filenamify vs sanitize-filename vs slugify
Safe String Transformation for Files and URLs
Search packages..
filenamifysanitize-filenameslugifySimilar Packages:

Safe String Transformation for Files and URLs

filenamify, sanitize-filename, and slugify are utilities designed to clean and normalize strings, but they serve distinct purposes in web architecture. filenamify focuses on creating valid filesystem filenames while preserving readability and case. sanitize-filename prioritizes security by stripping dangerous characters and preventing path traversal attacks. slugify transforms text into URL-friendly slugs, enforcing lowercase and replacing spaces with separators for web addresses.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
filenamify051811.7 kB27 months agoMIT
sanitize-filename036917.5 kB243 months agoWTFPL OR ISC
slugify01,73316.2 kB392 months agoMIT

Safe String Transformation: filenamify vs sanitize-filename vs slugify

When handling user input for files or URLs, raw strings are rarely safe. Special characters, reserved words, and path separators can break filesystems, expose security vulnerabilities, or ruin URL structures. filenamify, sanitize-filename, and slugify solve these problems, but they approach them from different angles. Let's compare how they handle real-world data.

πŸ› οΈ Core Behavior: Replacement vs Removal vs Transformation

The fundamental difference lies in how each package treats invalid characters. filenamify replaces them to keep the name intact. sanitize-filename removes them to ensure safety. slugify transforms the entire string for web usage.

filenamify replaces invalid characters with a safe substitute (default _). It preserves case and most punctuation that is safe.

import filenamify from 'filenamify';

// Input: "Project: Alpha (Final).docx"
const safe = filenamify('Project: Alpha (Final).docx');
// Output: "Project_ Alpha (Final).docx"

sanitize-filename removes invalid characters entirely. It does not replace them, which can shorten the string unexpectedly.

import sanitize from 'sanitize-filename';

// Input: "Project: Alpha (Final).docx"
const safe = sanitize('Project: Alpha (Final).docx');
// Output: "Project Alpha (Final).docx"

slugify converts the string to lowercase and replaces spaces/symbols with a separator (default -). It removes most punctuation.

import slugify from 'slugify';

// Input: "Project: Alpha (Final).docx"
const safe = slugify('Project: Alpha (Final).docx');
// Output: "project-alpha-final-docx"

πŸ”’ Security and Path Traversal

Security is critical when accepting filenames from users. Attackers might try to include path separators to write files outside the intended directory.

filenamify focuses on filename validity, not path security. It does not automatically strip path separators like / or \.

import filenamify from 'filenamify';

// Input: "../../etc/passwd"
const safe = filenamify('../../etc/passwd');
// Output: ".._.._etc_passwd" (Still contains dots, may need extra logic)

sanitize-filename is built specifically to prevent path traversal. It strips path separators and reserved names aggressively.

import sanitize from 'sanitize-filename';

// Input: "../../etc/passwd"
const safe = sanitize('../../etc/passwd');
// Output: ".._.._etc_passwd" (Strips path separators effectively)

slugify removes most special characters, including slashes, but it is not designed for security auditing.

import slugify from 'slugify';

// Input: "../../etc/passwd"
const safe = slugify('../../etc/passwd');
// Output: "etc-passwd" (Removes dots and slashes, but not security-hardened)

⚠️ Warning: Never rely solely on these packages for security. Always validate paths on the server and use safe join methods.

πŸ–₯️ Platform Compatibility and Reserved Names

Different operating systems have different rules. Windows reserves names like CON, PRN, and AUX. filenamify and sanitize-filename handle these; slugify does not.

filenamify detects Windows reserved names and adds a suffix to make them valid.

import filenamify from 'filenamify';

// Input: "CON.txt"
const safe = filenamify('CON.txt');
// Output: "CON!.txt" (Modifies reserved name)

sanitize-filename also handles reserved names by appending an underscore or similar modification.

import sanitize from 'sanitize-filename';

// Input: "CON.txt"
const safe = sanitize('CON.txt');
// Output: "CON_.txt" (Modifies reserved name)

slugify ignores OS reserved names because it targets URLs, not filesystems.

import slugify from 'slugify';

// Input: "CON.txt"
const safe = slugify('CON.txt');
// Output: "con-txt" (Lowercases, does not handle Windows reservation)

πŸŽ›οΈ Configuration and Control

Developers often need to tweak how sanitization happens. filenamify and slugify offer options; sanitize-filename is opinionated.

filenamify allows you to set the replacement character and max length.

import filenamify from 'filenamify';

filenamify('file:name', { replacement: '-', maxLength: 10 });
// Output: "file-name"

sanitize-filename has no configuration options. It runs with fixed security rules.

import sanitize from 'sanitize-filename';

// No options available
sanitize('file:name');
// Output: "filename"

slugify offers extensive options for locale, lowercase toggling, and custom removal patterns.

import slugify from 'slugify';

slugify('file:name', { lower: false, replacement: '_' });
// Output: "file_name" (Preserves case)

🌐 Real-World Scenarios

Scenario 1: User Download Button

You need to save a report generated by the user with their custom title.

