wrangler-publisher

@cloudflare/kv-asset-handler

Error

Ignore

Warn

License

Maintenance

Miscellaneous

Quality

Supply chain risk

Vulnerability

Admins only

Organization members

Dashboard

<upgradeLink>Upgrade</upgradeLink> to access this feature

About

Blog

Socket CLI

Customers

Socket Dependency Search

Docs

Socket for GitHub

Love

Impersonation Mode Active

Update your browser to the latest version for the best experience.

Your web browser is outdated

Use another browser for the best experience.

Your web browser is unsupported

{{count, number}} commits last two months

{{count, number}} critical severity alert

{{count, number}} critical severity alerts

{{count, number}} dependency vulnerability

{{count, number}} dependency vulnerabilities

{{count, number}} development dependencies

{{count, number}} transitive dependencies

{{count, number}} version published last month

{{count, number}} versions published last month

{{count, number}} version published in last two months

{{count, number}} versions published in last two months

{{count, number}} version published last week

{{count, number}} versions published last week

{{count, number}} version published last year

{{count, number}} versions published last year

Socket undergoes annual SOC2 Type II audits. Socket customers can request a copy of the full SOC2 Type II report.

Allows organization owners and admins to access detailed records of actions taken by members of their organization, complete with timestamps.

Prevent compromised packages from infiltrating your supply chain by monitoring for changes in real-time.

Join our Discord community to get help from Socket engineers and other Socket users.

Compare millions of open source packages on socket.dev

Detect malicious code and risky behavior (e.g. network) in your dependencies using "deep package inspection"

All data is encrypted in transit and at rest using industry standard encryption algorithms.

Get a dedicated Socket account manager and access to Socket’s Customer Success team.

Get dedicated support from Socket engineers via email and Slack.

"Shift left" with the Socket Chrome extension and give intervene early, before developers choose risky or low quality dependencies.

Catch developers using risky dependencies and give them a "speed bump" to encourage good behavior

Install the Socket GitHub app to receive real-time dependency scanning and reports with every pull request.

Integrate Socket into your GitHub SCM to prevent risky dependencies from being installed.

Socket scans for vulnerabilities in your dependencies, including CVEs, security advisories, and more.

Socket supports dependencies in many languages, with most popular ecosystems coming in 2024. We've got you covered no matter what languages you use.

Enforce license policies across your organization

Receive a Microsoft Teams message to the channel of your choice anytime Socket runs a new analysis, has a new finding, or a policy has changed.

Get help migrating from Socket's free plan to Socket's paid plans.

Run Socket on-premises or in your own cloud environment.

Query for any dependency (at any version) across your entire organization

Integrate Socket into your CI/CD pipeline to prevent risky dependencies from being deployed to production.

Analyze an entire project to find supply chain risks

Tag projects to organize and filter your projects

Restrict access based on the roles of individual users within an organization.

Receive a Slack message to the channel of your choice anytime Socket runs a new analysis, has a new finding, or a policy has changed.

Socket is SOC2 Type II compliant and undergoes annual audits.

The Socket CLI allows teams to prevent risky dependencies from being installed, and to get dependency insights from the command line.

Socket supports SAML SSO for single sign-on and identity management.

Integrate Socket into your VS Code IDE to prevent risky dependencies from being installed.

Get a POST request anytime Socket runs a new analysis, has a new finding, or a policy has changed.

Socket will analyzed your SBOMs up to a maximum number of dependencies.

API that allows you to analyze a project, lookup package scores and alerts, and more.

Create API tokens to authenticate with the Socket API and CLI.

The number of developers in your team. A developer is someone who made a commit to your organization's repositories scanned by Socket in the past month.

Use Socket to protect your private repositories.

Socket is always free for open source projects.

Socket retains all reporting data for 3 months, 1 year, or a custom term of your choice.

Access the threat feed that powers Socket.

Unlimited scale, self-hosting, and priority support for large teams.

For open-source projects, individuals, and small teams.

For growing teams with enhanced scale, security, and support.

