Gathering detailed insights and metrics for compression
Gathering detailed insights and metrics for compression
Installations
npm install compressionDeveloper
expressjs
Developer Guide
BETA
Module System
Unable to determine the module system for this package.
Min. Node Version
>= 0.8.0
Typescript Support
No
Node Version
22.10.0
NPM Version
10.9.0
Statistics
2,775 Stars
407 Commits
242 Forks
58 Watching
3 Branches
41 Contributors
Updated on 27 Nov 2024
Bundle Size
169.13 kB
Minified
27.84 kB
Minified + Gzipped
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
4,140,991,751
Last day
-6.7%
3,518,160
Compared to previous day
Last week
0.8%
20,090,348
Compared to previous week
Last month
10.7%
84,880,372
Compared to previous month
Last year
-0.7%
930,734,903
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
compression
Node.js compression middleware.
The following compression codings are supported:
- deflate
- gzip
Install
This is a Node.js module available through the
npm registry. Installation is done using the
npm install command:
1$ npm install compression
API
1var compression = require('compression')
compression([options])
Returns the compression middleware using the given options. The middleware
will attempt to compress response bodies for all requests that traverse through
the middleware, based on the given options.
This middleware will never compress responses that include a Cache-Control
header with the no-transform directive,
as compressing will transform the body.
Options
compression() accepts these properties in the options object. In addition to
those listed below, zlib options may be
passed in to the options object.
chunkSize
The default value is zlib.Z_DEFAULT_CHUNK, or 16384.
See Node.js documentation regarding the usage.
filter
A function to decide if the response should be considered for compression.
This function is called as filter(req, res) and is expected to return
true to consider the response for compression, or false to not compress
the response.
The default filter function uses the compressible
module to determine if res.getHeader('Content-Type') is compressible.
level
The level of zlib compression to apply to responses. A higher level will result in better compression, but will take longer to complete. A lower level will result in less compression, but will be much faster.
This is an integer in the range of 0 (no compression) to 9 (maximum
compression). The special value -1 can be used to mean the "default
compression level", which is a default compromise between speed and
compression (currently equivalent to level 6).
-1Default compression level (alsozlib.Z_DEFAULT_COMPRESSION).0No compression (alsozlib.Z_NO_COMPRESSION).1Fastest compression (alsozlib.Z_BEST_SPEED).23456(currently whatzlib.Z_DEFAULT_COMPRESSIONpoints to).789Best compression (alsozlib.Z_BEST_COMPRESSION).
The default value is zlib.Z_DEFAULT_COMPRESSION, or -1.
Note in the list above, zlib is from zlib = require('zlib').
memLevel
This specifies how much memory should be allocated for the internal compression
state and is an integer in the range of 1 (minimum level) and 9 (maximum
level).
The default value is zlib.Z_DEFAULT_MEMLEVEL, or 8.
See Node.js documentation regarding the usage.
strategy
This is used to tune the compression algorithm. This value only affects the compression ratio, not the correctness of the compressed output, even if it is not set appropriately.
zlib.Z_DEFAULT_STRATEGYUse for normal data.zlib.Z_FILTEREDUse for data produced by a filter (or predictor). Filtered data consists mostly of small values with a somewhat random distribution. In this case, the compression algorithm is tuned to compress them better. The effect is to force more Huffman coding and less string matching; it is somewhat intermediate betweenzlib.Z_DEFAULT_STRATEGYandzlib.Z_HUFFMAN_ONLY.zlib.Z_FIXEDUse to prevent the use of dynamic Huffman codes, allowing for a simpler decoder for special applications.zlib.Z_HUFFMAN_ONLYUse to force Huffman encoding only (no string match).zlib.Z_RLEUse to limit match distances to one (run-length encoding). This is designed to be almost as fast aszlib.Z_HUFFMAN_ONLY, but give better compression for PNG image data.