  • βœ… Best choice: filenamify
  • Why? It keeps the name readable and safe for the user's OS without forcing lowercase.
const filename = filenamify(`${userTitle}.pdf`);
downloadUrl(blob, filename);

Scenario 2: Server-Side File Upload

You accept files from an API endpoint and store them on disk.

  • βœ… Best choice: sanitize-filename
  • Why? It prioritizes security against path traversal and illegal characters.
const safeName = sanitize(req.file.originalname);
fs.writeFileSync(path.join(uploadDir, safeName), buffer);

Scenario 3: Blog Post URL

You need a clean URL for a new article based on its title.

  • βœ… Best choice: slugify
  • Why? It creates SEO-friendly, lowercase URLs with dashes.
const urlSlug = slugify(postTitle);
router.get(`/posts/${urlSlug}`, handler);

πŸ“Š Summary Table

Featurefilenamifysanitize-filenameslugify
Primary GoalValid FilenamesSecurity & SafetyURL Slugs
Case HandlingPreserves CasePreserves CaseForces Lowercase
Invalid CharsReplaces (e.g., _)RemovesReplaces (e.g., -)
Path TraversalNoYesPartial
Windows ReservedYesYesNo
Config OptionsYesNoYes

πŸ’‘ Final Recommendation

These tools solve different problems despite similar inputs. Use filenamify for client-side downloads where user experience matters. Use sanitize-filename for server-side storage where security is critical. Use slugify for routing and web addresses. Never mix them up β€” using slugify for filenames loses case information, and using filenamify for URLs might leave unsafe characters.

How to Choose: filenamify vs sanitize-filename vs slugify

  • filenamify:

    Choose filenamify when you need to save user-generated files on the client or server while keeping the name readable and safe. It handles OS-specific reserved names and allows you to control replacement characters. This is the best option for download buttons, export features, or any scenario where the original filename structure matters.

  • sanitize-filename:

    Choose sanitize-filename when security is the primary concern, especially on the server side. It aggressively removes illegal characters and path separators to prevent directory traversal attacks. Use this for handling untrusted input where safety outweighs preserving the exact original string format.

  • slugify:

    Choose slugify when generating URL paths, SEO-friendly identifiers, or database keys. It converts text to lowercase and replaces special characters with dashes, making it unsuitable for preserving case-sensitive filenames. This is the standard choice for routing, permalinks, and human-readable IDs.

Similar Npm Packages to filenamify

filenamify is an npm package designed to create safe and valid filenames from strings. It helps developers ensure that the filenames generated from user input or other sources do not contain any illegal characters that could cause issues in file systems. By replacing or removing problematic characters, filenamify makes it easier to manage files in a consistent manner across different operating systems.

While filenamify is a great tool for sanitizing filenames, there are other alternatives that also serve similar purposes. Here are a couple of noteworthy options:

  • sanitize-filename is a library that provides a straightforward way to sanitize filenames by removing or replacing characters that are not allowed in filenames across various operating systems. It is particularly useful for ensuring that filenames are safe to use in different environments, making it a reliable choice for developers who need to handle user-generated filenames. sanitize-filename is simple to use and can help prevent errors related to invalid characters in filenames.
  • slugify is another popular library that converts strings into URL-friendly slugs. While its primary use case is for creating slugs for URLs, it can also be adapted for generating safe filenames. slugify replaces spaces and special characters with hyphens or underscores, making it suitable for generating clean and readable filenames. If your goal is to create filenames that are both safe and SEO-friendly, slugify is a versatile option.

To see how filenamify compares with sanitize-filename and slugify, check out the comparison: Comparing filenamify vs sanitize-filename vs slugify.

Similar Npm Packages to sanitize-filename

sanitize-filename is a utility library that helps developers create safe and valid filenames by sanitizing input strings. It removes or replaces characters that are not allowed in filenames across different operating systems, ensuring that the generated filenames are safe to use. This is particularly useful when dealing with user-generated content or any input that may contain invalid characters.

