diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2eaea5a..9030ed5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,189 +1,98 @@ name: ci on: -- pull_request -- push + push: + branches: + - master + paths-ignore: + - '*.md' + pull_request: + paths-ignore: + - '*.md' + +permissions: + contents: read + +# Cancel in progress workflows +# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run +concurrency: + group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true jobs: - test: + lint: + name: Lint runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "lts/*" + + - name: Install dependencies + run: npm install --ignore-scripts --include=dev + + - name: Run lint + run: npm run lint + + test: + name: Test - Node.js ${{ matrix.node-version }} - ${{ matrix.os }} + runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: - name: - - Node.js 0.8 - - Node.js 0.10 - - Node.js 0.12 - - io.js 1.x - - io.js 2.x - - io.js 3.x - - Node.js 4.x - - Node.js 5.x - - Node.js 6.x - - Node.js 7.x - - Node.js 8.x - - Node.js 9.x - - Node.js 10.x - - Node.js 11.x - - Node.js 12.x - - Node.js 13.x - - Node.js 14.x - - Node.js 15.x - - Node.js 16.x - - Node.js 17.x - - include: - - name: Node.js 0.8 - node-version: "0.8" - npm-i: mocha@2.5.3 supertest@1.1.0 - npm-rm: nyc - - - name: Node.js 0.10 - node-version: "0.10" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: Node.js 0.12 - node-version: "0.12" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 1.x - node-version: "1.8" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 2.x - node-version: "2.5" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 3.x - node-version: "3.3" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: Node.js 4.x - node-version: "4.9" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 5.x - node-version: "5.12" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 6.x - node-version: "6.17" - npm-i: mocha@6.2.3 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 7.x - node-version: "7.10" - npm-i: mocha@6.2.3 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 8.x - node-version: "8.16" - npm-i: mocha@7.2.0 - - - name: Node.js 9.x - node-version: "9.11" - npm-i: mocha@7.2.0 - - - name: Node.js 10.x - node-version: "10.24" - npm-i: mocha@8.4.0 - - - name: Node.js 11.x - node-version: "11.15" - npm-i: mocha@8.4.0 - - - name: Node.js 12.x - node-version: "12.22" - - - name: Node.js 13.x - node-version: "13.14" - - - name: Node.js 14.x - node-version: "14.19" - - - name: Node.js 15.x - node-version: "15.14" - - - name: Node.js 16.x - node-version: "16.14" - - - name: Node.js 17.x - node-version: "17.8" - + os: [ubuntu-latest, windows-latest] + # Node.js release schedule: https://nodejs.org/en/about/releases/ + node-version: [18, 19, 20, 21, 22, 23] steps: - - uses: actions/checkout@v2 - - - name: Install Node.js ${{ matrix.node-version }} - shell: bash -eo pipefail -l {0} - run: | - nvm install --default ${{ matrix.node-version }} - if [[ "${{ matrix.node-version }}" == 0.* && "$(cut -d. -f2 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then - nvm install --alias=npm 0.10 - nvm use ${{ matrix.node-version }} - sed -i '1s;^.*$;'"$(printf '#!%q' "$(nvm which npm)")"';' "$(readlink -f "$(which npm)")" - npm config set strict-ssl false - fi - dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - - - name: Configure npm - run: npm config set shrinkwrap false - - - name: Remove npm module(s) ${{ matrix.npm-rm }} - run: npm rm --silent --save-dev ${{ matrix.npm-rm }} - if: matrix.npm-rm != '' - - - name: Install npm module(s) ${{ matrix.npm-i }} - run: npm install --save-dev ${{ matrix.npm-i }} - if: matrix.npm-i != '' - - - name: Setup Node.js version-specific dependencies - shell: bash - run: | - # eslint for linting - # - remove on Node.js < 10 - if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then - node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ - grep -E '^eslint(-|$)' | \ - sort -r | \ - xargs -n1 npm rm --silent --save-dev - fi - - - name: Install Node.js dependencies - run: npm install - - - name: List environment - id: