Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
A generic rate limiter for node.js. Useful for API clients, web crawling, or other tasks that need to be throttled
The 'limiter' npm package is used to control the rate of operations in Node.js applications. It allows you to limit the number of operations that can be performed over a given period of time, which is useful for rate-limiting API requests, managing resource usage, and preventing abuse.
Basic Rate Limiting
This feature allows you to limit the number of operations to a specified number per interval. In this example, the limiter allows 5 requests per second. If the limit is exceeded, it logs 'Rate limit exceeded'.
const { RateLimiter } = require('limiter');
const limiter = new RateLimiter({ tokensPerInterval: 5, interval: 'second' });
async function makeRequest() {
const remainingRequests = await limiter.removeTokens(1);
if (remainingRequests >= 0) {
console.log('Request allowed');
} else {
console.log('Rate limit exceeded');
}
}
makeRequest();
Custom Intervals
This feature allows you to set custom intervals for rate limiting. In this example, the limiter allows 10 requests per minute.
const { RateLimiter } = require('limiter');
const limiter = new RateLimiter({ tokensPerInterval: 10, interval: 60000 }); // 10 requests per minute
async function makeRequest() {
const remainingRequests = await limiter.removeTokens(1);
if (remainingRequests >= 0) {
console.log('Request allowed');
} else {
console.log('Rate limit exceeded');
}
}
makeRequest();
Rate Limiting with Bursts
This feature allows for bursts of requests to be made immediately up to the limit, and then enforces the rate limit. In this example, the limiter allows 5 requests per second and can handle bursts.
const { RateLimiter } = require('limiter');
const limiter = new RateLimiter({ tokensPerInterval: 5, interval: 'second', fireImmediately: true });
async function makeRequest() {
const remainingRequests = await limiter.removeTokens(1);
if (remainingRequests >= 0) {
console.log('Request allowed');
} else {
console.log('Rate limit exceeded');
}
}
makeRequest();
Bottleneck is a powerful rate limiter and scheduler for Node.js and the browser. It provides more advanced features like clustering, priority queues, and reservoir management. Compared to 'limiter', Bottleneck offers more flexibility and control over rate limiting and task scheduling.
Rate-limiter-flexible is a highly configurable rate limiter for Node.js. It supports various storage options like Redis, MongoDB, and in-memory. It offers more advanced features such as penalty and reward mechanisms, and different rate limiting strategies. It is more versatile compared to 'limiter'.
Express-rate-limit is a middleware for Express.js applications to limit repeated requests to public APIs. It is specifically designed for use with Express and provides easy integration with minimal configuration. It is more specialized for Express.js compared to 'limiter'.
Provides a generic rate limiter for node.js. Useful for API clients, web crawling, or other tasks that need to be throttled. Two classes are exposed, RateLimiter and TokenBucket. TokenBucket provides a lower level interface to rate limiting with a configurable burst rate and drip rate. RateLimiter sits on top of the token bucket and adds a restriction on the maximum number of tokens that can be removed each interval to comply with common API restrictions like "150 requests per hour maximum".
Use NPM to install:
npm install limiter
A simple example allowing 150 requests per hour:
var RateLimiter = require('limiter').RateLimiter;
// Allow 150 requests per hour (the Twitter search limit). Also understands
// 'second', 'minute', 'day', or a number of milliseconds
var limiter = new RateLimiter(150, 'hour');
// Throttle requests
limiter.removeTokens(1, function(err, remainingRequests) {
// err will only be set if we request more than the maximum number of
// requests we set in the constructor
// remainingRequests tells us how many additional requests could be sent
// right this moment
callMyRequestSendingFunction(...);
});
Another example allowing one message to be sent every 250ms:
var RateLimiter = require('limiter').RateLimiter;
var limiter = new RateLimiter(1, 250);
limiter.removeTokens(1, function() {
callMyMessageSendingFunction(...);
});
The default behaviour is to wait for the duration of the rate limiting
that’s currently in effect before the callback is fired, but if you
pass in true
as the third parameter, the callback will be fired
immediately with remainingRequests set to -1:
var RateLimiter = require('limiter').RateLimiter;
var limiter = new RateLimiter(150, 'hour', true); // fire CB immediately
// Immediately send 429 header to client when rate limiting is in effect
limiter.removeTokens(1, function(err, remainingRequests) {
if (remainingRequests < 0) {
response.writeHead(429, {'Content-Type': 'text/plain;charset=UTF-8'});
response.end('429 Too Many Requests - your IP is being rate limited');
} else {
callMyMessageSendingFunction(...);
}
});
Uses the token bucket directly to throttle at the byte level:
var BURST_RATE = 1024 * 1024 * 150; // 150KB/sec burst rate
var FILL_RATE = 1024 * 1024 * 50; // 50KB/sec sustained rate
var TokenBucket = require('limiter').TokenBucket;
// We could also pass a parent token bucket in as the last parameter to
// create a hierarchical token bucket
var bucket = new TokenBucket(BURST_RATE, FILL_RATE, 'second', null);
bucket.removeTokens(myData.byteLength, function() {
sendMyData(myData);
});
Both the token bucket and rate limiter should be used with a message queue or some way of preventing multiple simultaneous calls to removeTokens(). Otherwise, earlier messages may get held up for long periods of time if more recent messages are continually draining the token bucket. This can lead to out of order messages or the appearance of "lost" messages under heavy load.
(The MIT License)
Copyright (c) 2011 Cull TV, Inc. <jhurliman@cull.tv>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
A generic rate limiter for the web and node.js. Useful for API clients, web crawling, or other tasks that need to be throttled
The npm package limiter receives a total of 1,976,182 weekly downloads. As such, limiter popularity was classified as popular.
We found that limiter demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.