Gathering detailed insights and metrics for multiparty
Gathering detailed insights and metrics for multiparty
A node.js module for parsing multipart-form data requests which supports streams2
Installations
npm install multipartyDeveloper Guide
BETA
Typescript
No
Module System
N/A
Min. Node Version
>= 0.10
Node Version
16.13.1
NPM Version
8.1.2
Score
99.1
Supply Chain
99.5
Quality
79
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Languages
1
JavaScript
JavaScript (100%)
Developer
pillarjs
Download Statistics
Total Downloads
206,772,510
Last Day
38,555
Last Week
555,107
Last Month
2,459,133
Last Year
29,003,430
GitHub Statistics
MIT License
1,298 Stars
708 Commits
168 Forks
35 Watchers
8 Branches
65 Contributors
Updated on Jun 16, 2025
Bundle Size
18.50 kB
Minified
6.37 kB
Minified + Gzipped
Maintainers
2
Package Meta Information
Latest Version
4.2.3
Package Id
multiparty@4.2.3
Unpacked Size
38.68 kB
Size
12.16 kB
File Count
5
NPM Version
8.1.2
Node Version
16.13.1
Total Downloads
Cumulative downloads
Total Downloads
206,772,510
Dependencies
3
multiparty
Parse http requests with content-type multipart/form-data, also known as file uploads.
See also busboy - a faster alternative which may be worth looking into.
Installation
This is a Node.js module available through the
npm registry. Installation is done using the
npm install command:
npm install multiparty
Usage
- See examples.
Parse an incoming multipart/form-data request.
1var multiparty = require('multiparty'); 2var http = require('http'); 3var util = require('util'); 4 5http.createServer(function(req, res) { 6 if (req.url === '/upload' && req.method === 'POST') { 7 // parse a file upload 8 var form = new multiparty.Form(); 9 10 form.parse(req, function(err, fields, files) { 11 res.writeHead(200, { 'content-type': 'text/plain' }); 12 res.write('received upload:\n\n'); 13 res.end(util.inspect({ fields: fields, files: files })); 14 }); 15 16 return; 17 } 18 19 // show a file upload form 20 res.writeHead(200, { 'content-type': 'text/html' }); 21 res.end( 22 '<form action="/upload" enctype="multipart/form-data" method="post">'+ 23 '<input type="text" name="title"><br>'+ 24 '<input type="file" name="upload" multiple="multiple"><br>'+ 25 '<input type="submit" value="Upload">'+ 26 '</form>' 27 ); 28}).listen(8080);
API
multiparty.Form
1var form = new multiparty.Form(options)
Creates a new form. Options:
encoding- sets encoding for the incoming form fields. Defaults toutf8.maxFieldsSize- Limits the amount of memory all fields (not files) can allocate in bytes. If this value is exceeded, anerrorevent is emitted. The default size is 2MB.maxFields- Limits the number of fields that will be parsed before emitting anerrorevent. A file counts as a field in this case. Defaults to 1000.maxFilesSize- Only relevant whenautoFilesistrue. Limits the total bytes accepted for all files combined. If this value is exceeded, anerrorevent is emitted. The default isInfinity.autoFields- Enablesfieldevents and disablespartevents for fields. This is automatically set totrueif you add afieldlistener.autoFiles- Enablesfileevents and disablespartevents for files. This is automatically set totrueif you add afilelistener.uploadDir- Only relevant whenautoFilesistrue. The directory for placing file uploads in. You can move them later usingfs.rename(). Defaults toos.tmpdir().
form.parse(request, [cb])
Parses an incoming node.js request containing form data.This will cause
form to emit events based off the incoming request.
1var count = 0; 2var form = new multiparty.Form(); 3 4// Errors may be emitted 5// Note that if you are listening to 'part' events, the same error may be 6// emitted from the `form` and the `part`. 7form.on('error', function(err) { 8 console.log('Error parsing form: ' + err.stack); 9}); 10 11// Parts are emitted when parsing the form 12form.on('part', function(part) { 13 // You *must* act on the part by reading it 14 // NOTE: if you want to ignore it, just call "part.resume()" 15 16 if (part.filename === undefined) { 17 // filename is not defined when this is a field and not a file 18 console.log('got field named ' + part.name); 19 // ignore field's content 20 part.resume(); 21 } 22 23 if (part.filename !== undefined) { 24 // filename is defined when this is a file 25 count++; 26 console.log('got file named ' + part.name); 27 // ignore file's content here 28 part.resume(); 29 } 30 31 part.on('error', function(err) { 32 // decide what to do 33 }); 34}); 35 36// Close emitted after form parsed 37form.on('close', function() { 38 console.log('Upload completed!'); 39 res.setHeader('text/plain'); 40 res.end('Received ' + count + ' files'); 41}); 42 43// Parse req 44form.parse(req);
If cb is provided, autoFields and autoFiles are set to true and all
fields and files are collected and passed to the callback, removing the need to
listen to any events on form. This is for convenience when you want to read
everything, but be sure to write cleanup code, as this will write all uploaded
files to the disk, even ones you may not be interested in.
