Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

New fork resolving vulnerabilities and incorporating most current PRs

See original GitHub issue

Issue Description


As issues had not received feedback here and the latest commit 3 years ago, I went ahead to make a fork and publish it as @brettz9/node-static.

Besides making a few of my own changes:

  • (Breaking change) npm: Set engines to 10.11.0+ (allowing native URL to fix an issue and better flexibility in language features)
  • Security Update/fix: Use URL constructor over deprecated url.parse; should fix Open Redirect issue
  • Optimization: ‘use strict’ directive
  • Refactoring: Use safer non-prototype version of colors
  • (Also some plain, dev-facing changes; see our

…the fork also incorporates the following, indicating also the PR numbers here that they close:



I also made some updates/improvements to the PRs:

  1. Expanded the fs.stat checking, adding one beyond that covered in the original fs.stat PR (#223), and covering the newly-added one in the defaultExtension PR (#173).
  2. Updated minimatch (#183)
  3. I avoided the Travis addition, as figured might use GitHub Actions if someone wants to do so.

These remaining prexisting PRs were not fully incorporated:

  1. #189 - the PR for #138 allowed for disabling of cache already; if you still want the f and false aliases, feel free to file an issue
  2. #184 - Looked like there were concerns
  3. #177 on README improvements; I figure some would be good, but would like to continue showing output and keeping headings (useful in navigation for users of HeadingsMap type browser add-ons, as well as for accessibility in general)
  4. #172 - There is no longer a need for avoiding the reserved static keyword, as I renamed the examples (to use statik).
  5. #166 - I guess we could protect overwrites to writeHead, but what’s to prevent someone from rewriting setHeader? If it’s a common enough use case to overwrite writeHead, I could add the preventative measure, esp. with a test.

Remaining steps:

  1. The Unauthorized File Access issue does not appear to be an issue per testing (if it ever was); if you can provide a test case where it fails, please report
  2. I’ve added nyc for coverage, but I’m not sure that with vows, we can do binary file testing. I’m thinking whether we should switch to mocha for this (I prefer that to jest for the ecosystem). Ideally we’d get to full coverage, including the binary.

Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:6
  • Comments:33 (15 by maintainers)

github_iconTop GitHub Comments

cloudheadcommented, May 24, 2021

I’m well aware of supply chain attacks… but basically a big part of that responsibility is on users auditing their dependencies. I did my duty of making sure @brettz9 is a legitimate contributor to the open source community (which he clearly is), and so I think he will do a great job. I wouldn’t have given write access to someone with no credentials or github history!

Zarelcommented, Aug 10, 2021

@cloudhead I did it! I converted all history since 2018 (i.e. everything @brettz9 pushed) into a linear tree. You can take my cleaned history with:

git checkout -b zarel-master master
git pull zarel-master
git checkout master
git reset --hard 6efac07ba8c01

You can then go ahead and do an interactive rebase with git rebase -i 83aac2e to clean the history to your liking.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Test your PRs for vulnerabilities before merging - Snyk's docs
Test your PRs for vulnerabilities before merging. Snyk integrates with your preferred Git repository to scan your manifest files for any new code...
Read more >
Mitigating known security risks in open source libraries - O'Reilly
This chapter focuses on all you should know about fixing vulnerable packages, including remediation options, tooling, and various nuances. Note ...
Read more >
Getting started with Semgrep App
Get started with Semgrep App to scan for security vulnerabilities on both local and remote repositories hosted on GitHub and GitLab.
Read more >
A summary number of filtered clients grouped by their update pattern ...
Fixatives, Vulnerability and Propagation | ResearchGate, the professional ... On the other hand, External PRs also cover new features (380 out of 384...
Read more >
Keep all your packages up to date with Dependabot
With the launch of version updates, security alerts for vulnerable dependencies and automated security updates have new names: Dependabot alerts ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found