Gathering detailed insights and metrics for express
Gathering detailed insights and metrics for express
Fast, unopinionated, minimalist web framework for node.
Installations
npm install expressDeveloper Guide
BETA
Typescript
No
Module System
N/A
Min. Node Version
>= 18
Node Version
23.5.0
NPM Version
10.9.2
Score
94.3
Supply Chain
98.7
Quality
86.2
Maintenance
100
Vulnerability
100
License
Releases
160
Languages
3
JavaScript
Makefile
Shell
JavaScript (99.89%)
Makefile (0.07%)
Shell (0.05%)
Developer
Download Statistics
Total Downloads
5,226,542,146
Last Day
8,006,335
Last Week
44,352,936
Last Month
169,116,399
Last Year
1,716,208,465
GitHub Statistics
MIT License
66,987 Stars
6,058 Commits
18,534 Forks
1,689 Watchers
10 Branches
335 Contributors
Updated on May 16, 2025
Bundle Size
568.44 kB
Minified
225.37 kB
Minified + Gzipped
Sponsor this package
Maintainers
4
Package Meta Information
Latest Version
5.1.0
Package Id
express@5.1.0
Unpacked Size
192.40 kB
Size
50.89 kB
File Count
11
NPM Version
10.9.2
Node Version
23.5.0
Published on
Mar 31, 2025
Total Downloads
Cumulative downloads
Total Downloads
5,226,542,146
Dependencies
27
Fast, unopinionated, minimalist web framework for Node.js.
This project has a Code of Conduct.
Table of contents
- Installation
- Features
- Docs & Community
- Quick Start
- Running Tests
- Philosophy
- Examples
- Contributing to Express
- TC (Technical Committee)
- Triagers
- License
1import express from 'express' 2 3const app = express() 4 5app.get('/', (req, res) => { 6 res.send('Hello World') 7}) 8 9app.listen(3000)
Installation
This is a Node.js module available through the npm registry.
Before installing, download and install Node.js. Node.js 18 or higher is required.
If this is a brand new project, make sure to create a package.json first with
the npm init command.
Installation is done using the
npm install command:
1npm install express
Follow our installing guide for more information.
Features
- Robust routing
- Focus on high performance
- Super-high test coverage
- HTTP helpers (redirection, caching, etc)
- View system supporting 14+ template engines
- Content negotiation
- Executable for generating applications quickly
Docs & Community
- Website and Documentation - [website repo]
- GitHub Organization for Official Middleware & Modules
- Github Discussions for discussion on the development and usage of Express
PROTIP Be sure to read the migration guide to v5
Quick Start
The quickest way to get started with express is to utilize the executable express(1) to generate an application as shown below:
Install the executable. The executable's major version will match Express's:
1npm install -g express-generator@4
Create the app:
1express /tmp/foo && cd /tmp/foo
Install dependencies:
1npm install
Start the server:
1npm start
View the website at: http://localhost:3000
Philosophy
The Express philosophy is to provide small, robust tooling for HTTP servers, making it a great solution for single page applications, websites, hybrids, or public HTTP APIs.
Express does not force you to use any specific ORM or template engine. With support for over 14 template engines via @ladjs/consolidate, you can quickly craft your perfect framework.
Examples
To view the examples, clone the Express repository:
1git clone https://github.com/expressjs/express.git --depth 1 && cd express
Then install the dependencies:
1npm install
Then run whichever example you want:
1node examples/content-negotiation
Contributing
The Express.js project welcomes all constructive contributions. Contributions take many forms, from code for bug fixes and enhancements, to additions and fixes to documentation, additional tests, triaging incoming pull requests and issues, and more!
See the Contributing Guide for more technical details on contributing.
Security Issues
If you discover a security vulnerability in Express, please see Security Policies and Procedures.
Running Tests
To run the test suite, first install the dependencies:
1npm install
Then run npm test:
1npm test
People
The original author of Express is TJ Holowaychuk
TC (Technical Committee)
- UlisesGascon - Ulises Gascón (he/him)
- jonchurch - Jon Church
- wesleytodd - Wes Todd
- LinusU - Linus Unnebäck
- blakeembrey - Blake Embrey
- sheplu - Jean Burellier
- crandmck - Rand McKinney
- ctcpip - Chris de Almeida
TC emeriti members
TC emeriti members
- dougwilson - Douglas Wilson
- hacksparrow - Hage Yaapa
- jonathanong - jongleberry
- niftylettuce - niftylettuce
- troygoode - Troy Goode
Triagers
- aravindvnair99 - Aravind Nair
- bjohansebas - Sebastian Beltran
- carpasse - Carlos Serrano
- CBID2 - Christine Belzie
- dpopp07 - Dustin Popp
- UlisesGascon - Ulises Gascón (he/him)
- 3imed-jaberi - Imed Jaberi
- IamLizu - S M Mahmudul Hasan (he/him)
- Phillip9587 - Phillip Barta
- Sushmeet - Sushmeet Sunger
- rxmarbles Rick Markins (He/him)
Triagers emeriti members
Emeritus Triagers
- AuggieH - Auggie Hudak
- G-Rath - Gareth Jones
