NPM Package Analysis: uniqhtt@1.2.7

[codegen-sh]

NPM Package Analysis: uniqhtt

Summary

Comprehensive analysis of the uniqhtt NPM package (v1.2.7) - an enterprise-grade HTTP client for Node.js, Web browsers, and edge computing environments.

Analysis Highlights

📊 Quality Score: 7.5/10

Key Findings:

• ✅ Feature-Rich: HTTP/2, HTTP/3, streaming, proxy support, advanced cookie management
• ✅ Multi-Platform: Node.js, Edge runtimes (Cloudflare Workers, Deno), browsers
• ✅ TypeScript Support: Excellent type definitions with generic parameters
• ✅ Dual API Design: Legacy API (v1) + Pro API (v2) for backward compatibility
• ⚠️ Bundle Size: 1.8MB unpacked (large for lightweight use cases)
• ⚠️ No Tree-Shaking: Monolithic builds, all features bundled

📦 Package Stats:

• Size: 341.4 KB (tarball), 1.8 MB (unpacked)
• Files: 11 files (3 platform builds: universal, Node.js, Edge)
• Code Volume: 453,409 tokens analyzed
• Dependencies: 6 production + 2 dev dependencies

🔑 Core Capabilities:

1. Cookie Management: Best-in-class persistent cookie storage with Netscape format support
2. Web Crawling: Event-driven crawler with LinkedOM HTML/CSS parsing
3. Request Queuing: Built-in rate limiting with p-queue integration
4. Retry Logic: Configurable retry with incremental delays
5. Proxy Support: HTTP, HTTPS, SOCKS5 with authentication
6. File Operations: Downloads with progress tracking

Analysis Sections Covered:

✅ Section 1: Package Overview
✅ Section 2: Installation & Setup
✅ Section 3: Architecture & Code Structure
✅ Section 4: Core Features & API (12 features documented)
✅ Section 5: Entry Points & Exports (detailed analysis)
✅ Section 6: Dependencies & Data Flow
✅ Section 7: Build & CI/CD Pipeline
✅ Section 8: Quality & Maintainability
✅ Section 9: Security Assessment
✅ Section 10: Integration & Usage Guidelines
✅ Section 11: Recommendations
✅ Section 12: Conclusion

Best Suited For:

• ✅ Web scraping and data extraction projects
• ✅ API integration testing with session management
• ✅ Rate-limited batch HTTP operations
• ✅ Multi-platform applications requiring cookie persistence

Not Recommended For:

• ❌ Lightweight serverless functions (due to size)
• ❌ Browser-only applications (limited feature support)
• ❌ Projects requiring minimal dependencies

Files Added:

• npm_analysis/packages/uniqhtt_analysis.md - Complete analysis report (1,073 lines)

Methodology:

• Downloaded package tarball from NPM registry
• Extracted and analyzed all source files
• Used Repomix for comprehensive code analysis (453K+ tokens)
• Examined package.json exports map and entry points
• Analyzed dependencies and security posture
• Created platform compatibility matrix
• Documented API with 40+ code examples

---

Analysis Date: 2025-12-28
Analyzer: Codegen NPM Analysis Agent
Package Version: uniqhtt@1.2.7

---

💻 View my work • 👤 Initiated by @Zeeeepa • About Codegen
⛔ Remove Codegen from PR • 🚫 Ban action checks

---

Summary by cubic

Adds deep-dive NPM package analyses for uniqhtt@1.2.7, lean-agentic@0.3.2, and scordi-extension@1.19.29 to support package evaluation and integration decisions.

• New Features - New features added
  • uniqhtt@1.2.7 (npm_analysis/packages/uniqhtt_analysis.md): Enterprise HTTP client; standout cookies/rate limiting/crawler; risks: 1.8MB, no tree-shaking, Pro API refs missing; suited for scraping and session-heavy automation, not lightweight/browser-only.
  • lean-agentic@0.3.2 (npm_analysis/packages/lean-agentic_analysis.md): WASM theorem prover (<100KB core) with Ed25519 proof signing, MCP server, and AgentDB; 150x equality checks; best for formal verification and AI-assisted proofs (Quality: 9/10).
  • scordi-extension@1.19.29 (npm_analysis/packages/scordi-extension_analysis.md): Chrome extension + SDK for workflow-based browser automation (28+ blocks) with LangChain/OpenAI parsing; dual ESM/CJS; ideal for client-side automation, not Node/server-side (Quality: 7.5/10, rating: 8/10).

