{"id":49453584,"url":"https://github.com/google/node-h2-auto-push","last_synced_at":"2026-05-16T16:01:44.889Z","repository":{"id":39033907,"uuid":"117716979","full_name":"google/node-h2-auto-push","owner":"google","description":"HTTP/2 automatic server push","archived":true,"fork":false,"pushed_at":"2024-06-20T20:46:54.000Z","size":1578,"stargazers_count":327,"open_issues_count":17,"forks_count":20,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-08T22:38:02.942Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-01-16T17:31:07.000Z","updated_at":"2026-02-23T14:26:41.000Z","dependencies_parsed_at":"2024-06-18T16:41:12.676Z","dependency_job_id":"eb215caf-a5b1-4e97-9a57-2ac82d1ca7a3","html_url":"https://github.com/google/node-h2-auto-push","commit_stats":{"total_commits":120,"total_committers":11,"mean_commits":"10.909090909090908","dds":0.6666666666666667,"last_synced_commit":"67a36c04cbbd6da7b066a4e8d361c593d38853a4"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/google/node-h2-auto-push","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnode-h2-auto-push","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnode-h2-auto-push/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnode-h2-auto-push/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnode-h2-auto-push/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/node-h2-auto-push/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnode-h2-auto-push/sbom","scorecard":{"id":437550,"data":{"date":"2025-08-11","repo":{"name":"github.com/google/node-h2-auto-push","commit":"67a36c04cbbd6da7b066a4e8d361c593d38853a4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":9,"reason":"Found 28/29 approved changesets -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/google/node-h2-auto-push/ci.yaml/master?enable=pin","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   3 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/google/.github/SECURITY.md:1","Info: Found linked content: github.com/google/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1","Info: Found text in security policy: github.com/google/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"24 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6","Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g","Warn: Project is vulnerable to: GHSA-px4h-xg32-q955","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v","Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T05:01:58.869Z","repository_id":39033907,"created_at":"2025-08-19T05:01:58.869Z","updated_at":"2025-08-19T05:01:58.869Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33109461,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T04:41:52.686Z","status":"ssl_error","status_checked_at":"2026-05-16T04:41:52.009Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-30T04:01:03.701Z","updated_at":"2026-05-16T16:01:44.884Z","avatar_url":"https://github.com/google.png","language":"TypeScript","funding_links":[],"categories":["📦 Legacy \u0026 Inactive Projects"],"sub_categories":[],"readme":"# HTTP/2 automatic server push\n\n[![Greenkeeper badge](https://badges.greenkeeper.io/google/node-h2-auto-push.svg)](https://greenkeeper.io/)\n\n**This is not an official Google product.**\n\n[HTTP/2](https://tools.ietf.org/html/rfc7540) is a major revision of the HTTP\nprotocol. One of its differences from HTTP/1 is [*server\npush*](https://tools.ietf.org/html/rfc7540#section-8.2), which allows a\nserver to pre-emptively send responses to a client in association with a\nprevious client-initiated request. This can be useful when the server knows\nthe client will need to have those responses available in order to fully\nprocess the response to the original request.\n\nIt sounds simple and easy but is quite tricky for service developers to\nmanually figure out and configure what resources to push in association with\nanother resource. There are also many pitfalls the implementors must know\nabout. See [Rules of Thumb for HTTP/2\nPush](https://docs.google.com/document/d/1K0NykTXBbbbTlv60t5MyJvXjqKGsCVNYHyLEXIxYMv0/edit?usp=sharing)\nfor the details.\n\nThis project is for automating server push and getting rid of the need for\nmanual configurations from service developers. It is meant as a helper\nlibrary for building middlewares for various [Node.js](https://nodejs.org)\nweb servers, such as [Express](http://expressjs.com/),\n[fastify](https://www.fastify.io/), etc.