Research
PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials
A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.
By Kush Pandya - Jun 06, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
stoppable
[](https://travis-ci.org/hunterloftis/stoppable)
What is stoppable?
The 'stoppable' npm package allows you to gracefully stop an HTTP server, ensuring that all active connections are properly closed before the server shuts down. This is particularly useful for applications that need to handle shutdowns gracefully without abruptly terminating ongoing requests.
What are stoppable's main functionalities?
Graceful Shutdown
This feature allows you to stop an HTTP server gracefully. The code sample demonstrates how to create a stoppable server and then stop it gracefully, ensuring that all active connections are properly closed.
const http = require('http');
const stoppable = require('stoppable');
const server = http.createServer((req, res) => {
res.end('Hello, world!');
});
const stoppableServer = stoppable(server);
server.listen(3000, () => {
console.log('Server is listening on port 3000');
});
// To stop the server gracefully
stoppableServer.stop((err, gracefully) => {
if (err) {
console.error('Error during shutdown:', err);
} else {
console.log('Server has been stopped gracefully:', gracefully);
}
});Other packages similar to stoppable
http-shutdown
The 'http-shutdown' package provides similar functionality to 'stoppable' by allowing you to gracefully shut down an HTTP server. It ensures that all active connections are properly closed before the server shuts down. Compared to 'stoppable', 'http-shutdown' offers a similar API but may have different internal implementations and additional features.
graceful-server
The 'graceful-server' package is another alternative for gracefully shutting down an HTTP server. It provides mechanisms to handle server shutdowns gracefully, ensuring that ongoing requests are completed before the server stops. This package offers a more comprehensive solution with additional features like handling process signals and timeouts.
Stoppable
Node's
server.close()the way you probably expected it to work by default.
Summary
const server = stoppable(http.createServer(handler))
server.stop()
Stoppable stops accepting new connections and closes existing, idle connections (including keep-alives) without killing requests that are in-flight.
Requirements
- Node.js v6+
Node.js v4.x is unofficially supported.
Installation
yarn add stoppable
(or use npm)
Usage
constructor
stoppable(server, grace)
Decorates the server instance with a stop method.
Returns the server instance, so can be chained, or can be run as a standalone statement.
- server: Any HTTP or HTTPS Server instance
- grace: Milliseconds to wait before force-closing connections
grace defaults to Infinity (don't force-close).
If you want to immediately kill all sockets you can use a grace of 0.
stop()
server.stop(callback)
Closes the server.
- callback: passed along to the existing
server.closefunction to auto-register a 'close' event. The first agrument is an error, and the second argument is a boolean that indicates whether it stopped gracefully.
Design decisions
- Monkey patching generally sucks, but in this case it's the nicest API. Let's call it "decorating."
gracecould be specified onstop, but it's better to match the existingserver.closeAPI.- Clients should be handled respectfully, so we aren't just destroying sockets, we're sending
FINpackets first. - Any solution to this problem requires bookkeeping on every connection and request/response.
We're doing a minimum of work on these "hot" code paths and delaying as much as possible to the actual
stopmethod.
Performance
There's no way to provide this functionality without bookkeeping on connection, disconnection, request, and response. However, Stoppable strives to do minimal work in hot code paths and to use optimal data structures.
I'd be interested to see real-world performance benchmarks; the simple loopback artillery benchmark included in the lib shows very little overhead from using a stoppable server:
Without Stoppable
Scenarios launched: 10000
Scenarios completed: 10000
Requests completed: 10000
RPS sent: 939.85
Request latency:
min: 0.5
max: 51.3
median: 2.1
p95: 3.7
p99: 15.3
Scenario duration:
min: 1
max: 60.7
median: 3.6
p95: 7.6
p99: 19
Scenario counts:
0: 10000 (100%)
Codes:
200: 10000
With Stoppable
Scenarios launched: 10000
Scenarios completed: 10000
Requests completed: 10000
RPS sent: 940.73
Request latency:
min: 0.5
max: 43.4
median: 2.1
p95: 3.8
p99: 15.5
Scenario duration:
min: 1.1
max: 57
median: 3.7
p95: 8
p99: 19.4
Scenario counts:
0: 10000 (100%)
Codes:
200: 10000
License
MIT
FAQs
[](https://travis-ci.org/hunterloftis/stoppable)
The npm package stoppable receives a total of 2,689,952 weekly downloads. As such, stoppable popularity was classified as popular.
We found that stoppable demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 10 Nov 2018
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Socket Now Supports pylock.toml Files
Socket now supports pylock.toml, enabling secure, reproducible Python builds with advanced scanning and full alignment with PEP 751's new standard.
By Trevor Norris - Jun 05, 2025
Security News
Research
Destructive npm Packages Disguised as Utilities Enable Remote System Wipe
Socket uncovered two npm packages that register hidden HTTP endpoints to delete all files on command.
By Kush Pandya - Jun 05, 2025