Installations
npm install express
Score: 59
Supply Chain: 96.6
Quality: 89.6
Maintenance: 100
Vulnerability: 100
Module System
N/A
Unable to determine the module system for this package.
Statistics
65,723 Stars
6,000 Commits
16,323 Forks
1,697 Watching
16 Branches
326 Contributors
Updated on 20 Nov 2024
Bundle Size
Minified: 580.16 kB
Minified + Gzipped: 231.43 kB
Languages
JavaScript (99.89%)
Makefile (0.07%)
Shell (0.05%)
Total Downloads
Cumulative downloads: 4,345,570,770
Last day: 6,976,201 (5.8% compared to previous day)
Last week: 35,629,865 (2.5% compared to previous week)
Last month: 150,217,082 (11.1% compared to previous month)
Last year: 1,541,770,283 (6.8% compared to previous year)
Dependencies
31
Fast, unopinionated, minimalist web framework for Node.js.
This project has a Code of Conduct.
Table of contents
- Installation
- Features
- Docs & Community
- Quick Start
- Running Tests
- Philosophy
- Examples
- Contributing to Express
- TC (Technical Committee)
- Triagers
- License
import express from 'express'

const app = express()

app.get('/', (req, res) => {
  res.send('Hello World')
})

app.listen(3000)
Installation
This is a Node.js module available through the npm registry.
Before installing, download and install Node.js. Node.js 18 or higher is required.
If this is a brand new project, make sure to create a package.json first with the npm init command.
Installation is done using the npm install command:
npm install express
Follow our installing guide for more information.
Features
- Robust routing
- Focus on high performance
- Super-high test coverage
- HTTP helpers (redirection, caching, etc)
- View system supporting 14+ template engines
- Content negotiation
- Executable for generating applications quickly
Docs & Community
- Website and Documentation - [website repo]
- GitHub Organization for Official Middleware & Modules
- GitHub Discussions for discussion on the development and usage of Express
PROTIP Be sure to read the migration guide to v5
Quick Start
The quickest way to get started with express is to utilize the executable express(1) to generate an application as shown below:
Install the executable. The executable's major version will match Express's:
npm install -g express-generator@4
Create the app:
express /tmp/foo && cd /tmp/foo
Install dependencies:
npm install
Start the server:
npm start
View the website at: http://localhost:3000
Philosophy
The Express philosophy is to provide small, robust tooling for HTTP servers, making it a great solution for single page applications, websites, hybrids, or public HTTP APIs.
Express does not force you to use any specific ORM or template engine. With support for over 14 template engines via @ladjs/consolidate, you can quickly craft your perfect framework.
Examples
To view the examples, clone the Express repository:
git clone https://github.com/expressjs/express.git --depth 1 && cd express
Then install the dependencies:
npm install
Then run whichever example you want:
node examples/content-negotiation
Contributing
The Express.js project welcomes all constructive contributions. Contributions take many forms, from code for bug fixes and enhancements, to additions and fixes to documentation, additional tests, triaging incoming pull requests and issues, and more!
See the Contributing Guide for more technical details on contributing.
Security Issues
If you discover a security vulnerability in Express, please see Security Policies and Procedures.
Running Tests
To run the test suite, first install the dependencies:
npm install
Then run npm test:
npm test
People
The original author of Express is TJ Holowaychuk
TC (Technical Committee)
- UlisesGascon - Ulises Gascón (he/him)
- jonchurch - Jon Church
- wesleytodd - Wes Todd
- LinusU - Linus Unnebäck
- blakeembrey - Blake Embrey
- sheplu - Jean Burellier
- crandmck - Rand McKinney
- ctcpip - Chris de Almeida
TC emeriti members
- dougwilson - Douglas Wilson
- hacksparrow - Hage Yaapa
- jonathanong - jongleberry
- niftylettuce - niftylettuce
- troygoode - Troy Goode
Triagers
- aravindvnair99 - Aravind Nair
- bjohansebas - Sebastian Beltran
- carpasse - Carlos Serrano
- CBID2 - Christine Belzie
- enyoghasim - David Enyoghasim
- UlisesGascon - Ulises Gascón (he/him)
- mertcanaltin - Mert Can Altin
- 0ss - Salah
- import-brain - Eric Cheng (he/him)
- 3imed-jaberi - Imed Jaberi
- dakshkhetan - Daksh Khetan (he/him)
- lucasraziel - Lucas Soares Do Rego
- IamLizu - S M Mahmudul Hasan (he/him)
- Sushmeet - Sushmeet Sunger
Triagers emeriti members
Emeritus Triagers
- AuggieH - Auggie Hudak
- G-Rath - Gareth Jones
- MohammadXroid - Mohammad Ayashi
- NawafSwe - Nawaf Alsharqi
- NotMoni - Moni
- VigneshMurugan - Vignesh Murugan
- davidmashe - David Ashe
- digitaIfabric - David
- e-l-i-s-e - Elise Bonner
- fed135 - Frederic Charette
- firmanJS - Firman Abdul Hakim
- getspooky - Yasser Ameur
- ghinks - Glenn
- ghousemohamed - Ghouse Mohamed
- gireeshpunathil - Gireesh Punathil
- jake32321 - Jake Reed
- jonchurch - Jon Church
- lekanikotun - Troy Goode
- marsonya - Lekan Ikotun
- mastermatt - Matt R. Wilson
- maxakuru - Max Edell
- mlrawlings - Michael Rawlings
- rodion-arr - Rodion Abdurakhimov
- sheplu - Jean Burellier
- tarunyadav1 - Tarun yadav
- tunniclm - Mike Tunnicliffe
License
Stable Version
The latest stable version of the package.
5.0.0
MODERATE (4)
- 6.1/10: Express.js Open Redirect in malformed URLs. Affected versions: >= 5.0.0-alpha.1, < 5.0.0-beta.3. Patched versions: 5.0.0-beta.3
- 6.1/10: Express.js Open Redirect in malformed URLs. Affected versions: < 4.19.2. Patched versions: 4.19.2
- 6.1/10: No Charset in Content-Type Header in express. Affected versions: >= 4.0.0, < 4.5.0. Patched versions: 4.5.0
- 6.1/10: No Charset in Content-Type Header in express. Affected versions: < 3.11.0. Patched versions: 3.11.0
LOW (3)
- 4.7/10: Express Open Redirect vulnerability. Affected versions: >= 3.4.5, < 4.0.0-rc1. Patched versions: 4.0.0-rc1
- 5/10: express vulnerable to XSS via response.redirect(). Affected versions: >= 5.0.0-alpha.1, < 5.0.0. Patched versions: 5.0.0
- 5/10: express vulnerable to XSS via response.redirect(). Affected versions: < 4.20.0. Patched versions: 4.20.0
Reason
all changesets reviewed
Reason
30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: Security.md:1
- Info: Found linked content: Security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: Security.md:1
- Info: Found text in security policy: Security.md:1
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 21 commits out of 30 are checked with a SAST tool
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
- Warn: no topLevel permission defined: .github/workflows/legacy.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/legacy.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:37
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:69
- Warn: npmCommand not pinned by hash: .github/workflows/legacy.yml:52
- Info: 3 out of 15 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
7.2/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.