v0.1.12 — fix: replace in-memory rate limiter with Upstash Redis distributed backend
Release v0.1.12: Distributed Rate Limiter
What Changed
- Replaced in-memory rate limiter with Upstash Redis distributed backend
- Automatic fallback to in-memory sliding-window when Redis env vars aren't set
- checkRateLimit() is now async; returns Promise
- RateLimitConfig is now exported
- 30+ new test cases covering both backends
Why It Matters
On serverless deployments, the old in-memory approach allowed attackers to bypass rate limits by routing requests across multiple instances or hitting cold-start instances with empty counters. Rate limits are now enforced globally across your entire deployment via Redis—eliminating both vulnerabilities.
Technical Notes
When UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN are set, all rate-limit state is stored in Upstash Redis and shared across instances. The implementation uses the Upstash REST API directly (no npm packages) and is fully Edge-runtime compatible. If Redis becomes unavailable, the system fails open—allowing requests through so an outage never takes down your application.
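The following simulation is an added example, not code from this project. It compares per-instance counters, a shared counter, and a failing backend for one client; the function names, the get/set store interface and the Map standing in for Redis are all assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not the project's API.
// Synchronous for brevity: the release's checkRateLimit() is async.

// Sliding-window check against any store exposing get(key)/set(key, value).
function checkLimit(store, key, limit, windowMs, now) {
  let hits;
  try {
    // Keep only the timestamps that still fall inside the window.
    hits = (store.get(key) || []).filter((t) => now - t < windowMs);
  } catch (err) {
    // Backend unreachable: fail open, as the release notes describe.
    return { allowed: true, failedOpen: true };
  }
  if (hits.length >= limit) {
    store.set(key, hits);
    return { allowed: false, failedOpen: false };
  }
  hits.push(now);
  store.set(key, hits);
  return { allowed: true, failedOpen: false };
}

// Send `total` requests for one client, round-robin across the given stores.
// Each store stands for the counter state one serverless instance can see.
function countAllowed(stores, total, limit, windowMs) {
  let allowed = 0;
  for (let i = 0; i < total; i++) {
    const store = stores[i % stores.length];
    if (checkLimit(store, "client-a", limit, windowMs, 1000 + i).allowed) allowed++;
  }
  return allowed;
}

// Old behaviour: three instances, each with its own private Map.
const perInstance = countAllowed([new Map(), new Map(), new Map()], 30, 5, 60000);

// New behaviour: three instances sharing one store (a Map standing in for Redis).
const shared = new Map();
const distributed = countAllowed([shared, shared, shared], 30, 5, 60000);

// Outage: every store read throws, so every request is allowed.
const down = { get() { throw new Error("unreachable"); }, set() {} };
const duringOutage = countAllowed([down], 30, 5, 60000);

console.log({ perInstance, distributed, duringOutage });
```

With a limit of 5 per window, the per-instance setup admits 15 of 30 requests, the shared store admits 5, and the failing backend admits all 30. That last figure is the cost of failing open, so backend errors are worth alerting on.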
Release Notes
PR #419 ("fix: replace in-memory rate limiter with Upstash Redis distributed backend") was successfully squash-merged into main (commit e29ddc0). However, the GitHub release creation for tag v0.1.12 failed because that tag already exists in the repository. The merge is complete; the release needs either a tag deletion + retry for v0.1.12, or a bump to v0.1.13.