How to Tell If a Website Uses unpkg
unpkg is a fast public CDN for everything on npm. Detect it via assets loaded from unpkg.com/<package>@<version>/ in script, link and module import URLs.
unpkg is a fast, free public CDN for everything on npm — it can serve any file from any npm package straight to the browser, which makes it a favourite for prototypes, demos, module imports and lightweight builds. Because it delivers from its own domain, detecting it is direct: open the Network tab and look for assets loaded from unpkg.com. This guide covers every reliable signal, what the URLs reveal, the look-alikes to rule out, and what unpkg usage tells you about the site.
What is unpkg?
unpkg is a public content-delivery network for the npm registry. Where a developer would normally install an npm package and bundle it into their build, unpkg lets them load any file from any published npm package directly via a URL — unpkg.com/<package>@<version>/<file> — with no build step. It is widely used for quick prototypes, code demos, documentation examples, and lightweight or no-build sites, and it is also popular for loading ES modules directly in the browser (appending ?module rewrites bare imports to unpkg URLs). It sits in the same category as jsDelivr, cdnjs and Google Hosted Libraries.
For detection, the key context is that unpkg, like other public asset CDNs, is a delivery mechanism for open-source npm packages, not a private origin CDN. It serves third-party libraries while the site's own pages and private assets come from elsewhere, so finding unpkg reveals which dependencies a developer chose to load from a public CDN — and exactly which versions — but not where the site is hosted. Because unpkg makes it trivial to pull a single file from npm, its presence often hints at a lightweight, no-build, or prototype-style approach, though it also appears in production on plenty of sites.
How unpkg delivers assets
unpkg URLs follow the simple, revealing form unpkg.com/<package>@<version>/<file> — for example unpkg.com/[email protected]/umd/react.production.min.js or unpkg.com/vue@3/dist/vue.global.js. The @<version> can be an exact version, a semver range (@3), or omitted (defaulting to latest), and unpkg will resolve and redirect accordingly. Requesting a package without a specific file returns its default entry point, and appending ?module makes unpkg serve an ES-module-friendly version with bare imports rewritten to further unpkg URLs — a pattern you will see in modern no-build setups and <script type="module"> usage.
As with jsDelivr, the package name and version sit right in the URL, so an unpkg request tells you which library the site loads and exactly which version — useful for spotting outdated or pinned dependencies. The ?module suffix or import ... from 'https://unpkg.com/...' statements indicate module-style usage, a small signal of a modern, build-light approach. Knowing this URL structure makes detection and dependency reading straightforward; there is nothing to disguise, since loading from the public unpkg domain is the whole point.
How to tell if a website uses unpkg
Confirm at least one signal (a single asset URL suffices).
1. Check the Network tab. Filter for unpkg. Any script, stylesheet or module from unpkg.com confirms unpkg.
2. View the page source. Search the HTML for unpkg.com. <script>, <link> and <script type="module"> tags, and import statements, frequently reference it.
3. Read the path. The <package>@<version>/<file> path reveals the library and version.
4. Look for module usage. A ?module suffix or import statements pointing at unpkg.com indicate ES-module, no-build usage.
5. Note the versions. The @<version> (or its absence) shows whether the developer pins versions or rides latest.
What the unpkg signals look like
<script src="https://unpkg.com/[email protected]/umd/react.production.min.js"></script>
<link rel="stylesheet" href="https://unpkg.com/[email protected]/dist/leaflet.css">
<script type="module">import confetti from "https://unpkg.com/canvas-confetti@1?module";</script>
Any unpkg.com asset URL is conclusive, and the path reveals the package and version.
unpkg versus other public CDNs — avoiding false positives
Match the host to keep public asset CDNs distinct. unpkg uses unpkg.com; jsDelivr uses cdn.jsdelivr.net; cdnjs uses cdnjs.cloudflare.com; Google Hosted Libraries uses ajax.googleapis.com. A site may use more than one. The important conceptual distinction, as with jsDelivr, is between these public open-source asset CDNs and the site's private origin CDN (Cloudflare, Fastly, CloudFront): unpkg delivers npm packages, not the site's own pages, so it says nothing about hosting. Do not infer hosting from unpkg; instead read it as a window into third-party dependencies. The ?module and import patterns are distinctive to modern module usage and help you recognise a no-build approach.
How reliable is each unpkg signal?
An unpkg.com asset URL is definitive — the domain belongs solely to unpkg. The path reliably reveals the package and version, and ?module/import usage reliably indicates module-style loading. The weakest "situation" is that, like jsDelivr, unpkg usage tells you less about the site's own infrastructure than an origin CDN would. There is essentially no false-positive risk for the detection; the only interpretive caution is to remember unpkg is a public asset CDN, not the host. As a rule, a single unpkg.com request confirms it instantly.
