npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

cookies-tiny

v0.2.1

Published

Tiny RFC 6265 cookie parser and serializer. Set-Cookie parsing, SameSite/Secure/HttpOnly, URL-encoding. Zero dependencies.

Downloads

432

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

vlad1987654123vlad1987654123

Keywords

cookierfc6265httpset-cookiesamesite

Readme

cookies-tiny

ci

npm downloads bundle

Tiny RFC 6265 cookie parser and serializer. Cookie request header → object, Set-Cookie value ↔ object, with all the standard attributes. Zero dependencies.

import { parse, serialize, parseSetCookie } from "cookies-tiny";

parse("session=abc; locale=ro");
// { session: "abc", locale: "ro" }

serialize("session", "abc", {
  httpOnly: true,
  secure: true,
  sameSite: "Lax",
  maxAge: 3600,
});
// "session=abc; Max-Age=3600; HttpOnly; Secure; SameSite=Lax"

parseSetCookie("session=abc; Path=/; Max-Age=3600; HttpOnly");
// { name: "session", value: "abc", path: "/", maxAge: 3600, secure: false, httpOnly: true }

Install

npm install cookies-tiny

Works with Node 20+, browsers, Bun, Deno. ESM + CJS.

Why

The classic cookie package on npm is ~700 lines of CJS-only code. tough-cookie is even bigger (with a full cookie jar). For a request handler that just needs to read Cookie and write Set-Cookie, you want something small, ESM-first, fully typed.

cookies-tiny is ~150 lines. RFC 6265 compliant where it matters (SameSite=None requires Secure, name validation, URL encoding by default).

Recipes

Plain http middleware

import { parse, serialize } from "cookies-tiny";

function cookieParser(req: IncomingMessage) {
  return parse(req.headers.cookie ?? "");
}

function setCookie(res: ServerResponse, name: string, value: string, opts: SerializeOptions) {
  const existing = res.getHeader("Set-Cookie") ?? [];
  const list = Array.isArray(existing) ? existing : [String(existing)];
  list.push(serialize(name, value, opts));
  res.setHeader("Set-Cookie", list);
}

Session cookie

import { serialize } from "cookies-tiny";

const sessionCookie = serialize("sid", sessionId, {
  httpOnly: true,   // not readable by JS
  secure: true,     // HTTPS only
  sameSite: "Lax",  // CSRF protection
  path: "/",
  maxAge: 60 * 60 * 24 * 7,  // 1 week
});

Delete a cookie

import { serialize } from "cookies-tiny";

const clear = serialize("sid", "", { path: "/", maxAge: 0 });
// Send as Set-Cookie to delete the client-side cookie

Read cookies in a Next.js / Cloudflare Worker handler

import { parse } from "cookies-tiny";

export async function GET(req: Request) {
  const cookies = parse(req.headers.get("cookie") ?? "");
  const sessionId = cookies.sid;
  if (!sessionId) return new Response("Unauthorized", { status: 401 });
  // ...
}

Inspect Set-Cookie from a fetch response

import { parseSetCookie } from "cookies-tiny";

const res = await fetch(url);
for (const raw of res.headers.getSetCookie()) {
  const parsed = parseSetCookie(raw);
  console.log("server set:", parsed?.name, "expires", parsed?.expires);
}

API

parse(cookieHeader: string): Record<string, string>

Parses the Cookie request header. URL-decodes values. First occurrence wins per RFC 6265. Returns {} for empty/invalid input — never throws.

serialize(name, value, opts?): string

Builds a single Set-Cookie value. URL-encodes the value by default. Validates input and throws for invalid names/domains.

| Option | Type | Notes | |---|---|---| | domain | string | | | path | string | | | expires | Date | Emitted as Expires=<UTC> | | maxAge | number (integer seconds) | Use 0 to delete | | secure | boolean | | | httpOnly | boolean | | | sameSite | "Strict" \| "Lax" \| "None" (case-insensitive) | None requires secure: true | | raw | boolean | Skip URL-encoding (only for already-safe values) |

parseSetCookie(setCookieHeader: string): ParsedSetCookie | null

Parses a single Set-Cookie header value into { name, value, domain?, path?, expires?, maxAge?, secure, httpOnly, sameSite? }. Returns null for invalid input.

Caveats

  • Single header at a time. parseSetCookie parses one value. If you have multiple Set-Cookie headers in a response, iterate them (e.g. via headers.getSetCookie() in modern fetch).
  • No cookie jar. No domain/path matching for outgoing requests. If you're building a programmatic HTTP client that needs to send cookies it received, use tough-cookie or implement matching yourself.
  • SameSite=None requires Secureserialize throws if you violate this. Intentional.

License

Apache-2.0 © Vlad Bordei