Releases · express-rate-limit/express-rate-limit

Changed behavior when max is set to 0:
- Previously, max: 0 was treated as a 'disable' flag and would allow all requests through.
- Starting with v7, all requests will be blocked when max is set to 0.
- To replicate the old behavior, use the skip function instead.
Renamed req.rateLimit.current to req.rateLimit.used.
- current is now a hidden getter that will return the used value, but it will not appear when iterating over the keys or calling JSON.stringify().
Changed the minimum required Node version from v14 to v16.
- express-rate-limit now targets es2022 in TypeScript/ESBuild.
Bumped TypeScript from v4 to v5 and dts-bundle-generator from v7 to v8.

Removed the draft_polli_ratelimit_headers option (it was deprecated in v6).
- Use standardHeaders: 'draft-6' instead.
Removed the onLimitReached option (it was deprecated in v6).
- This is an example of how to replicate it's behavior with a custom handler option.

The MemoryStore now uses precise, per-user reset times rather than a global window that resets all users at once.
The limit configuration option is now prefered to max.
- It still shows the same behavior, and max is still supported. The change was made to better align with terminology used in the IETF standard drafts.

The validate config option can now be an object with keys to enable or disable specific validation checks. For more information, see this.

Provide feedback