Express IP Rate Limiting Middleware

1.3.2 verified Thu Apr 23 auth: no javascript abandoned

The package `limiting-middleware` provides a simple, IP-based rate limiting solution for Express applications, restricting client requests within a defined time frame. Currently at version 1.3.2, the module has not received updates since 2019, making it an abandoned project. Its initial development was for personal use, which explains its limited feature set compared to more actively maintained and mature alternatives like `express-rate-limit`. Key limitations include exclusive reliance on CommonJS `require()` syntax, absence of ESM support, and a basic in-memory store, rendering it unsuitable for production environments requiring scalability, advanced configurations, or robust security updates.

Common errors

error TypeError: Cannot read properties of undefined (reading 'limitByIp') ↓

cause The `LimitingMiddleware` class was called without the `new` keyword, meaning `limitByIp()` was invoked on the class itself rather than an instantiated object.

fix

Instantiate the middleware with new LimitingMiddleware({...}) before calling .limitByIp(). Correct usage: app.use(new LimitingMiddleware({ limit: 100, resetInterval: 1200000 }).limitByIp());

error ERR_REQUIRE_ESM ↓

cause Attempted to use ES module `import` syntax to load a CommonJS-only package. This package does not provide an ESM entry point.

fix

Use CommonJS require() syntax instead: const LimitingMiddleware = require('limiting-middleware');

error Rate limit not working consistently across multiple server instances. ↓

cause The package uses an in-memory store for rate limiting, which is isolated to each Node.js process. In a multi-instance deployment (e.g., load-balanced servers, PM2 clusters), each instance maintains its own separate rate limits.

fix

This package is not designed for distributed rate limiting. Consider migrating to express-rate-limit, which supports various external stores like Redis to synchronize rate limits across multiple instances.

Warnings

breaking This package has not been updated since 2019 and is considered abandoned. It does not receive security patches, bug fixes, or new features. ↓

fix Migrate to actively maintained alternatives such as `express-rate-limit` (for blocking) or `express-slow-down` (for throttling).

gotcha The package only supports CommonJS (`require()`) syntax. Attempting to import it using ES Modules (`import`) will result in a runtime error. ↓

fix Ensure your project uses CommonJS or continue to use `const LimitingMiddleware = require('limiting-middleware');` even in an ESM project if your build setup supports CJS interoperability (though generally not recommended for new projects).

gotcha The built-in rate limit store is in-memory only. This means rate limits are not synchronized across multiple application instances or processes, leading to inaccurate limiting in clustered environments or when using process managers like PM2. ↓

fix For production deployments with multiple instances, use a rate limiting solution that supports external stores (e.g., Redis) for shared state, such as `express-rate-limit` with a Redis store.

gotcha The configuration options are limited to `limit` and `resetInterval`. More advanced features like custom key generation, whitelisting, different rate limiting algorithms (e.g., sliding window), or custom error responses are not directly supported. ↓

fix Evaluate if more feature-rich alternatives like `express-rate-limit` or `express-slow-down` provide the necessary advanced configurations for your use case.

Install

npm install limiting-middleware

yarn add limiting-middleware

pnpm add limiting-middleware

Imports

LimitingMiddleware
wrong
```
import LimitingMiddleware from 'limiting-middleware';
```
correct
```
const LimitingMiddleware = require('limiting-middleware');
```
This package exclusively uses CommonJS 'require()' syntax; ES module imports are not supported.

Quickstart

Demonstrates how to initialize and apply the IP-based rate limiting middleware to an Express application.

const express = require('express');
const LimitingMiddleware = require('limiting-middleware');

const app = express();
const PORT = process.env.PORT ?? 3000;

// Apply the rate limiting middleware globally.
// Limits each IP to 10 requests every 5 minutes (300,000 ms).
app.use(new LimitingMiddleware({ limit: 10, resetInterval: 300000 }).limitByIp());

app.get('/', (req, res) => {
  res.send('Hello! This route is rate-limited.');
});

app.get('/unlimited', (req, res) => {
  res.send('This route is not explicitly rate-limited by the middleware.');
});

app.listen(PORT, () => {
  console.log(`Server listening on port ${PORT}`);
  console.log('Try hitting / multiple times to see the rate limit in action.');
});