1form.parse(req, function(err, fields, files) { 2 Object.keys(fields).forEach(function(name) { 3 console.log('got field named ' + name); 4 }); 5 6 Object.keys(files).forEach(function(name) { 7 console.log('got file named ' + name); 8 }); 9 10 console.log('Upload completed!'); 11 res.setHeader('text/plain'); 12 res.end('Received ' + files.length + ' files'); 13});
fields is an object where the property names are field names and the values
are arrays of field values.
files is an object where the property names are field names and the values
are arrays of file objects.
form.bytesReceived
The amount of bytes received for this form so far.
form.bytesExpected
The expected number of bytes in this form.
Events
'error' (err)
Unless you supply a callback to form.parse, you definitely want to handle
this event. Otherwise your server will crash when users submit bogus
multipart requests!
Only one 'error' event can ever be emitted, and if an 'error' event is emitted, then 'close' will not be emitted.
If the error would correspond to a certain HTTP response code, the err object
will have a statusCode property with the value of the suggested HTTP response
code to send back.
Note that an 'error' event will be emitted both from the form and from the
current part.
'part' (part)
Emitted when a part is encountered in the request. part is a
ReadableStream. It also has the following properties:
headers- the headers for this part. For example, you may be interested incontent-type.name- the field name for this partfilename- only if the part is an incoming filebyteOffset- the byte offset of this part in the request bodybyteCount- assuming that this is the last part in the request, this is the size of this part in bytes. You could use this, for example, to set theContent-Lengthheader if uploading to S3. If the part had aContent-Lengthheader then that value is used here instead.
Parts for fields are not emitted when autoFields is on, and likewise parts
for files are not emitted when autoFiles is on.
part emits 'error' events! Make sure you handle them.
'aborted'
Emitted when the request is aborted. This event will be followed shortly
by an error event. In practice you do not need to handle this event.
'progress' (bytesReceived, bytesExpected)
Emitted when a chunk of data is received for the form. The bytesReceived
argument contains the total count of bytes received for this form so far. The
bytesExpected argument contains the total expected bytes if known, otherwise
null.
'close'
Emitted after all parts have been parsed and emitted. Not emitted if an error
event is emitted.
If you have autoFiles on, this is not fired until all the data has been
flushed to disk and the file handles have been closed.
This is typically when you would send your response.
'file' (name, file)
By default multiparty will not touch your hard drive. But if you add this
listener, multiparty automatically sets form.autoFiles to true and will
stream uploads to disk for you.
The max bytes accepted per request can be specified with maxFilesSize.
name- the field name for this filefile- an object with these properties:fieldName- same asname- the field name for this fileoriginalFilename- the filename that the user reports for the filepath- the absolute path of the uploaded file on diskheaders- the HTTP headers that were sent along with this filesize- size of the file in bytes
'field' (name, value)
name- field namevalue- string field value
License
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
25 different organizations found -- score normalized to 10
Details
- Info: contributors work for DataDog,ExpressGateway,LMMS,NixOS,PistonDevelopers,PrismarineJS,atlassian,bower,crypto-utils,datadog,doctape,expressjs,hoodiehq,llvm,mysqljs,nock,nodecopter,nodejs,open-telemetry,recursecenter,repo-utils,stream-utils,total expert inc,wrangr,ziglang
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: License file found in expected location: LICENSE:1
- Info: FSF or OSI recognized license: LICENSE:1
Reason
no vulnerabilities detected
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/multiparty/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/multiparty/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/multiparty/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:85
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:101
- Info: 3 out of 4 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 3 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
0 out of 1 merged PRs checked by a CI test -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
found 29 unreviewed changesets out of 30 -- score normalized to 0
Reason
no update tool detected
Details
- Warn: tool 'RenovateBot' is not used: Follow the instructions from https://docs.renovatebot.com/configuration-options/. (Low effort)
- Warn: tool 'Dependabot' is not used: Follow the instructions from https://docs.github.com/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates. (Low effort)
- Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs. (Low effort)
- Warn: tool 'Sonatype Lift' is not used: Follow the instructions from https://help.sonatype.com/lift/getting-started. (Low effort)
Reason
project is not fuzzed
Details
- Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project: QuickCheck: https://hackage.haskell.org/package/QuickCheck hedgehog: https://hedgehog.qa/ validity: https://github.com/NorfairKing/validity smallcheck: https://hackage.haskell.org/package/smallcheck hspec: https://hspec.github.io/ tasty: https://hackage.haskell.org/package/tasty (High effort)
- Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
- Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
Reason
0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 1 are checked with a SAST tool
- Warn: CodeQL tool not detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. For additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)
- Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Provide a point of contact in your SECURITY.md. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
- Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
- Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1: Visit https://app.stepsecurity.io/secureworkflow/pillarjs/multiparty/ci.yml/master?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:19
- Info: no jobLevel write permissions found
Score
3.4
/10
Last Scanned on 2024-11-11T21:28:06Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More