gitnexus 1.6.4-rc.73 → 1.6.4-rc.74

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/server/validation.d.ts +3 -0
  2. package/dist/server/validation.js +8 -2
  3. package/package.json +1 -1
package/dist/server/validation.d.ts CHANGED
@@ -86,6 +86,9 @@ export interface RouteLimiterOverrides {
86
86
  * - keyGenerator: req.ip with a socket.remoteAddress fallback so abruptly
87
87
  * closed connections do not trigger ERR_ERL_UNDEFINED_IP_ADDRESS
88
88
  * (which would 500 the request via Express's default error handler).
89
+ * The IP is passed through `ipKeyGenerator` so IPv6 addresses are
90
+ * normalised to their /56 subnet — without this, each IPv6 address
91
+ * gets its own counter and the limit is trivially bypassed (#1360).
89
92
  * Caller must wire `app.set('trust proxy', ...)` correctly — see
90
93
  * createServer in api.ts.
91
94
  *
package/dist/server/validation.js CHANGED
@@ -18,7 +18,7 @@
18
18
  * in this module too but are introduced with the dependency they require.
19
19
  */
20
20
  import path from 'node:path';
21
- import rateLimit from 'express-rate-limit';
21
+ import rateLimit, { ipKeyGenerator } from 'express-rate-limit';
22
22
  /**
23
23
  * Thrown by validation helpers when user input is rejected.
24
24
  * Routes catch via existing try/catch and convert with err.status / err.message.
@@ -116,6 +116,9 @@ const DEFAULT_RATE_LIMIT_RPM = 60;
116
116
  * - keyGenerator: req.ip with a socket.remoteAddress fallback so abruptly
117
117
  * closed connections do not trigger ERR_ERL_UNDEFINED_IP_ADDRESS
118
118
  * (which would 500 the request via Express's default error handler).
119
+ * The IP is passed through `ipKeyGenerator` so IPv6 addresses are
120
+ * normalised to their /56 subnet — without this, each IPv6 address
121
+ * gets its own counter and the limit is trivially bypassed (#1360).
119
122
  * Caller must wire `app.set('trust proxy', ...)` correctly — see
120
123
  * createServer in api.ts.
121
124
  *
@@ -129,7 +132,10 @@ export function createRouteLimiter(opts) {
129
132
  standardHeaders: 'draft-7',
130
133
  legacyHeaders: false,
131
134
  passOnStoreError: true,
132
- keyGenerator: (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',
135
+ keyGenerator: (req) => {
136
+ const ip = req.ip ?? req.socket?.remoteAddress;
137
+ return ip ? ipKeyGenerator(ip) : 'unknown';
138
+ },
133
139
  message: { error: 'Too many requests, please try again later.' },
134
140
  ...opts,
135
141
  });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "gitnexus",
3
- "version": "1.6.4-rc.73",
3
+ "version": "1.6.4-rc.74",
4
4
  "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
5
5
  "author": "Abhigyan Patwari",
6
6
  "license": "PolyForm-Noncommercial-1.0.0",