There is a package with a similar name that is downloaded much more often.

There are packages with similar names that are downloaded much more often.

This may not be the package you want!

Instance

Alert Locations

Package

The {{ecosystem}} package {{- packageName}} receives a total of <strong>{{numWeeklyDownloadCount, number}}</strong> weekly downloads. As such, {{- packageName}} popularity was classified as <strong>{{popularity}}</strong>.

Is {{- packageName}} popular?

Is {{- packageName}} safe to use?

Is {{- packageName}} well maintained?

What is {{- packageName}}?

{{packageDescription}}Version: {{versionString}} was published by {{publisherName}}. Start using Socket to analyze {{- packageName}} and its {{dependencyCount, number}} dependencies to secure your app from supply chain attacks.

Sorry, it seems this package was removed from the registry

Package was removed

This package version has been unpublished, mostly likely due to security reasons

Package version was removed

Provide a detailed description of the malware...

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.

Socket - Secure your dependencies. Ship with confidence.

Compare versions

{{- packageName}} - npm Package Compare versions

Object.defineProperty(exports, "__esModule", { value: true });

exports.InternalError = exports.NotFoundError = exports.MethodNotAllowedError = exports.serveSinglePageApp = exports.mapRequestToAsset = exports.getAssetFromKV = void 0;

Object.defineProperty(exports, "MethodNotAllowedError", { enumerable: true, get: function () { return types_1.MethodNotAllowedError; } });

Object.defineProperty(exports, "NotFoundError", { enumerable: true, get: function () { return types_1.NotFoundError; } });

Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return types_1.InternalError; } });

    bypassCache: false, // do not bypass Cloudflare's cache

const parseStringAsObject = (maybeString) => typeof maybeString === 'string' ? JSON.parse(maybeString) : maybeString;

    ASSET_NAMESPACE: typeof __STATIC_CONTENT !== 'undefined' ? __STATIC_CONTENT : undefined,

    ASSET_MANIFEST: typeof __STATIC_CONTENT_MANIFEST !== 'undefined'

        ? parseStringAsObject(__STATIC_CONTENT_MANIFEST)

    // Assign any missing options passed in to the default

    // options.mapRequestToAsset is handled manually later

    return Object.assign({}, getAssetFromKVDefaultOptions, options);

 * maps the path of incoming request to the request pathKey to look up

 * e.g.  for a path '/' returns '/index.html' which serves

 * @param {Request} request incoming request

const mapRequestToAsset = (request, options) => {

    const parsedUrl = new URL(request.url);

        // If path looks like a directory append options.defaultDocument

        // e.g. If path is /about/ -> /about/index.html

        pathname = pathname.concat(options.defaultDocument);

        // If path doesn't look like valid content

        //  e.g. /about.me ->  /about.me/index.html

        pathname = pathname.concat('/' + options.defaultDocument);

    return new Request(parsedUrl.toString(), request);

exports.mapRequestToAsset = mapRequestToAsset;

 * maps the path of incoming request to /index.html if it evaluates to

function serveSinglePageApp(request, options) {

    // First apply the default handler, which already has logic to detect

    // paths that should map to HTML files.

    request = mapRequestToAsset(request, options);

    // Detect if the default handler decided to map to

    // a HTML file in some specific directory.

    if (parsedUrl.pathname.endsWith('.html')) {

        // If expected HTML file was missing, just return the root index.html (or options.defaultDocument)

        return new Request(`${parsedUrl.origin}/${options.defaultDocument}`, request);

        // The default handler decided this is not an HTML page. It's probably

        // an image, CSS, or JS file. Leave it as-is.

exports.serveSinglePageApp = serveSinglePageApp;

const getAssetFromKV = async (event, options) => {

    const ASSET_NAMESPACE = options.ASSET_NAMESPACE;

    const ASSET_MANIFEST = parseStringAsObject(options.ASSET_MANIFEST);

    if (typeof ASSET_NAMESPACE === 'undefined') {

        throw new types_1.InternalError(`there is no KV namespace bound to the script`);

    const rawPathKey = new URL(request.url).pathname.replace(/^\/+/, ''); // strip any preceding /'s

    let pathIsEncoded = options.pathIsEncoded;

