Gathering detailed insights and metrics for rate-limiter-flexible
Gathering detailed insights and metrics for rate-limiter-flexible
Gathering detailed insights and metrics for rate-limiter-flexible
Gathering detailed insights and metrics for rate-limiter-flexible
Atomic counters and rate limiting tools. Limit resource access at any scale.
npm install rate-limiter-flexible
Typescript
Module System
Node Version
NPM Version
99.5
Supply Chain
100
Quality
84.1
Maintenance
100
Vulnerability
100
License
Check points before upserting with Redis
Updated on May 18, 2025
Etcd support
Updated on Apr 28, 2025
v7.0.0
Updated on Apr 05, 2025
SQLite: fix Knex connection issue
Updated on Mar 23, 2025
Multiple SQLite clients support
Updated on Mar 20, 2025
SQLite support
Updated on Mar 13, 2025
JavaScript (99.63%)
Shell (0.37%)
Total Downloads
77,484,234
Last Day
40,743
Last Week
985,101
Last Month
4,120,707
Last Year
37,407,910
ISC License
3,274 Stars
764 Commits
169 Forks
22 Watchers
6 Branches
47 Contributors
Updated on Jul 01, 2025
Minified
Minified + Gzipped
Latest Version
7.1.1
Package Id
rate-limiter-flexible@7.1.1
Unpacked Size
171.70 kB
Size
35.38 kB
File Count
37
NPM Version
10.8.0
Node Version
20.11.0
Published on
May 18, 2025
Cumulative downloads
Total Downloads
Last Day
-7.2%
40,743
Compared to previous day
Last Week
-3.2%
985,101
Compared to previous week
Last Month
3.7%
4,120,707
Compared to previous month
Last Year
126.4%
37,407,910
Compared to previous year
rate-limiter-flexible counts and limits the number of actions by key and protects from DDoS and brute force attacks at any scale.
It works with Valkey, Redis, Prisma, DynamoDB, process Memory, Cluster or PM2, Memcached, MongoDB, MySQL, SQLite, and PostgreSQL.
Memory limiter also works in the browser.
Atomic increments. All operations in memory or distributed environment use atomic increments against race conditions.
Fast. Average request takes 0.7ms
in Cluster and 2.5ms
in Distributed application. See benchmarks.
Flexible. Combine limiters, block key for some duration, delay actions, manage failover with insurance options, configure smart key blocking in memory and many others.
Ready for growth. It provides a unified API for all limiters. Whenever your application grows, it is ready. Prepare your limiters in minutes.
Friendly. No matter which node package you prefer: valkey-glide
or iovalkey
, redis
or ioredis
, sequelize
/typeorm
or knex
, memcached
, native driver or mongoose
. It works with all of them.
Safe for using with valkey cluster. valkey-glide
implementation, RateLimiterValkeyGlide, is being tested to ensure compatibility and high performance.
In-memory blocks. Avoid extra requests to store with inMemoryBlockOnConsumed.
Allow traffic bursts with BurstyRateLimiter.
Deno compatible See this example
It uses a fixed window, as it is much faster than a rolling window. See comparative benchmarks with other libraries here
npm i --save rate-limiter-flexible
yarn add rate-limiter-flexible
1// CommonJS 2const { RateLimiterMemory } = require("rate-limiter-flexible"); 3 4// or 5 6// ECMAScript 7import { RateLimiterMemory } from "rate-limiter-flexible"; 8// or 9import RateLimiterMemory from "rate-limiter-flexible/lib/RateLimiterMemory.js";
Points can be consumed by IP address, user ID, authorisation token, API route or any other string.
1const opts = { 2 points: 6, // 6 points 3 duration: 1, // Per second 4}; 5 6const rateLimiter = new RateLimiterMemory(opts); 7 8rateLimiter.consume(remoteAddress, 2) // consume 2 points 9 .then((rateLimiterRes) => { 10 // 2 points consumed 11 }) 12 .catch((rateLimiterRes) => { 13 // Not enough points to consume 14 });
The Promise's resolve
and reject
callbacks both return an instance of the RateLimiterRes
class if there is no error.
Object attributes:
1RateLimiterRes = { 2 msBeforeNext: 250, // Number of milliseconds before next action can be done 3 remainingPoints: 0, // Number of remaining points in current duration 4 consumedPoints: 5, // Number of consumed points in current duration 5 isFirstInDuration: false, // action is first in current duration 6}
You may want to set HTTP headers for the response:
1const headers = { 2 "Retry-After": rateLimiterRes.msBeforeNext / 1000, 3 "X-RateLimit-Limit": opts.points, 4 "X-RateLimit-Remaining": rateLimiterRes.remainingPoints, 5 "X-RateLimit-Reset": Math.ceil((Date.now() + rateLimiterRes.msBeforeNext) / 1000) 6}
get
, set
, block
, delete
, penalty
and reward
methodsFull documentation is on Wiki
Some copy/paste examples on Wiki:
See releases for detailed changelog.
points
Default: 4
Maximum number of points that can be consumed over duration
duration
Default: 1
Number of seconds before consumed points are reset.
Points are never reset if duration
is set to 0.
storeClient
Required for store limiters
Must be @valkey/valkey-glide
, iovalkey
, redis
, ioredis
, memcached
, mongodb
, pg
, mysql2
, mysql
or any other related pool or connection.
knex
, if you use it.Smooth out traffic peaks:
Specific:
Read detailed description on Wiki.
RateLimiterRes
or null
.secDuration
seconds.Appreciated, feel free!
Make sure you've launched npm run eslint
before creating PR, all errors have to be fixed.
You can try to run npm run eslint-fix
to fix some issues.
Any new limiter with storage must be extended from RateLimiterStoreAbstract
.
It has to implement 4 methods:
_getRateLimiterRes
parses raw data from store to RateLimiterRes
object.
_upsert
may be atomic or non-atomic upsert (increment). It inserts or updates the value by key and returns raw data.
If it doesn't make an atomic upsert (increment), the class should be suffixed with NonAtomic
, e.g. RateLimiterRedisNonAtomic
.
It must support forceExpire
mode to overwrite key expiration time.
_get
returns raw data by key or null
if there is no key.
_delete
deletes all key-related data and returns true
on deleted, false
if key is not found.
All other methods depends on the store. See RateLimiterRedis
or RateLimiterPostgres
for examples.
Note: all changes should be covered by tests.
No vulnerabilities found.
Reason
30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
Reason
Found 4/16 approved changesets -- score normalized to 2
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
Reason
project is not fuzzed
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More@konceiver/hapi-rate-limiter-flexible
An integration for node-rate-limiter-flexible into hapi.js
egg-rate-limiter-flexible
egg rate limiter flexible
rate-limiter-flexible-decorator
Decorator style for rate-limiter-flexible
redis-sliding-rate-limiter
Flexible and performant rate limiter based on sliding window algorithm with arbitrary precision