URL Safe Logger

2.0.0 · abandoned · verified Wed Apr 22

The `url-safe` package provides a minimalist utility for sanitizing URLs by removing or masking the authentication (username:password) part. This is primarily used to prevent sensitive credentials from being exposed in logs or other less secure outputs. The current stable version is `2.0.0`, which was released on 2015-07-23. The package has seen no further releases or active development since then, indicating it is no longer maintained. Its key differentiator is its singular focus on URL sanitization for logging, leveraging Node.js's built-in `url` module. Developers should be aware of its age and lack of modern updates when considering its use in contemporary projects. Alternatives often involve more robust URL parsing and manipulation libraries or custom regex-based solutions for sensitive data removal.

Common errors

```
TypeError: urlSafe is not a function
```
cause Attempting to call `urlSafe` when it was not correctly imported or required, potentially due to mixing CJS and ESM without proper interop.

fix Ensure you are using `const urlSafe = require('url-safe');` for CommonJS projects. If in an ESM context, consider `const { default: urlSafe } = await import('url-safe');` or similar interop patterns, though direct `require` is recommended for this specific package.
```
ERR_REQUIRE_ESM: Must use import to load ES Module: ...url-safe/index.js
```
cause This error is unlikely for `url-safe` itself as it's CJS, but if `url-safe` were treated as ESM by a misconfigured transpiler or an environment forcing ESM interpretation, this could occur.

fix Verify that `url-safe` is treated as a CommonJS module. If you are experiencing this, it's more likely an issue with your project's configuration for handling CJS modules in an ESM context. Use `require()` directly.

Warnings

breaking Starting with v2.0.0, the returned URL string is consistently formatted using Node.js's `url.format()` function. This may alter the exact string representation compared to previous versions if they used different serialization methods.
Fix: Review code that processes the output of `url-safe` to ensure it correctly handles the `url.format()` output, especially regarding path, query, and hash serialization.
gotcha The package is CommonJS-only and has not been updated since 2015. It lacks native ESM support, which may require specific configuration (e.g., dynamic `import()`) or transpilation in modern ESM-first Node.js or browser environments.
Fix: For ESM projects, use `const urlSafe = await import('url-safe');` or ensure your build setup correctly handles CJS interop. Alternatively, consider modern alternatives with native ESM support.
gotcha Given its age, the package may not fully leverage or be compatible with newer URL parsing and formatting standards or security practices introduced in more recent Node.js versions or web specifications. The internal `url` module usage might be based on older APIs.
Fix: For security-critical applications or those requiring strict adherence to modern URL standards, consider using actively maintained libraries like `URL` (native in Node.js/browsers) or `url-parse` for more robust and current URL manipulation.

Install

npm install url-safe npm
yarn add url-safe yarn
pnpm add url-safe pnpm

Imports

urlSafe
wrong:
```
import urlSafe from 'url-safe';
```
correct:
```
const urlSafe = require('url-safe');
```
This package is CommonJS-only and exports a default function. Direct ESM `import` statements will fail; use dynamic `import()` or CJS `require`.
urlSafe
wrong:
```
import { urlSafe } from 'url-safe';
```
correct:
```
const { urlSafe } = await import('url-safe');
```
While not explicitly designed for named exports, Node.js's ESM interop allows dynamic import for CommonJS default exports in some configurations, but `require` is the intended usage.

Quickstart

Demonstrates basic usage of `url-safe` to strip or mask the authentication portion of URLs for logging.

const urlSafe = require('url-safe');

const sensitiveUrl1 = 'http://user:pass@example.com/path?query=abc#hash';
const sensitiveUrl2 = 'https://admin:secret@api.service.com/data';
const sensitiveUrl3 = 'ftp://anonymous:ftp@example.org';

console.log('Original URL 1:', sensitiveUrl1);
console.log('Safe URL 1 (default):', urlSafe(sensitiveUrl1));
// Expected: http://example.com/path?query=abc#hash

console.log('\nOriginal URL 2:', sensitiveUrl2);
console.log('Safe URL 2 (masked with ***):', urlSafe(sensitiveUrl2, '***'));
// Expected: https://***@api.service.com/data

console.log('\nOriginal URL 3:', sensitiveUrl3);
console.log('Safe URL 3 (masked with [REDACTED]):', urlSafe(sensitiveUrl3, '[REDACTED]'));
// Expected: ftp://[REDACTED]@example.org

// Example with no auth part
const plainUrl = 'https://www.google.com';
console.log('\nPlain URL:', plainUrl);
console.log('Safe Plain URL:', urlSafe(plainUrl));
// Expected: https://www.google.com

view raw JSON →