Gathering detailed insights and metrics for serve-static
Gathering detailed insights and metrics for serve-static
Installations
npm install serve-staticScore
94.5
Supply Chain
98.4
Quality
82.7
Maintenance
100
Vulnerability
100
License
Developer
expressjs
Developer Guide
BETA
Module System
Unable to determine the module system for this package.
Min. Node Version
>= 0.8.0
Typescript Support
No
Node Version
22.2.0
NPM Version
10.7.0
Statistics
1,401 Stars
371 Commits
230 Forks
32 Watching
13 Branches
37 Contributors
Updated on 26 Nov 2024
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
6,912,932,772
Last day
-6.9%
6,369,125
Compared to previous day
Last week
1.8%
37,369,422
Compared to previous week
Last month
7.3%
156,009,314
Compared to previous month
Last year
5.3%
1,571,718,235
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
serve-static
Install
This is a Node.js module available through the
npm registry. Installation is done using the
npm install command:
1$ npm install serve-static
API
1var serveStatic = require('serve-static')
serveStatic(root, options)
Create a new middleware function to serve files from within a given root
directory. The file to serve will be determined by combining req.url
with the provided root directory. When a file is not found, instead of
sending a 404 response, this module will instead call next() to move on
to the next middleware, allowing for stacking and fall-backs.
Options
acceptRanges
Enable or disable accepting ranged requests, defaults to true.
Disabling this will not send Accept-Ranges and ignore the contents
of the Range request header.
cacheControl
Enable or disable setting Cache-Control response header, defaults to
true. Disabling this will ignore the immutable and maxAge options.
dotfiles
Set how "dotfiles" are treated when encountered. A dotfile is a file
or directory that begins with a dot ("."). Note this check is done on
the path itself without checking if the path actually exists on the
disk. If root is specified, only the dotfiles above the root are
checked (i.e. the root itself can be within a dotfile when set
to "deny").
'allow'No special treatment for dotfiles.'deny'Deny a request for a dotfile and 403/next().'ignore'Pretend like the dotfile does not exist and 404/next().
The default value is 'ignore'.
etag
Enable or disable etag generation, defaults to true.
extensions
Set file extension fallbacks. When set, if a file is not found, the given
extensions will be added to the file name and search for. The first that
exists will be served. Example: ['html', 'htm'].
The default value is false.
fallthrough
Set the middleware to have client errors fall-through as just unhandled
requests, otherwise forward a client error. The difference is that client
errors like a bad request or a request to a non-existent file will cause
this middleware to simply next() to your next middleware when this value
is true. When this value is false, these errors (even 404s), will invoke
next(err).
Typically true is desired such that multiple physical directories can be
mapped to the same web address or for routes to fill in non-existent files.
The value false can be used if this middleware is mounted at a path that
is designed to be strictly a single file system directory, which allows for
short-circuiting 404s for less overhead. This middleware will also reply to
all methods.
The default value is true.
immutable
Enable or disable the immutable directive in the Cache-Control response
header, defaults to false. If set to true, the maxAge option should
also be specified to enable caching. The immutable directive will prevent
supported clients from making conditional requests during the life of the
maxAge option to check if the file has changed.
index
By default this module will send "index.html" files in response to a request
on a directory. To disable this set false or to supply a new index pass a
string or an array in preferred order.
lastModified
Enable or disable Last-Modified header, defaults to true. Uses the file
system's last modified value.
maxAge
Provide a max-age in milliseconds for http caching, defaults to 0. This can also be a string accepted by the ms module.
redirect
Redirect to trailing "/" when the pathname is a dir. Defaults to true.
setHeaders
Function to set custom headers on response. Alterations to the headers need to
occur synchronously. The function is called as fn(res, path, stat), where
the arguments are:
resthe response objectpaththe file path that is being sentstatthe stat object of the file that is being sent
Examples
Serve files with vanilla node.js http server
1var finalhandler = require('finalhandler') 2var http = require('http') 3var serveStatic = require('serve-static') 4 5// Serve up public/ftp folder 6var serve = serveStatic('public/ftp', { index: ['index.html', 'index.htm'] }) 7 8// Create server 9var server = http.createServer(function onRequest (req, res) { 10 serve(req, res, finalhandler(req, res)) 11}) 12 13// Listen 14server.listen(3000)
Serve all files as downloads
1var contentDisposition = require('content-disposition') 2var finalhandler = require('finalhandler') 3var http = require('http') 4var serveStatic = require('serve-static') 5 6// Serve up public/ftp folder 7var serve = serveStatic('public/ftp', { 8 index: false, 9 setHeaders: setHeaders 10}) 11 12// Set header to force download 13function setHeaders (res, path) { 14 res.setHeader('Content-Disposition', contentDisposition(path)) 15} 16 17// Create server 18var server = http.createServer(function onRequest (req, res) { 19 serve(req, res, finalhandler(req, res)) 20}) 21 22// Listen 23server.listen(3000)
Serving using express
Simple
This is a simple example of using Express.