list_env - shell: bash - run: | - echo "node@$(node -v)" - echo "npm@$(npm -v)" - npm -s ls ||: - (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }' - - - name: Run tests - shell: bash - run: | - if npm -ps ls nyc | grep -q nyc; then - npm run test-ci - else - npm test - fi - - - name: Lint code - if: steps.list_env.outputs.eslint != '' - run: npm run lint - - - name: Collect code coverage - uses: coverallsapp/github-action@master - if: steps.list_env.outputs.nyc != '' - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - flag-name: run-${{ matrix.test_number }} - parallel: true + - uses: actions/checkout@v4 + + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + check-latest: true + node-version: ${{ matrix.node-version }} + + - name: Configure npm loglevel + run: npm config set loglevel error + + - name: Install dependencies + run: npm install + + - name: Run tests + run: npm run test-ci + + - name: Upload code coverage + uses: actions/upload-artifact@v4 + with: + name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }} + path: ./coverage/lcov.info + retention-days: 1 coverage: needs: test runs-on: ubuntu-latest + permissions: + contents: read + checks: write steps: - - name: Uploade code coverage - uses: coverallsapp/github-action@master - with: - github-token: ${{ secrets.github_token }} - parallel-finished: true + - uses: actions/checkout@v4 + + - name: Install lcov + run: sudo apt-get -y install lcov + + - name: Collect coverage reports + uses: actions/download-artifact@v4 + with: + path: ./coverage + pattern: coverage-node-* + + - name: Merge coverage reports + run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info + + - name: Upload coverage report + uses: coverallsapp/github-action@v2 + with: + file: ./lcov.info diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..9d1b304 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,66 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + languages: javascript + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + # - name: Autobuild + # uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + category: "/language:javascript" \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..0b5ddcc --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,70 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security + +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '16 21 * * 1' + push: + branches: [ "master" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 + with: + sarif_file: results.sarif diff --git a/HISTORY.md b/HISTORY.md index 6b58456..a3f174e 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,48 @@ +2.2.0 / 2025-03-27 +================== + +* deps: send@^1.2.0 + +2.1.0 / 2024-09-10 +=================== + +* Changes from 1.16.0 +* deps: send@^1.2.0 + +2.0.0 / 2024-08-23 +================== + +* deps: + * parseurl@^1.3.3 + * excape-html@^1.0.3 + * encodeurl@^2.0.0 + * supertest@^6.3.4 + * safe-buffer@^5.2.1 + * nyc@^17.0.0 + * mocha@^10.7.0 +* Changes from 1.x + +2.0.0-beta.2 / 2024-03-20 +========================= + + * deps: send@1.0.0-beta.2 + +2.0.0-beta.1 / 2022-02-05 +========================= + + * Change `dotfiles` option default to `'ignore'` + * Drop support for Node.js 0.8 + * Remove `hidden` option; use `dotfiles` option instead + * Remove `mime` export; use `mime-types` package instead + * deps: send@1.0.0-beta.1 + - Use `mime-types` for file to content type mapping + - deps: debug@3.1.0 + +1.16.0 / 2024-09-10 +=================== + +* Remove link renderization in html while redirecting + 1.15.0 / 2022-03-24 =================== diff --git a/README.md b/README.md index 262d944..70f01c3 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,7 @@ [![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][npm-url] -[![Linux Build][github-actions-ci-image]][github-actions-ci-url] -[![Windows Build][appveyor-image]][appveyor-url] +[![CI][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] ## Install @@ -45,7 +44,7 @@ true. Disabling this will ignore the `immutable` and `maxAge` options. ##### dotfiles - Set how "dotfiles" are treated when