express-rate-limit 8.0.2 → 8.1.1

package/dist/index.cjs

@@ -44,7 +44,8 @@ function ipKeyGenerator(ip, ipv6Subnet = 56) {
 
 // source/memory-store.ts
 var MemoryStore = class {
-  constructor() {
+  constructor(validations2) {
+    this.validations = validations2;
     /**
      * These two maps store usage (requests) and reset time by key (for example, IP
      * addresses or API keys).
@@ -70,6 +71,7 @@ var MemoryStore = class {
    */
   init(options) {
     this.windowMs = options.windowMs;
+    this.validations?.windowMs(this.windowMs);
     if (this.interval) clearInterval(this.interval);
     this.interval = setInterval(() => {
       this.clearExpired();
@@ -242,7 +244,7 @@ var setDraft6Headers = (response, info, windowMs) => {
   response.setHeader("RateLimit-Policy", `${info.limit};w=${windowSeconds}`);
   response.setHeader("RateLimit-Limit", info.limit.toString());
   response.setHeader("RateLimit-Remaining", info.remaining.toString());
-  if (resetSeconds)
+  if (typeof resetSeconds === "number")
     response.setHeader("RateLimit-Reset", resetSeconds.toString());
 };
 var setDraft7Headers = (response, info, windowMs) => {
@@ -372,6 +374,21 @@ var validations = {
       );
     }
   },
+  /**
+   * Alert the user if the Forwarded header is set (standardized version of X-Forwarded-For - not supported by express as of version 5.1.0)
+   *
+   * @param request {Request} - The Express request object.
+   *
+   * @returns {void}
+   */
+  forwardedHeader(request) {
+    if (request.headers.forwarded && request.ip === request.socket?.remoteAddress) {
+      throw new ValidationError(
+        "ERR_ERL_FORWARDED_HEADER",
+        `The 'Forwarded' header (standardized X-Forwarded-For) is set but currently being ignored. Add a custom keyGenerator to use a value from this header.`
+      );
+    }
+  },
   /**
    * Ensures totalHits value from store is a positive integer.
    *
@@ -585,6 +602,21 @@ var validations = {
         "Custom keyGenerator appears to use request IP without calling the ipKeyGenerator helper function for IPv6 addresses. This could allow IPv6 users to bypass limits."
       );
     }
+  },
+  /**
+   * Checks to see if the window duration is greater than 2^32 - 1. This is only
+   * called by the default MemoryStore, since it uses Node's setInterval method.
+   *
+   * See https://nodejs.org/api/timers.html#setintervalcallback-delay-args.
+   */
+  windowMs(windowMs) {
+    const SET_TIMEOUT_MAX = 2 ** 31 - 1;
+    if (typeof windowMs !== "number" || Number.isNaN(windowMs) || windowMs < 1 || windowMs > SET_TIMEOUT_MAX) {
+      throw new ValidationError(
+        "ERR_ERL_WINDOW_MS",
+        `Invalid windowMs value: ${windowMs}${typeof windowMs !== "number" ? ` (${typeof windowMs})` : ""}, must be a number between 1 and ${SET_TIMEOUT_MAX} when using the default MemoryStore`
+      );
+    }
   }
 };
 var getValidations = (_enabled) => {
@@ -711,6 +743,7 @@ var parseOptions = (passedOptions) => {
       validations2.ip(request.ip);
       validations2.trustProxy(request);
       validations2.xForwardedForHeader(request);
+      validations2.forwardedHeader(request);
       const ip = request.ip;
       let subnet = 56;
       if ((0, import_node_net3.isIPv6)(ip)) {
@@ -736,7 +769,9 @@ var parseOptions = (passedOptions) => {
     standardHeaders,
     // Note that this field is declared after the user's options are spread in,
     // so that this field doesn't get overridden with an un-promisified store!
-    store: promisifyStore(notUndefinedOptions.store ?? new MemoryStore()),
+    store: promisifyStore(
+      notUndefinedOptions.store ?? new MemoryStore(validations2)
+    ),
     // Print an error to the console if a few known misconfigurations are detected.
     validations: validations2
   };