What unpkg usage reveals about a site
Finding unpkg signals a developer loading npm packages directly from a public CDN, frequently in a lightweight, no-build, prototype or demo context — though it also appears in production. More valuable than the bare presence is what the URLs reveal: the specific packages and versions the site depends on, which supports a quick dependency and security audit (an outdated or vulnerable version pulled from unpkg is easy to spot). Module-style usage (?module, import from unpkg) further indicates a modern, build-light approach, common in small projects, internal tools, documentation sites and rapid prototypes. If you sell developer, security or dependency-management tooling, the version information an unpkg scan surfaces is actionable, and the no-build pattern hints at the team's engineering style.
What finding unpkg means for sales, agencies and competitive research
For sales and prospecting, unpkg itself is a weak qualifier, but the package versions it exposes flag sites with outdated or vulnerable dependencies that may need help, and the libraries reveal the technical approach.
For agencies and consultants, reading unpkg URLs gives a quick dependency check — spotting old versions, latest-pinning risks, or missing subresource integrity — a concrete basis for a maintenance or modernisation conversation. The presence of no-build module usage also tells you how the project is structured.
For competitive and market research, the libraries a competitor loads from unpkg reveal part of their front-end stack and their dependency hygiene, useful when benchmarking technical maturity, especially for smaller or prototype-style sites.
unpkg in the wider stack
unpkg sits alongside the site's own hosting, delivering open-source libraries. It is especially common on lightweight, no-build, documentation and prototype sites, and on sites that load a single library (a map, a charting tool, a confetti effect) without a bundler. It frequently coexists with module-based <script type="module"> usage and minimal tooling. On more substantial sites it may appear alongside jsDelivr or a bundled build for a few quick dependencies. For an auditor, the valuable details are which packages and versions are loaded, whether module usage indicates a no-build approach, whether versions are current, and what other public CDNs accompany unpkg; together these characterise the site's dependency footprint and its engineering style.
A quick unpkg confirmation walkthrough
Open the site with developer tools on the Network panel and reload, then filter for unpkg. Any asset from unpkg.com confirms it. Click a request and read the <package>@<version>/<file> path to identify the library and version. Look for ?module suffixes or import statements pointing at unpkg, which indicate ES-module usage. View the source and search for unpkg.com in <script>, <link> and module tags. A single unpkg.com request is enough to confirm unpkg and reveal the dependency it serves.
A quick unpkg detection checklist
- Filter the Network tab for
unpkg; anyunpkg.comasset is conclusive. - Read the
<package>@<version>/<file>path for the library and version. - Look for
?moduleorimportusage indicating a no-build, module approach. - Note whether versions are pinned or default to
latest. - Remember unpkg is a public npm CDN, not the site's own host.
- Note which other public CDNs (jsDelivr, cdnjs, Google) accompany it.
Detecting unpkg at scale
Checking one site is quick, but auditing many — to find sites loading outdated npm packages from public CDNs — calls for automation. StackOptic detects unpkg and thousands of other technologies from a real browser, surfacing the packages and versions a site depends on. For related reading, see our guides to checking what JavaScript libraries a website uses and telling if a website uses Cloudflare or another CDN, and the full unpkg technology profile.
Frequently asked questions
What is the fastest way to detect unpkg?
Open the Network tab, reload and filter for 'unpkg'. Any script, stylesheet or module loaded from unpkg.com confirms unpkg. You can also view the source and search for unpkg.com in script, link and import statements.
How does an unpkg URL reveal the library and version?
unpkg URLs take the form unpkg.com/<package>@<version>/<file>, for example unpkg.com/[email protected]/umd/react.production.min.js. The package name and version are right in the path, so the URL tells you exactly which npm library and version the site loads.
What is unpkg used for besides scripts?
Besides classic <script> and <link> tags, unpkg is popular for loading ES modules directly in the browser (appending ?module), for quick prototypes and demos, and for pulling a single file from any npm package without a build step. Seeing ?module or import statements pointing at unpkg.com indicates module-style usage.
Is unpkg the site's hosting provider?
No. Like jsDelivr, unpkg is a free public CDN for open-source npm assets, not a private origin CDN. It delivers third-party libraries alongside the site's normal hosting, so finding unpkg does not tell you where the site itself is hosted.
What does it mean if a site uses unpkg?
unpkg signals a developer loading npm packages directly from a public CDN, often in lightweight builds, prototypes, demos or sites that avoid a bundler. It reveals which libraries and versions the site depends on and hints at a no-build or quick-integration approach.
Analyse any website with StackOptic
Get the full technology stack, performance, security and SEO report in seconds — free.
Analyse a websiteRelated articles
How to Tell If a Website Uses Heap
Heap (Heap Analytics) autocaptures product events. Detect it via the cdn.heapanalytics.com script, the global heap object, heapanalytics.com beacons and _hp2 cookies.
How to Tell If a Website Uses Foundation
Foundation (by Zurb) is a responsive front-end framework. Detect it via its grid classes (row/columns, grid-x/cell), data-* component attributes and the foundation.css/js files.
How to Tell If a Website Uses Crisp
Crisp is a developer-friendly, affordable live-chat and messaging tool. Detect it via the client.crisp.chat/l.js script, the window.$crisp object and the CRISP_WEBSITE_ID value.