{"id":15390223,"url":"https://github.com/gajus/express-tus","last_synced_at":"2025-08-23T16:08:31.566Z","repository":{"id":66001175,"uuid":"262860074","full_name":"gajus/express-tus","owner":"gajus","description":"Express middleware for tus protocol.","archived":false,"fork":false,"pushed_at":"2020-05-21T23:10:56.000Z","size":71,"stargazers_count":16,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-08-09T05:56:24.162Z","etag":null,"topics":["file","resumable","tus-protocol","upload"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gajus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-10T19:27:09.000Z","updated_at":"2024-05-14T22:13:40.000Z","dependencies_parsed_at":"2023-02-23T03:00:58.354Z","dependency_job_id":null,"html_url":"https://github.com/gajus/express-tus","commit_stats":{"total_commits":63,"total_committers":1,"mean_commits":63.0,"dds":0.0,"last_synced_commit":"ab6d8634f300b91c3e065e985f466902a8033781"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/gajus/express-tus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gajus%2Fexpress-tus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gajus%2Fexpress-tus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gajus%2Fexpress-tus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gajus%2Fexpress-tus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gajus","download_url":"https://codeload.github.com/gajus/express-tus/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gajus%2Fexpress-tus/sbom","scorecard":{"id":417305,"data":{"date":"2025-08-11","repo":{"name":"github.com/gajus/express-tus","commit":"ab6d8634f300b91c3e065e985f466902a8033781"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-19T00:14:58.839Z","repository_id":66001175,"created_at":"2025-08-19T00:14:58.839Z","updated_at":"2025-08-19T00:14:58.839Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271755406,"owners_count":24815398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-23T02:00:09.327Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["file","resumable","tus-protocol","upload"],"created_at":"2024-10-01T15:05:00.443Z","updated_at":"2025-08-23T16:08:31.524Z","avatar_url":"https://github.com/gajus.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"## express-tus 🏋️\n\n[![Travis build status](http://img.shields.io/travis/gajus/express-tus/master.svg?style=flat-square)](https://travis-ci.org/gajus/express-tus)\n[![Coveralls](https://img.shields.io/coveralls/gajus/express-tus.svg?style=flat-square)](https://coveralls.io/github/gajus/express-tus)\n[![NPM version](http://img.shields.io/npm/v/express-tus.svg?style=flat-square)](https://www.npmjs.org/package/express-tus)\n[![Canonical Code Style](https://img.shields.io/badge/code%20style-canonical-blue.svg?style=flat-square)](https://github.com/gajus/canonical)\n[![Twitter Follow](https://img.shields.io/twitter/follow/kuizinas.svg?style=social\u0026label=Follow)](https://twitter.com/kuizinas)\n\n[Express](https://expressjs.com/) middleware for [tus protocol](https://tus.io/) (v1.0.0).\n\n---\n\n* [Motivation](#motivation)\n* [API](#api)\n  * [Rejecting file uploads](#rejecting-file-uploads)\n* [Storage](#storage)\n  * [Memory Storage](#memory-storage)\n* [CORS](#cors)\n* [Supported extensions](#supported-extensions)\n  * [Checksum](#checksum)\n  * [Creation](#creation)\n  * [Expiration](#expiration)\n  * [Termination](#termination)\n* [Implementation considerations](#implementation-considerations)\n  * [Resumable uploads using Google Storage](#resumable-uploads-using-google-storage)\n  * [Restrict minimum chunk size](#restrict-minimum-chunk-size)\n\n## Motivation\n\nConceptually, [tus](https://tus.io/) is a great initiative. However, the existing implementations are lacking:\n\n* [tus-node-server](https://github.com/tus/tus-node-server) has a big warning stating that usage is discouraged in favour of tusd.\n* [tusd](https://github.com/tus/tusd) has bugs and opinionated limitations (just browse [issues](https://github.com/tus/tusd/issues)).\n\n`express-tus` provides a high-level abstraction that implements tus protocol, but leaves the actual handling of uploads to the implementer. This approach has the benefit of granular control over the file uploads while being compatible with the underlying (tus) protocol.\n\n## API\n\n```js\n// @flow\n\nimport {\n  createTusMiddleware,\n  formatUploadMetadataHeader,\n} from 'express-tus';\nimport type {\n  ConfigurationInputType,\n  IncomingMessageType,\n  ResponseType,\n  StorageType,\n  UploadInputType,\n  UploadMetadataType,\n  UploadType,\n  UploadUpdateInputType,\n} from 'express-tus';\n\n/**\n * Formats Tus compliant metadata header.\n */\nformatUploadMetadataHeader(uploadMetadata: UploadMetadataType): string;\n\n/**\n * @property uploadExpires UNIX timestamp (in milliseconds) after which the upload will be deleted.\n * @property uploadLength Indicates the size of the entire upload in bytes.\n * @property uploadMetadata Key-value meta-data about the upload.\n * @property uploadOffset Indicates a byte offset within a resource.\n */\ntype UploadType = {|\n  +uploadExpires?: number,\n  +uploadLength: number,\n  +uploadMetadata: UploadMetadataType,\n  +uploadOffset: number,\n|};\n\n/**\n * @property createUpload Approves file upload. Defaults to allowing all uploads.\n * @property delete Deletes upload.\n * @property getUpload Retrieves progress information about an existing upload.\n * @property upload Applies bytes contained in the incoming message at the given offset.