Gathering detailed insights and metrics for send
Gathering detailed insights and metrics for send
Streaming static file server with Range and conditional-GET support
Installations
npm install sendDeveloper Guide
BETA
Typescript
No
Module System
N/A
Min. Node Version
>= 18
Node Version
22.10.0
NPM Version
10.9.0
Score
97.5
Supply Chain
99.5
Quality
83.3
Maintenance
100
Vulnerability
100
License
Releases
3
Languages
1
JavaScript
JavaScript (100%)
Developer
pillarjs
Download Statistics
Total Downloads
8,249,924,629
Last Day
2,721,259
Last Week
44,279,352
Last Month
195,515,642
Last Year
1,865,327,562
GitHub Statistics
MIT License
807 Stars
588 Commits
194 Forks
21 Watchers
11 Branches
49 Contributors
Updated on Jun 30, 2025
Maintainers
4
Package Meta Information
Latest Version
1.2.0
Package Id
send@1.2.0
Unpacked Size
45.82 kB
Size
14.32 kB
File Count
5
NPM Version
10.9.0
Node Version
22.10.0
Published on
Mar 27, 2025
Total Downloads
Cumulative downloads
Total Downloads
8,249,924,629
Last Day
-2.5%
2,721,259
Compared to previous day
Last Week
-7.3%
44,279,352
Compared to previous week
Last Month
10.4%
195,515,642
Compared to previous month
Last Year
21%
1,865,327,562
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
send
Send is a library for streaming files from the file system as a http response supporting partial responses (Ranges), conditional-GET negotiation (If-Match, If-Unmodified-Since, If-None-Match, If-Modified-Since), high test coverage, and granular events which may be leveraged to take appropriate actions in your application or framework.
Looking to serve up entire folders mapped to URLs? Try serve-static.
Installation
This is a Node.js module available through the
npm registry. Installation is done using the
npm install command:
1$ npm install send
API
1var send = require('send')
send(req, path, [options])
Create a new SendStream for the given path to send to a res. The req is
the Node.js HTTP request and the path is a urlencoded path to send (urlencoded,
not the actual file-system path).
Options
acceptRanges
Enable or disable accepting ranged requests, defaults to true.
Disabling this will not send Accept-Ranges and ignore the contents
of the Range request header.
cacheControl
Enable or disable setting Cache-Control response header, defaults to
true. Disabling this will ignore the immutable and maxAge options.
dotfiles
Set how "dotfiles" are treated when encountered. A dotfile is a file
or directory that begins with a dot ("."). Note this check is done on
the path itself without checking if the path actually exists on the
disk. If root is specified, only the dotfiles above the root are
checked (i.e. the root itself can be within a dotfile when set
to "deny").
'allow'No special treatment for dotfiles.'deny'Send a 403 for any request for a dotfile.'ignore'Pretend like the dotfile does not exist and 404.
The default value is similar to 'ignore', with the exception that
this default will not ignore the files within a directory that begins
with a dot, for backward-compatibility.
end
Byte offset at which the stream ends, defaults to the length of the file
minus 1. The end is inclusive in the stream, meaning end: 3 will include
the 4th byte in the stream.
etag
Enable or disable etag generation, defaults to true.
extensions
If a given file doesn't exist, try appending one of the given extensions,
in the given order. By default, this is disabled (set to false). An
example value that will serve extension-less HTML files: ['html', 'htm'].
This is skipped if the requested file already has an extension.
immutable
Enable or disable the immutable directive in the Cache-Control response
header, defaults to false. If set to true, the maxAge option should
also be specified to enable caching. The immutable directive will prevent
supported clients from making conditional requests during the life of the
maxAge option to check if the file has changed.
index
By default send supports "index.html" files, to disable this
set false or to supply a new index pass a string or an array
in preferred order.
lastModified
Enable or disable Last-Modified header, defaults to true. Uses the file
system's last modified value.
maxAge
Provide a max-age in milliseconds for http caching, defaults to 0. This can also be a string accepted by the ms module.
root
Serve files relative to path.
start
Byte offset at which the stream starts, defaults to 0. The start is inclusive,
meaning start: 2 will include the 3rd byte in the stream.
Events
The SendStream is an event emitter and will emit the following events:
erroran error occurred(err)directorya directory was requested(res, path)filea file was requested(path, stat)headersthe headers are about to be set on a file(res, path, stat)streamfile streaming has started(stream)endstreaming has completed
.pipe
The pipe method is used to pipe the response into the Node.js HTTP response
object, typically send(req, path, options).pipe(res).
Error-handling
By default when no error listeners are present an automatic response will be
made, otherwise you have full control over the response, aka you may show a 5xx
page etc.
Caching
It does not perform internal caching, you should use a reverse proxy cache such as Varnish for this, or those fancy things called CDNs. If your application is small enough that it would benefit from single-node memory caching, it's small enough that it does not need caching at all ;).
Debugging
To enable debug() instrumentation output export DEBUG:
$ DEBUG=send node app
Running tests
$ npm install
$ npm test
Examples
Serve a specific file
This simple example will send a specific file to all requests.
1var http = require('http') 2var send = require('send') 3 4var server = http.createServer(function onRequest (req, res) { 5 send(req, '/path/to/index.html') 6 .pipe(res) 7}) 8 9server.listen(3000)
Serve all files from a directory
This simple example will just serve up all the files in a
given directory as the top-level. For example, a request
GET /foo.txt will send back /www/public/foo.txt.