encountered. A dotfile is a file +Set how "dotfiles" are treated when encountered. A dotfile is a file or directory that begins with a dot ("."). Note this check is done on the path itself without checking if the path actually exists on the disk. If `root` is specified, only the dotfiles above the root are @@ -56,8 +55,7 @@ to "deny"). - `'deny'` Deny a request for a dotfile and 403/`next()`. - `'ignore'` Pretend like the dotfile does not exist and 404/`next()`. -The default value is similar to `'ignore'`, with the exception that this -default will not ignore the files within a directory that begins with a dot. +The default value is `'ignore'`. ##### etag @@ -215,7 +213,7 @@ app.listen(3000) #### Different settings for paths This example shows how to set a different max age depending on the served -file type. In this example, HTML files are not cached, while everything else +file. In this example, HTML files are not cached, while everything else is for 1 day. ```js @@ -232,8 +230,8 @@ app.use(serveStatic(path.join(__dirname, 'public'), { app.listen(3000) -function setCustomCacheControl (res, path) { - if (serveStatic.mime.lookup(path) === 'text/html') { +function setCustomCacheControl (res, file) { + if (path.extname(file) === '.html') { // Custom Cache-Control for HTML files res.setHeader('Cache-Control', 'public, max-age=0') } @@ -244,8 +242,6 @@ function setCustomCacheControl (res, path) { [MIT](LICENSE) -[appveyor-image]: https://badgen.net/appveyor/ci/dougwilson/serve-static/master?label=windows -[appveyor-url]: https://ci.appveyor.com/project/dougwilson/serve-static [coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/serve-static/master [coveralls-url]: https://coveralls.io/r/expressjs/serve-static?branch=master [github-actions-ci-image]: https://badgen.net/github/checks/expressjs/serve-static/master?label=linux diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index d1d6862..0000000 --- a/appveyor.yml +++ /dev/null @@ -1,95 +0,0 @@ -environment: - matrix: - - nodejs_version: "0.10" - - nodejs_version: "0.12" - - nodejs_version: "1.8" - - nodejs_version: "2.5" - - nodejs_version: "3.3" - - nodejs_version: "4.9" - - nodejs_version: "5.12" - - nodejs_version: "6.17" - - nodejs_version: "7.10" - - nodejs_version: "8.16" - - nodejs_version: "9.11" - - nodejs_version: "10.24" - - nodejs_version: "11.15" - - nodejs_version: "12.22" - - nodejs_version: "13.14" - - nodejs_version: "14.19" - - nodejs_version: "15.14" - - nodejs_version: "16.14" - - nodejs_version: "17.8" -cache: - - node_modules -install: - # Install Node.js - - ps: >- - try { Install-Product node $env:nodejs_version -ErrorAction Stop } - catch { Update-NodeJsInstallation (Get-NodeJsLatestBuild $env:nodejs_version) } - # Configure npm - - ps: | - # Skip updating shrinkwrap / lock - npm config set shrinkwrap false - # Remove all non-test dependencies - - ps: | - # Remove coverage dependency - npm rm --silent --save-dev nyc - # Remove lint dependencies - cmd.exe /c "node -pe `"Object.keys(require('./package').devDependencies).join('\n')`"" | ` - sls "^eslint(-|$)" | ` - %{ npm rm --silent --save-dev $_ } - # Setup Node.js version-specific dependencies - - ps: | - # mocha for testing - # - use 2.x for Node.js < 0.10 - # - use 3.x for Node.js < 4 - # - use 5.x for Node.js < 6 - # - use 6.x for Node.js < 8 - # - use 7.x for Node.js < 10 - # - use 8.x for Node.js < 12 - if ([int]$env:nodejs_version.split(".")[0] -eq 0 -and [int]$env:nodejs_version.split(".")[1] -lt 10) { - npm install --silent --save-dev mocha@2.5.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev mocha@3.5.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev mocha@5.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev mocha@6.2.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 10) { - npm install --silent --save-dev mocha@7.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 12) { - npm install --silent --save-dev mocha@8.4.0 - } - - ps: | - # supertest for http calls - # - use 1.1.0 for Node.js < 0.10 - # - use 2.0.0 for Node.js < 4 - # - use 3.4.2 for Node.js < 6 - # - use 6.1.6 for Node.js < 8 - if ([int]$env:nodejs_version.split(".")