    // if options.mapRequestToAsset is explicitly passed in, always use it and assume user has own intentions

    // otherwise handle request as normal, with default mapRequestToAsset below

        requestKey = options.mapRequestToAsset(request);

    else if (ASSET_MANIFEST[rawPathKey]) {

    else if (ASSET_MANIFEST[decodeURIComponent(rawPathKey)]) {

        const mappedRequest = mapRequestToAsset(request);

        const mappedRawPathKey = new URL(mappedRequest.url).pathname.replace(/^\/+/, '');

        if (ASSET_MANIFEST[decodeURIComponent(mappedRawPathKey)]) {

            // use default mapRequestToAsset

            requestKey = mapRequestToAsset(request, options);

	"description": "Routes requests to KV assets",

		"format": "prettier --write \"**/*.{js,ts,json,md}\"",

		"lint:code": "prettier --check \"**/*.{js,ts,json,md}\"",

		"lint:markdown": "markdownlint \"**/*.md\" --ignore node_modules",

		"url": "git+https://github.com/cloudflare/kv-asset-handler.git"

		"url": "https://github.com/cloudflare/kv-asset-handler/issues"

	"homepage": "https://github.com/cloudflare/kv-asset-handler#readme",

		"@cloudflare/workers-types": "^4.20221111.1",

		"@cloudflare/workers-types": "^4.20231218.0",

[![npm](https://img.shields.io/npm/v/@cloudflare/kv-asset-handler.svg)](https://www.npmjs.com/package/@cloudflare/kv-asset-handler) &nbsp;

[![Run npm tests](https://github.com/cloudflare/kv-asset-handler/actions/workflows/test.yml/badge.svg)](https://github.com/cloudflare/kv-asset-handler/actions/workflows/test.yml) &nbsp;

[![Lint Markdown](https://github.com/cloudflare/kv-asset-handler/actions/workflows/lint.yml/badge.svg)](https://github.com/cloudflare/kv-asset-handler/actions/workflows/lint.yml) &nbsp;

`kv-asset-handler` is an open-source library for managing the retrieval of static assets from [Workers KV](https://developers.cloudflare.com/workers/runtime-apis/kv) inside of a [Cloudflare Workers](https://workers.dev) function. `kv-asset-handler` is designed for use with [Workers Sites](https://developers.cloudflare.com/workers/platform/sites), a feature included in [Wrangler](https://github.com/cloudflare/wrangler), our command-line tool for deploying Workers projects.

`kv-asset-handler` runs as part of a Cloudflare Workers function, so it allows you to customize _how_ and _when_ your static assets are loaded, as well as customize how those assets behave before they're sent to the client.

Most users and sites will not need these customizations, and just want to serve their statically built applications. For that simple use-case, you can check out [Cloudflare Pages](https://pages.cloudflare.com), our batteries-included approach to deploying static sites on Cloudflare's edge network. Workers Sites was designed as a precursor to Cloudflare Pages, so check out Pages if you just want to deploy your static site without any special customizations!

For users who _do_ want to customize their assets, and want to build complex experiences on top of their static assets, `kv-asset-handler` (and the default [Workers Sites template](https://github.com/cloudflare/worker-sites-template), which is provided for use with Wrangler + Workers Sites) allows you to customize caching behavior, headers, and anything else about how your Workers function loads the static assets for your site stored in Workers KV.

The Cloudflare Workers Discord server is an active place where Workers users get help, share feedback, and collaborate on making our platform better. The `#workers` channel in particular is a great place to chat about `kv-asset-handler`, and building cool experiences for your users using these tools! If you have questions, want to share what you're working on, or give feedback, [join us in Discord and say hello](https://discord.gg/cloudflaredev)!

