Open na9da opened 2 months ago
I don't know anything about these libraries, but there is also a security issue with express-brute itself. I have no idea if node-rate-limiter-flexible fits the requirements of this project, but there is a guide for how to upgrade to it from express-brute: https://github.com/animir/node-rate-limiter-flexible/wiki/ExpressBrute-migration
That looks like a good alternative, thanks for the find.
I made a prototype migration in #162.
express-brute
is now 8 years old, the version of itsunderscore
dependency has a critical security warning. For now, we have put in place yarn resolution rules to force a safer version. However we could look for an alternative solution, some options include:express-brute
One thing to consider is some of the server config params share the same names as express-brute options. If we have to avoid a breaking change, then we have to manage that somehow.