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-// Generated by dts-bundle-generator v8.0.1
+// Generated by dts-bundle-generator v8.1.2
 
 import { NextFunction, Request, RequestHandler, Response } from 'express';
 
@@ -60,6 +60,14 @@ declare const validations: {
 	 * @returns {void}
 	 */
 	xForwardedForHeader(request: Request): void;
+	/**
+	 * Alert the user if the Forwarded header is set (standardized version of X-Forwarded-For - not supported by express as of version 5.1.0)
+	 *
+	 * @param request {Request} - The Express request object.
+	 *
+	 * @returns {void}
+	 */
+	forwardedHeader(request: Request): void;
 	/**
 	 * Ensures totalHits value from store is a positive integer.
 	 *
@@ -141,6 +149,13 @@ declare const validations: {
 	ipv6Subnet(ipv6Subnet?: any): void;
 	ipv6SubnetOrKeyGenerator(options: Partial<Options>): void;
 	keyGeneratorIpFallback(keyGenerator?: ValueDeterminingMiddleware<string>): void;
+	/**
+	 * Checks to see if the window duration is greater than 2^32 - 1. This is only
+	 * called by the default MemoryStore, since it uses Node's setInterval method.
+	 *
+	 * See https://nodejs.org/api/timers.html#setintervalcallback-delay-args.
+	 */
+	windowMs(windowMs: number): void;
 };
 export type Validations = typeof validations;
 /**
@@ -496,6 +511,7 @@ export type Client = {
  * @public
  */
 export declare class MemoryStore implements Store {
+	private validations?;
 	/**
 	 * The duration of time before which all hit counts are reset (in milliseconds).
 	 */
@@ -521,6 +537,7 @@ export declare class MemoryStore implements Store {
 	 * cannot affect other instances.
 	 */
 	localKeys: boolean;
+	constructor(validations?: Validations | undefined);
 	/**
 	 * Method that initializes the store.
 	 *

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-// Generated by dts-bundle-generator v8.0.1
+// Generated by dts-bundle-generator v8.1.2
 
 import { NextFunction, Request, RequestHandler, Response } from 'express';
 
@@ -60,6 +60,14 @@ declare const validations: {
 	 * @returns {void}
 	 */
 	xForwardedForHeader(request: Request): void;
+	/**
+	 * Alert the user if the Forwarded header is set (standardized version of X-Forwarded-For - not supported by express as of version 5.1.0)
+	 *
+	 * @param request {Request} - The Express request object.
+	 *
+	 * @returns {void}
+	 */
+	forwardedHeader(request: Request): void;
 	/**
 	 * Ensures totalHits value from store is a positive integer.
 	 *
@@ -141,6 +149,13 @@ declare const validations: {
 	ipv6Subnet(ipv6Subnet?: any): void;
 	ipv6SubnetOrKeyGenerator(options: Partial<Options>): void;
 	keyGeneratorIpFallback(keyGenerator?: ValueDeterminingMiddleware<string>): void;
+	/**
+	 * Checks to see if the window duration is greater than 2^32 - 1. This is only
+	 * called by the default MemoryStore, since it uses Node's setInterval method.
+	 *
+	 * See https://nodejs.org/api/timers.html#setintervalcallback-delay-args.
+	 */
+	windowMs(windowMs: number): void;
 };
 export type Validations = typeof validations;
 /**
@@ -496,6 +511,7 @@ export type Client = {
  * @public
  */
 export declare class MemoryStore implements Store {
+	private validations?;
 	/**
 	 * The duration of time before which all hit counts are reset (in milliseconds).
 	 */
@@ -521,6 +537,7 @@ export declare class MemoryStore implements Store {
 	 * cannot affect other instances.
 	 */
 	localKeys: boolean;
+	constructor(validations?: Validations | undefined);
 	/**
 	 * Method that initializes the store.
 	 *

