `.mjs` file extensions).
```
SyntaxError: Cannot use import statement outside a module
```
cause Using `import stripUrlAuth from 'strip-url-auth';` in a CommonJS file (e.g., a `.js` file without `"type": "module"` in `package.json`) or an environment that doesn't support ESM.

fix Ensure your project or file is treated as an ES Module by adding `"type": "module"` to your `package.json` or by changing the file extension to `.mjs`. Alternatively, if you must remain in CommonJS, consider dynamic import: `(async () => { const { default: stripUrlAuth } = await import('strip-url-auth'); /* use stripUrlAuth */ })();` or stick to v1.x of the package.

Warnings

breaking Version 2.0.0 and newer are pure ESM (ECMAScript Modules). CommonJS `require()` is no longer supported. This affects how the package is imported and used in Node.js environments.
Fix: Migrate your project to use ES Modules or use dynamic `import()` where necessary. Ensure your `package.json` has `"type": "module"` or use `.mjs` file extension for modules importing this package.
breaking Node.js 12 or higher is now required for `strip-url-auth` v2.0.0 and subsequent versions. Older Node.js versions are not supported.
Fix: Upgrade your Node.js runtime to version 12 or newer. If you cannot upgrade Node.js, you must remain on `strip-url-auth` v1.x.
gotcha This package only strips the user and password parts of the URL. It does not validate the URL's overall format or perform any other kind of comprehensive sanitization or encoding.
Fix: For comprehensive URL validation or other manipulations (e.g., encoding components), combine this package with a dedicated URL parsing library like Node's built-in `URL` class or a third-party module like `url-parse`.

Install

npm install strip-url-auth npm
yarn add strip-url-auth yarn
pnpm add strip-url-auth pnpm

Imports

stripUrlAuth
wrong:
```
const stripUrlAuth = require('strip-url-auth');
```
correct:
```
import stripUrlAuth from 'strip-url-auth';
```
Since v2.0.0, this package is pure ESM and must be imported using dynamic `import()` or static `import` statements in an ESM context. CommonJS `require()` is no longer supported and will throw an error.

Quickstart

This example demonstrates how to import and use `stripUrlAuth` to remove authentication credentials from various URL formats, including HTTPS and FTP, and shows its behavior with URLs that do not contain auth or have malformed auth segments.

import stripUrlAuth from 'strip-url-auth';

const urlWithAuth = 'https://admin:securepass@example.com/path?query=value#hash';
const urlWithoutAuth = stripUrlAuth(urlWithAuth);

console.log(`Original URL: ${urlWithAuth}`);
console.log(`URL without auth: ${urlWithoutAuth}`);

// Example with no auth
const simpleUrl = 'https://www.google.com';
const simpleUrlStripped = stripUrlAuth(simpleUrl);
console.log(`\nOriginal simple URL: ${simpleUrl}`);
console.log(`Stripped simple URL: ${simpleUrlStripped}`);

// Demonstrating with a different protocol
const ftpUrl = 'ftp://user:secret@ftp.example.org/files';
const ftpUrlStripped = stripUrlAuth(ftpUrl);
console.log(`\nOriginal FTP URL: ${ftpUrl}`);
console.log(`Stripped FTP URL: ${ftpUrlStripped}`);

// Handles edge cases like empty auth or missing protocol gracefully
const malformedAuthUrl = 'user:@host.com/path';
const malformedAuthUrlStripped = stripUrlAuth(malformedAuthUrl);
console.log(`\nMalformed auth URL: ${malformedAuthUrl}`);
console.log(`Stripped malformed auth URL: ${malformedAuthUrlStripped}`);

view raw JSON →