http-server
A simple zero-configuration command-line http server
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): html-encoding-sniffer is a reputable WHATWG/jsdom ecosystem package with a clear, benign purpose consistent with http-server's HTML-serving functionality. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a well-known, long-standing npm package; its use in http-server for proxy functionality is expected and stable across versions. | ai | |
| phantom-deps | phantom-dep:colors | AI (phantom-deps): colors is declared as a dependency and used indirectly via other deps; this phantom pattern is consistent with http-server's architecture and stable across versions. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is a declared runtime dependency used in this CLI tool; phantom detection is a false positive due to import pattern analysis limitations. | ai | |
| phantom-deps | phantom-dep:portfinder | AI (phantom-deps): portfinder is a declared runtime dependency for port discovery; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:opener | AI (phantom-deps): opener is a declared runtime dependency used to open URLs from the CLI; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:minimist | AI (phantom-deps): minimist is a declared runtime dependency for CLI argument parsing; phantom detection is a false positive. | ai |
Versions (showing 49 of 49)
| Version | Deps | Published |
|---|---|---|
| 14.1.1 | 13 / 6 | |
| 14.1.0 | 13 / 6 | |
| 14.0.0 | 13 / 6 | |
| 13.1.0 | 12 / 6 | |
| 13.0.2 | 12 / 6 | |
| 13.0.1 | 12 / 6 | |
| 13.0.0 | 12 / 6 | |
| 0.13.0 | 12 / 6 | |
| 0.12.3 | 10 / 3 | |
| 0.12.2 | 10 / 3 | |
| 0.12.1 | 10 / 3 | |
| 0.12.0 | 10 / 3 | |
| 0.11.2 | 8 / 3 | |
| 0.11.1 | 8 / 3 | |
| 0.11.0 | 8 / 3 | |
| 0.10.0 | 8 / 3 | |
| 0.9.0 | 8 / 3 | |
| 0.8.5 | 8 / 3 | |
| 0.8.4 | 8 / 3 | |
| 0.8.3 | 8 / 3 | |
| 0.8.2 | 8 / 3 | |
| 0.8.1 | 8 / 3 | |
| 0.8.0 | 8 / 3 | |
| 0.7.5 | 6 / 3 | |
| 0.7.4 | 6 / 3 | |
| 0.7.3 | 6 / 2 | |
| 0.7.2 | 6 / 2 | |
| 0.7.1 | 6 / 2 | |
| 0.7.0 | 6 / 2 | |
| 0.6.1 | 6 / 2 | |
| 0.6.0 | 6 / 2 | |
| 0.5.5 | 5 / 2 | |
| 0.5.3 | 5 / 2 | |
| 0.5.2 | 5 / 2 | |
| 0.5.1 | 4 / 2 | |
| 0.5.0 | 4 / 2 | |
| 0.4.1 | 6 / 2 | |
| 0.4.0 | 6 / 2 | |
| 0.3.0 | 3 / 2 | |
| 0.2.9 | 3 / 0 | |
| 0.2.6 | 3 / 0 | |
| 0.2.5 | 2 / 0 | |
| 0.2.4 | 2 / 0 | |
| 0.2.3 | 2 / 0 | |
| 0.2.2 | 2 / 0 | |
| 0.2.1 | 2 / 0 | |
| 0.1.3 | 0 / 0 | |
| 0.1.1 | 0 / 0 | |
| 0.1.0 | 0 / 0 |
v14.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.