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-// Generated by dts-bundle-generator v8.0.1
+// Generated by dts-bundle-generator v8.1.2
 
 import { NextFunction, Request, RequestHandler, Response } from 'express';
 
@@ -60,6 +60,14 @@ declare const validations: {
 	 * @returns {void}
 	 */
 	xForwardedForHeader(request: Request): void;
+	/**
+	 * Alert the user if the Forwarded header is set (standardized version of X-Forwarded-For - not supported by express as of version 5.1.0)
+	 *
+	 * @param request {Request} - The Express request object.
+	 *
+	 * @returns {void}
+	 */
+	forwardedHeader(request: Request): void;
 	/**
 	 * Ensures totalHits value from store is a positive integer.
 	 *
@@ -141,6 +149,13 @@ declare const validations: {
 	ipv6Subnet(ipv6Subnet?: any): void;
 	ipv6SubnetOrKeyGenerator(options: Partial<Options>): void;
 	keyGeneratorIpFallback(keyGenerator?: ValueDeterminingMiddleware<string>): void;
+	/**
+	 * Checks to see if the window duration is greater than 2^32 - 1. This is only
+	 * called by the default MemoryStore, since it uses Node's setInterval method.
+	 *
+	 * See https://nodejs.org/api/timers.html#setintervalcallback-delay-args.
+	 */
+	windowMs(windowMs: number): void;
 };
 export type Validations = typeof validations;
 /**
@@ -496,6 +511,7 @@ export type Client = {
  * @public
  */
 export declare class MemoryStore implements Store {
+	private validations?;
 	/**
 	 * The duration of time before which all hit counts are reset (in milliseconds).
 	 */
@@ -521,6 +537,7 @@ export declare class MemoryStore implements Store {
 	 * cannot affect other instances.
 	 */
 	localKeys: boolean;
+	constructor(validations?: Validations | undefined);
 	/**
 	 * Method that initializes the store.
 	 *