While sanitize-filename is a valuable tool for filename sanitization, there are other libraries that serve similar purposes. Here are a couple of alternatives:

  • sanitize-filename (note that this is the same library mentioned above) is specifically designed to ensure that filenames are valid and safe for use across different platforms. It focuses on removing or replacing characters that could lead to issues when creating files or directories. This library is straightforward to use and can be integrated easily into any Node.js application.
  • sanitize-html is a library that focuses on sanitizing HTML content rather than filenames. It allows developers to clean up user-generated HTML by removing unwanted tags, attributes, and styles, ensuring that the output is safe for rendering in web applications. While it does not directly deal with filenames, it is essential for preventing XSS (Cross-Site Scripting) attacks and ensuring that HTML content is safe to use.

To see how sanitize-filename compares with its alternatives, check out the comparison: Comparing sanitize-filename vs sanitize-filename vs sanitize-html.

Similar Npm Packages to slugify

slugify is a popular npm package used to convert strings into URL-friendly slugs. This is particularly useful for generating clean, readable URLs from titles or other text inputs, making it easier for users and search engines to understand the content of a page. The slugify function typically removes special characters, replaces spaces with hyphens, and converts the text to lowercase, resulting in a string that can be safely used in URLs. While slugify is a great choice for this task, there are several alternatives worth considering:

  • slug is a simple and efficient library for creating slugs from strings. It provides a straightforward API and focuses on generating clean slugs without unnecessary complexity. If you need a lightweight solution that handles basic slug generation, slug is an excellent option. It is easy to use and integrates well with various JavaScript projects, making it a popular choice among developers looking for a no-frills slug generation tool.

  • speakingurl is another alternative that focuses on creating human-readable slugs. It offers more customization options compared to other libraries, allowing developers to define their own character replacements and transformations. This can be particularly useful if you need to generate slugs that adhere to specific formatting rules or if you want to support multiple languages. speakingurl is ideal for projects that require more control over the slug generation process.

  • url-slug is a library designed to convert strings into URL slugs while preserving the original meaning of the text. It aims to create slugs that are both user-friendly and SEO-friendly. url-slug offers various options for customization, such as specifying delimiters and handling special characters. If your project requires slugs that are optimized for search engines and user experience, url-slug is a solid choice.

To see how slugify compares with slug, speakingurl, and url-slug, check out the comparison: Comparing slug vs slugify vs speakingurl vs url-slug.

README for filenamify

filenamify

Convert a string to a valid safe filename

On Unix-like systems, / is reserved. On Windows, <>:"/\|?* along with trailing periods and spaces are reserved.

This module also removes non-printable control characters (including Unicode bidirectional marks) and normalizes Unicode whitespace.

Install

npm install filenamify

Usage

import filenamify from 'filenamify';

filenamify('<foo/bar>');
//=> '!foo!bar!'

filenamify('foo:"bar"', {replacement: '🐴'});
//=> 'foo🐴bar🐴'

API

filenamify(string, options?)

Convert a string to a valid filename.

filenamifyPath(path, options?)

Convert the filename in a path to a valid filename and return the augmented path.

import {filenamifyPath} from 'filenamify';

filenamifyPath('foo:bar');
//=> 'foo!bar'

options

Type: object

replacement

Type: string
Default: '!'

String to use as replacement for reserved filename characters.

Cannot contain: < > : " / \ | ? * or control characters.

maxLength

Type: number
Default: 100

Truncate the filename to the given length.

Only the base of the filename is truncated, preserving the extension. If the extension itself is longer than maxLength, you will get a string that is longer than maxLength, so you need to check for that if you allow arbitrary extensions.

Truncation is grapheme-aware and will not split Unicode characters (surrogate pairs or extended grapheme clusters). If the remaining budget (after accounting for the extension) is smaller than a whole grapheme, the base filename may be truncated to an empty string to avoid splitting.

Systems generally allow up to 255 characters, but we default to 100 for usability reasons.

Browser-only import

You can also import filenamify/browser, which only imports filenamify and not filenamifyPath, which relies on path being available or polyfilled. Importing filenamify this way is therefore useful when it is shipped using webpack or similar tools, and if filenamifyPath is not needed.

import filenamify from 'filenamify/browser';

filenamify('<foo/bar>');
//=> '!foo!bar!'

Related

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.