1var express = require('express') 2var serveStatic = require('serve-static') 3 4var app = express() 5 6app.use(serveStatic('public/ftp', { index: ['default.html', 'default.htm'] })) 7app.listen(3000)
Multiple roots
This example shows a simple way to search through multiple directories.
Files are searched for in public-optimized/ first, then public/ second
as a fallback.
1var express = require('express') 2var path = require('path') 3var serveStatic = require('serve-static') 4 5var app = express() 6 7app.use(serveStatic(path.join(__dirname, 'public-optimized'))) 8app.use(serveStatic(path.join(__dirname, 'public'))) 9app.listen(3000)
Different settings for paths
This example shows how to set a different max age depending on the served file. In this example, HTML files are not cached, while everything else is for 1 day.
1var express = require('express') 2var path = require('path') 3var serveStatic = require('serve-static') 4 5var app = express() 6 7app.use(serveStatic(path.join(__dirname, 'public'), { 8 maxAge: '1d', 9 setHeaders: setCustomCacheControl 10})) 11 12app.listen(3000) 13 14function setCustomCacheControl (res, file) { 15 if (path.extname(file) === '.html') { 16 // Custom Cache-Control for HTML files 17 res.setHeader('Cache-Control', 'public, max-age=0') 18 } 19}
License
Stable Version
The latest stable version of the package.
Stable Version
2.1.0
LOW
4
LOW
5/10
Summary
serve-static vulnerable to template injection that can lead to XSS
Affected Versions
>= 2.0.0, < 2.1.0
Patched Versions
2.1.0
LOW
5/10
Summary
serve-static vulnerable to template injection that can lead to XSS
Affected Versions
< 1.16.0
Patched Versions
1.16.0
LOW
3.1/10
Summary
Open Redirect in serve-static
Affected Versions
>= 1.7.0, < 1.7.2
Patched Versions
1.7.2
LOW
3.1/10
Summary
Open Redirect in serve-static
Affected Versions
< 1.6.5
Patched Versions
1.7.2
Reason
no binaries found in the repo
Reason
16 different organizations found -- score normalized to 10
Details
- Info: contributors work for ExpressGateway,MusicMapIo,Netflix,Node-Ops,crypto-utils,expressjs,jshttp,migratejs,mysqljs,netflix,nodejs,pillarjs,pkgjs,repo-utils,restify,stream-utils
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: License file found in expected location: LICENSE:1
- Info: FSF or OSI recognized license: LICENSE:1
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no vulnerabilities detected
Reason
7 out of 8 merged PRs checked by a CI test -- score normalized to 8
Reason
4 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 3
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/serve-static/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/serve-static/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/serve-static/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:48
- Info: 3 out of 4 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 3 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
found 15 unreviewed changesets out of 19 -- score normalized to 2
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
- Warn: branch protection not enabled for branch '1.x'
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
no update tool detected
Details
- Warn: tool 'RenovateBot' is not used: Follow the instructions from https://docs.renovatebot.com/configuration-options/. (Low effort)
- Warn: tool 'Dependabot' is not used: Follow the instructions from https://docs.github.com/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates. (Low effort)
- Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs. (Low effort)
- Warn: tool 'Sonatype Lift' is not used: Follow the instructions from https://help.sonatype.com/lift/getting-started. (Low effort)
Reason
project is not fuzzed
Details
- Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project: QuickCheck: https://hackage.haskell.org/package/QuickCheck hedgehog: https://hedgehog.qa/ validity: https://github.com/NorfairKing/validity smallcheck: https://hackage.haskell.org/package/smallcheck hspec: https://hspec.github.io/ tasty: https://hackage.haskell.org/package/tasty (High effort)
- Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
- Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 19 are checked with a SAST tool
- Warn: CodeQL tool not detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1: Visit https://app.stepsecurity.io/secureworkflow/expressjs/serve-static/ci.yml/master?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:19
- Info: no jobLevel write permissions found
Score
4.6
/10
Last Scanned on 2024-11-25T21:22:25Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More