February 26, 2026 · 0.1.10 · Jugg.ai

v0.1.10 — Security: distributed rate limiting via Upstash Redis (fixes bypass)

Release v0.1.10: Distributed Rate Limiting via Upstash Redis

What changed

  • Replaced in-memory rate limiter with distributed Upstash Redis backend
  • Added sliding-window algorithm using Redis sorted sets (score = timestamp)
  • Graceful fallback to in-memory store when Redis env vars not set
  • 7 new tests covering the distributed path, fail-open behavior, and TTL handling
  • Updated .env.example with UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN

Why it matters

On Vercel and other multi-instance serverless platforms, each cold-start spawned a fresh instance with an empty rate-limit counter. Attackers could exhaust limits on one instance, then route to a new instance to bypass protection entirely — particularly dangerous for OIDC token endpoints, client-ID enumeration, and billing endpoints.

Technical notes

  • Single pipeline request (ZREMRANGEBYSCORE + ZCARD + ZADD + EXPIRE) minimizes latency
  • Uses Upstash REST API over native fetch — no new npm dependencies
  • Fails open on Redis errors so that a Redis outage cannot take down the app
  • Works without config changes for local dev and single-instance deployments
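To make the "What changed" and "Technical notes" items concrete, here is an added example of the sliding-window check as described: the four-command pipeline (ZREMRANGEBYSCORE + ZCARD + ZADD + EXPIRE, score = timestamp), one REST round trip via fetch, fail-open on errors, and the in-memory fallback chosen when the two Upstash env vars are absent. This is my illustration, not Jugg.ai's src/middleware.ts. It assumes the Upstash REST pipeline endpoint (POST {URL}/pipeline with a Bearer token, a JSON array of command arrays in, a JSON array of {result|error} objects out); every function and type name is mine.

```typescript
// Sliding-window limiter over Redis sorted sets with fail-open and in-memory fallback.
// Added example for this post; it is not Jugg.ai's src/middleware.ts. It assumes the
// Upstash REST pipeline endpoint (POST {URL}/pipeline, "Authorization: Bearer <token>",
// body = JSON array of command arrays, response = JSON array of {result|error}); every
// name below is mine.

type Cmd = (string | number)[];
type RedisExec = (cmds: Cmd[]) => Promise<unknown[]>;
// Structural subset of fetch, so the limiter needs no global and can be driven by a fake.
type MinimalFetch = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

export interface Decision { allowed: boolean; remaining: number; failedOpen: boolean }

let seq = 0; // makes each ZADD member unique even when two requests share a timestamp

/** The four commands the post lists, in that order, for one request (score = timestamp). */
export function buildPipeline(key: string, nowMs: number, windowMs: number): Cmd[] {
  return [
    ["ZREMRANGEBYSCORE", key, 0, nowMs - windowMs], // evict timestamps that left the window
    ["ZCARD", key],                                 // how many requests remain in the window
    ["ZADD", key, nowMs, `${nowMs}-${seq++}`],      // record this request
    ["EXPIRE", key, Math.ceil(windowMs / 1000)],    // idle keys expire with the window
  ];
}

/** Turn the pipeline reply into a decision. ZCARD ran before ZADD, so the count excludes this request. */
export function decide(results: unknown[], limit: number): Decision {
  const count = Number(results[1]);
  return { allowed: count < limit, remaining: Math.max(0, limit - count - 1), failedOpen: false };
}

export async function slidingWindowCheck(
  exec: RedisExec, key: string, limit: number, windowMs: number, nowMs: number = Date.now(),
): Promise<Decision> {
  try {
    return decide(await exec(buildPipeline(key, nowMs, windowMs)), limit);
  } catch {
    // Fail open: a Redis error or outage must not become an outage of the app itself.
    return { allowed: true, remaining: limit, failedOpen: true };
  }
}

/** Upstash backend: the whole pipeline is one HTTPS round trip via the REST API. */
export function upstashExec(restUrl: string, token: string, fetchImpl: MinimalFetch): RedisExec {
  return async (cmds) => {
    const res = await fetchImpl(`${restUrl}/pipeline`, {
      method: "POST",
      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
      body: JSON.stringify(cmds),
    });
    if (!res.ok) throw new Error(`upstash HTTP ${res.status}`);
    const body = (await res.json()) as { result?: unknown; error?: string }[];
    return body.map((r) => { if (r.error) throw new Error(r.error); return r.result; });
  };
}

/** In-memory backend implementing only the four commands above (fallback and tests). */
export function memoryExec(): RedisExec {
  const sets = new Map<string, Map<string, number>>(); // key -> member -> score
  return async (cmds) =>
    cmds.map((cmd) => {
      const name = cmd[0] as string, key = cmd[1] as string;
      const zset = sets.get(key) ?? new Map<string, number>();
      sets.set(key, zset);
      switch (name) {
        case "ZREMRANGEBYSCORE": {
          const min = cmd[2] as number, max = cmd[3] as number;
          let removed = 0;
          for (const [m, s] of zset) if (s >= min && s <= max) { zset.delete(m); removed++; }
          return removed;
        }
        case "ZCARD": return zset.size;
        case "ZADD": { zset.set(cmd[3] as string, cmd[2] as number); return 1; }
        case "EXPIRE": return 1; // TTL is not modelled in the fallback
        default: throw new Error(`unsupported command ${name}`);
      }
    });
}

/** Backend selection mirroring the post: Upstash when both env vars are set, else in-memory. */
export function chooseExec(env: Record<string, string | undefined>, fetchImpl: MinimalFetch): RedisExec {
  const url = env.UPSTASH_REDIS_REST_URL, token = env.UPSTASH_REDIS_REST_TOKEN;
  return url && token ? upstashExec(url, token, fetchImpl) : memoryExec();
}
```

Two properties of this example are worth checking in any implementation that follows the same command order. Because ZADD runs unconditionally after ZCARD, a rejected request still occupies a slot, so a client that keeps retrying stays blocked until the window has slid past all of its timestamps. And the in-memory fallback has exactly the per-instance weakness this release fixes, so on a multi-instance platform the two env vars must actually be present in the deployment, not only in .env.example; a log line or metric on which backend was chosen at startup makes a silent fallback visible.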

Release Notes

PR #416 merged successfully (squash merge, SHA 897a245d4e76f5052a8871fae308483e91d241d5).

Release creation blocked: Tag v0.1.10 already exists in the repository. GitHub does not allow creating a release against a tag that already exists. This means one of the following is true:

  • A v0.1.10 release was already published previously and the version number needs to be bumped (e.g. to v0.1.11)
  • The tag was created manually or by a prior workflow run

Action needed: Please confirm the correct next version tag to use (e.g. v0.1.11) and I can create the release immediately, or delete the existing v0.1.10 tag if it was created in error.

What was merged (PR #416 — Security: Distributed Rate Limiting via Upstash Redis):

  • Fixed a rate-limit bypass on multi-instance serverless deployments (Vercel) where each cold-start got a fresh empty in-memory counter
  • Replaced the in-memory Map in src/middleware.ts with a distributed sliding-window algorithm backed by the Upstash Redis REST API
  • Zero new npm dependencies — uses native fetch, Edge-runtime compatible
  • Graceful fallback to in-memory store when Upstash env vars are not set (local dev, single-instance deployments, Redis outages)
  • 7 new middleware tests added (42 total passing)
  • .env.example updated with UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN
  • CI workflow updated with dummy Upstash env vars