I recently built and open-sourced limitngin, a lightweight, zero-dependency, ESM-only rate limiter middleware for Express.
The goal was simple:
Build something that works efficiently for both small projects and larger systems, without forcing external infrastructure from day one.
Designed for Small Projects — Without Redis
For:
- Personal projects
- MVPs
- Internal tools
You often don’t want to set up Redis just to enable basic rate limiting.
limitngin uses an optimized in-memory store that is:
- Map-based for better memory behavior
- Automatically cleaned up
- Stable under high key churn
- Zero external dependencies
Drop it in and it works.
Built With Scale in Mind
Even though it starts in-memory, the internal architecture is designed for extensibility.
It already supports:
- Sliding Window Counter (default)
- Token Bucket
- IP-based limiting
- Auth-token–based limiting
- Standard RateLimit-* + Retry-After headers
- Type-safe configuration using discriminated unions
And Redis (or external storage adapters) are planned for future releases.
So you can start simple — and scale later.
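A sketch of the Sliding Window Counter algorithm on a Map-based store with cleanup of inactive keys, as described above. This is an added example, not limitngin's source code; the class name, option names and returned fields are hypothetical.

```javascript
// Added example; not limitngin's code. All names are hypothetical.
class SlidingWindowCounter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now; // injectable clock, so behaviour can be tested
    this.store = new Map(); // key -> { start, curr, prev }
  }

  // Records one request for `key` and returns the decision plus the values
  // a middleware would expose as RateLimit-* / Retry-After headers.
  hit(key) {
    const t = this.now();
    const start = Math.floor(t / this.windowMs) * this.windowMs;
    let e = this.store.get(key);
    if (!e) {
      e = { start, curr: 0, prev: 0 };
      this.store.set(key, e);
    } else if (e.start !== start) {
      // Roll forward; the old count only matters if its window is adjacent.
      e.prev = start - e.start === this.windowMs ? e.curr : 0;
      e.curr = 0;
      e.start = start;
    }
    // Weight the previous window by the share of it still inside the
    // sliding window that ends now.
    const overlap = 1 - (t - start) / this.windowMs;
    const used = e.prev * overlap + e.curr;
    const allowed = used + 1 <= this.limit;
    if (allowed) e.curr += 1;
    const remaining = Math.max(0, Math.floor(this.limit - used - (allowed ? 1 : 0)));
    // Seconds to the next window boundary: a simple, approximate reset hint.
    const reset = Math.ceil((start + this.windowMs - t) / 1000);
    return { allowed, limit: this.limit, remaining, reset };
  }

  // Deletes keys idle for two full windows; they can no longer affect a
  // decision, so memory stays bounded when many distinct keys come and go.
  sweep() {
    const cutoff = this.now() - 2 * this.windowMs;
    let removed = 0;
    for (const [key, e] of this.store) {
      if (e.start <= cutoff) { this.store.delete(key); removed += 1; }
    }
    return removed;
  }
}
```

Because the keys (IP addresses, auth tokens) are chosen by clients, a store that is never swept grows with every distinct key it sees; running `sweep()` on a timer is what keeps high key churn from turning into memory pressure.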
Stress & Memory Testing
Before publishing, I ran controlled stress tests:
- ~500,000 unique key simulations
- Continuous request churn
- Heap inspection under sustained load
- Manual GC checks using node --expose-gc
Results:
- Stable memory growth curve
- No memory leaks
- Proper cleanup of inactive keys
- ~10MB reduction in peak memory after migrating from Record → Map
- Heap returning close to baseline after GC
The focus was to predict behavior under pressure.
If you’re building with Express and want:
- A clean API
- Zero dependencies
- Algorithm flexibility
- Efficient in-memory performance
limitngin is now available.
Open to discussions, feedback, and contributions.