- `ipKeyGenerator` function is now correctly exported in the CommonJS build.
- `Request` and `Response` types are once again correctly referenced in the `.d.ts` files.
- Replaced the `ip` library with `ip-address` due to a vulnerability in `ip`. Note that express-rate-limit did not use the vulnerable code path, but we swapped the library to prevent users from getting vulnerability warnings and reports.
- IPv6 clients are now rate limited per subnet rather than per address, using a /56 subnet by default. For example, `0123:4567:89ab:cd11:1111:1111:1111:1111` and `0123:4567:89ab:cd22:2222:2222:2222:2222` share one counter because both fall in `123:4567:89ab:cd00::/56`. (Per-address limits are easy to sidestep on IPv6, where a single client is typically delegated at least a /64 and can rotate through addresses inside it.)
- `ipv6Subnet` configuration option used by the default `keyGenerator`, defaults to `56`.
- `ipKeyGenerator(ip, ipv6Subnet)` helper method to apply the desired subnet to IPv6 addresses (returns IPv4 unchanged).
- `ipv6Subnet` validation check on the above configuration option's value (allowed range is 32-64).
- `ipv6SubnetOrKeyGenerator` validation check to warn of an incompatible combination of `ipv6Subnet` and `keyGenerator` settings.
- `keyGeneratorIpFallback` validation check on custom `keyGenerator`s to ensure they're using `ipKeyGenerator` if they reference `req.ip` or `request.ip`.
- Narrowed the type of `standardHeaders` from `string` to just the supported values via a TypeScript `const` assertion (#506).
- Added the `RateLimit` header according to the eighth draft of the IETF RateLimit header specification. Enable by setting `standardHeaders: 'draft-8'`.
- Added the `identifier` option, used as the name for the quota policy in the draft-8 headers.
- Added the `headersDraftVersion` validation check to identify cases where an unsupported version string is passed to the `standardHeaders` option.
- Fixed `passOnStoreError` handling to return after calling `next()` rather than continuing execution.
- Added the `passOnStoreError` option to allow a way to "fail open" in the event of a backend error.
- Skip the `creationStack` validation check when a store with `localKeys` set to `false` is used.
- `creationStack` check.
- `unsharedStore` validation check that identifies cases where a single store instance is shared across multiple limiters.
- `creationStack` validation check that looks for instances created in a request handler.
- Fixed async `requestWasSuccessful` methods to work as documented.
- `getKey` method is now always defined. If the store does not have the required `get` method, `getKey` will throw an error explaining this.
- Added `cluster-memory-store` to the readme and made a couple of other minor clarifications.
- Added `rate-limit-postgresql` to the stores list in the readme.
- Changed the behaviour when `max` is set to `0`: previously, `max: 0` was treated as a 'disable' flag and would allow all requests through. Starting with this release, every request is blocked when the limit is `0`.
- Renamed `req.rateLimit.current` to `req.rateLimit.used`. `current` is now a hidden getter that will return the `used` value, but it will not appear when iterating over the keys or calling `JSON.stringify()`.
- `express-rate-limit` now targets `es2022` in TypeScript/ESBuild.
- Updated `dts-bundle-generator` from v7 to v8.
- Removed the `draft_polli_ratelimit_headers` option (it was deprecated in v6). Use `standardHeaders: 'draft-6'` instead.
- Removed the `onLimitReached` option (it was deprecated in v6). Use a custom `handler` option instead.
- The `MemoryStore` now uses precise, per-user reset times rather than a global window that resets all users at once.
- The `limit` configuration option is now preferred to `max`. `max` is still supported. The change was made to better align with terminology used in the IETF standard drafts.
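An added example, not express-rate-limit's source, of the control flow several entries above describe: a minimal limiter core that prefers `limit` over `max`, fails open only when `passOnStoreError` is set and returns immediately after `next()` (the bug fixed above was continuing past that call), blocks every request when the limit is `0`, and exposes `req.rateLimit.used` with `current` as a non-enumerable alias. The stub stores and fake response are constructed for the example; `createLimiter`, `makeRateLimitInfo`, `run` and `demo` are this example's names.

```javascript
// Build the req.rateLimit object. `current` survives as a hidden alias of `used`:
// readable, but non-enumerable, so Object.keys() and JSON.stringify() omit it.
function makeRateLimitInfo(limit, used, resetTime) {
  const info = { limit, used, remaining: Math.max(limit - used, 0), resetTime };
  Object.defineProperty(info, 'current', { get: () => info.used, enumerable: false });
  return info;
}

// A limiter in the shape of the middleware; the store must expose
// increment(key) -> { totalHits, resetTime } (promise or value).
function createLimiter(options) {
  const limit = options.limit ?? options.max; // `limit` preferred, `max` still honoured
  if (!Number.isInteger(limit) || limit < 0) throw new TypeError('limit must be a non-negative integer');
  const { store, passOnStoreError = false, keyGenerator = (req) => req.ip } = options;

  return async function rateLimit(req, res, next) {
    const key = await keyGenerator(req, res); // keyGenerator may be async
    let hit;
    try {
      hit = await store.increment(key);
    } catch (error) {
      if (passOnStoreError) {
        next(); // fail open: the request proceeds with no limit decision...
        return; // ...and nothing below runs; without this return the headers and block logic would still execute
      }
      next(error); // fail closed: hand the store error to the error-handling middleware
      return;
    }
    req.rateLimit = makeRateLimitInfo(limit, hit.totalHits, hit.resetTime);
    // Block once hits exceed the limit. With limit 0 the very first hit (1 > 0) is blocked,
    // so max: 0 means "block everything", not "disabled".
    if (hit.totalHits > limit) {
      res.statusCode = 429;
      res.end('Too many requests');
      return;
    }
    next();
  };
}

// Constructed stand-ins for a Store and an Express response.
function countingStore(windowMs = 60_000) {
  const hits = new Map();
  return {
    async increment(key) {
      const totalHits = (hits.get(key) ?? 0) + 1;
      hits.set(key, totalHits);
      return { totalHits, resetTime: new Date(Date.now() + windowMs) };
    },
  };
}
function failingStore() {
  return { async increment() { throw new Error('redis unreachable'); } };
}
function fakeResponse() {
  return { statusCode: 200, body: undefined, end(body) { this.body = body; } };
}

// Run one request through a limiter and report what it did.
async function run(limiter, req) {
  const res = fakeResponse();
  const nextCalls = [];
  await limiter(req, res, (err) => nextCalls.push(err ?? null));
  return { res, nextCalls, info: req.rateLimit };
}

async function demo() {
  const req = () => ({ ip: '203.0.113.7' }); // constructed request
  const open = await run(createLimiter({ limit: 5, store: failingStore(), passOnStoreError: true }), req());
  const closed = await run(createLimiter({ limit: 5, store: failingStore() }), req());
  const zero = await run(createLimiter({ max: 0, store: countingStore() }), req());
  const ok = await run(createLimiter({ limit: 2, store: countingStore() }), req());
  return { open, closed, zero, ok };
}

module.exports = { makeRateLimitInfo, createLimiter, countingStore, failingStore, run, demo };
```

Failing open is a deliberate availability-over-enforcement trade: while the store is down an attacker is unthrottled, so pair `passOnStoreError: true` with an alert on store errors rather than treating it as a silent default.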
- The `validate` config option can now be an object with keys to enable or disable specific validation checks (see the `validate` option's documentation for the list of check names).
- Added the `IncrementResponse` TypeScript type (see #397).
- Added the `RateLimit` header from the RateLimit header fields for HTTP standardization draft adopted by the IETF. Enable by setting `standardHeaders: 'draft-7'`.
- Added the `standardHeaders: 'draft-6'` option, treated as equivalent to `standardHeaders: true` from previous releases. Note that `true` and `false` are still supported.
- `RateLimit-Policy` header added when `standardHeaders` is set to `'draft-6'`, `'draft-7'`, or `true`.
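An added example (not the project's own header code) showing the header sets for each `standardHeaders` value on this page: draft-6 (also what `true` means), draft-7, and draft-8 with the `identifier` naming the quota policy, as well as the legacy `X-RateLimit-*` set, the rejection of unknown version strings that the `headersDraftVersion` check performs, and the `Retry-After` rule from the v6 entries further down. The exact field layouts are my reading of the IETF drafts and should be checked against the draft text before depending on byte-exact output; `buildRateLimitHeaders`, `resolveDraft` and their argument names are this example's.

```javascript
const SUPPORTED_DRAFTS = ['draft-6', 'draft-7', 'draft-8'];

// Map the option to a draft name. `true` stays an alias for draft-6; unknown strings
// are rejected instead of silently producing no headers.
function resolveDraft(standardHeaders) {
  if (standardHeaders === true) return 'draft-6';
  if (standardHeaders === false || standardHeaders === undefined) return undefined;
  if (!SUPPORTED_DRAFTS.includes(standardHeaders)) {
    throw new Error(
      `unsupported standardHeaders value "${standardHeaders}"; use true, false or one of ${SUPPORTED_DRAFTS.join(', ')}`,
    );
  }
  return standardHeaders;
}

// Build the response headers for one request. `resetTime` and `now` are epoch milliseconds.
function buildRateLimitHeaders({
  standardHeaders,
  legacyHeaders = false,
  limit,
  used,
  windowMs,
  resetTime,
  identifier = 'default', // example's default; the page does not state the library's
  now = Date.now(),
}) {
  const remaining = Math.max(limit - used, 0);
  const resetSeconds = Math.max(Math.ceil((resetTime - now) / 1000), 0); // relative seconds, per the drafts
  const windowSeconds = Math.ceil(windowMs / 1000);
  const headers = {};

  if (legacyHeaders) {
    headers['X-RateLimit-Limit'] = String(limit);
    headers['X-RateLimit-Remaining'] = String(remaining);
    headers['X-RateLimit-Reset'] = String(Math.ceil(resetTime / 1000)); // legacy form: absolute unix seconds
  }

  const draft = resolveDraft(standardHeaders);
  if (draft === 'draft-6') {
    headers['RateLimit-Limit'] = String(limit);
    headers['RateLimit-Remaining'] = String(remaining);
    headers['RateLimit-Reset'] = String(resetSeconds);
    headers['RateLimit-Policy'] = `${limit};w=${windowSeconds}`;
  } else if (draft === 'draft-7') {
    // Draft 7 folds the three values into one structured-field header.
    headers['RateLimit'] = `limit=${limit}, remaining=${remaining}, reset=${resetSeconds}`;
    headers['RateLimit-Policy'] = `${limit};w=${windowSeconds}`;
  } else if (draft === 'draft-8') {
    // Draft 8 names the quota policy; `identifier` is that name and ties the two headers together.
    headers['RateLimit'] = `"${identifier}";r=${remaining};t=${resetSeconds}`;
    headers['RateLimit-Policy'] = `"${identifier}";q=${limit};w=${windowSeconds}`;
  }

  // Retry-After goes out on a blocked request whenever either header family is enabled.
  if (used > limit && (legacyHeaders || draft)) headers['Retry-After'] = String(resetSeconds);
  return headers;
}

module.exports = { SUPPORTED_DRAFTS, resolveDraft, buildRateLimitHeaders };
```

Pick one draft and stick to it: emitting both the legacy and a standard set doubles the information leaked about your quota to an unauthenticated caller, and clients only need one.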
- Removed the `draft_polli_ratelimit_headers` option.
- Removed the `onLimitReached` option.
- Added a validation check for when the `totalHits` value returned from the Store is invalid.
- Added validation checks; they can be turned off by setting `validate: false` in the configuration. Validation automatically disables itself after the first request (see #358).
- Support for the `node16` module resolution strategy (see #355).
- Added `node` 20 to the list of versions the CI jobs run on.
- Moved the project to the `express-rate-limit` organization on GitHub.
- Updated `readme.md` for project sponsor Zuplo.
- Updated to `typescript` version 5 and bumped other dependencies.
- Dropped `node` 12, and added `node` 19 to the list of versions the CI jobs run on.
- Added a `shutdown` method to the Store interface and the MemoryStore.
- Added Express 5 (`5.0.0-beta.1`) as a supported peer dependency (#304).
- Handling of the case where `undefined` is passed to the rate limiter.
- Exported `MemoryStore`, so it can now be imported as a named import (`import { MemoryStore } from 'express-rate-limit'`).
- Deprecated the `onLimitReached` option (this was supposed to be deprecated in v6.0.0 itself); developers should use a custom handler function that checks if the rate limit has been exceeded instead.
- Exported `rateLimit` as a named export, in case the default import does not work.
- Added a `default` export, so TypeScript CommonJS developers can default-import the library (`import rateLimit from 'express-rate-limit'`).
- This removes the need for the `esModuleInterop` flag in their TypeScript compiler configuration.
- `.tgz` added to GitHub releases.
- Added `main` and `module` fields to `package.json`. This helps tools such as ESLint that do not yet support the `exports` field.
- Updated `package-lock.json` to match `package.json`.
- Raised the minimum Node.js version in `package.json`, because the transpiled output uses the nullish coalescing operator (`??`), which isn't supported in Node.js prior to 14.x.
- Tests for the `js-cjs`, `js-esm`, `ts-cjs` and `ts-esm` environments.
- Tests against the external stores (`redis`, `mongo`, `memcached`, `precise`).
- Use `esbuild` to generate ESM and CJS output. This reduces the size of the built package from 138 kb to 13 kb and the build time to 4 ms! :rocket:
- Use `dts-bundle-generator` to generate a single TypeScript declaration file.
- Added `express` 4.x as a peer dependency.
- Published the package (`.tgz` file) on GitHub releases as well as the npm registry.
- Renamed the `draft_polli_ratelimit_headers` option to `standardHeaders`.
- Renamed the `headers` option to `legacyHeaders`.
- The `Retry-After` header is now sent if either `legacyHeaders` or `standardHeaders` is set.
- Allow `keyGenerator` to be an async function/return a promise.
- Added an `init` method for stores to set themselves up using options passed to the middleware.
- Renamed the `incr` method to `increment`.
- Allow the `increment`, `decrement`, `resetKey` and `resetAll` methods to return a promise.
- The `onLimitReached` configuration option is now deprecated. Replace it with a custom `handler` that checks the number of hits.
- Removed the `limiter.resetIp` method (use the `limiter.resetKey` method instead).
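An added example, not the library's `MemoryStore`, of a store written against the Store interface described in the v6 and v7 entries: `init(options)` receives the middleware options, `increment`/`decrement`/`resetKey`/`resetAll` return promises, `get` backs a `getKey` that throws when a store lacks it, `shutdown` releases the sweep timer, and each key keeps its own reset time instead of one global window that resets everyone at once. `PreciseMemoryStore`, `demo` and the injectable `clock` are this example's; `localKeys` is the store property the `creationStack` entry above refers to.

```javascript
// In-process store with a precise, per-key window. `clock` is injectable so the
// expiry logic can be exercised without waiting (an assumption of this example).
class PreciseMemoryStore {
  constructor({ clock = Date.now } = {}) {
    this.localKeys = true; // counters live in this process, so creating a new store per request would leak them
    this.clock = clock;
    this.hits = new Map(); // key -> { totalHits, resetTime (epoch ms) }
    this.windowMs = undefined;
    this.sweeper = undefined;
  }

  // Called by the middleware with its options before the first request.
  init(options) {
    this.windowMs = options.windowMs;
    // Evict expired entries periodically so an idle server does not retain every key it ever saw.
    this.sweeper = setInterval(() => this.sweep(), this.windowMs);
    if (typeof this.sweeper.unref === 'function') this.sweeper.unref(); // never keep the process alive
  }

  sweep() {
    const now = this.clock();
    for (const [key, entry] of this.hits) if (entry.resetTime <= now) this.hits.delete(key);
  }

  // An entry whose own window has elapsed is treated as absent.
  live(key) {
    const entry = this.hits.get(key);
    return entry && entry.resetTime > this.clock() ? entry : undefined;
  }

  async get(key) {
    const entry = this.live(key);
    return entry ? { totalHits: entry.totalHits, resetTime: new Date(entry.resetTime) } : undefined;
  }

  async increment(key) {
    let entry = this.live(key);
    if (!entry) {
      // First hit, or first after expiry: this key's window starts now, independent of other keys.
      entry = { totalHits: 0, resetTime: this.clock() + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.totalHits += 1;
    return { totalHits: entry.totalHits, resetTime: new Date(entry.resetTime) };
  }

  async decrement(key) {
    const entry = this.live(key);
    if (entry && entry.totalHits > 0) entry.totalHits -= 1;
  }

  async resetKey(key) { this.hits.delete(key); }
  async resetAll() { this.hits.clear(); }

  shutdown() {
    clearInterval(this.sweeper);
    this.sweeper = undefined;
  }
}

// The changelog's getKey rule: works with any store, but fails loudly when `get` is missing.
async function getKey(store, key) {
  if (typeof store.get !== 'function') {
    throw new Error('store does not implement get(), which getKey requires');
  }
  return store.get(key);
}

async function demo() {
  let now = 1_700_000_000_000; // constructed fixed clock
  const store = new PreciseMemoryStore({ clock: () => now });
  store.init({ windowMs: 60_000 });
  try {
    await store.increment('a'); // a's window: [t0, t0 + 60 s)
    now += 30_000;
    await store.increment('b'); // b's window: [t0 + 30 s, t0 + 90 s)
    await store.increment('a');
    now += 31_000;              // t0 + 61 s: a has expired, b is still live
    const a = await store.increment('a');
    const b = await store.increment('b');
    const missing = await getKey(store, 'never-seen');
    let noGetError;
    try { await getKey({ async increment() {} }, 'x'); } catch (e) { noGetError = e.message; }
    return { a: a.totalHits, b: b.totalHits, aReset: a.resetTime.getTime(), bReset: b.resetTime.getTime(), missing, noGetError };
  } finally {
    store.shutdown();
  }
}

module.exports = { PreciseMemoryStore, getKey, demo };
```

Per-key windows matter for enforcement: with one global window an attacker who learns the reset moment gets a free burst across every key at once, and a client that starts late gets a truncated allowance.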
- Removed the `delayMs` and `delayAfter` options (the delay functionality was moved to the express-slow-down package) and the `global` option (use a key generator that returns a constant value).
- Handling of the case where `request.ip` is undefined.
- Simplified the default `handler` function so that it no longer changes the response format. The default handler also uses `response.send`.
- `onLimitReached` now only triggers once for a client and window. However, the `handle` method is called for every blocked request.
- Removed the `delayAfter` and `delayMs` options; they were moved to the express-slow-down package.
- Added the `limiter.resetKey()` method to reset the hit counter for a particular client.
- Removed the `global` option.