[0] -eq 0 -and [int]$env:nodejs_version.split(".")[1] -lt 10) { - npm install --silent --save-dev supertest@1.1.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev supertest@2.0.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev supertest@3.4.2 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev supertest@6.1.6 - } - # Update Node.js modules - - ps: | - # Prune & rebuild node_modules - if (Test-Path -Path node_modules) { - npm prune - npm rebuild - } - # Install Node.js modules - - npm install -build: off -test_script: - # Output version data - - ps: | - node --version - npm --version - # Run test script - - npm test -version: "{build}" diff --git a/index.js b/index.js index b7d3984..1bee463 100644 --- a/index.js +++ b/index.js @@ -26,7 +26,6 @@ var url = require('url') */ module.exports = serveStatic -module.exports.mime = send.mime /** * @param {string} root @@ -195,8 +194,7 @@ function createRedirectDirectoryListener () { // reformat the URL var loc = encodeUrl(url.format(originalUrl)) - var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + - escapeHtml(loc) + '') + var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc)) // send redirect response res.statusCode = 301 diff --git a/package.json b/package.json index 9d935f5..38d3365 100644 --- a/package.json +++ b/package.json @@ -1,15 +1,15 @@ { "name": "serve-static", "description": "Serve static files", - "version": "1.15.0", + "version": "2.2.0", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static", "dependencies": { - "encodeurl": "~1.0.2", - "escape-html": "~1.0.3", - "parseurl": "~1.3.3", - "send": "0.18.0" + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" }, "devDependencies": { "eslint": "7.32.0", @@ -19,10 +19,9 @@ "eslint-plugin-node": "11.1.0", "eslint-plugin-promise": "5.2.0", "eslint-plugin-standard": "4.1.0", - "mocha": "9.2.2", - "nyc": "15.1.0", - "safe-buffer": "5.2.1", - "supertest": "6.2.2" + "mocha": "^10.7.0", + "nyc": "^17.0.0", + "supertest": "^6.3.4" }, "files": [ "LICENSE", @@ -30,7 +29,7 @@ "index.js" ], "engines": { - "node": ">= 0.8.0" + "node": ">= 18" }, "scripts": { "lint": "eslint .", diff --git a/scripts/version-history.js b/scripts/version-history.js index b8a2b0e..7938e69 100644 --- a/scripts/version-history.js +++ b/scripts/version-history.js @@ -30,7 +30,7 @@ if (historyFileLines[0].indexOf('x') !== -1) { } historyFileLines[0] = VERSION + ' / ' + getLocaleDate() -historyFileLines[1] = repeat('=', historyFileLines[0].length) +historyFileLines[1] = '='.repeat(historyFileLines[0].length) fs.writeFileSync(HISTORY_FILE_PATH, historyFileLines.join('\n')) @@ -42,22 +42,6 @@ function getLocaleDate () { zeroPad(now.getDate(), 2) } -function repeat (str, length) { - var out = '' - - for (var i = 0; i < length; i++) { - out += str - } - - return out -} - function zeroPad (number, length) { - var num = number.toString() - - while (num.length < length) { - num = '0' + num - } - - return num + return number.toString().padStart(length, '0') } diff --git a/test/test.js b/test/test.js index e1e3fd1..9933eed 100644 --- a/test/test.js +++ b/test/test.js @@ -1,6 +1,5 @@ var assert = require('assert') -var Buffer = require('safe-buffer').Buffer var http = require('http') var path = require('path') var request = require('supertest') @@ -41,7 +40,7 @@ describe('serveStatic()', function () { it('should set Content-Type', function (done) { request(server) .get('/todo.txt') - .expect('Content-Type', 'text/plain; charset=UTF-8') + .expect('Content-Type', 'text/plain; charset=utf-8') .expect(200, done) }) @@ -483,7 +482,7 @@ describe('serveStatic()', function () { request(server) .get('/users') .expect('Location', '/users/') - .expect(301, //, done) + .expect(301, /\/users\//, done) }) it('should redirect directories with query string', function (done) { @@ -505,7 +504,7 @@ describe('serveStatic()', function () { .get('/snow') .expect('Location', '/snow%20%E2%98%83/') .expect('Content-Type', /html/) - .expect(301, />Redirecting to \/snow%20%E2%98%83\/<\/a>Redirecting to \/snow%20%E2%98%83\/