terriajs-server icon indicating copy to clipboard operation
terriajs-server copied to clipboard

Published 20 hours ago verified publisher icon TerriaJS

Investigate an alternative for `express-brute`

Open na9da opened this issue 1 year ago • 3 comments

express-brute is now 8 years old, the version of its underscore dependency has a critical security warning. For now, we have put in place yarn resolution rules to force a safer version. However we could look for an alternative solution, some options include:

  • forking express-brute
  • investigate using https://www.npmjs.com/package/express-rate-limit

One thing to consider is some of the server config params share the same names as express-brute options. If we have to avoid a breaking change, then we have to manage that somehow.

na9da avatar May 03 '24 04:05 na9da

I don't know anything about these libraries, but there is also a security issue with express-brute itself. I have no idea if node-rate-limiter-flexible fits the requirements of this project, but there is a guide for how to upgrade to it from express-brute: https://github.com/animir/node-rate-limiter-flexible/wiki/ExpressBrute-migration

pjonsson avatar May 03 '24 07:05 pjonsson

That looks like a good alternative, thanks for the find.

na9da avatar May 03 '24 09:05 na9da

I made a prototype migration in #162.

pjonsson avatar May 05 '24 15:05 pjonsson