^{Written for commit 578ec7c. Summary will update automatically on new commits.}

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

2 issues found across 2 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="npm_analysis/packages/uniqhtt_analysis.md">

<violation number="1" location="npm_analysis/packages/uniqhtt_analysis.md:842">
P2: The claim that SOCKS5 proxy works in browsers is technically inaccurate. Browsers cannot use SOCKS5 proxies directly from JavaScript due to security restrictions - they only support HTTP-level proxying through browser settings, not programmatic SOCKS connections.</violation>

<violation number="2" location="npm_analysis/packages/uniqhtt_analysis.md:858">
P1: This code example demonstrates an SSRF vulnerability by directly using user-provided URL without validation. Documentation examples should include URL allowlisting or validation to avoid teaching insecure patterns.

Consider adding validation:
```javascript
const allowedHosts = [&#39;api.example.com&#39;, &#39;data.example.com&#39;];
const parsedUrl = new URL(req.params.url);
if (!allowedHosts.includes(parsedUrl.hostname)) {
  return res.status(403).json({ error: &#39;Host not allowed&#39; });
}
```</violation>
</file>

_{Reply to cubic to teach it or ask questions. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: The claim that SOCKS5 proxy works in browsers is technically inaccurate. Browsers cannot use SOCKS5 proxies directly from JavaScript due to security restrictions - they only support HTTP-level proxying through browser settings, not programmatic SOCKS connections.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At npm_analysis/packages/uniqhtt_analysis.md, line 842:

<comment>The claim that SOCKS5 proxy works in browsers is technically inaccurate. Browsers cannot use SOCKS5 proxies directly from JavaScript due to security restrictions - they only support HTTP-level proxying through browser settings, not programmatic SOCKS connections.</comment>

<file context>
@@ -0,0 +1,1073 @@
+| HTTP/2 | ✅ | ❌ | ❌ |
+| Cookie Persistence | ✅ | ⚠️ Limited | ❌ |
+| Proxy (HTTP/HTTPS) | ✅ | ❌ | ❌ |
+| Proxy (SOCKS5) | ✅ | ✅ | ✅ |
+| File Downloads | ✅ | ✅ | ⚠️ Limited |
+| Web Crawler | ✅ | ✅ | ⚠️ Limited |
</file context>

[cubic-dev-ai]

P1: This code example demonstrates an SSRF vulnerability by directly using user-provided URL without validation. Documentation examples should include URL allowlisting or validation to avoid teaching insecure patterns.

Consider adding validation:

const allowedHosts = ['api.example.com', 'data.example.com'];
const parsedUrl = new URL(req.params.url);
if (!allowedHosts.includes(parsedUrl.hostname)) {
  return res.status(403).json({ error: 'Host not allowed' });
}

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At npm_analysis/packages/uniqhtt_analysis.md, line 858:

<comment>This code example demonstrates an SSRF vulnerability by directly using user-provided URL without validation. Documentation examples should include URL allowlisting or validation to avoid teaching insecure patterns.

Consider adding validation:
```javascript
const allowedHosts = [&#39;api.example.com&#39;, &#39;data.example.com&#39;];
const parsedUrl = new URL(req.params.url);
if (!allowedHosts.includes(parsedUrl.hostname)) {
  return res.status(403).json({ error: &#39;Host not allowed&#39; });
}
```</comment>

<file context>
@@ -0,0 +1,1073 @@
+
+app.get(&#39;/proxy/:url&#39;, async (req, res) =&gt; {
+  try {
+    const response = await uniqhtt.get(req.params.url, {
+      timeout: 5000,
+      enableCookieJar: false
</file context>