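License: View license
Language: JavaScript
Operating system: Cross-platform
Software type: Open source software
Category: Web application development
Region: Unknown
Submitted by: 首席测试
Audience: Unknown
Listed on: 2021-11-30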


Serverless Components

Serverless Express ⎯⎯⎯ This Serverless Framework Component enables you to take existing Express.js apps and deploy them onto cheap, auto-scaling, serverless infrastructure on AWS (specifically AWS HTTP API and AWS Lambda), easily. It's packed with production-ready features, like custom domains, SSL certificates, canary deployments, and costs an average of $0.000003 per request.

  • Never Pay For Idle - No HTTP requests, no cost. Averages ~$0.000003 per request.
  • Zero Configuration - All we need is your code, then just deploy (advanced config options are available).
  • Fast Deployments - Deploy changes to the cloud in seconds.
  • Realtime Logging - Rapidly develop on the cloud w/ real-time logs and errors in the CLI.
  • Canary Deployments - Deploy your app gradually to a subset of your traffic over time.
  • Custom Domain + SSL - Auto-configure a custom domain w/ a free AWS ACM SSL certificate.
  • Team Collaboration - Collaborate with your teammates with shared state and outputs.
  • Built-in Monitoring - Monitor your express app right from the Serverless Dashboard.

Check out the Serverless Fullstack Application for a ready-to-use boilerplate and overall great example of how to use this Component.

Get Started:

  1. Install
  2. Initialize
  3. Deploy
  4. Configure
  5. Dev Mode
  6. Monitor
  7. Remove




Install

To get started with this component, install the latest version of the Serverless Framework:

$ npm install -g serverless

After installation, make sure you connect your AWS account by setting a provider in the org setting page on the Serverless Dashboard.


Initialize

The easiest way to start using the express component is by initializing the express-starter template. Just run this command:

$ serverless init express-starter
$ cd express-starter

This will also run npm install for you. You should now have a directory that looks something like this:

|- app.js
|- node_modules
|- package.json
|- serverless.yml


Deploy

Once you have the directory set up, you're ready to deploy. Just run serverless deploy from within the directory containing the serverless.yml file. Your first deployment might take a little while, but subsequent deployments take just a few seconds. After deployment is done, you should see your express app's URL. Visit that URL to see your new app live.

Note: If you see an internal server error, it probably means you did not run npm install after serverless create. See above for more info.

For more information on what's going on during deployment, you can pass the --debug flag (serverless deploy --debug), which shows deployment logs in real time.


Configure

The Express component is a zero-configuration component, meaning that it works out of the box with no configuration and sane defaults. That said, there are still a lot of optional configuration settings that you can specify.

Here's a complete reference of the serverless.yml file for the express component:

component: express               # (required) name of the component. In this case, it's express.  You will want to pin this to a specific version in production via semantic versioning, like this: express@1.0.10.  Run 'serverless registry express' to see available versions.
name: express-api                # (required) name of your express component instance.
org: serverlessinc               # (optional) serverless dashboard org. default is the first org you created during signup.
app: myApp                       # (optional) serverless dashboard app. default is the same as the name property.
stage: dev                       # (optional) serverless dashboard stage. default is dev.

inputs:
  src: ./                        # (optional) path to the source folder. default is a hello world app.
  memory: 512                    # (optional) lambda memory size.
  timeout: 10                    # (optional) lambda timeout.
  description: My Express App    # (optional) lambda & api gateway description.
  env:                           # (optional) env vars.
    DEBUG: 'express:*'           #            this express specific env var will print express debug logs.
  roleName: my-custom-role-name  # (optional) custom AWS IAM Role name for setting custom permissions.
  traffic: 0.2                   # (optional) traffic percentage to apply to this deployment.
  layers:                        # (optional) list of lambda layer arns to attach to your lambda function.
    - arn:aws:first:layer
    - arn:aws:second:layer
  domain:     # (optional) if the domain was registered via AWS Route53 on the account you are deploying to, it will automatically be set-up with your Express app's API Gateway, as well as a free AWS ACM SSL Cert.
  vpc:                           # (optional) vpc configuration to apply on the express lambda function
    securityGroupIds:
      - abc
      - xyz
    subnetIds:
      - abc
      - xyz
  region: us-east-2              # (optional) aws region to deploy to. default is us-east-1.

Once you've chosen your configuration, run serverless deploy again (or simply just serverless) to deploy your changes.

Dev Mode

Now that you've got your basic express app up and running, it's time to develop that into a real world application. Instead of having to run serverless deploy every time you make changes you wanna test, run serverless dev, which allows the CLI to watch for changes in your source directory as you develop, and deploy instantly on save.

To enable dev mode, simply run serverless dev from within the directory containing the serverless.yml file.

Dev mode also enables live streaming logs from your express app so that you can see the results of your code changes right away on the CLI as they happen.


Monitor

Anytime you need to know more about your running express instance, you can run serverless info to view the most critical info. This is especially helpful when you want to know the outputs of your instances so that you can reference them in another instance. You will also see a URL where you'll be able to view more info about your instance on the Serverless Dashboard.

It also shows you the status of your instance, when it was last deployed, and how many times it was deployed. To dig even deeper, you can pass the --debug flag to view the state of your component instance in case the deployment failed for any reason.


Remove

If you wanna tear down your entire express infrastructure that was created during deployment, just run serverless remove in the directory containing the serverless.yml file. The express component will then use all the data it needs from the built-in state storage system to delete only the relevant cloud resources that it created.

Just like deployment, you could also specify a --debug flag for realtime logs from the express component running in the cloud.


This is the AWS serverless infrastructure that is created by this Component:

  • AWS HTTP API - The API Gateway which receives all requests and proxies them to AWS Lambda.
  • AWS Lambda - A single AWS Lambda function runs your Express.js application.
  • AWS IAM - An AWS IAM role is automatically created, if you do not provide a custom one.
  • AWS Route53 - If you enter a domain input and the domain already exists on your AWS account, a Route53 hosted zone will be created and integrated into your API Gateway.
  • AWS ACM SSL Certificate - If you enter a domain input and the domain already exists on your AWS account, a free AWS ACM SSL certificate will be created.


Setting Up A Custom Domain & SSL Certificate

The Express Component can easily set up a custom domain and free SSL certificate for you.

First, register your custom domain via Route53 on the AWS Account you are deploying to.

Next, add the domain to the domain input under inputs in serverless.yml, like this:

  src: ./

You can also use a subdomain:

  src: ./

Run serverless deploy.

Keep in mind, it will take AWS CloudFront and AWS Route53 and DNS up to 24 hours to propagate these changes and make your custom domain globally accessible. However, with recent AWS CloudFront speed increases, your domain should be accessible within ~20 minutes.

Setting up domains registered outside of AWS

If your domain is not on AWS Route53, you will have to set this up manually because the component does not have access to your registrar. Here are the general steps involved:

  1. Create an AWS ACM certificate for your domain. Make sure you also set the "Additional Names" field to * to include all subdomains.
  2. After you create the certificate, it should be in a PENDING_VALIDATION status. Now you will need to validate your domain. We suggest you follow the DNS steps by adding the validation CNAME record you see on the AWS console to your domain via your registrar dashboard.
  3. After you add the validation record, it might take a while, but eventually the certificate should change status to ISSUED. Usually it takes around 5 minutes.
  4. Add your domain to the serverless.yml file as shown above and deploy. This step is important as it adds your domain to API Gateway.
  5. Notice the regional URL that is returned as an output. Copy this URL, go back to your registrar and add another CNAME record with your domain or subdomain name and a value of this regional URL. This ensures that your domain points to that cloudfront URL.
  6. After around 20 mins, your SSL certificate and domain should all be working and pointing to your URL. Keep in mind that if you change the name, stage, app or org properties in serverless.yml, this would result in a completely new instance with a new cloudfront URL. This allows you to set up different domains for each stage or instance.

Canary Deployments

At scale, when you want to push changes out to a small set of users, Serverless Express offers easy Canary Deployments out of the box!

This enables you to push out a version of your app (containing code changes you deem risky) which is only served to a percentage of traffic that you specify (0-99%). This allows you to test big changes with little risk.

To perform a canary deployment, first update your code with the potentially risky change.

Next, set a traffic weighting in your serverless.yml inputs:

inputs:
  src: ./
  traffic: 0.5 # 50%

This tells Serverless Express to serve the new (potentially risky) code to 50% of the API requests, and the old (stable) code to the other 50% of requests.

Run serverless deploy. After deployment is complete, 50% of your requests will be randomly handled by the new experimental code.

You can slowly increase the percentage over time; just change the traffic value and re-deploy.

If things aren't working, revert your code to the old code, remove the traffic configuration option, and deploy.

If things are working, keep the new code, remove the traffic configuration option, and deploy.

How To Debug CORS Errors

The Express Component uses AWS HTTP API, which can offer an API with CORS enabled or not enabled based on the headers you set in your code's responses.

For CORS support you do not need to configure it within the HTTP API infrastructure. You have complete control over the CORS behavior of your application by setting traditional CORS headers, like this:

/**
 * Configure Express.js Middleware
 */

// Enable CORS
app.use(function (req, res, next) {
  res.header('Access-Control-Allow-Origin', '*')
  res.header('Access-Control-Allow-Methods', '*')
  res.header('Access-Control-Allow-Headers', '*')
  res.header('x-powered-by', 'serverless-express')
  // Hand the request on to the next middleware or route
  next()
})

If you run into a CORS issue, ensure you are setting up your Express app to return the right headers, like above.

The most common cause of CORS errors is that the app does not catch errors correctly and return a proper HTTP response (with the headers above) for them. It may look like a CORS error, but actually, your code is crashing and the automatic error response from HTTP API does not contain the CORS headers.
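The failure mode described above, as an added example that is not part of the component's README: a route throws, and an error-handling middleware returns the 500 from inside the app so the CORS headers survive. It goes beyond the page's snippet by echoing only allowlisted origins instead of `*`; `ALLOWED_ORIGINS`, `crashingRoute`, the `simulate` helper and the sample origin are assumptions made for illustration.

```javascript
// Constructed allowlist (assumption); replace with your real front-end origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com'])
// CORS middleware: echo the Origin only when it is allowlisted.
function cors(req, res, next) {
  const origin = req.headers.origin
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.header('Access-Control-Allow-Origin', origin)
    res.header('Vary', 'Origin')
    res.header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS')
    res.header('Access-Control-Allow-Headers', 'Content-Type,Authorization')
  }
  if (req.method === 'OPTIONS') return res.status(204).send('')
  next()
}

// Hypothetical route that crashes, standing in for a bug in application code.
function crashingRoute(req, res, next) {
  throw new Error('connect ECONNREFUSED db.internal:5432')
}

// Error-handling middleware (four arguments). The app builds the 500 itself,
// so the headers set by cors() stay on it and no internal detail is returned.
function errorHandler(err, req, res, next) {
  res.status(500).send(JSON.stringify({ error: 'Internal Server Error' }))
}

// Minimal stand-in for Express dispatch so the example runs without installing
// anything: thrown errors and next(err) skip ahead to the four-argument handler.
function simulate(req, stack) {
  const res = {
    statusCode: 200, headers: {}, body: null, sent: false,
    header(k, v) { this.headers[k.toLowerCase()] = v; return this },
    status(code) { this.statusCode = code; return this },
    send(body) { this.body = body; this.sent = true; return this }
  }
  let i = 0
  const next = (err) => {
    while (i < stack.length && !res.sent) {
      const fn = stack[i++]
      if (Boolean(err) !== (fn.length === 4)) continue
      try { return err ? fn(err, req, res, next) : fn(req, res, next) } catch (e) { err = e }
    }
  }
  next()
  return res
}

const demo = simulate({ method: 'GET', headers: { origin: 'https://app.example.com' } }, [cors, crashingRoute, errorHandler])
console.log(demo.statusCode, demo.headers)
```

In a real app the same functions are registered with app.use(cors) before the routes and app.use(errorHandler) after them.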




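Yargs Y18n input validation vulnerability
Yargs Y18n is an I18n-like library written in JavaScript by the individual developer Yargs. y18n versions before 3.2.2, 4.0.1 and 5.0.5 contain an input validation vulnerability, which stems from the network system or product failing to properly validate input data.
CVE-2020-7774 MPS-2020-17543
2022-08-08 19:28
adm-zip path traversal vulnerability
adm-zip is a JavaScript implementation of zip data compression for NodeJS. Affected versions of this package are vulnerable to directory traversal.
2022-08-08 19:28
tar denial-of-service vulnerability
tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS).
2022-08-08 19:28
Npm Ini resource management error vulnerability
Npm Ini is a JavaScript-based library from the US company Npm for parsing and serializing INI-format files. Npm ini before 1.3.6 contains a resource management error vulnerability that allows an attacker to submit a malicious INI file to an application, which will then parse the file with ini. This can be exploited further depending on the context.
CVE-2020-7788 MPS-2020-17544
2022-08-08 19:28
Npm Node-tar link following vulnerability
node-tar is a package for file compression/decompression. Npm Node-tar contains a link following vulnerability, which stems from the product failing to properly validate special characters. An attacker can use this vulnerability to create malicious files in other paths.
CVE-2021-37701 MPS-2021-28486
2022-08-08 19:28
Npm Node-tar link following vulnerability
node-tar is a package for file compression/decompression. Npm Node-tar contains a link following vulnerability, which stems from the product failing to properly validate special characters. An attacker can use this vulnerability to create malicious files in other paths.
CVE-2021-37712 MPS-2021-28488
2022-08-08 19:28
node-tar path traversal vulnerability
node-tar is a package for file compression/decompression. npm node-tar contains a path traversal vulnerability: the npm package "tar" (aka node-tar) before 4.4.18, 5.0.10 and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. An attacker can exploit this vulnerability to access locations outside the restricted directory.
CVE-2021-37713 MPS-2021-28489
2022-08-08 19:28
Moment.js regular expression denial-of-service vulnerability
Moment.js is a JavaScript date library used to parse, validate, manipulate and format dates. When Moment.js processes nested rfc2822 comment content, the regular expression execution time grows exponentially, making the service unavailable. An attacker can exploit this vulnerability to make the target service stop responding or even crash.
CVE-2022-31129 MPS-2022-11159
2022-08-08 19:28
ramda denial-of-service vulnerability
Affected versions of this package are vulnerable to regular expression denial of service (ReDoS) in source/trim.
2022-08-08 19:28
Moment.js path traversal vulnerability
Moment.js is a JavaScript date library used to parse, validate, manipulate and format dates. The npm version of Moment.js does not strictly validate input when handling directory traversal sequences, so a specially crafted HTTP request can read arbitrary files on the system. An attacker can exploit this vulnerability to access sensitive system files.
CVE-2022-24785 MPS-2022-3752
2022-08-08 19:28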