Security News
The Risks of Misguided Research in Supply Chain Security
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
A better static asset handler for Node.js / express.js.
Provides helpers to add a version identifier to your static asset's public URLs, and to remove the hash before serving the file from the file system.
How your URLs are transformed:
/home.css --> /home.<md5 hash of contents>.css
For example:
/home.css --> /home.ae2b1fca515949e5d54fb22b8ed95575.css
/js/script.js --> /js/script.3205c0ded576131ea255ad2bd38b0fb2.js
The version hashes are the md5 of the contents of the static asset. Thus, every file has it's own unique version identifier. When a file changes, only it's own hash changes. This lets you have a far-futures expires header for your static assets without worrying about cache-invalidation, while ensuring that the user only downloads the files that have changed since your last deployment.
var path = require('path');
var staticify = require('staticify')(path.join(__dirname, 'public'));
...
app.use(staticify.middleware);
app.helpers({getVersionedPath: staticify.getVersionedPath});
And in your template:
<link href="${getVersionedPath('/home.css')}" rel="stylesheet">
Include all files when scanning the public directory. By default, the directories from ignore-by-default are ignored.
false
Generate a short (7-digit) md5 hash instead of the full (32-digit) one.
true
sendOptions: { maxAge: '1y' }
for hashed assets or maxAge: 0
for non-hashed assets.You can pass any send options; used in middleware
and serve
functions.
Install from npm:
npm install staticify
Initialise the staticify helper with the path of your public directory:
var path = require('path');
var statificy = require('staticify')(path.join(__dirname, 'public'));
This returns an object with the following helpers:
Does the following transformation to the path
, and returns immediately:
staticify.getVersionedPath('/path/to/file.ext'); // --> /path/to/file.<md5 of the contents of file.ext>.ext
This method is meant to be used inside your templates.
This method is really fast (simply an in-memory lookup) and returns immediately. When you initialize this module, it crawls your public folder synchronously at startup, and pre-determines all the md5 hashes for your static files. This slows down application startup slightly, but it keeps the runtime performance at its peak.
Convenience wrapper over .serve
to handle static files in express.js.
app.use(staticify.middleware); // `app` is your express instance
Takes the input string, and replaces any paths it can understand. For example:
staticify.replacePaths('body { background: url("/index.js") }');
returns
"body { background: url('/index.d766c4a983224a3696bc4913b9e47305.js') }"
Perfect for use in your build script, to modify references to external paths within your CSS files.
Removes the md5 identifier in a path.
staticify.stripVersion('/path/to/file.ae2b1fca515949e5d54fb22b8ed95575.ext'); // --> /path/to/file.ext
Note, this function doesn't verify that the hash is valid. It simply finds what looks like a hash and strips it from the path.
Rebuilds the md5 version cache described above. Use this method sparingly. This crawls your public folder synchronously (in a blocking fashion) to rebuild the cache. This is typically only useful when you are doing some kind of live-reloading during development.
Handles an incoming request for the file. Internally calls .stripVersion
to strip the version identifier, and serves the file with a maxAge
of one year, using send. Returns a stream that can be .pipe
d to a http response stream. See here for the options you can pass.
staticify.serve(req, {
sendOptions: {
maxAge: 3600 * 1000 // milliseconds
}
}).pipe(res);
MIT
FAQs
A better static asset handler for Node.js/Express.js
The npm package staticify receives a total of 610 weekly downloads. As such, staticify popularity was classified as not popular.
We found that staticify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.