Gathering detailed insights and metrics for serve-static
Gathering detailed insights and metrics for serve-static
Gathering detailed insights and metrics for serve-static
Gathering detailed insights and metrics for serve-static
npm install serve-static
Module System
Unable to determine the module system for this package.
Min. Node Version
Typescript Support
Node Version
NPM Version
1,401 Stars
371 Commits
230 Forks
32 Watching
13 Branches
37 Contributors
Updated on 26 Nov 2024
JavaScript (100%)
Cumulative downloads
Total Downloads
Last day
-6.9%
6,369,125
Compared to previous day
Last week
1.8%
37,369,422
Compared to previous week
Last month
7.3%
156,009,314
Compared to previous month
Last year
5.3%
1,571,718,235
Compared to previous year
This is a Node.js module available through the
npm registry. Installation is done using the
npm install
command:
1$ npm install serve-static
1var serveStatic = require('serve-static')
Create a new middleware function to serve files from within a given root
directory. The file to serve will be determined by combining req.url
with the provided root directory. When a file is not found, instead of
sending a 404 response, this module will instead call next()
to move on
to the next middleware, allowing for stacking and fall-backs.
Enable or disable accepting ranged requests, defaults to true.
Disabling this will not send Accept-Ranges
and ignore the contents
of the Range
request header.
Enable or disable setting Cache-Control
response header, defaults to
true. Disabling this will ignore the immutable
and maxAge
options.
Set how "dotfiles" are treated when encountered. A dotfile is a file
or directory that begins with a dot ("."). Note this check is done on
the path itself without checking if the path actually exists on the
disk. If root
is specified, only the dotfiles above the root are
checked (i.e. the root itself can be within a dotfile when set
to "deny").
'allow'
No special treatment for dotfiles.'deny'
Deny a request for a dotfile and 403/next()
.'ignore'
Pretend like the dotfile does not exist and 404/next()
.The default value is 'ignore'
.
Enable or disable etag generation, defaults to true.
Set file extension fallbacks. When set, if a file is not found, the given
extensions will be added to the file name and search for. The first that
exists will be served. Example: ['html', 'htm']
.
The default value is false
.
Set the middleware to have client errors fall-through as just unhandled
requests, otherwise forward a client error. The difference is that client
errors like a bad request or a request to a non-existent file will cause
this middleware to simply next()
to your next middleware when this value
is true
. When this value is false
, these errors (even 404s), will invoke
next(err)
.
Typically true
is desired such that multiple physical directories can be
mapped to the same web address or for routes to fill in non-existent files.
The value false
can be used if this middleware is mounted at a path that
is designed to be strictly a single file system directory, which allows for
short-circuiting 404s for less overhead. This middleware will also reply to
all methods.
The default value is true
.
Enable or disable the immutable
directive in the Cache-Control
response
header, defaults to false
. If set to true
, the maxAge
option should
also be specified to enable caching. The immutable
directive will prevent
supported clients from making conditional requests during the life of the
maxAge
option to check if the file has changed.
By default this module will send "index.html" files in response to a request
on a directory. To disable this set false
or to supply a new index pass a
string or an array in preferred order.
Enable or disable Last-Modified
header, defaults to true. Uses the file
system's last modified value.
Provide a max-age in milliseconds for http caching, defaults to 0. This can also be a string accepted by the ms module.
Redirect to trailing "/" when the pathname is a dir. Defaults to true
.
Function to set custom headers on response. Alterations to the headers need to
occur synchronously. The function is called as fn(res, path, stat)
, where
the arguments are:
res
the response objectpath
the file path that is being sentstat
the stat object of the file that is being sent1var finalhandler = require('finalhandler') 2var http = require('http') 3var serveStatic = require('serve-static') 4 5// Serve up public/ftp folder 6var serve = serveStatic('public/ftp', { index: ['index.html', 'index.htm'] }) 7 8// Create server 9var server = http.createServer(function onRequest (req, res) { 10 serve(req, res, finalhandler(req, res)) 11}) 12 13// Listen 14server.listen(3000)
1var contentDisposition = require('content-disposition') 2var finalhandler = require('finalhandler') 3var http = require('http') 4var serveStatic = require('serve-static') 5 6// Serve up public/ftp folder 7var serve = serveStatic('public/ftp', { 8 index: false, 9 setHeaders: setHeaders 10}) 11 12// Set header to force download 13function setHeaders (res, path) { 14 res.setHeader('Content-Disposition', contentDisposition(path)) 15} 16 17// Create server 18var server = http.createServer(function onRequest (req, res) { 19 serve(req, res, finalhandler(req, res)) 20}) 21 22// Listen 23server.listen(3000)
This is a simple example of using Express.
1var express = require('express') 2var serveStatic = require('serve-static') 3 4var app = express() 5 6app.use(serveStatic('public/ftp', { index: ['default.html', 'default.htm'] })) 7app.listen(3000)
This example shows a simple way to search through multiple directories.
Files are searched for in public-optimized/
first, then public/
second
as a fallback.
1var express = require('express') 2var path = require('path') 3var serveStatic = require('serve-static') 4 5var app = express() 6 7app.use(serveStatic(path.join(__dirname, 'public-optimized'))) 8app.use(serveStatic(path.join(__dirname, 'public'))) 9app.listen(3000)
This example shows how to set a different max age depending on the served file. In this example, HTML files are not cached, while everything else is for 1 day.
1var express = require('express') 2var path = require('path') 3var serveStatic = require('serve-static') 4 5var app = express() 6 7app.use(serveStatic(path.join(__dirname, 'public'), { 8 maxAge: '1d', 9 setHeaders: setCustomCacheControl 10})) 11 12app.listen(3000) 13 14function setCustomCacheControl (res, file) { 15 if (path.extname(file) === '.html') { 16 // Custom Cache-Control for HTML files 17 res.setHeader('Cache-Control', 'public, max-age=0') 18 } 19}
The latest stable version of the package.
Stable Version
4
5/10
Summary
serve-static vulnerable to template injection that can lead to XSS
Affected Versions
>= 2.0.0, < 2.1.0
Patched Versions
2.1.0
5/10
Summary
serve-static vulnerable to template injection that can lead to XSS
Affected Versions
< 1.16.0
Patched Versions
1.16.0
3.1/10
Summary
Open Redirect in serve-static
Affected Versions
>= 1.7.0, < 1.7.2
Patched Versions
1.7.2
3.1/10
Summary
Open Redirect in serve-static
Affected Versions
< 1.6.5
Patched Versions
1.7.2
Reason
no binaries found in the repo
Reason
16 different organizations found -- score normalized to 10
Details
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
Reason
security policy file detected
Details
Reason
no vulnerabilities detected
Reason
7 out of 8 merged PRs checked by a CI test -- score normalized to 8
Reason
4 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 3
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
Reason
found 15 unreviewed changesets out of 19 -- score normalized to 2
Reason
branch protection not enabled on development/release branches
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
no update tool detected
Details
Reason
project is not fuzzed
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Score
Last Scanned on 2024-11-25T21:22:25Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More