Note in the list above, zlib is from zlib = require('zlib').
threshold
The byte threshold for the response body size before compression is considered
for the response, defaults to 1kb. This is a number of bytes or any string
accepted by the bytes module.
Note this is only an advisory setting; if the response size cannot be determined
at the time the response headers are written, then it is assumed the response is
over the threshold. To guarantee the response size can be determined, be sure
set a Content-Length response header.
windowBits
The default value is zlib.Z_DEFAULT_WINDOWBITS, or 15.
See Node.js documentation regarding the usage.
.filter
The default filter function. This is used to construct a custom filter
function that is an extension of the default function.
1var compression = require('compression') 2var express = require('express') 3 4var app = express() 5app.use(compression({ filter: shouldCompress })) 6 7function shouldCompress (req, res) { 8 if (req.headers['x-no-compression']) { 9 // don't compress responses with this request header 10 return false 11 } 12 13 // fallback to standard filter function 14 return compression.filter(req, res) 15}
res.flush
This module adds a res.flush() method to force the partially-compressed
response to be flushed to the client.
Examples
express/connect
When using this module with express or connect, simply app.use the module as
high as you like. Requests that pass through the middleware will be compressed.
1var compression = require('compression') 2var express = require('express') 3 4var app = express() 5 6// compress all responses 7app.use(compression()) 8 9// add all routes
Server-Sent Events
Because of the nature of compression this module does not work out of the box with server-sent events. To compress content, a window of the output needs to be buffered up in order to get good compression. Typically when using server-sent events, there are certain block of data that need to reach the client.
You can achieve this by calling res.flush() when you need the data written to
actually make it to the client.
1var compression = require('compression') 2var express = require('express') 3 4var app = express() 5 6// compress responses 7app.use(compression()) 8 9// server-sent event stream 10app.get('/events', function (req, res) { 11 res.setHeader('Content-Type', 'text/event-stream') 12 res.setHeader('Cache-Control', 'no-cache') 13 14 // send a ping approx every 2 seconds 15 var timer = setInterval(function () { 16 res.write('data: ping\n\n') 17 18 // !!! this is the important part 19 res.flush() 20 }, 2000) 21 22 res.on('close', function () { 23 clearInterval(timer) 24 }) 25})
License
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
17 different organizations found -- score normalized to 10
Details
- Info: contributors work for ExpressGateway,async-rs,crypto-utils,expressjs,houzz,http-rs,jshttp,koajs,mysqljs,node-forward,nodejs,nucleus-js,pillarjs,repo-utils,senior software engineer @ godaddy inc,squamishaccess,stream-utils
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: License file found in expected location: LICENSE:1
- Info: FSF or OSI recognized license: LICENSE:1
Reason
13 commit(s) out of 30 and 6 issue activity out of 30 found in the last 90 days -- score normalized to 10
Reason
no vulnerabilities detected
Reason
12 out of 14 merged PRs checked by a CI test -- score normalized to 8
Reason
SAST tool detected but not run on all commits
Details
- Warn: 2 commits out of 15 are checked with a SAST tool
- Info: SAST tool detected: CodeQL
Reason
found 15 unreviewed changesets out of 29 -- score normalized to 4
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/compression/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:203: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/compression/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:215: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/compression/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:163
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:179
- Info: 6 out of 7 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 3 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project: QuickCheck: https://hackage.haskell.org/package/QuickCheck hedgehog: https://hedgehog.qa/ validity: https://github.com/NorfairKing/validity smallcheck: https://hackage.haskell.org/package/smallcheck hspec: https://hspec.github.io/ tasty: https://hackage.haskell.org/package/tasty (High effort)
- Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
- Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
Reason
security policy file not detected
Details
- Warn: no security policy file detected: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. For additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)
- Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Provide a point of contact in your SECURITY.md. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
- Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
- Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1: Visit https://app.stepsecurity.io/secureworkflow/expressjs/compression/ci.yml/master?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:19
- Info: no jobLevel write permissions found
Score
5.6
/10
Last Scanned on 2024-11-25T21:23:39Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More