Gathering detailed insights and metrics for morgan
Gathering detailed insights and metrics for morgan
Gathering detailed insights and metrics for morgan
Gathering detailed insights and metrics for morgan
npm install morgan
Typescript
Module System
Min. Node Version
Node Version
NPM Version
96.1
Supply Chain
99.5
Quality
77.7
Maintenance
100
Vulnerability
100
License
JavaScript (100%)
Total
1,122,181,479
Last Day
243,426
Last Week
5,100,141
Last Month
21,674,304
Last Year
235,148,271
7,968 Stars
374 Commits
536 Forks
94 Watching
1 Branches
45 Contributors
Minified
Minified + Gzipped
Latest Version
1.10.0
Package Id
morgan@1.10.0
Unpacked Size
NaN GB
Size
9.37 kB
File Count
0
NPM Version
6.13.7
Node Version
13.11.0
Publised On
20 Mar 2020
Cumulative downloads
Total Downloads
Last day
-7.4%
243,426
Compared to previous day
Last week
3.7%
5,100,141
Compared to previous week
Last month
-0.9%
21,674,304
Compared to previous month
Last year
15%
235,148,271
Compared to previous year
HTTP request logger middleware for node.js
Named after Dexter, a show you should not watch until completion.
1var morgan = require('morgan')
Create a new morgan logger middleware function using the given format
and options
.
The format
argument may be a string of a predefined name (see below for the names),
a string of a format string, or a function that will produce a log entry.
The format
function will be called with three arguments tokens
, req
, and res
,
where tokens
is an object with all defined tokens, req
is the HTTP request and res
is the HTTP response. The function is expected to return a string that will be the log
line, or undefined
/ null
to skip logging.
1morgan('tiny')
1morgan(':method :url :status :res[content-length] - :response-time ms')
1morgan(function (tokens, req, res) { 2 return [ 3 tokens.method(req, res), 4 tokens.url(req, res), 5 tokens.status(req, res), 6 tokens.res(req, res, 'content-length'), '-', 7 tokens['response-time'](req, res), 'ms' 8 ].join(' ') 9})
Morgan accepts these properties in the options object.
Write log line on request instead of response. This means that a requests will be logged even if the server crashes, but data from the response (like the response code, content length, etc.) cannot be logged.
Function to determine if logging is skipped, defaults to false
. This function
will be called as skip(req, res)
.
1// EXAMPLE: only log error responses 2morgan('combined', { 3 skip: function (req, res) { return res.statusCode < 400 } 4})
Output stream for writing log lines, defaults to process.stdout
.
There are various pre-defined formats provided:
Standard Apache combined log output.
:remote-addr - :remote-user [:date[clf]] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"
Standard Apache common log output.
:remote-addr - :remote-user [:date[clf]] ":method :url HTTP/:http-version" :status :res[content-length]
Concise output colored by response status for development use. The :status
token will be colored green for success codes, red for server error codes,
yellow for client error codes, cyan for redirection codes, and uncolored
for information codes.
:method :url :status :response-time ms - :res[content-length]
Shorter than default, also including response time.
:remote-addr :remote-user :method :url HTTP/:http-version :status :res[content-length] - :response-time ms
The minimal output.
:method :url :status :res[content-length] - :response-time ms
To define a token, simply invoke morgan.token()
with the name and a callback function.
This callback function is expected to return a string value. The value returned is then
available as ":type" in this case:
1morgan.token('type', function (req, res) { return req.headers['content-type'] })
Calling morgan.token()
using the same name as an existing token will overwrite that
token definition.
The token function is expected to be called with the arguments req
and res
, representing
the HTTP request and HTTP response. Additionally, the token can accept further arguments of
it's choosing to customize behavior.
The current date and time in UTC. The available formats are:
clf
for the common log format ("10/Oct/2000:13:55:36 +0000"
)iso
for the common ISO 8601 date time format (2000-10-10T13:55:36.000Z
)web
for the common RFC 1123 date time format (Tue, 10 Oct 2000 13:55:36 GMT
)If no format is given, then the default is web
.
The HTTP version of the request.
The HTTP method of the request.
The Referrer header of the request. This will use the standard mis-spelled Referer header if exists, otherwise Referrer.
The remote address of the request. This will use req.ip
, otherwise the standard req.connection.remoteAddress
value (socket address).
The user authenticated as part of Basic auth for the request.
The given header
of the request. If the header is not present, the
value will be displayed as "-"
in the log.
The given header
of the response. If the header is not present, the
value will be displayed as "-"
in the log.
The time between the request coming into morgan
and when the response
headers are written, in milliseconds.
The digits
argument is a number that specifies the number of digits to
include on the number, defaulting to 3
, which provides microsecond precision.
The status code of the response.
