A node.js module for parsing form data, especially file uploads. 

kornel

grossacasacs

tunnckocore

felixge

quantumsheep

formidable

svnlto

superjoe

tim-smart

Error

Ignore

Warn

License

Maintenance

Miscellaneous

Quality

Supply chain risk

Vulnerability

Admins only

Organization members

Dashboard

<upgradeLink>Upgrade</upgradeLink> to access this feature

About

Blog

Socket CLI

Customers

Socket Dependency Search

Docs

Socket for GitHub

Love

Impersonation Mode Active

Update your browser to the latest version for the best experience.

Your web browser is outdated

Use another browser for the best experience.

Your web browser is unsupported

{{count, number}} commits last two months

{{count, number}} critical severity alert

{{count, number}} critical severity alerts

{{count, number}} dependency vulnerability

{{count, number}} dependency vulnerabilities

{{count, number}} development dependencies

{{count, number}} transitive dependencies

{{count, number}} version published last month

{{count, number}} versions published last month

{{count, number}} version published in last two months

{{count, number}} versions published in last two months

{{count, number}} version published last week

{{count, number}} versions published last week

{{count, number}} version published last year

{{count, number}} versions published last year

Socket undergoes annual SOC2 Type II audits. Socket customers can request a copy of the full SOC2 Type II report.

Allows organization owners and admins to access detailed records of actions taken by members of their organization, complete with timestamps.

Prevent compromised packages from infiltrating your supply chain by monitoring for changes in real-time.

Join our Discord community to get help from Socket engineers and other Socket users.

Compare millions of open source packages on socket.dev

Detect malicious code and risky behavior (e.g. network) in your dependencies using "deep package inspection"

All data is encrypted in transit and at rest using industry standard encryption algorithms.

Get a dedicated Socket account manager and access to Socket’s Customer Success team.

Get dedicated support from Socket engineers via email and Slack.

"Shift left" with the Socket Chrome extension and give intervene early, before developers choose risky or low quality dependencies.

Catch developers using risky dependencies and give them a "speed bump" to encourage good behavior

Install the Socket GitHub app to receive real-time dependency scanning and reports with every pull request.

Integrate Socket into your GitHub SCM to prevent risky dependencies from being installed.

Socket scans for vulnerabilities in your dependencies, including CVEs, security advisories, and more.

Socket supports dependencies in many languages, with most popular ecosystems coming in 2024. We've got you covered no matter what languages you use.

Enforce license policies across your organization

Receive a Microsoft Teams message to the channel of your choice anytime Socket runs a new analysis, has a new finding, or a policy has changed.

Get help migrating from Socket's free plan to Socket's paid plans.

Run Socket on-premises or in your own cloud environment.

Query for any dependency (at any version) across your entire organization

Integrate Socket into your CI/CD pipeline to prevent risky dependencies from being deployed to production.

Analyze an entire project to find supply chain risks

Tag projects to organize and filter your projects

Restrict access based on the roles of individual users within an organization.

Receive a Slack message to the channel of your choice anytime Socket runs a new analysis, has a new finding, or a policy has changed.

Socket is SOC2 Type II compliant and undergoes annual audits.

The Socket CLI allows teams to prevent risky dependencies from being installed, and to get dependency insights from the command line.

Socket supports SAML SSO for single sign-on and identity management.

Integrate Socket into your VS Code IDE to prevent risky dependencies from being installed.

Get a POST request anytime Socket runs a new analysis, has a new finding, or a policy has changed.

Socket will analyzed your SBOMs up to a maximum number of dependencies.

API that allows you to analyze a project, lookup package scores and alerts, and more.

Create API tokens to authenticate with the Socket API and CLI.

The number of developers in your team. A developer is someone who made a commit to your organization's repositories scanned by Socket in the past month.

Use Socket to protect your private repositories.

Socket is always free for open source projects.

Socket retains all reporting data for 3 months, 1 year, or a custom term of your choice.

Access the threat feed that powers Socket.

Unlimited scale, self-hosting, and priority support for large teams.

For open-source projects, individuals, and small teams.

For growing teams with enhanced scale, security, and support.

There is a package with a similar name that is downloaded much more often.

There are packages with similar names that are downloaded much more often.

This may not be the package you want!