1var http = require('http') 2var parseUrl = require('parseurl') 3var send = require('send') 4 5var server = http.createServer(function onRequest (req, res) { 6 send(req, parseUrl(req).pathname, { root: '/www/public' }) 7 .pipe(res) 8}) 9 10server.listen(3000)
Custom file types
1var extname = require('path').extname 2var http = require('http') 3var parseUrl = require('parseurl') 4var send = require('send') 5 6var server = http.createServer(function onRequest (req, res) { 7 send(req, parseUrl(req).pathname, { root: '/www/public' }) 8 .on('headers', function (res, path) { 9 switch (extname(path)) { 10 case '.x-mt': 11 case '.x-mtt': 12 // custom type for these extensions 13 res.setHeader('Content-Type', 'application/x-my-type') 14 break 15 } 16 }) 17 .pipe(res) 18}) 19 20server.listen(3000)
Custom directory index view
This is an example of serving up a structure of directories with a custom function to render a listing of a directory.
1var http = require('http') 2var fs = require('fs') 3var parseUrl = require('parseurl') 4var send = require('send') 5 6// Transfer arbitrary files from within /www/example.com/public/* 7// with a custom handler for directory listing 8var server = http.createServer(function onRequest (req, res) { 9 send(req, parseUrl(req).pathname, { index: false, root: '/www/public' }) 10 .once('directory', directory) 11 .pipe(res) 12}) 13 14server.listen(3000) 15 16// Custom directory handler 17function directory (res, path) { 18 var stream = this 19 20 // redirect to trailing slash for consistent url 21 if (!stream.hasTrailingSlash()) { 22 return stream.redirect(path) 23 } 24 25 // get directory list 26 fs.readdir(path, function onReaddir (err, list) { 27 if (err) return stream.error(err) 28 29 // render an index for the directory 30 res.setHeader('Content-Type', 'text/plain; charset=UTF-8') 31 res.end(list.join('\n') + '\n') 32 }) 33}
Serving from a root directory with custom error-handling
1var http = require('http') 2var parseUrl = require('parseurl') 3var send = require('send') 4 5var server = http.createServer(function onRequest (req, res) { 6 // your custom error-handling logic: 7 function error (err) { 8 res.statusCode = err.status || 500 9 res.end(err.message) 10 } 11 12 // your custom headers 13 function headers (res, path, stat) { 14 // serve all files for download 15 res.setHeader('Content-Disposition', 'attachment') 16 } 17 18 // your custom directory handling logic: 19 function redirect () { 20 res.statusCode = 301 21 res.setHeader('Location', req.url + '/') 22 res.end('Redirecting to ' + req.url + '/') 23 } 24 25 // transfer arbitrary files from within 26 // /www/example.com/public/* 27 send(req, parseUrl(req).pathname, { root: '/www/public' }) 28 .on('error', error) 29 .on('directory', redirect) 30 .on('headers', headers) 31 .pipe(res) 32}) 33 34server.listen(3000)
License
Moderate
5.3/10
Summary
Root Path Disclosure in send
Affected Versions
< 0.11.1
Patched Versions
0.11.1
Moderate
0/10
Summary
Moderate severity vulnerability that affects send
Affected Versions
< 0.8.4
Patched Versions
0.8.4
Low
5/10
Summary
send vulnerable to template injection that can lead to XSS
Affected Versions
< 0.19.0
Patched Versions
0.19.0
Low
0/10
Summary
Directory Traversal in send
Affected Versions
< 0.8.4
Patched Versions
0.8.4
Reason
no binaries found in the repo
Reason
16 out of 16 merged PRs checked by a CI test -- score normalized to 10
Reason
30 different organizations found -- score normalized to 10
Details
- Info: contributors work for ExpressGateway,MusicMapIo,Netflix,Node-Ops,apex,clibs,cojs,component,crypto-utils,expressjs,gohttp,jshttp,jstrace,koajs,migratejs,mysqljs,nanodb,netflix,nodejs,pillarjs,pkgjs,repo-utils,restify,reworkcss,senchalabs,slate,sprengnetter austria gmbh,stream-utils,visionmedia,zeromq
Reason
no dangerous workflow patterns detected
Reason
update tool detected
Details
- Info: tool 'Dependabot' is used: .github/dependabot.yml:1
Reason
license file detected
Details
- Info: License file found in expected location: LICENSE:1
- Info: FSF or OSI recognized license: LICENSE:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:14
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:78
- Warn: jobLevel 'checks' permission set to 'write': .github/workflows/ci.yml:79: Verify which permissions are needed and consider whether you can reduce them. (High effort)
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:19
Reason
no vulnerabilities detected
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/pillarjs/.github/SECURITY.md:1
- Info: Found linked content: github.com/pillarjs/.github/SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
- Info: Found text in security policy: github.com/pillarjs/.github/SECURITY.md:1
Reason
found 5 unreviewed changesets out of 19 -- score normalized to 7
Reason
SAST tool detected but not run on all commits
Details
- Warn: 3 commits out of 27 are checked with a SAST tool
- Info: SAST tool detected: CodeQL
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/send/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:63
- Info: 6 out of 13 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 2 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
3 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 2
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
- Warn: branch protection not enabled for branch 'v0.x'
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project: QuickCheck: https://hackage.haskell.org/package/QuickCheck hedgehog: https://hedgehog.qa/ validity: https://github.com/NorfairKing/validity smallcheck: https://hackage.haskell.org/package/smallcheck hspec: https://hspec.github.io/ tasty: https://hackage.haskell.org/package/tasty (High effort)
- Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
- Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
Score
6.9
/10
Last Scanned on 2025-06-30T21:29:54Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More