If the request/response cycle completes before a response was sent to the
client (for example, the TCP socket closed prematurely by a client aborting
the request), then the status will be empty (displayed as "-"
in the log).
The time between the request coming into morgan
and when the response
has finished being written out to the connection, in milliseconds.
The digits
argument is a number that specifies the number of digits to
include on the number, defaulting to 3
, which provides microsecond precision.
The URL of the request. This will use req.originalUrl
if exists, otherwise req.url
.
The contents of the User-Agent header of the request.
Compile a format string into a format
function for use by morgan
. A format string
is a string that represents a single log line and can utilize token syntax.
Tokens are references by :token-name
. If tokens accept arguments, they can
be passed using []
, for example: :token-name[pretty]
would pass the string
'pretty'
as an argument to the token token-name
.
The function returned from morgan.compile
takes three arguments tokens
, req
, and
res
, where tokens
is object with all defined tokens, req
is the HTTP request and
res
is the HTTP response. The function will return a string that will be the log line,
or undefined
/ null
to skip logging.
Normally formats are defined using morgan.format(name, format)
, but for certain
advanced uses, this compile function is directly available.
Simple app that will log all request in the Apache combined format to STDOUT
1var express = require('express') 2var morgan = require('morgan') 3 4var app = express() 5 6app.use(morgan('combined')) 7 8app.get('/', function (req, res) { 9 res.send('hello, world!') 10})
Simple app that will log all request in the Apache combined format to STDOUT
1var finalhandler = require('finalhandler') 2var http = require('http') 3var morgan = require('morgan') 4 5// create "middleware" 6var logger = morgan('combined') 7 8http.createServer(function (req, res) { 9 var done = finalhandler(req, res) 10 logger(req, res, function (err) { 11 if (err) return done(err) 12 13 // respond to request 14 res.setHeader('content-type', 'text/plain') 15 res.end('hello, world!') 16 }) 17})
Simple app that will log all requests in the Apache combined format to the file
access.log
.
1var express = require('express') 2var fs = require('fs') 3var morgan = require('morgan') 4var path = require('path') 5 6var app = express() 7 8// create a write stream (in append mode) 9var accessLogStream = fs.createWriteStream(path.join(__dirname, 'access.log'), { flags: 'a' }) 10 11// setup the logger 12app.use(morgan('combined', { stream: accessLogStream })) 13 14app.get('/', function (req, res) { 15 res.send('hello, world!') 16})
Simple app that will log all requests in the Apache combined format to one log
file per day in the log/
directory using the
rotating-file-stream module.
1var express = require('express') 2var morgan = require('morgan') 3var path = require('path') 4var rfs = require('rotating-file-stream') // version 2.x 5 6var app = express() 7 8// create a rotating write stream 9var accessLogStream = rfs.createStream('access.log', { 10 interval: '1d', // rotate daily 11 path: path.join(__dirname, 'log') 12}) 13 14// setup the logger 15app.use(morgan('combined', { stream: accessLogStream })) 16 17app.get('/', function (req, res) { 18 res.send('hello, world!') 19})
The morgan
middleware can be used as many times as needed, enabling
combinations like:
Sample app that will log all requests to a file using Apache format, but error responses are logged to the console:
1var express = require('express') 2var fs = require('fs') 3var morgan = require('morgan') 4var path = require('path') 5 6var app = express() 7 8// log only 4xx and 5xx responses to console 9app.use(morgan('dev', { 10 skip: function (req, res) { return res.statusCode < 400 } 11})) 12 13// log all requests to access.log 14app.use(morgan('common', { 15 stream: fs.createWriteStream(path.join(__dirname, 'access.log'), { flags: 'a' }) 16})) 17 18app.get('/', function (req, res) { 19 res.send('hello, world!') 20})
Sample app that will use custom token formats. This adds an ID to all requests and displays it using the :id
token.
1var express = require('express') 2var morgan = require('morgan') 3var uuid = require('node-uuid') 4 5morgan.token('id', function getId (req) { 6 return req.id 7}) 8 9var app = express() 10 11app.use(assignId) 12app.use(morgan(':id :method :url :response-time')) 13 14app.get('/', function (req, res) { 15 res.send('hello, world!') 16}) 17 18function assignId (req, res, next) { 19 req.id = uuid.v4() 20 next() 21}
Stable Version
1
9.8/10
Summary
Code Injection in morgan
Affected Versions
< 1.9.1
Patched Versions
1.9.1
Reason
no binaries found in the repo
Reason
6 different organizations found -- score normalized to 10
Details
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
Reason
no vulnerabilities detected
Reason
found 22 unreviewed changesets out of 30 -- score normalized to 2
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
0 out of 8 merged PRs checked by a CI test -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
security policy file not detected
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Score
Last Scanned on 2024-12-02T21:24:07Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More