
http-server · Overnight Audit

This is a public sample report. Forgehaven Labs ran the Overnight Audit process against http-party/http-server, a widely used MIT-licensed OSS project, to show exactly what a paying customer receives. Nothing here is private, nothing is filed against the maintainers, and every finding is reproducible from the commands in Section 7. http-server is a mature, well-run project; a real customer report on a young private repo is usually longer.

Prepared for: Public sample (http-party/http-server maintainers, unsolicited)

Prepared by: Forgehaven Labs LLC · forgehavenlabs.com/audit

Date: 2026-07-01 · Turnaround: sample (process normally completes in under 24 h)

Tier: Repo Audit ($149)

Scope: github.com/http-party/http-server @ 0d3b7bb (default branch, 2026-03-13)

1. The verdict (read this first)

Overall grade: B · A mature, genuinely well-tested static file server (532 assertions pass on a fresh clone). The issues are not crashes or exploits in the happy path; they are two developer-facing footguns in the programmatic API and a supply-chain layer that has drifted out of date. None of them should scare a CLI user; two of them will surprise anyone who embeds http-server as a library or serves a directory that contains secrets.

If you fix only one thing: run npm audit fix to clear the production dependency CVEs (Section 3, P2-1), then read P1-1 if you ever pass options to createServer() from code.

2. Scorecard

Area                           Grade  One-line summary
Security                       B      No injection or path-traversal in the served path; the risks are dotfile exposure and stale transitive CVEs
Correctness & error handling   B-     showDir/autoIndex mis-handle a real boolean false in the library API (proven live)
Dependencies & supply chain    C      4 CVEs in production deps, 51 total incl. dev; two core deps effectively unmaintained
Build, test & CI               A-     Fresh clone builds; 532 assertions / 42 suites pass; SECURITY.md + CI present
Code health & maintainability  B+     Small, readable, CRLF-injection guard already in place
Docs & onboarding              A      README is thorough; every flag documented

Verification statement: every grade is backed by commands we actually ran on a fresh clone at 0d3b7bb. Section 7 lists them.

3. Findings

Severity: P0 fix before you ship · P1 fix this month · P2 fix when nearby · P3 note.

P1-1 · showDir: false (a real boolean) does not disable directory listing in the library API

P1-2 · Dotfiles are directly served even though directory listings hide them

P2-1 · Production dependencies carry 4 known CVEs; 51 advisories across the full tree

P2-2 · Two core dependencies are effectively unmaintained

P3-1 · main carries an unreleased version bump
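
The two P1 findings share one root: an option that reaches the server as a string from the CLI but as a real boolean from library callers, and a dotfile policy enforced only in the listing. The following is an added illustration, not code from http-server: an assumed string-only check of the kind P1-1 describes, beside a normalizer that accepts both representations, plus a dotfile-deny predicate of the kind the P1-2 policy decision would need. The function names, the assumed buggy check and the sample paths are constructed for this example.

```javascript
// Added example, not code from http-server. showDir/autoIndex arrive as
// strings from the CLI ("false") but as real booleans from library callers;
// a check written only for the string form is the kind of footgun P1-1
// describes. The buggy check below is an assumed illustration, not the
// project's actual implementation.

// Assumed buggy pattern: anything other than the string "false" counts as
// enabled, so { showDir: false } still produces a directory listing.
function showDirEnabledBuggy(opts) {
  return opts.showDir !== 'false';
}

// Hardened normalizer: accepts booleans and the CLI's string spellings,
// defaults to enabled, and rejects anything it cannot interpret.
function parseFlag(value, defaultValue) {
  if (value === undefined || value === null) return defaultValue;
  if (typeof value === 'boolean') return value;
  if (typeof value === 'string') {
    const v = value.trim().toLowerCase();
    if (v === 'true' || v === '1' || v === 'yes') return true;
    if (v === 'false' || v === '0' || v === 'no') return false;
  }
  throw new TypeError(`flag must be a boolean or "true"/"false", got ${JSON.stringify(value)}`);
}

function showDirEnabled(opts) {
  return parseFlag(opts.showDir, true);
}

// P1-2: hiding dotfiles in the listing is not the same as refusing to serve
// them. This predicate denies any request whose path has a segment starting
// with ".", decoding percent-encoding first so "%2Eenv" is caught too.
// Undecodable paths are treated as denied; "." and ".." are directory refs, not dotfiles.
function isDotfilePath(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return true;
  }
  return decoded
    .split('/')
    .some((seg) => seg.startsWith('.') && seg !== '.' && seg !== '..');
}

// Constructed sample option objects showing where the two checks disagree.
for (const opts of [{ showDir: false }, { showDir: 'false' }, {}]) {
  console.log(JSON.stringify(opts), 'buggy:', showDirEnabledBuggy(opts), 'fixed:', showDirEnabled(opts));
}
```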

5. The fix plan (next 30 days)

Session 1 (30 min): npm audit fix (P2-1); bump minimatch; re-run tests.
Session 2 (1 h): Fix the showDir/autoIndex boolean handling (P1-1) with tests; decide dotfile-deny policy (P1-2) and either implement or add the README warning.
Later / opportunistic: Plan the http-proxy/union migration (P2-2); cut a release to align npm with main (P3-1).
Explicitly fine to ignore: Nothing here blocks day-to-day CLI use.

6. Quick wins (under 30 minutes each)

7. What we checked (methodology & reproducibility)

Fleet + human: an automated agent fleet ran the passes below on a fresh clone of 0d3b7bb; a human engineer reviewed and reproduced every finding. Nothing here is an unread scanner dump.

Pass                 Key commands (all run on a fresh clone)
Fresh-clone build    npm install (48 prod packages, then full tree)
Test suite           npm test (532 assertions pass, 42/42 suites, 0 fail)
Dependency scan      npm audit --package-lock-only and --omit=dev
Dep maintenance      npm view <pkg> version time.modified
Library-API review   node -e harness constructing HttpServer with boolean vs string options
Dotfile behavior     live server on a temp dir; curl /.env
Code review          targeted read of lib/http-server.js, lib/core/index.js, lib/core/show-dir/

Limits (honest): we did not run a full penetration test or load test, and we did not audit the http-proxy reverse-proxy path against a live upstream. Findings are from static review, the test suite, dependency data, and the runtime probes shown above.

Forgehaven Labs LLC · Overnight Audit · fixed price, 24-hour turnaround.
Want this run against your repo? forgehavenlabs.com/audit