package/dist/index.mjs

@@ -15,7 +15,8 @@ function ipKeyGenerator(ip, ipv6Subnet = 56) {
 
 // source/memory-store.ts
 var MemoryStore = class {
-  constructor() {
+  constructor(validations2) {
+    this.validations = validations2;
     /**
      * These two maps store usage (requests) and reset time by key (for example, IP
      * addresses or API keys).
@@ -41,6 +42,7 @@ var MemoryStore = class {
    */
   init(options) {
     this.windowMs = options.windowMs;
+    this.validations?.windowMs(this.windowMs);
     if (this.interval) clearInterval(this.interval);
     this.interval = setInterval(() => {
       this.clearExpired();
@@ -213,7 +215,7 @@ var setDraft6Headers = (response, info, windowMs) => {
   response.setHeader("RateLimit-Policy", `${info.limit};w=${windowSeconds}`);
   response.setHeader("RateLimit-Limit", info.limit.toString());
   response.setHeader("RateLimit-Remaining", info.remaining.toString());
-  if (resetSeconds)
+  if (typeof resetSeconds === "number")
     response.setHeader("RateLimit-Reset", resetSeconds.toString());
 };
 var setDraft7Headers = (response, info, windowMs) => {
@@ -343,6 +345,21 @@ var validations = {
       );
     }
   },
+  /**
+   * Alert the user if the Forwarded header is set (standardized version of X-Forwarded-For - not supported by express as of version 5.1.0)
+   *
+   * @param request {Request} - The Express request object.
+   *
+   * @returns {void}
+   */
+  forwardedHeader(request) {
+    if (request.headers.forwarded && request.ip === request.socket?.remoteAddress) {
+      throw new ValidationError(
+        "ERR_ERL_FORWARDED_HEADER",
+        `The 'Forwarded' header (standardized X-Forwarded-For) is set but currently being ignored. Add a custom keyGenerator to use a value from this header.`
+      );
+    }
+  },
   /**
    * Ensures totalHits value from store is a positive integer.
    *
@@ -556,6 +573,21 @@ var validations = {
         "Custom keyGenerator appears to use request IP without calling the ipKeyGenerator helper function for IPv6 addresses. This could allow IPv6 users to bypass limits."
       );
     }
+  },
+  /**
+   * Checks to see if the window duration is greater than 2^32 - 1. This is only
+   * called by the default MemoryStore, since it uses Node's setInterval method.
+   *
+   * See https://nodejs.org/api/timers.html#setintervalcallback-delay-args.
+   */
+  windowMs(windowMs) {
+    const SET_TIMEOUT_MAX = 2 ** 31 - 1;
+    if (typeof windowMs !== "number" || Number.isNaN(windowMs) || windowMs < 1 || windowMs > SET_TIMEOUT_MAX) {
+      throw new ValidationError(
+        "ERR_ERL_WINDOW_MS",
+        `Invalid windowMs value: ${windowMs}${typeof windowMs !== "number" ? ` (${typeof windowMs})` : ""}, must be a number between 1 and ${SET_TIMEOUT_MAX} when using the default MemoryStore`
+      );
+    }
   }
 };
 var getValidations = (_enabled) => {
@@ -682,6 +714,7 @@ var parseOptions = (passedOptions) => {
       validations2.ip(request.ip);
       validations2.trustProxy(request);
       validations2.xForwardedForHeader(request);
+      validations2.forwardedHeader(request);
       const ip = request.ip;
       let subnet = 56;
       if (isIPv62(ip)) {
@@ -707,7 +740,9 @@ var parseOptions = (passedOptions) => {
     standardHeaders,
     // Note that this field is declared after the user's options are spread in,
     // so that this field doesn't get overridden with an un-promisified store!
-    store: promisifyStore(notUndefinedOptions.store ?? new MemoryStore()),
+    store: promisifyStore(
+      notUndefinedOptions.store ?? new MemoryStore(validations2)
+    ),
     // Print an error to the console if a few known misconfigurations are detected.
     validations: validations2
   };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "express-rate-limit",
-  "version": "8.0.2",
+  "version": "8.1.1",
   "description": "Basic IP rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.",
   "author": {
     "name": "Nathan Friedly",
@@ -61,29 +61,29 @@
     "express": ">= 4.11"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.1.1",
+    "@biomejs/biome": "2.2.2",
     "@express-rate-limit/prettier": "1.1.1",
     "@express-rate-limit/tsconfig": "1.0.2",
-    "@jest/globals": "30.0.4",
+    "@jest/globals": "30.1.2",
     "@types/express": "5.0.3",
     "@types/jest": "30.0.0",
-    "@types/node": "24.0.14",
+    "@types/node": "24.3.0",
     "@types/supertest": "6.0.3",
     "del-cli": "6.0.0",
-    "dts-bundle-generator": "8.0.1",
-    "esbuild": "0.25.6",
+    "dts-bundle-generator": "8.1.2",
+    "esbuild": "0.25.9",
     "express": "5.1.0",
     "husky": "9.1.7",
-    "jest": "30.0.4",
-    "lint-staged": "16.1.2",
-    "mintlify": "4.2.15",
+    "jest": "30.1.2",
+    "lint-staged": "16.1.6",
+    "mintlify": "4.2.94",
     "npm-run-all": "4.1.5",
     "prettier": "3.6.2",
     "ratelimit-header-parser": "0.1.0",
-    "supertest": "7.1.3",
-    "ts-jest": "29.4.0",
+    "supertest": "7.1.4",
+    "ts-jest": "29.4.1",
     "ts-node": "10.9.2",
-    "typescript": "5.8.3"
+    "typescript": "5.9.2"
   },
   "prettier": "@express-rate-limit/prettier",
   "lint-staged": {