Gathering detailed insights and metrics for eventsource
Gathering detailed insights and metrics for eventsource
EventSource client for Node.js, browsers and other JavaScript runtimes
Installations
npm install eventsourceDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=20.0.0
Node Version
22.15.0
NPM Version
10.9.2
Score
99.5
Supply Chain
100
Quality
87.7
Maintenance
100
Vulnerability
100
License
Releases
9
Languages
2
TypeScript
HTML
TypeScript (99.04%)
HTML (0.96%)
Developer
EventSource
Download Statistics
Total Downloads
2,312,051,525
Last Day
515,644
Last Week
7,947,475
Last Month
40,654,095
Last Year
258,133,465
GitHub Statistics
MIT License
1,042 Stars
391 Commits
260 Forks
32 Watchers
7 Branches
46 Contributors
Updated on Jun 30, 2025
Bundle Size
6.74 kB
Minified
2.80 kB
Minified + Gzipped
Maintainers
2
Package Meta Information
Latest Version
4.0.0
Package Id
eventsource@4.0.0
Unpacked Size
143.21 kB
Size
23.79 kB
File Count
13
NPM Version
10.9.2
Node Version
22.15.0
Published on
May 13, 2025
Total Downloads
Cumulative downloads
Total Downloads
2,312,051,525
Last Day
-1.4%
515,644
Compared to previous day
Last Week
-11%
7,947,475
Compared to previous week
Last Month
71.2%
40,654,095
Compared to previous month
Last Year
2.6%
258,133,465
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
Dev Dependencies
20
eventsource
WhatWG/W3C-compatible server-sent events/eventsource client. The module attempts to implement an absolute minimal amount of features/changes beyond the specification.
If you're looking for a modern alternative with a less constrained API, check out the eventsource-client package.
Installation
1npm install --save eventsource
Supported engines
- Node.js >= 20
- Chrome >= 63
- Safari >= 11.3
- Firefox >= 65
- Edge >= 79
- Deno >= 1.30
- Bun >= 1.1.23
Basically, any environment that supports:
If you need to support older runtimes, try the 2.x branch/version range (note: 2.x branch is primarily targetted at Node.js, not browsers).
Usage
1import {EventSource} from 'eventsource' 2 3const es = new EventSource('https://my-server.com/sse') 4 5/* 6 * This will listen for events with the field `event: notice`. 7 */ 8es.addEventListener('notice', (event) => { 9 console.log(event.data) 10}) 11 12/* 13 * This will listen for events with the field `event: update`. 14 */ 15es.addEventListener('update', (event) => { 16 console.log(event.data) 17}) 18 19/* 20 * The event "message" is a special case, as it will capture events _without_ an 21 * event field, as well as events that have the specific type `event: message`. 22 * It will not trigger on any other event type. 23 */ 24es.addEventListener('message', (event) => { 25 console.log(event.data) 26}) 27 28/** 29 * To explicitly close the connection, call the `close` method. 30 * This will prevent any reconnection from happening. 31 */ 32setTimeout(() => { 33 es.close() 34}, 10_000)
TypeScript
Make sure you have configured your TSConfig so it matches the environment you are targetting. If you are targetting browsers, this would be dom:
1{ 2 "compilerOptions": { 3 "lib": ["dom"], 4 }, 5}
If you're using Node.js, ensure you have @types/node installed (and it is version 18 or higher). Cloudflare workers have @cloudflare/workers-types etc.
The following errors are caused by targetting an environment that does not have the necessary types available:
error TS2304: Cannot find name 'Event'.
error TS2304: Cannot find name 'EventTarget'.
error TS2304: Cannot find name 'MessageEvent'.
Migrating from v1 / v2
See MIGRATION.md for a detailed migration guide.
Extensions to the WhatWG/W3C API
Message and code properties on errors
The error event has a message and code property that can be used to get more information about the error. In the specification, the Event
1es.addEventListener('error', (err) => { 2 if (err.code === 401 || err.code === 403) { 3 console.log('not authorized') 4 } 5})
Specify fetch implementation
The EventSource constructor accepts an optional fetch property in the second argument that can be used to specify the fetch implementation to use.
This can be useful in environments where the global fetch function is not available - but it can also be used to alter the request/response behaviour.
Setting HTTP request headers
1const es = new EventSource('https://my-server.com/sse', {
2 fetch: (input, init) =>
3 fetch(input, {
4 ...init,
5 headers: {
6 ...init.headers,
7 Authorization: 'Bearer myToken',
8 },
9 }),
10})HTTP/HTTPS proxy
Use a package like node-fetch-native to add proxy support, either through environment variables or explicit configuration.
1// npm install node-fetch-native --save 2import {fetch} from 'node-fetch-native/proxy' 3 4const es = new EventSource('https://my-server.com/sse', { 5 fetch: (input, init) => fetch(input, init), 6})
Allow unauthorized HTTPS requests
Use a package like undici for more control of fetch options through the use of an Agent.
1// npm install undici --save 2import {fetch, Agent} from 'undici' 3 4await fetch('https://my-server.com/sse', { 5 dispatcher: new Agent({ 6 connect: { 7 rejectUnauthorized: false, 8 }, 9 }), 10})
License
MIT-licensed. See LICENSE.
Critical
9.3/10
Summary
Exposure of Sensitive Information in eventsource
Affected Versions
>= 2.0.0, < 2.0.2
Patched Versions
2.0.2
Critical
9.3/10
Summary
Exposure of Sensitive Information in eventsource
Affected Versions
< 1.1.1
Patched Versions
1.1.1
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:27
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Reason
9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8
Reason
dependency not pinned by hash detected -- score normalized to 5
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/EventSource/eventsource/test.yml/main?enable=pin
- Info: 0 out of 12 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 4 out of 4 npmCommand dependencies pinned
Reason
Found 0/30 approved changesets -- score normalized to 0
Reason
no SAST tool detected
Details
- Warn: no pull requests merged into dev branch
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact v4.0.0 not signed: https://api.github.com/repos/EventSource/eventsource/releases/218181807
- Warn: release artifact v3.0.7 not signed: https://api.github.com/repos/EventSource/eventsource/releases/217564784
- Warn: release artifact v3.0.6 not signed: https://api.github.com/repos/EventSource/eventsource/releases/208579641
- Warn: release artifact v3.0.5 not signed: https://api.github.com/repos/EventSource/eventsource/releases/197049792
- Warn: release artifact v3.0.4 not signed: https://api.github.com/repos/EventSource/eventsource/releases/197044659
- Warn: release artifact v4.0.0 does not have provenance: https://api.github.com/repos/EventSource/eventsource/releases/218181807
- Warn: release artifact v3.0.7 does not have provenance: https://api.github.com/repos/EventSource/eventsource/releases/217564784
- Warn: release artifact v3.0.6 does not have provenance: https://api.github.com/repos/EventSource/eventsource/releases/208579641
- Warn: release artifact v3.0.5 does not have provenance: https://api.github.com/repos/EventSource/eventsource/releases/197049792
- Warn: release artifact v3.0.4 does not have provenance: https://api.github.com/repos/EventSource/eventsource/releases/197044659
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Score
4.9
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More