8.2.1
Fixed
- Don’t log ERR_ERL_UNKNOWN_OPTION when used with express-rate-limit
8.2.0
Added
- New `knownOptions` validation check, intended to catch typos in configuration, such as `windowMS` instead of `windowMs`.
8.1.0
Fixed
- `RateLimit-Reset` is now always set when `standardHeaders` is set to `'draft-6'` and the store supports it.
Added
- New `windowMs` validation check that ensures it’s in the valid range when using the built-in Memory store.
- New `forwardedHeader` validation check to warn when the `Forwarded` header is present but ignored.
8.0.1
Fixed
- `ipKeyGenerator` function is now correctly exported in CommonJS build
- express’s `Request` and `Response` types are once again correctly referenced in .d.ts files
Changed
- Replaced `ip` library with `ip-address` due to a vulnerability in `ip`. Note that express-rate-limit did not use the vulnerable code path, but we swapped the library to prevent users from getting vulnerability warnings and reports.
8.0.0
Breaking
- IPv6 addresses are now masked with a /56 subnet by default. For example, the following two IP addresses will now be considered to be the same user and grouped together for rate-limiting:
  - `0123:4567:89ab:cd11:1111:1111:1111:1111`
  - `0123:4567:89ab:cd22:2222:2222:2222:2222`
  - (masked to `123:4567:89ab:cd00::/56`)
Fixed
- Fixed a vulnerability where IPv6 users could bypass rate limiting by iterating through multiple IP addresses in their ISP-assigned subnet.
Added
- `ipv6Subnet` configuration option used by the default `keyGenerator`, defaults to `56`
- `ipKeyGenerator(ip, ipv6Subnet)` helper method to apply the desired subnet to IPv6 addresses (returns IPv4 unchanged)
- `ipv6Subnet` validation check on above configuration option’s value (allowed range is 32-64)
- `ipv6SubnetOrKeyGenerator` validation check to warn of an incompatible combination of `ipv6Subnet` and `keyGenerator` settings.
- `keyGeneratorIpFallback` validation check on custom `keyGenerator`s to ensure they’re using `ipKeyGenerator` if they reference `req.ip` or `request.ip`
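The masking behaviour described for 8.0.0, as an added illustration that is not express-rate-limit's own code: `parseIPv6`, `maskIPv6`, `formatIPv6` and `ipKeyGeneratorExample` are names chosen here, and the block assumes plain IPv6 literals (IPv4-mapped forms such as `::ffff:1.2.3.4` are treated as non-IPv6 and passed through). It reproduces the two addresses above collapsing to one `/56` key and enforces the 32-64 range from the `ipv6Subnet` check.

```javascript
// Added illustration, not express-rate-limit's own code: mask IPv6 addresses
// to an ISP-sized prefix (/56 by default, as in v8) so a client cannot get a
// fresh rate-limit bucket by hopping between addresses of its own subnet.

// Expand an IPv6 literal into eight 16-bit groups; null if it is not IPv6.
function parseIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;                 // at most one '::'
  const left = halves[0] ? halves[0].split(':') : [];
  const right = halves[1] ? halves[1].split(':') : [];
  const missing = halves.length === 2 ? 8 - left.length - right.length : 0;
  if (missing < 0 || left.length + right.length + missing !== 8) return null;
  const groups = [...left, ...Array(missing).fill('0'), ...right];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Zero every bit after the first `prefix` bits.
function maskIPv6(groups, prefix) {
  return groups.map((g, i) => {
    const keep = Math.min(16, Math.max(0, prefix - 16 * i)); // bits kept here
    return keep === 0 ? 0 : g & ((0xffff << (16 - keep)) & 0xffff);
  });
}

// Render groups in RFC 5952 style: lowercase hex, no leading zeros, and the
// longest run of two or more zero groups collapsed to '::'.
function formatIPv6(groups) {
  let best = { start: -1, len: 0 };
  for (let i = 0; i < 8; i++) {
    if (groups[i] !== 0) continue;
    let j = i;
    while (j < 8 && groups[j] === 0) j++;
    if (j - i > best.len) best = { start: i, len: j - i };
    i = j;
  }
  const hex = groups.map((g) => g.toString(16));
  if (best.len < 2) return hex.join(':');
  return `${hex.slice(0, best.start).join(':')}::${hex.slice(best.start + best.len).join(':')}`;
}

// Same contract as the page's ipKeyGenerator(ip, ipv6Subnet): IPv6 is masked
// and suffixed with the prefix length, anything else is returned unchanged.
function ipKeyGeneratorExample(ip, ipv6Subnet = 56) {
  if (!Number.isInteger(ipv6Subnet) || ipv6Subnet < 32 || ipv6Subnet > 64) {
    throw new RangeError('ipv6Subnet must be an integer between 32 and 64');
  }
  const groups = parseIPv6(ip);
  if (groups === null) return ip;                     // IPv4 passes through
  return `${formatIPv6(maskIPv6(groups, ipv6Subnet))}/${ipv6Subnet}`;
}
```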
7.5.1
Changed
- Narrowed type of `standardHeaders` from `string` to just the supported values via a TypeScript `const` assertion (#506)
7.5.0
Added
- Implemented the combined `RateLimit` header according to the eighth draft of the IETF RateLimit header specification. Enable by setting `standardHeaders: 'draft-8'`.
- Added a new `identifier` option, used as the name for the quota policy in the `draft-8` headers.
- Added a new `headersDraftVersion` validation check that identifies cases where an unsupported version string is passed to the `standardHeaders` option.
7.4.1
Fixed
- Made the `passOnStoreError` return after calling `next()` rather than continuing execution.
7.4.0
Added
- Added `passOnStoreError` option to allow a way to “fail open” in the event of a backend error.
7.3.1
Fixed
- Changed error displayed for the `creationStack` validation check when a store with `localKeys` set to false is used.
- Improved documentation for the `creationStack` check.
7.3.0
Added
- Added a new `unsharedStore` validation check that identifies cases where a single store instance is shared across multiple limiters.
7.2.0
Added
- Added a new `creationStack` validation check that looks for instances created in a request handler.
7.1.5
Fixed
- Enable async `requestWasSuccessful` methods to work as documented.
7.1.4
Fixed
- Ensure header values are strings rather than numbers, for compatibility with Bun.
7.1.3
Changed
- Loosened peer dependencies to explicitly allow the Express 5 beta. (See #415)
7.1.2
Changed
- Re-organized documentation from readme into docs/ folder and added documentation website.
7.1.1
Added
- Enabled provenance statement generation, see https://github.com/express-rate-limit/express-rate-limit#406.
7.1.0
Changed
- The `getKey` method is now always defined. If the store does not have the required `get` method, `getKey` will throw an error explaining this.
7.0.2
Added
- Added `cluster-memory-store` to the readme and made a couple of other minor clarifications.
7.0.1
Added
- Added `rate-limit-postgresql` to the `stores` list in the readme.
7.0.0
Breaking
- Changed behavior when `max` is set to 0:
  - Previously, `max: 0` was treated as a ‘disable’ flag and would allow all requests through.
  - Starting with v7, all requests will be blocked when max is set to 0.
  - To replicate the old behavior, use the skip function instead.
- Renamed `req.rateLimit.current` to `req.rateLimit.used`. `current` is now a hidden getter that will return the `used` value, but it will not appear when iterating over the keys or calling `JSON.stringify()`.
- Changed the minimum required Node version from v14 to v16.
- `express-rate-limit` now targets `es2022` in TypeScript/ESBuild.
- Bumped TypeScript from v4 to v5 and `dts-bundle-generator` from v7 to v8.
Deprecated
- Removed the `draft_polli_ratelimit_headers` option (it was deprecated in v6).
  - Use `standardHeaders: 'draft-6'` instead.
- Removed the `onLimitReached` option (it was deprecated in v6).
  - This is an example of how to replicate its behavior with a custom `handler` option.
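An added illustration of that replacement, not express-rate-limit's own code: `createHandler` wraps a custom `handler` so a callback fires only on the first blocked request of a window, which is what `onLimitReached` used to do. It assumes the v7 API described in this changelog (`handler(request, response, next, options)`, `request.rateLimit.used` and `.limit`, `options.statusCode` and a string `options.message`); `fakeResponse` and `simulate` are constructed stand-ins so the block runs without Express.

```javascript
// Added illustration (not express-rate-limit's own code) of replacing the
// removed `onLimitReached` option with a custom `handler`. Assumed v7 API:
// the library calls `handler(request, response, next, options)` for every
// blocked request; `request.rateLimit.used` / `.limit` carry the hit count
// and the limit; `options.statusCode` / `options.message` hold the configured
// rejection response (a string `message` is assumed here).
function createHandler(onLimitReached) {
  return (request, response, next, options) => {
    const { used, limit } = request.rateLimit;
    // The first blocked request is the one whose count has just passed the
    // limit, so firing here reproduces "once per client per window".
    if (used === limit + 1) onLimitReached(request, response, options);
    response.status(options.statusCode).send(options.message);
  };
}

// Constructed stand-in for Express's response object: records what was sent.
function fakeResponse() {
  const res = { statusCode: 0, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Simulate one client sending `total` requests in a window with `limit`
// allowed; returns how often the callback fired and how many were rejected.
function simulate(limit, total) {
  let reached = 0;
  let blocked = 0;
  const handler = createHandler(() => { reached += 1; });
  const options = { statusCode: 429, message: 'Too many requests' };
  for (let used = 1; used <= total; used++) {
    if (used <= limit) continue;              // only over-limit hits reach handler
    const request = { ip: '203.0.113.7', rateLimit: { limit, used, remaining: 0 } };
    const response = fakeResponse();
    handler(request, response, () => {}, options);
    if (response.statusCode === 429) blocked += 1;
  }
  return { reached, blocked };
}
```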
Changed
- The `MemoryStore` now uses precise, per-user reset times rather than a global window that resets all users at once.
- The `limit` configuration option is now preferred to `max`.
  - It still shows the same behavior, and `max` is still supported. The change was made to better align with terminology used in the IETF standard drafts.
Added
- The `validate` config option can now be an object with keys to enable or disable specific validation checks. For more information, see this.
6.11.2
Fixed
- Restored `IncrementResponse` TypeScript type (See #397)
6.11.1
Fixed
- Check for prefixed keys when validating that the stores have single counted keys (See #395).
6.11.0
Added
- Support for retrieving the current hit count and reset time for a given key from a store (See #390).
6.10.0
Added
- Support for combined `RateLimit` header from the RateLimit header fields for HTTP standardization draft adopted by the IETF. Enable by setting `standardHeaders: 'draft-7'`.
- New `standardHeaders: 'draft-6'` option, treated equivalent to `standardHeaders: true` from previous releases. Note that `true` and `false` are still supported.
- New `RateLimit-Policy` header added when `standardHeaders` is set to `'draft-6'`, `'draft-7'`, or `true`.
- Warning when using deprecated `draft_polli_ratelimit_headers` option.
- Warning when using deprecated `onLimitReached` option.
- Warning when `totalHits` value returned from Store is invalid.
6.9.0
Added
- New validation check for double-counted requests.
- Added help link to each validation error, directing users to the appropriate wiki page for more info.
Changed
- Miscellaneous documentation improvements.
6.8.1 & 6.7.2
Changed
- Revert 6.7.1 change that bumped typescript from 5.x to 4.x and dts-bundle-generator from 8.x to 7.x (See #360).
6.8.0
Added
- Added a set of validation checks that will log an error if failed. See https://github.com/express-rate-limit/express-rate-limit/wiki/Error-Codes for a list of potential errors. Can be disabled by setting `validate: false` in the configuration. Automatically disables after the first request. (See #358).
6.7.1
Fixed
- Fixed compatibility with TypeScript’s new `node16` module resolution strategy (See #355).
Changed
- Bumped development dependencies
  - This initially includes bumping typescript from 4.x to 5.x and dts-bundle-generator from 7.x to 8.x
- Added node 20 to the list of versions the CI jobs run on.
6.7.0
Changed
- Updated links to point to the new `express-rate-limit` organization on GitHub.
- Added advertisement to `readme.md` for project sponsor Zuplo.
- Updated to `typescript` version 5 and bumped other dependencies.
- Dropped node 12, and added node 19 to the list of versions the CI jobs run on.
6.6.0
Added
- Added `shutdown` method to the Store interface and the MemoryStore.
6.5.2
Fixed
- Fixed an issue with missing types in ESM monorepos.
6.5.1
Added
- The message option can now be a (sync/async) function that returns a value (#311)
Changed
- Updated all dependencies
6.4.0
Added
- Adds Express 5 (`5.0.0-beta.1`) as a supported peer dependency (#304)
Changed
- Tests are now run on Node 12, 14, 16 and 18 on CI (#305)
- Updated all development dependencies (#306)
6.3.0
Changed
- Changes the build target to es2019 so that ESBuild outputs code that can run with Node 12.
- Changes the minimum required Node version to 12.9.0.
6.2.1
Fixed
- Use the default value for an option when `undefined` is passed to the rate limiter.
6.2.0
Added
- Export the `MemoryStore`, so it can now be imported as a named import (`import { MemoryStore } from 'express-rate-limit'`).
Fixed
- Deprecate the `onLimitReached` option (this was supposed to be deprecated in v6.0.0 itself); developers should use a custom handler function that checks if the rate limit has been exceeded instead.
6.1.0
Added
- Added a named export `rateLimit` in case the default import does not work.
Fixed
- Added a named export `default`, so Typescript CommonJS developers can default-import the library (`import rateLimit from 'express-rate-limit'`).
6.0.5
Fixed
- Use named imports for ExpressJS types so users do not need to enable the `esModuleInterop` flag in their Typescript compiler configuration.
6.0.4
Fixed
- Upload the built package as a `.tgz` to GitHub releases.
Changed
- Add `main` and `module` fields to `package.json`. This helps tools such as ESLint that do not yet support the `exports` field.
- Bumped the minimum node.js version in `package-lock.json` to match `package.json`
6.0.3
Changed
- Bumped minimum Node version from 12.9 to 14.5 in `package.json` because the transpiled output uses the nullish coalescing operator (`??`), which isn’t supported in node.js prior to 14.x.
6.0.2
Fixed
- Ensure CommonJS projects can import the module.
Added
- Add additional tests that test:
  - importing the library in `js-cjs`, `js-esm`, `ts-cjs`, `ts-esm` environments.
  - usage of the library with external stores (`redis`, `mongo`, `memcached`, `precise`).
Changed
- Use `esbuild` to generate ESM and CJS output. This reduces the size of the built package from 138 kb to 13kb and build time to 4 ms! :rocket:
- Use `dts-bundle-generator` to generate a single Typescript declaration file.
6.0.1
Fixed
- Ensure CommonJS projects can import the module.
6.0.0
Added
- `express` 4.x as a peer dependency.
- Better Typescript support (the library was rewritten in Typescript).
- Export the package as both ESM and CJS.
- Publish the built package (`.tgz` file) on GitHub releases as well as the npm registry.
- Issue and PR templates.
- A contributing guide.
Changed
- Rename the `draft_polli_ratelimit_headers` option to `standardHeaders`.
- Rename the `headers` option to `legacyHeaders`.
- `Retry-After` header is now sent if either `legacyHeaders` or `standardHeaders` is set.
- Allow `keyGenerator` to be an async function/return a promise.
- Change the way custom stores are defined.
  - Add the `init` method for stores to set themselves up using options passed to the middleware.
  - Rename the `incr` method to `increment`.
  - Allow the `increment`, `decrement`, `resetKey` and `resetAll` methods to return a promise.
  - Old stores will automatically be promisified and used.
- The package can now only be used with NodeJS version 12.9.0 or greater.
- The `onLimitReached` configuration option is now deprecated. Replace it with a custom `handler` that checks the number of hits.
Removed
- Remove the deprecated `limiter.resetIp` method (use the `limiter.resetKey` method instead).
- Remove the deprecated options `delayMs`, `delayAfter` (the delay functionality was moved to the `express-slow-down` package) and `global` (use a key generator that returns a constant value).
5.x
Added
- The middleware ~~throws~~ logs an error if `request.ip` is undefined.
Removed
- Removes typescript typings. (See #138)
4.x
Changed
- The library no longer modifies the passed-in options object, it instead makes a clone of it.
3.x
Added
- Simplifies the default `handler` function so that it no longer changes the response format. The default handler also uses `response.send`.
Changes
- `onLimitReached` now only triggers once for a client and window. However, the `handle` method is called for every blocked request.
Removed
- The `delayAfter` and `delayMs` options; they were moved to the express-slow-down package.
2.x
Added
- Support external stores (from version 2.3.0) onwards.
- A `limiter.resetKey()` method to reset the hit counter for a particular client
Changes
- The rate limiter now uses a less precise but less resource intensive method of tracking hits from a client.
Removed
- The `global` option.