Instance

Alert Locations

Package

The {{ecosystem}} package {{- packageName}} receives a total of <strong>{{numWeeklyDownloadCount, number}}</strong> weekly downloads. As such, {{- packageName}} popularity was classified as <strong>{{popularity}}</strong>.

Is {{- packageName}} popular?

Is {{- packageName}} safe to use?

Is {{- packageName}} well maintained?

What is {{- packageName}}?

{{packageDescription}}Version: {{versionString}} was published by {{publisherName}}. Start using Socket to analyze {{- packageName}} and its {{dependencyCount, number}} dependencies to secure your app from supply chain attacks.

Sorry, it seems this package was removed from the registry

Package was removed

This package version has been unpublished, mostly likely due to security reasons

Package version was removed

Provide a detailed description of the malware...

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.

Socket - Secure your dependencies. Ship with confidence.

Compare versions

{{- packageName}} - npm Package Compare versions

if (global.GENTLY) require = GENTLY.hijack(require);

    MultipartParser = require('./multipart_parser').MultipartParser,

    QuerystringParser = require('./querystring_parser').QuerystringParser,

    OctetParser       = require('./octet_parser').OctetParser,

    JSONParser = require('./json_parser').JSONParser,

    StringDecoder = require('string_decoder').StringDecoder,

    EventEmitter = require('events').EventEmitter,

  if (!(this instanceof IncomingForm)) return new IncomingForm(opts);

  this.maxFields = opts.maxFields || 1000;

  this.maxFieldsSize = opts.maxFieldsSize || 2 * 1024 * 1024;

  this.keepExtensions = opts.keepExtensions || false;

  this.uploadDir = opts.uploadDir || os.tmpDir();

  this.encoding = opts.encoding || 'utf-8';

  this.multiples = opts.multiples || false;

util.inherits(IncomingForm, EventEmitter);

IncomingForm.prototype.parse = function(req, cb) {

        // before it was completed, crash & burn

  // Setup callback first, so we don't miss anything from data events emitted

      .on('field', function(name, value) {

            if (!Array.isArray(files[name])) {

              files[name] = [files[name]];

IncomingForm.prototype._uploadPath = function(filename) {

    name += Math.floor(Math.random() * 16).toString(16);

    name += ('0' + buf[i].toString(16)).slice(-2);

    ext     = ext.replace(/(\.[a-z0-9]+).*/i, '$1');

  return path.join(this.uploadDir, name);

IncomingForm.prototype._maybeEnd = function() {

  if (!this.ended || this._flushing || this.error) {

  "description": "A node.js module for parsing form data, especially file uploads.",

  "homepage": "https://github.com/felixge/node-formidable",

    "url": "git://github.com/felixge/node-formidable.git"

    "url": "http://github.com/felixge/node-formidable/issues"

[![Build Status](https://secure.travis-ci.org/felixge/node-formidable.png?branch=master)](http://travis-ci.org/felixge/node-formidable)

This module was developed for [Transloadit](http://transloadit.com/), a service focused on uploading

and encoding images and videos. It has been battle-tested against hundreds of GB of file uploads from

a large variety of clients and is considered production-ready.

* Fast (~500mb/sec), non-buffering multipart parser

* Automatically writing file uploads to disk

This is a low level package, and if you're using a high level framework such as Express, chances are it's already included in it. You can [read this discussion](http://stackoverflow.com/questions/11295554/how-to-disable-express-bodyparser-for-file-uploads-node-js) about how Formidable is integrated with Express.

git clone git://github.com/felixge/node-formidable.git formidable

# var formidable = require('./formidable');

Note: Formidable requires [gently](http://github.com/felixge/node-gently) to run the unit tests, but you won't need it for just using the library.

  if (req.url == '/upload' && req.method.toLowerCase() == 'post') {

    var form = new formidable.IncomingForm();

    form.parse(req, function(err, fields, files) {

      res.writeHead(200, {'content-type': 'text/plain'});

      res.end(util.inspect({fields: fields, files: files}));

  res.writeHead(200, {'content-type': 'text/html'});

    '<form action="/upload" enctype="multipart/form-data" method="post">'+

    '<input type="text" name="title"><br>'+

    '<input type="file" name="upload" multiple="multiple"><br>'+

    '<input type="submit" value="Upload">'+

Sets the directory for placing file uploads in. You can move them later on using

`fs.rename()`. The default is `os.tmpDir()`.

