Gathering detailed insights and metrics for express
Gathering detailed insights and metrics for express
Fast, unopinionated, minimalist web framework for node.
Installations
npm install expressDeveloper Guide
BETA
Typescript
No
Module System
N/A
Min. Node Version
>= 0.10.0
Node Version
20.16.0
NPM Version
10.8.1
Score
94.2
Supply Chain
96.6
Quality
84.2
Maintenance
100
Vulnerability
100
License
Releases
159
Contributors
333
Unable to fetch Contributors
Languages
3
JavaScript
Makefile
Shell
JavaScript (99.89%)
Makefile (0.07%)
Shell (0.05%)
Developer
Download Statistics
Total Downloads
4,920,823,566
Last Day
6,792,637
Last Week
36,593,970
Last Month
160,603,093
Last Year
1,642,787,337
GitHub Statistics
MIT License
66,556 Stars
6,040 Commits
17,897 Forks
1,693 Watchers
13 Branches
333 Contributors
Updated on Mar 21, 2025
Bundle Size
580.92 kB
Minified
232.34 kB
Minified + Gzipped
Sponsor this package
Maintainers
8
Package Meta Information
Latest Version
4.21.2
Package Id
express@4.21.2
Unpacked Size
216.04 kB
Size
56.66 kB
File Count
16
NPM Version
10.8.1
Node Version
20.16.0
Published on
Dec 05, 2024
Total Downloads
Cumulative downloads
Total Downloads
4,920,823,566
Last Day
-0.4%
6,792,637
Compared to previous day
Last Week
-2.4%
36,593,970
Compared to previous week
Last Month
3.2%
160,603,093
Compared to previous month
Last Year
13.1%
1,642,787,337
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
31
Fast, unopinionated, minimalist web framework for Node.js.
This project has a Code of Conduct.
Table of contents
- Installation
- Features
- Docs & Community
- Quick Start
- Running Tests
- Philosophy
- Examples
- Contributing to Express
- TC (Technical Committee)
- Triagers
- License
1const express = require('express') 2const app = express() 3 4app.get('/', function (req, res) { 5 res.send('Hello World') 6}) 7 8app.listen(3000)
Installation
This is a Node.js module available through the npm registry.
Before installing, download and install Node.js. Node.js 0.10 or higher is required.
If this is a brand new project, make sure to create a package.json first with
the npm init command.
Installation is done using the
npm install command:
1$ npm install express
Follow our installing guide for more information.
Features
- Robust routing
- Focus on high performance
- Super-high test coverage
- HTTP helpers (redirection, caching, etc)
- View system supporting 14+ template engines
- Content negotiation
- Executable for generating applications quickly
Docs & Community
- Website and Documentation - [website repo]
- #express on Libera Chat IRC
- GitHub Organization for Official Middleware & Modules
- Visit the Wiki
- Google Group for discussion
- Gitter for support and discussion
PROTIP Be sure to read Migrating from 3.x to 4.x as well as New features in 4.x.
Quick Start
The quickest way to get started with express is to utilize the executable express(1) to generate an application as shown below:
Install the executable. The executable's major version will match Express's:
1$ npm install -g express-generator@4
Create the app:
1$ express /tmp/foo && cd /tmp/foo
Install dependencies:
1$ npm install
Start the server:
1$ npm start
View the website at: http://localhost:3000
Philosophy
The Express philosophy is to provide small, robust tooling for HTTP servers, making it a great solution for single page applications, websites, hybrids, or public HTTP APIs.
Express does not force you to use any specific ORM or template engine. With support for over 14 template engines via Consolidate.js, you can quickly craft your perfect framework.
Examples
To view the examples, clone the Express repo and install the dependencies:
1$ git clone https://github.com/expressjs/express.git --depth 1 2$ cd express 3$ npm install
Then run whichever example you want:
1$ node examples/content-negotiation
Contributing
The Express.js project welcomes all constructive contributions. Contributions take many forms, from code for bug fixes and enhancements, to additions and fixes to documentation, additional tests, triaging incoming pull requests and issues, and more!
See the Contributing Guide for more technical details on contributing.
Security Issues
If you discover a security vulnerability in Express, please see Security Policies and Procedures.
