npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@ambergristle/hono-rate-limiter

v0.0.9

Published

Basic rate limiting for Hono, featuring a variety of algorithms

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ambergristleambergristle

Keywords

honoratelimitratelimitrate-limitmiddlewareipfixed-windowsliding-windowtoken-bucketauthauthorizationsecuritybruteforcebruteforcebrute-forceattack

Readme

TL;DR

A flexible rate limiting solution designed for Hono + (Upstash) Redis (for now), with four built-in algorithms.

Modularity and interoperability are key goals. The RateLimiter can be used without the middleware, if you prefer to configure request handling yourself. I'll extend support to node-redis soon, and I'll look into implementing the algorithms using Cloudflare KV.

The middleware was inspired by hono-rate-limiter, and the algorithms are borrowed from `@upstash/ratelimit-js and Lucia Auth.

Get Started

import { Redis } from '@upstash/redis';
import { rateLimiter } from '@ambergristle/hono-rate-limiter';
import { FixedWindowCounter } from '@ambergristle/hono-rate-limiter/algorithms';

const globalGetLimiter = rateLimiter({
  client: Redis.fromEnv(), // don't forget to set env variables!
  algorithm: FixedWindowCounter.init(100, 60),
  cost: (c) => c.req.method === 'GET' ? 1 : 3,
  generateKey: (c) => getConnInfo(c).remote.address,
});

const app = new Hono()
  .use('*', globalGetLimiter)
  .get('/', (c) => c.text('Rate limited!'));

export default app;

Generate identifiers from Context variables

type AuthEnv = {
  Variables: {
    user: { userId: string };
  }
}

const userLimiter = rateLimiter<AuthEnv>({
  // ...
  generateKey: (c) => c.var.user.userId,
});

Initialize limiter from Context

type RedisEnv = {
  Variables: {
    client: Redis;
  }
}

rateLimiter<RedisEnv>({
  client: (c) => c.var.client,
  // ...
});

Make sure cache is persisted beyond requests

const blockedCache = new Map<string, number>();

rateLimiter<RedisEnv>({
  // ...
  blockedCache,
});

Configure response Headers and error Response

rateLimiter<RedisEnv>({
  // ...
  headerSpec: 'draft-7', // 'draft-6' | 'draft-7' | 'draft-8'
  refundFailedRequests: true,
  errorResponse: (c) => {
    return c.text('Slow down!', 420);
  }
});

Customize key prefixing

{keyPrefix?}:{policyName}:{key}

rateLimiter<RedisEnv>({
  // ...
  keyPrefix: 'limit',
  policyName: 'global',
});

Roadmap

improve tests, benchmarks

  • optimize test design to provide better coverage, use fewer resrouces
  • add coverage for algorithm-specific behaviors
  • add coverage/benchmarks for limiter performance

reset all

  • should be able to clear redis policy-prefixed records
  • should this exist at the RateLimiter level?

improve errors

  • distinguish between different error types?

open questions

  • how should request cost be communicated to clients
    • is it factored into

Future

deny list

  • allow identifiers? to be blacklisted
  • use a reference list as a starting point?

safe load scripts

  • look into prehashing scripts, should be ez
  • add preloading for less-likely scripts, try to load if not found

dynamic cost window log

  • doesn't obviously make sense, poses some serious technical challenges

dynamic refunds

  • only required if limiter is untethered from middleware

tests

[x] headers

[x] cache

middleware [] configuration (validate required arguments and outputs) [] headers [] error response

algorithms [x] configuration (validate required arguments and outputs) [x] basic [x] returns rate limit info and limiter result' [x] blocks after limit exceeded [x] allows additional requests after reset [x] works consistently (this is a weak test) [x] rejects all requests if max=0 [] specific [] fixed doubled at boundaries [] sliding smooth at boundaries [] log exact [] bucket? burst and rate [x] check: check method returns current rate limit info [x] refund: refund method restores quota units [x] reset: reset method deletes identifier bucket

performance [] response time [] resource use

  • concurrent requests
  • multiple users (limits isolated per id)
  • configurable windows