\n */\ntype StorageType = {|\n  +createUpload: (input: UploadInputType) =\u003e MaybePromiseType\u003cUploadType\u003e,\n  +delete: (uid: string) =\u003e MaybePromiseType\u003cvoid\u003e,\n  +getUpload: (uid: string) =\u003e MaybePromiseType\u003cUploadType\u003e,\n  +upload: (input: UploadUpdateInputType) =\u003e MaybePromiseType\u003cvoid\u003e,\n|};\n\n/**\n * @property basePath Path to where the tus middleware is mounted. Used for redirects. Defaults to `/`.\n * @property createUid Generates unique identifier for each upload request. Defaults to UUID v4.\n */\ntype ConfigurationInputType = {|\n  +basePath?: string,\n  +createUid?: () =\u003e Promise\u003cstring\u003e,\n  ...StorageType,\n|};\n\ncreateTusMiddleware(configuration: ConfigurationInputType);\n\n```\n\n### Rejecting file uploads\n\n`createUpload`, `upload` and `getUpload` can throw an error at any point to reject an upload. The error will propagate through usual express error handling path.\n\nAs an example, this is what [Memory Storage](#memory-storage) errors handler could be implemented:\n\n```js\nimport {\n  createMemoryStorage,\n  createTusMiddleware,\n  ExpressTusError,\n  NotFoundError,\n  UserError,\n} from 'express-tus';\n\napp.use(createTusMiddleware({\n  ...createMemoryStorage(),\n}));\n\napp.use((error, incomingMessage, outgoingMessage, next) =\u003e {\n  // `incomingMessage.tus.uid` contains the upload UID.\n  incomingMessage.tus.uid;\n\n  if (error instanceof ExpressTusError) {\n    if (error instanceof NotFoundError) {\n      outgoingMessage\n        .status(404)\n        .end('Upload not found.');\n\n      return;\n    }\n\n    if (error instanceof UserError) {\n      outgoingMessage\n        .status(500)\n        .end(error.message);\n\n      return;\n    }\n\n    outgoingMessage\n      .status(500)\n      .end('Internal server error.');\n  } else {\n    next();\n\n    return;\n  }\n});\n\n```\n\n## Storage\n\n`express-tus` does not provide any default storage engines.\n\n### Memory Storage\n\nRefer to the [example](./src/factories/createMemoryStorage.js), in-memory, storage engine.\n\n## CORS\n\n`express-tus` configures [`access-control-allow-headers`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) and [`access-control-expose-headers`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers), but does not configure [`access-control-allow-origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n\nUse [`cors`](https://www.npmjs.com/package/cors) to configure the necessary headers for cross-site communication.\n\n## Supported extensions\n\n### Checksum\n\n[creation](https://tus.io/protocols/resumable-upload.html#checksum)\n\nSupported algorithms:\n\n* crc32\n* md5\n* sha1\n* sha256\n\n### Creation\n\n[creation](https://tus.io/protocols/resumable-upload.html#creation)\n\n### Expiration\n\n[expiration](https://tus.io/protocols/resumable-upload.html#expiration)\n\nNote that it is the responsibility of the storage engine to detect and delete expired uploads.\n\n### Termination\n\n[termination](https://tus.io/protocols/resumable-upload.html#termination)\n\n## Implementation considerations\n\n### Resumable uploads using Google Storage\n\nOne of the original goals for writing `express-tus` was to have an abstraction that will allow to uploads files to Google Storage using their [resumable uploads protocol](https://cloud.google.com/storage/docs/performing-resumable-uploads). However, it turns out that, due to [arbitrary restrictions](https://github.com/googleapis/nodejs-storage/issues/1192#issuecomment-629042176) imposed by their API, this is not possible.\n\nSpecifically, the challenge is that Google resumable uploads (1) do not guarantee that they will upload the entire chunk that you send to the server and (2) do not allow to upload individual chunks lesser than 256 KB. Therefore, if you receive upload chunks on a different service instances, then individual instances are not going to be able to complete their upload without being aware of the chunks submitted to the other instances.\n\nThe only [workaround](https://github.com/googleapis/nodejs-storage/issues/1192#issuecomment-628873851) is to upload chunks individually (as separate files) and then using Google Cloud API to concatenate files. However, this approach results in [significant cost increase](https://github.com/googleapis/gcs-resumable-upload/issues/132#issuecomment-603493772).\n\n### Restrict minimum chunk size\n\ntus protocol does not dictate any restrictions about individual chunk size. However, this leaves your service open to DDoS attack.\n\nWhen implementing `upload` method, restrict each chunk to a desired minimum size (except the last one), e.g.\n\n```js\n{\n  // [..]\n\n  upload: async (input) =\u003e {\n    if (input.uploadOffset + input.chunkLength \u003c input.uploadLength \u0026\u0026 input.chunkLength \u003c MINIMUM_CHUNK_SIZE) {\n      throw new UserError('Each chunk must be at least ' + filesize(MINIMUM_CHUNK_SIZE) + ' (except the last one).');\n    }\n\n    // [..]\n  },\n}\n\n```\n\nGoogle restricts their uploads to a [minimum of 256 KB per chunk](https://cloud.google.com/storage/docs/performing-resumable-uploads#json-api), which is a reasonable default. However, even with 256 KB restriction, a 1 GB upload would result in 3906 write operations. Therefore, if you are allowing large file uploads, adjust the minimum chunk size dynamically based on the input size.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgajus%2Fexpress-tus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgajus%2Fexpress-tus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgajus%2Fexpress-tus/lists"}