[dundarious]

Javascript is absolutely not the only way these payloads can infect your device, so I wouldn't consider that particularly safe.

Also, if you aren't on a phone or similar, you can just use curl to expand shortened URLS. Tell it follow redirects (-L) and print headers (-I), and use the last "location: " header it spits out. e.g.,

    curl -fsSLI https://t.co/blahblah | sed -n 's/^location: //p'

[dundarious]

I know I'm replying to a 2 day old comment now, but I should add that I understand there may be a benefit to using a URL expanding service, in that the connection is not made from your host, so the various endpoints of your URLs won't see your IP address, etc. But the single URL expanding service will see all the URLs you expand and your IP address, etc., so you should trust it as much as any VPN service or ISP. That is to say, you should not trust it at all, until given numerous legal, technical, and reputational guarantees or assurances.