\n\nThis library assumes that the middlewares built on top of it act as a static\nfile server. That is because static file serving is one of the most common\nuse cases for HTTP/2 server push.\n\nSee https://github.com/google/node-fastify-auto-push for an example. It is a\n[fastify](https://www.fastify.io/) plugin for supporting auto-push.\n\n**This package currently works only with Node \u003e=9.4.0.**\n\n## Interface\n\n### `class AutoPush`\n\n#### Constructor\n\n```typescript\nconstructor(rootDir: string, cacheConfig?: AssetCacheConfig);\n```\n\nConstructs an `AutoPush` object.\n\n*   `rootDir`: Top-level directory that contains the static files to be served.\n*   `cacheConfig`: Configuration options for customizing the caching behavior.\n\n#### `preprocessRequest()`\n\n```typescript\npreprocessRequest(\n    reqPath: string,\n    stream: http2.ServerHttp2Stream,\n    cacheCookie?: string): Promise\u003cPreprocessResult\u003e;\n\ninterface PreprocessResult {\n  newCacheCookie: string;\n  pushFn: () =\u003e Promise\u003cvoid\u003e;\n}\n```\n\nThis method must be called for every request from the client. It determines\nwhich other resources must be pushed, if any, in association with the current\nrequest path. It also checks whether any resources to be pushed are already\ncached in the browser side. It is done by storing and reading the related\ninformation in a cookie value.\n\n*   `reqPath`: The request path given from the client.\n*   `stream`: The current `ServerHttp2Stream` object.\n*   `cacheCookie`: The value of the cookie used for storing the information on\n    which resources are cached in the browser. It is up to the middleware\n    which cookie to use for this.\n\nReturns a promise for the result (`PreprocessResult`). The middleware must\nuse the `newCacheCookie` value to store it in the browser cookie, and use\n`pushFn` to push static resources that are associated with the current\nrequest.\n\nThis method (and `recordRequestPath()` described below) must be called for\nnon-static file requests as well as static files that are being served by the\nmiddleware. That's because there may be cases where a set of static files\nmust be pushed in association with a non-static resource. For example, when\n`index.html` is a non-static file that is dynamically generated by the\napplication, it probably wants to push related resources such as stylesheets,\nimages, JavaScript files, etc. that are needed for the browser to render the\npage.\n\nWhen there is an error while pushing resources, a `'pushError'` will be\nemitted on the parent `stream`, whose argument is an error object that caused\nit.\n\n#### `recordRequestPath()`\n\n```typescript\nrecordRequestPath(\n    session: http2.Http2Session,\n    reqPath: string,\n    isStatic: boolean): void;\n```\n\nThis method must be called for every request from the client. It must be\ncalled for non-static file requests as well as static files, as explained for\n`preprocessRequest()` above.\n\n*   `session`: The current session object.\n*   `reqPath`: The request path given from the client.\n*   `isStatic`: `true` if the request is for a static file that is being served\n    by the middleware, `false` otherwise.\n\n### `AssetCacheConfig`\n\nThis can be passed to the constructor of `AutoPush` to customize the caching\nbehavior.\n\n```typescript\ninterface AssetCacheConfig {\n  warmupDuration: number;\n  promotionRatio: number;\n  demotionRatio: number;\n  minimumRequests: number;\n}\n```\n\n#### `warmupDuration`\n\nThe time duration (in milliseconds) after a client request during which to\nrecord additional requests. That record will be used for determining the\nassociated resources that may be pushed for a request path.\n\n#### `promotionRatio`\n\nIf an additional request is frequently made for a certain original request\nand its hit ratio is over the `promotionRatio` value, that request path is\nconsidered one of the associated resources of the original request, and it'll\nbe pushed when a request is made for the same original request path later.\n\n#### `demotionRatio`\n\nSimilar to `promotionRatio`, but if the hit ratio is lower than\n`demotionRatio`, the request path will not be considered an associated\nresource anymore.\n\n#### `minimumRequests`\n\nThe minimum number of requests for a certain path before being considered as\na candidate for an associated resource.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fnode-h2-auto-push","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fnode-h2-auto-push","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fnode-h2-auto-push/lists"}