  * [Optional Arguments](#optional-arguments)

    - [`mapRequestToAsset`](#-maprequesttoasset)

    - [`mapRequestToAsset`](#maprequesttoasset)

    - [`ASSET_NAMESPACE` (required for ES Modules)](#asset_namespace-required-for-es-modules)

    - [`ASSET_MANIFEST` (required for ES Modules)](#asset_manifest-required-for-es-modules)

    - [`defaultETag`](#defaultetag-optional)

  - [`mapRequestToAsset`](#maprequesttoasset-1)

  - [`serveSinglePageApp`](#servesinglepageapp)

* [Cache revalidation and etags](#cache-revalidation-and-etags)

Add this package to your `package.json` by running this in the root of your

This package was designed to work with [Worker Sites](https://workers.cloudflare.com/sites).

`getAssetFromKV` is an async function that takes an `Evt` object (containing a `Request` and a [`waitUntil`](https://developers.cloudflare.com/workers/runtime-apis/fetch-event#waituntil)) and returns a `Response` object if the request matches an asset in KV, otherwise it will throw a `KVError`.

This example checks for the existence of a value in KV, and returns it if it's there, and returns a 404 if it is not. It also serves index.html from `/`.

`getAssetFromKV` returns a `Promise<Response>` with `Response` being the body of the asset requested.

import { getAssetFromKV, NotFoundError, MethodNotAllowedError } from '@cloudflare/kv-asset-handler'

import manifestJSON from '__STATIC_CONTENT_MANIFEST'

const assetManifest = JSON.parse(manifestJSON)

						ASSET_NAMESPACE: env.__STATIC_CONTENT,

				} else if (e instanceof MethodNotAllowedError) {

					return new Response('An unexpected error occurred', { status: 500 })

	if (event.request.url.includes('/docs')) {

			} else if (e instanceof MethodNotAllowedError) {

		@@ -11,3 +11,3 @@ "use strict";
		browserTTL: null,
		edgeTTL: 2 * 60 * 60 * 24,
		edgeTTL: 2 * 60 * 60 * 24, // 2 days
		bypassCache: false, // do not bypass Cloudflare's cache
		@@ -14,0 +14,0 @@ };

		{
		"name": "@cloudflare/kv-asset-handler",
		"version": "0.3.0",
		"version": "0.3.1",
		"description": "Routes requests to KV assets",
		@@ -30,2 +30,4 @@ "main": "dist/index.js",
		"dist",
		"!src/test",
		"!dist/test",
		"LICENSE_APACHE",
		@@ -44,11 +46,11 @@ "LICENSE_MIT"
		"devDependencies": {
		"@ava/typescript": "^3.0.1",
		"@cloudflare/workers-types": "^4.20221111.1",
		"@types/mime": "^3.0.1",
		"@ava/typescript": "^4.1.0",
		"@cloudflare/workers-types": "^4.20231218.0",
		"@types/mime": "^3.0.4",
		"@types/node": "^18.11.12",
		"ava": "^5.1.0",
		"prettier": "^2.8.1",
		"ava": "^6.0.1",
		"prettier": "^3.2.2",
		"service-worker-mock": "^2.0.5",
		"typescript": "^4.9.4"
		"typescript": "^5.3.3"
		}
		}
		}

		@@ -19,9 +19,9 @@ # @cloudflare/kv-asset-handler
		- [Usage](#usage)
		- [`getAssetFromKV`](#-getassetfromkv)
		- [`getAssetFromKV`](#getassetfromkv)
		- [Example](#example)
		* [Return](#return)
		* [Optional Arguments](#optional-arguments)
		- [`mapRequestToAsset`](#-maprequesttoasset)
		- [`mapRequestToAsset`](#maprequesttoasset)
		- [Example](#example-1)
		- [`cacheControl`](#-cachecontrol)
		- [`cacheControl`](#cachecontrol)
		- [`browserTTL`](#browserttl)
		@@ -28,0 +28,0 @@ - [`edgeTTL`](#edgettl)

New alerts

Worsened metrics