express-rate-limit/express-rate-limit
Last release: 3 weeks ago
express-rate-limit is a basic rate-limiting middleware for the Express web server. It helps limit repeated requests to public APIs or endpoints (for example, password reset), with configurable limits, response behavior when exceeded, and support for in-memory and external data stores.
Project status
- Actively maintained: the repo has recent activity (last upstream push on 2026-06-05) and multiple tagged updates in May 2026 (v8.5.0, v8.5.1, v8.5.2).
- Update cadence appears steady and fairly frequent recently, with about weekly gaps between v8.5.0 (2026-05-04) and v8.5.1 (2026-05-06), then about 8 days to v8.5.2 (2026-05-14).
Recent updates
v8.5.2
3 weeks ago
v8.5.2 makes a small runtime change to IPv6 key generation in `ipKeyGenerator`, alongside multiple lockfile updates. Most of the diff volume is dependency/tooling version changes rather than feature work.
Breaking
v8.5.1
1 month ago
Release v8.5.1 primarily updates the `ip-address` dependency to address a reported security issue. The provided release notes do not enumerate any changes beyond a link to an external changelog.
v8.5.0
1 month ago
v8.5.0 introduces support for store initialization that can be async, by allowing `store.init` to return a promise and by handling init failures gracefully. The core middleware now catches synchronous throws and promise rejections from `store.init` and logs them without blocking the middleware from being created or used.
Features
v8.4.1
1 month ago
v8.4.1 introduces a new `logger` option to control how express-rate-limit logs validation errors and store errors. The implementation routes internal warnings and errors through the provided logger (defaulting to a console-based logger) and adds runtime validation of the logger shape.
Breaking, Features
v8.4.0
1 month ago
Although the provided release notes only link to an external changelog, the code diff shows this version (v8.4.0) primarily adds documentation for a new `logger` configuration option for express-rate-limit. The diff also includes a change to a middleware test to increase timeout and skip a flaky test on macOS (darwin).
Features
v8.3.2
2 months ago
v8.3.2 primarily updates the middleware internals and dev tooling. The code change focuses on ensuring decrement logic is not missed when requests close very early while `skipFailedRequests` is enabled.
v8.3.1
3 months ago
v8.3.1 is presented as a maintenance release, with changelog entries indicating fixes for npm provenance on automated releases and a broken readme link. The actual diff provided shows no changes to the runtime Express middleware implementation, but does include updates to tooling, CI configuration, and development dependencies.
v8.3.0
3 months ago
v8.3.0 updates the project tooling and documentation site config, and includes an actual behavior change in the core IP key generation logic. The most impactful change is in `ipKeyGenerator`, which now detects IPv4-mapped IPv6 addresses (for example, `::ffff:1.2.3.4`) and returns the mapped IPv4 form instead of treating it as a normal IPv6 address subnet.
Breaking
v8.2.1
7 months ago
Release v8.2.1 primarily adjusts option validation behavior. It adds compatibility for options used by express-slow-down (`delayAfter`, `delayMs`, `maxDelayMs`) so the middleware avoids logging `ERR_ERL_UNKNOWN_OPTION`-related warnings in those cases.
v8.2.0
7 months ago
Release v8.2.0 is presented with minimal release notes content, only pointing to an external changelog. The code diff shows a new configuration validation feature added to the runtime middleware, plus several development tooling and type-checking dependency updates.
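
The v8.3.0 entry above describes IPv4-mapped IPv6 addresses being keyed by their IPv4 form, so one client is not counted under two different keys. The following is an added sketch of that normalization, not code from express-rate-limit: the names `parseV4`, `parseV6` and `rateLimitKey` are hypothetical, and it goes slightly beyond the entry by also showing prefix masking for ordinary IPv6 addresses, with an assumed /56 default.

```javascript
// Added sketch: helper names are hypothetical, not express-rate-limit's source.
// Parse dotted-quad IPv4 into four bytes, or return null.
function parseV4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const bytes = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : 256));
  return bytes.every((b) => b <= 255) ? bytes : null;
}

// Expand IPv6 text (with optional "::" and dotted IPv4 tail) into eight
// 16-bit groups, or return null if it is not a valid address.
function parseV6(s) {
  let text = s;
  const cut = text.lastIndexOf(':') + 1;
  if (text.slice(cut).includes('.')) {
    const v4 = parseV4(text.slice(cut));
    if (!v4) return null;
    const hex = (a, b) => ((a << 8) | b).toString(16);
    text = text.slice(0, cut) + hex(v4[0], v4[1]) + ':' + hex(v4[2], v4[3]);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves[1] ? halves[1].split(':') : [];
  const gap = 8 - head.length - rest.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  const groups = [...head, ...Array(gap).fill('0'), ...rest];
  return groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))
    ? groups.map((g) => parseInt(g, 16))
    : null;
}

// Rate-limit key: IPv4 as-is, IPv4-mapped IPv6 as its IPv4 form, other IPv6
// masked to a prefix (the /56 default is an assumption of this sketch).
function rateLimitKey(ip, ipv6Subnet = 56) {
  const v4 = parseV4(ip);
  if (v4) return v4.join('.');
  const g = parseV6(ip);
  if (!g) throw new TypeError(`not an IP address: ${ip}`);
  // ::ffff:a.b.c.d has 80 zero bits, then 0xffff, then the 32-bit IPv4 address.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return [g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.');
  }
  const masked = g.map((x, i) => {
    const keep = Math.min(16, Math.max(0, ipv6Subnet - i * 16));
    return x & (0xffff << (16 - keep)) & 0xffff;
  });
  return masked.map((x) => x.toString(16)).join(':') + '/' + ipv6Subnet;
}
```

With these rules `::ffff:1.2.3.4`, `::ffff:102:304` and `1.2.3.4` all produce the key `1.2.3.4`, while two addresses inside the same /56 share one IPv6 key.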