Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
mvc-webapp node module
A simple framework for MVC web applications and RESTful APIs.
Features
- Docker container ready
- Express 5 based HTTP handling and routes
- Familiar MVC folder structure and URL paths (controller per file, public folder for static content, etc)
- Optional shared session management using Redis
- CORS support (HTTP OPTIONS)
- Flexible logging formatting using Morgan (defaults to Apache style)
- Out of the box support for EJS templates in Views, and partials
- Use any Node based data access module for storage
- Custom error handling
- Tiny and clean; outside of NPM dependencies, the code is about ~200 lines
Setup and First Webapp
- Follow these steps to get started with your first mvc-webapp:
mkdir test-app
cd test-app
npm init
npm install express@5 --save
npm install mvc-webapp --save
mkdir -p application/models
mkdir -p application/controllers
mkdir -p application/views
mkdir -p application/adapters
mkdir -p application/public
At some point this will be automated by a script, for now, it will involve some keystrokes.
- Add an entry point app.js on the root folder. This contains your app options and can be configurable via env-vars for container usage:
#!/usr/bin/env node
const webapp = require('mvc-webapp')
webapp.run({
applicationRoot: process.env.PWD,
listenPort: process.env.PORT || '3000',
sessionRedisUrl: process.env.REDISCLOUD_URL || undefined,
sessionSecret: process.env.SESSION_SECRET || undefined,
redirectSecure: true,
allowCORS: false,
viewEngine: 'ejs', // Optional: Pug, Handlebars, EJS, etc
loggerFormat: 'common', // Morgan formats
trustProxy: true,
notfoundMiddleware: (request, response, next) => {
response.status(404).json({
code: 404,
message: 'Sorry! File Not Found'
})
},
errorMiddleware: (error, request, response, _) => {
if (request.xhr) {
response.status(500).json({
code: 500,
message: (error.message)? error.message : error,
stack: request.app.get('env') === 'development' ? error.stack : ''
})
} else {
response.render('error', {
pageTitle: 'Oops!',
status: 500,
message: (error.message)? error.message : error,
stack: request.app.get('env') === 'development' ? error.stack : '',
})
}
},
})
This is the minimal amount of options you can give, sensible and secure default values are given for everything else:
#!/usr/bin/env node
const webapp = require('mvc-webapp')
webapp.run({
// Mandatory
applicationRoot: process.env.PWD,
listenPort: process.env.PORT || '3000',
// Optional Redis Session Management
// sessionRedisUrl: undefined,
// sessionSecret: undefined,
// Optional Security Related
// redirectSecure: false,
// allowCORS: false,
// trustProxy: false,
// Optional Framework
// viewEngine: undefined, // Pug, Handlebars, EJS, etc
// loggerFormat: 'common', // Morgan formats
// Optional Error Handling
// notfoundMiddleware: undefined,
// errorMiddleware: undefined,
})
The error handling can be customized to return plain JSON, HTTP codes or an EJS rendered page, your choice.
- Add an initial controller, this will be automatically mapped to a path (login.js becomes /login//):
exports.actions = controller => {
controller.get('/', (request, response, _) => {
response.json({
status: 'Sample status...',
data: null,
})
})
controller.get('/async', async (request, response) => {
const hi = await Promise.resolve('Hi!')
response.send(hi)
})
controller.get('/fail', async (request, response) => {
await Promise.reject('REJECTED!')
})
controller.get('/denied', async (request, response) => {
response.status(403).send('Not here')
})
return controller
}
This should be familiar to any Express user. A special exception is made for the index.js controller file, this is mapped to the root / folder. Additionally, any routes inside that controller, get appended as a method.
In order to render a view, invoke the view (file)name in the res.render call:
response.render('index', {
title: 'Homepage',
user: 'octopie'
})
- Run using npm start or node app.js - added the env var DEBUG="mvc-webapp:*" to see what the framework is doing behind the scenes.
Docker Support
Add the following file to the root folder and docker build:
FROM node:latest
WORKDIR /app
ADD . /app
RUN npm install
CMD ["npm","start"]
Also Checkout
- EJS Templates - this is what the views use
- Express - this is what powers the HTTP communication
FAQs
A simple framework for MVC web applications and RESTful APIs.
We found that mvc-webapp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 0 open source maintainers collaborating on the project.
Package last updated on 13 Sep 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025
Application Security
/Research
/Security News
Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
By Kush Pandya, Peter van der Zee, Olivia Brown, Socket Research Team - Sep 16, 2025