- MohammadXroid - Mohammad Ayashi
- NawafSwe - Nawaf Alsharqi
- NotMoni - Moni
- VigneshMurugan - Vignesh Murugan
- davidmashe - David Ashe
- digitaIfabric - David
- e-l-i-s-e - Elise Bonner
- fed135 - Frederic Charette
- firmanJS - Firman Abdul Hakim
- getspooky - Yasser Ameur
- ghinks - Glenn
- ghousemohamed - Ghouse Mohamed
- gireeshpunathil - Gireesh Punathil
- jake32321 - Jake Reed
- jonchurch - Jon Church
- lekanikotun - Troy Goode
- marsonya - Lekan Ikotun
- mastermatt - Matt R. Wilson
- maxakuru - Max Edell
- mlrawlings - Michael Rawlings
- rodion-arr - Rodion Abdurakhimov
- sheplu - Jean Burellier
- tarunyadav1 - Tarun yadav
- tunniclm - Mike Tunnicliffe
- enyoghasim - David Enyoghasim
- 0ss - Salah
- import-brain - Eric Cheng (he/him)
- dakshkhetan - Daksh Khetan (he/him)
- lucasraziel - Lucas Soares Do Rego
- mertcanaltin - Mert Can Altin
License
Moderate
4/10
Summary
Express ressource injection
Affected Versions
<= 3.21.4
Patched Versions
4.0.0-rc1
Moderate
6.1/10
Summary
Express.js Open Redirect in malformed URLs
Affected Versions
>= 5.0.0-alpha.1, < 5.0.0-beta.3
Patched Versions
5.0.0-beta.3
Moderate
6.1/10
Summary
Express.js Open Redirect in malformed URLs
Affected Versions
< 4.19.2
Patched Versions
4.19.2
Moderate
6.1/10
Summary
No Charset in Content-Type Header in express
Affected Versions
>= 4.0.0, < 4.5.0
Patched Versions
4.5.0
Moderate
6.1/10
Summary
No Charset in Content-Type Header in express
Affected Versions
< 3.11.0
Patched Versions
3.11.0
Low
4.7/10
Summary
Express Open Redirect vulnerability
Affected Versions
>= 3.4.5, < 4.0.0-rc1
Patched Versions
4.0.0-rc1
Low
5/10
Summary
express vulnerable to XSS via response.redirect()
Affected Versions
>= 5.0.0-alpha.1, < 5.0.0
Patched Versions
5.0.0
Low
5/10
Summary
express vulnerable to XSS via response.redirect()
Affected Versions
< 4.20.0
Patched Versions
4.20.0
Reason
all changesets reviewed
Reason
security policy file detected
Details
- Info: security policy file detected: Security.md:1
- Info: Found linked content: Security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: Security.md:1
- Info: Found text in security policy: Security.md:1
Reason
no dangerous workflow patterns detected
Reason
28 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Reason
update tool detected
Details
- Info: detected update tool: Dependabot: .github/dependabot.yml:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:92
- Warn: jobLevel 'checks' permission set to 'write': .github/workflows/ci.yml:93
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/legacy.yml:76
- Warn: jobLevel 'checks' permission set to 'write': .github/workflows/legacy.yml:77
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
- Info: topLevel 'contents' permission set to 'read': .github/workflows/legacy.yml:18
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
project has 119 contributing companies or organizations
Details
- Info: found contributions from: Bit-Byte-Drought, Callcredit, CampusMadridProjects, CartQL, Cartizon, DSC-ASEB, DefinitelyTyped, Diversity-In-DSC, ExpressGateway, FACE-Amrita-Bengaluru, FinFlee, Golang-Tunisia, IBM, Iterable, LaunchMade, MusicMapIo, Netflix, Node-Ops, OpenPathfinder, PaackEng, Quanexpert, TunisianJS, TypeStrong, Ultimate-Hosts-Blacklist, Wake-our-Lake, WinterTC55, a11y-badges, adobe, afterburner-js, ai-ng, alm-tools, amazon web services (@aws), apache, apex, beenvo, beerjs, borderless, clibs, codexscribo, cojs, collective-funds, component, crypto-utils, cyber-nomads, department, dsc-x, dsccodecollab, estreamercoders, expressjs, fastify, filament, forma-lab, fortunejs, github-beta, github-tunisia, gohttp, gridsome, guidesmiths, hackreactor, herodevs, houzz, https://vercel.com, ibm, iterable, javascript-tutorial, jsconf, jshttp, jstrace, koa-better-modules, koajs, macchiatojs, makeplane, makespacemadrid, memezinga, mercurius-js, migratejs, mootools, msysgit, mysqljs, namehash, nanodb, netflix, nko, nko2, nodejs, nodeshift, nodesource, openjs-foundation, ossf, paackeng, pillarjs, pkgjs, playframework, publicclass, reactjs, repo-utils, restify, reworkcss, sbt, senchalabs, serviejs, slate, softvenue, sortxyz, sparkpost, sprengnetter austria gmbh, standardschema, stream-utils, tc39, todogroup, tursodatabase, typed-typings, typings, vercel, visionmedia, w3c, webmodules, yeoman, zeromq
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 29 commits out of 30 are checked with a SAST tool
Reason
29 out of 30 merged PRs checked by a CI test -- score normalized to 9
Reason
dependency not pinned by hash detected -- score normalized to 6
Details
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:71
- Warn: npmCommand not pinned by hash: .github/workflows/legacy.yml:55
- Info: 18 out of 18 GitHub-owned GitHubAction dependencies pinned
- Info: 3 out of 3 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
8.8
/10
Last Scanned on 2025-05-15T16:40:45Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More