Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
[![Build Status](https://travis-ci.org/hunterloftis/stoppable.svg?branch=master)](https://travis-ci.org/hunterloftis/stoppable)
The 'stoppable' npm package allows you to gracefully stop an HTTP server, ensuring that all active connections are properly closed before the server shuts down. This is particularly useful for applications that need to handle shutdowns gracefully without abruptly terminating ongoing requests.
Graceful Shutdown
This feature allows you to stop an HTTP server gracefully. The code sample demonstrates how to create a stoppable server and then stop it gracefully, ensuring that all active connections are properly closed.
```js
const http = require('http');
const stoppable = require('stoppable');

const server = http.createServer((req, res) => {
  res.end('Hello, world!');
});
const stoppableServer = stoppable(server);

server.listen(3000, () => {
  console.log('Server is listening on port 3000');
});

// To stop the server gracefully
stoppableServer.stop((err, gracefully) => {
  if (err) {
    console.error('Error during shutdown:', err);
  } else {
    console.log('Server has been stopped gracefully:', gracefully);
  }
});
```
The 'http-shutdown' package provides similar functionality to 'stoppable' by allowing you to gracefully shut down an HTTP server. It ensures that all active connections are properly closed before the server shuts down. Compared to 'stoppable', 'http-shutdown' offers a similar API but may have different internal implementations and additional features.
The 'graceful-server' package is another alternative for gracefully shutting down an HTTP server. It provides mechanisms to handle server shutdowns gracefully, ensuring that ongoing requests are completed before the server stops. This package offers a more comprehensive solution with additional features like handling process signals and timeouts.
Node's `server.close()` the way you probably expected it to work by default.

```js
const server = stoppable(http.createServer(handler))
server.stop()
```
Stoppable stops accepting new connections and closes existing, idle connections (including keep-alives) without killing requests that are in-flight.
Node.js v4.x is unofficially supported.
```
yarn add stoppable
```

(or use npm)
constructor

```js
stoppable(server, grace)
```

Decorates the server instance with a `stop` method.
Returns the server instance, so can be chained, or can be run as a standalone statement.

`grace` defaults to Infinity (don't force-close).
If you want to immediately kill all sockets you can use a grace of 0.
stop()

```js
server.stop(callback)
```

Closes the server.

`callback` is passed to the `server.close` function to auto-register a 'close' event.
The first argument is an error, and the second argument is a boolean that indicates whether it stopped gracefully.

`grace` could be specified on `stop`, but it's better to match the existing `server.close` API.

`FIN` packets first.

`stop` method.

There's no way to provide this functionality without bookkeeping on connection, disconnection, request, and response. However, Stoppable strives to do minimal work in hot code paths and to use optimal data structures.
I'd be interested to see real-world performance benchmarks; the simple loopback artillery benchmark included in the lib shows very little overhead from using a stoppable server:
```
Scenarios launched: 10000
Scenarios completed: 10000
Requests completed: 10000
RPS sent: 939.85
Request latency:
  min: 0.5
  max: 51.3
  median: 2.1
  p95: 3.7
  p99: 15.3
Scenario duration:
  min: 1
  max: 60.7
  median: 3.6
  p95: 7.6
  p99: 19
Scenario counts:
  0: 10000 (100%)
Codes:
  200: 10000
```

```
Scenarios launched: 10000
Scenarios completed: 10000
Requests completed: 10000
RPS sent: 940.73
Request latency:
  min: 0.5
  max: 43.4
  median: 2.1
  p95: 3.8
  p99: 15.5
Scenario duration:
  min: 1.1
  max: 57
  median: 3.7
  p95: 8
  p99: 19.4
Scenario counts:
  0: 10000 (100%)
Codes:
  200: 10000
```
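The connection and request bookkeeping described above, and the effect of `grace`, can be sketched with Node built-ins alone. This is an added example, not stoppable's source or code from the original page: `makeStoppable`, `fakeSocket` and `demo` are hypothetical names, only plain HTTP is assumed (no TLS `secureConnection` handling), and the server and sockets in `demo` are constructed stand-ins so it runs offline.

```javascript
const { EventEmitter } = require('events');
// Added illustration of the bookkeeping; hypothetical names, plain HTTP only.
function makeStoppable(server, grace = Infinity) {
  const pending = new Map(); // socket -> number of in-flight requests
  let stopping = false;
  server.on('connection', (socket) => {
    pending.set(socket, 0);
    socket.once('close', () => pending.delete(socket));
  });
  server.on('request', (req, res) => {
    pending.set(req.socket, (pending.get(req.socket) || 0) + 1);
    res.once('finish', () => {
      if (!pending.has(req.socket)) return; // socket already closed
      pending.set(req.socket, pending.get(req.socket) - 1);
      if (stopping && pending.get(req.socket) === 0) req.socket.end(); // now idle
    });
  });
  server.stop = (callback) => {
    stopping = true;
    let gracefully = true;
    const timer = grace < Infinity && setTimeout(() => {
      gracefully = false; // grace expired: force-close whatever is left
      for (const socket of pending.keys()) socket.destroy();
    }, grace);
    server.close((err) => {
      clearTimeout(timer);
      if (callback) callback(err, gracefully);
    });
    for (const [socket, n] of pending) if (n === 0) socket.end(); // idle keep-alives
  };
  return server;
}
// Constructed stand-ins for http.Server / net.Socket so the demo runs offline.
function fakeSocket() {
  const s = Object.assign(new EventEmitter(), { ended: false, destroyed: false });
  s.end = () => { s.ended = true; };
  s.destroy = () => { s.destroyed = true; s.emit('close'); };
  return s;
}
function demo() {
  const server = makeStoppable(Object.assign(new EventEmitter(), { close() {} }));
  const idle = fakeSocket(), busy = fakeSocket(), res = new EventEmitter();
  for (const s of [idle, busy]) server.emit('connection', s);
  server.emit('request', { socket: busy }, res);
  server.stop();
  const atStop = { idle: idle.ended, busy: busy.ended };
  res.emit('finish'); // the in-flight response completes after stop()
  return { atStop, busyAfterFinish: busy.ended };
}
```

With the default `grace` of Infinity, `stop()` waits for in-flight requests with no upper bound, so a stalled client can hold shutdown open; a finite `grace` caps that wait and reports `gracefully` as `false` when connections had to be destroyed.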
MIT
FAQs
The npm package stoppable receives a total of 3,240,749 weekly downloads. As such, stoppable is classified as popular.
We found that stoppable demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.