TerriaJS / terriajs-server

NodeJS server for TerriaJS, consisting of a CORS proxy, proj4 CRS lookup service, ogr2ogr conversion service, and express static server.

Investigate an alternative for `express-brute` #161

Open na9da opened 2 months ago

na9da commented 2 months ago

express-brute is now 8 years old, and the version of its underscore dependency has a critical security warning. For now, we have put in place yarn resolution rules to force a safer version. However, we could look for an alternative solution; some options include:

One thing to consider is some of the server config params share the same names as express-brute options. If we have to avoid a breaking change, then we have to manage that somehow.

pjonsson commented 2 months ago

I don't know anything about these libraries, but there is also a security issue with express-brute itself. I have no idea if node-rate-limiter-flexible fits the requirements of this project, but there is a guide for how to upgrade to it from express-brute: https://github.com/animir/node-rate-limiter-flexible/wiki/ExpressBrute-migration

na9da commented 2 months ago

That looks like a good alternative, thanks for the find.

pjonsson commented 2 months ago

I made a prototype migration in #162.
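To make concrete what the naming concern in the opening post and the migration in #162 have to preserve, here is an added example (not code from terriajs-server, express-brute or rate-limiter-flexible) of a dependency-free in-memory limiter with express-brute's retry behaviour: the `freeRetries`, `minWait` and `maxWait` option names are express-brute's, the fibonacci-like wait sequence is the one its README documents, and the `lifetime` handling, the `BruteLimiter` class and `buildDelays` helper are assumptions of this sketch.

```javascript
// Added example, not code from terriajs-server, express-brute or
// rate-limiter-flexible: an in-memory limiter reproducing the express-brute
// retry behaviour a replacement middleware has to keep if the freeRetries /
// minWait / maxWait option names are to keep their meaning. The wait
// sequence is the fibonacci-like one express-brute's README documents
// (500, 1000, 1500, 2500, 4000 ms ...); `lifetime` handling is assumed.

function buildDelays(minWait, maxWait) {
  // Each wait is the sum of the previous two, starting at minWait, capped at maxWait.
  const delays = [minWait];
  while (delays[delays.length - 1] < maxWait) {
    const last = delays[delays.length - 1];
    const prev = delays[delays.length - 2] ?? minWait;
    delays.push(Math.min(last + prev, maxWait));
  }
  return delays;
}

class BruteLimiter {
  constructor({ freeRetries = 2, minWait = 500, maxWait = 15 * 60 * 1000,
                lifetime = 60 * 60 * 1000 } = {}) {
    this.freeRetries = freeRetries;
    this.lifetime = lifetime;          // assumed: forget a key after this much idle time
    this.delays = buildDelays(minWait, maxWait);
    this.store = new Map();            // key -> { count, lastRequest }; a shared store would go here
  }

  // Decide whether a request identified by `key` (typically the client IP) may run.
  // Returns { allowed: true } or { allowed: false, retryAfterMs }.
  attempt(key, now = Date.now()) {
    let rec = this.store.get(key);
    if (rec && now - rec.lastRequest > this.lifetime) rec = undefined;
    if (!rec) rec = { count: 0, lastRequest: now };

    // The first freeRetries + 1 requests are free; after that the delay table is
    // indexed by how many requests beyond that have been made, saturating at maxWait.
    const delayIndex = rec.count - this.freeRetries - 1;
    const delay = delayIndex < 0 ? 0
      : this.delays[Math.min(delayIndex, this.delays.length - 1)];
    const nextValid = rec.lastRequest + delay;
    if (now < nextValid) return { allowed: false, retryAfterMs: nextValid - now };
    rec.count += 1;
    rec.lastRequest = now;
    this.store.set(key, rec);
    return { allowed: true };
  }

  reset(key) { this.store.delete(key); }   // e.g. after a successful login
}
```

Whatever library replaces express-brute, a table like `buildDelays` makes it easy to check that the same option values still yield the same waits before the change ships.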