Running Tests
To run the test suite, first install the dependencies, then run npm test:
1$ npm install 2$ npm test
People
The original author of Express is TJ Holowaychuk
TC (Technical Committee)
- UlisesGascon - Ulises Gascón (he/him)
- jonchurch - Jon Church
- wesleytodd - Wes Todd
- LinusU - Linus Unnebäck
- blakeembrey - Blake Embrey
- sheplu - Jean Burellier
- crandmck - Rand McKinney
- ctcpip - Chris de Almeida
TC emeriti members
TC emeriti members
- dougwilson - Douglas Wilson
- hacksparrow - Hage Yaapa
- jonathanong - jongleberry
- niftylettuce - niftylettuce
- troygoode - Troy Goode
Triagers
- aravindvnair99 - Aravind Nair
- carpasse - Carlos Serrano
- CBID2 - Christine Belzie
- enyoghasim - David Enyoghasim
- UlisesGascon - Ulises Gascón (he/him)
- mertcanaltin - Mert Can Altin
- 0ss - Salah
- import-brain - Eric Cheng (he/him)
- 3imed-jaberi - Imed Jaberi
- dakshkhetan - Daksh Khetan (he/him)
- lucasraziel - Lucas Soares Do Rego
- IamLizu - S M Mahmudul Hasan (he/him)
- Sushmeet - Sushmeet Sunger
Triagers emeriti members
Emeritus Triagers
- AuggieH - Auggie Hudak
- G-Rath - Gareth Jones
- MohammadXroid - Mohammad Ayashi
- NawafSwe - Nawaf Alsharqi
- NotMoni - Moni
- VigneshMurugan - Vignesh Murugan
- davidmashe - David Ashe
- digitaIfabric - David
- e-l-i-s-e - Elise Bonner
- fed135 - Frederic Charette
- firmanJS - Firman Abdul Hakim
- getspooky - Yasser Ameur
- ghinks - Glenn
- ghousemohamed - Ghouse Mohamed
- gireeshpunathil - Gireesh Punathil
- jake32321 - Jake Reed
- jonchurch - Jon Church
- lekanikotun - Troy Goode
- marsonya - Lekan Ikotun
- mastermatt - Matt R. Wilson
- maxakuru - Max Edell
- mlrawlings - Michael Rawlings
- rodion-arr - Rodion Abdurakhimov
- sheplu - Jean Burellier
- tarunyadav1 - Tarun yadav
- tunniclm - Mike Tunnicliffe
License
Moderate
4/10
Summary
Express ressource injection
Affected Versions
<= 3.21.4
Patched Versions
4.0.0-rc1
Moderate
6.1/10
Summary
Express.js Open Redirect in malformed URLs
Affected Versions
>= 5.0.0-alpha.1, < 5.0.0-beta.3
Patched Versions
5.0.0-beta.3
Moderate
6.1/10
Summary
Express.js Open Redirect in malformed URLs
Affected Versions
< 4.19.2
Patched Versions
4.19.2
Moderate
6.1/10
Summary
No Charset in Content-Type Header in express
Affected Versions
>= 4.0.0, < 4.5.0
Patched Versions
4.5.0
Moderate
6.1/10
Summary
No Charset in Content-Type Header in express
Affected Versions
< 3.11.0
Patched Versions
3.11.0
Low
4.7/10
Summary
Express Open Redirect vulnerability
Affected Versions
>= 3.4.5, < 4.0.0-rc1
Patched Versions
4.0.0-rc1
Low
5/10
Summary
express vulnerable to XSS via response.redirect()
Affected Versions
>= 5.0.0-alpha.1, < 5.0.0
Patched Versions
5.0.0
Low
5/10
Summary
express vulnerable to XSS via response.redirect()
Affected Versions
< 4.20.0
Patched Versions
4.20.0
Reason
update tool detected
Details
- Info: detected update tool: Dependabot: .github/dependabot.yml:1
Reason
30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: Security.md:1
- Info: Found linked content: Security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: Security.md:1
- Info: Found text in security policy: Security.md:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:92
- Warn: jobLevel 'checks' permission set to 'write': .github/workflows/ci.yml:93
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/legacy.yml:76
- Warn: jobLevel 'checks' permission set to 'write': .github/workflows/legacy.yml:77
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
- Info: topLevel 'contents' permission set to 'read': .github/workflows/legacy.yml:18
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Reason
project has 119 contributing companies or organizations
Details
- Info: found contributions from: Bit-Byte-Drought, Callcredit, CampusMadridProjects, CartQL, Cartizon, DSC-ASEB, DefinitelyTyped, Diversity-In-DSC, ExpressGateway, FACE-Amrita-Bengaluru, FinFlee, Golang-Tunisia, IBM, Iterable, LaunchMade, MusicMapIo, Netflix, Node-Ops, OpenPathfinder, PaackEng, Quanexpert, Thinkful-Ed, TunisianJS, TypeStrong, Ultimate-Hosts-Blacklist, Wake-our-Lake, a11y-badges, adobe, afterburner-js, ai-ng, alm-tools, amazon web services (@aws), apache, apex, beenvo, beerjs, borderless, clibs, cojs, collective-funds, component, crypto-utils, cyber-nomads, department, dsc-x, dsccodecollab, estreamercoders, expressjs, fastify, filament, forma-lab, fortunejs, github-beta, github-tunisia, gohttp, gridsome, guidesmiths, hackreactor, herodevs, houzz, https://vercel.com, ibm, iterable, javascript-tutorial, jsconf, jshttp, jstrace, koa-better-modules, koajs, macchiatojs, makespacemadrid, memezinga, mercurius-js, migratejs, mootools, msysgit, mysqljs, namehash, nanodb, netflix, nko, nko2, nodejs, nodeshift, nodesource, openjs-foundation, ossf, paackeng, pillarjs, pkgjs, playframework, publicclass, reactjs, repo-utils, restify, reworkcss, sbt, senchalabs, serviejs, slate, softvenue, sortxyz, sparkpost, sprengnetter austria gmbh, standardschema, stream-utils, tc39, todogroup, tursodatabase, typed-typings, typings, vercel, visionmedia, w3c, webmodules, william gates, wintercg, yeoman, zeromq
Reason
Found 27/28 approved changesets -- score normalized to 9
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 28 commits out of 29 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/legacy.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/legacy.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/express/legacy.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:71
- Warn: npmCommand not pinned by hash: .github/workflows/legacy.yml:55
- Info: 6 out of 18 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 3 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
8.5
/10
Last Scanned on 2025-03-19T00:17:36Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More