Breaking
- Changed behavior when
maxis set to 0:- Previously,
max: 0was treated as a 'disable' flag and would allow all requests through. - Starting with v7, all requests will be blocked when max is set to 0.
- To replicate the old behavior, use the skip function instead.
- Previously,
- Renamed
req.rateLimit.currenttoreq.rateLimit.used.currentis now a hidden getter that will return theusedvalue, but it will not appear when iterating over the keys or callingJSON.stringify().
- Changed the minimum required Node version from v14 to v16.
express-rate-limitnow targetses2022in TypeScript/ESBuild.
- Bumped TypeScript from v4 to v5 and
dts-bundle-generatorfrom v7 to v8.
Deprecated
- Removed the
draft_polli_ratelimit_headersoption (it was deprecated in v6).- Use
standardHeaders: 'draft-6'instead.
- Use
- Removed the
onLimitReachedoption (it was deprecated in v6).- This is an example of how to replicate it's behavior with a custom
handleroption.
- This is an example of how to replicate it's behavior with a custom
Changed
- The
MemoryStorenow uses precise, per-user reset times rather than a global window that resets all users at once. - The
limitconfiguration option is now prefered tomax.- It still shows the same behavior, and
maxis still supported. The change was made to better align with terminology used in the IETF standard drafts.
- It still shows the same behavior, and
Added
- The
validateconfig option can now be an object with keys to enable or disable specific validation checks. For more information, see this.