If you want the files written to `form.uploadDir` to include the extensions of the original files, set this property to `true`.

Either 'multipart' or 'urlencoded' depending on the incoming request.

Limits the amount of memory a field (not file) can allocate in bytes.

Limits the amount of memory all fields together (except files) can allocate in bytes.

If this value is exceeded, an `'error'` event is emitted. The default

Limits the number of fields that the querystring parser will decode. Defaults

If you want checksums calculated for incoming files, set this to either `'sha1'` or `'md5'`.

If this option is enabled, when you call `form.parse`, the `files` argument will contain arrays of files for inputs which submit multiple files using the HTML5 `multiple` attribute.

The amount of bytes received for this form so far.

The expected number of bytes in this form.

Parses an incoming node.js `request` containing form data. If `cb` is provided, all fields and files are collected and passed to the callback:

form.parse(req, function(err, fields, files) {

You may overwrite this method if you are interested in directly accessing the multipart stream. Doing so will disable any `'field'` / `'file'` events  processing which would occur otherwise, making you fully responsible for handling the processing.

If you want to use formidable to only handle certain parts for you, you can do so:

    // let formidable handle all non-file parts

Check the code in this method for further inspiration.

The size of the uploaded file in bytes. If the file is still being uploaded (see `'fileBegin'` event), this property says how many bytes of the file have been written to disk yet.

The path this file is being written to. You can modify this in the `'fileBegin'` event in

case you are unhappy with the way formidable generates a temporary path for your files.

The name this file had according to the uploading client.

The mime type of this file, according to the uploading client.

A date object (or `null`) containing the time this file was last written to. Mostly

here for compatibility with the [W3C File API Draft](http://dev.w3.org/2006/webapi/FileAPI/).

If hash calculation was set, you can read the hex digest out of this var.

  This method returns a JSON-representation of the file, allowing you to

  `JSON.stringify()` the file which is useful for logging and responding

Emitted when the request was aborted by the user. Right now this can be due to a 'timeout' or 'close' event on the socket. In the future there will be a separate 'timeout' event (needs a change in the node core).

Emitted when the request was aborted by the user. Right now this can be due to a 'timeout' or 'close' event on the socket. After this event is emitted, an `error` event will follow. In the future there will be a separate 'timeout' event (needs a change in the node core).

Emitted when the entire request has been received, and all contained files have finished flushing to disk. This is a great place for you to send your response.

* Enable hash calculation again (Eugene Girshov)

* Test for immediate data events (Tim Smart)

* Re-arrange IncomingForm#parse (Tim Smart)

* Only update hash if update method exists (Sven Lito)

		if (global.GENTLY) require = GENTLY.hijack(require);

		var crypto = require('crypto');
		var fs = require('fs');
		@@ -531,5 +532,6 @@ var util = require('util'),
		IncomingForm.prototype._uploadPath = function(filename) {
		var name = '';
		for (var i = 0; i < 32; i++) {
		name += Math.floor(Math.random() * 16).toString(16);
		var name = 'upload_';
		var buf = crypto.randomBytes(16);
		for (var i = 0; i < buf.length; ++i) {
		name += ('0' + buf[i].toString(16)).slice(-2);
		}
		@@ -536,0 +538,0 @@

		@@ -5,3 +5,3 @@ {
		"homepage": "https://github.com/felixge/node-formidable",
		"version": "1.0.15",
		"version": "1.0.16",
		"devDependencies": {
		@@ -8,0 +8,0 @@ "gently": "0.8.0",

Fixed alerts

Improved metrics

		@@ -105,3 +105,3 @@ # Formidable
		```
		Limits the amount of memory a field (not file) can allocate in bytes.
		Limits the amount of memory all fields together (except files) can allocate in bytes.
		If this value is exceeded, an `'error'` event is emitted. The default
		@@ -253,3 +253,3 @@ size is 2MB.

		Emitted when the request was aborted by the user. Right now this can be due to a 'timeout' or 'close' event on the socket. In the future there will be a separate 'timeout' event (needs a change in the node core).
		Emitted when the request was aborted by the user. Right now this can be due to a 'timeout' or 'close' event on the socket. After this event is emitted, an `error` event will follow. In the future there will be a separate 'timeout' event (needs a change in the node core).
		```javascript
		@@ -256,0 +256,0 @@ form.on('aborted', function() {