From f8c1c202705bed9477608508c709afac200d2ce3 Mon Sep 17 00:00:00 2001 From: "Aaron K. Clark" Date: Tue, 19 May 2026 10:49:57 -0500 Subject: [PATCH] chore(rate-limit): use req.socket instead of deprecated req.connection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fallback IP lookup in \`keyByAuthKeyOrIp\` reached for \`req.connection.remoteAddress\` when \`req.ip\` was unset. Node has marked \`request.connection\` deprecated since 13.x as a legacy alias for \`request.socket\` — same value, different name. Switch to \`req.socket.remoteAddress\` so the keygen doesn't carry a warning- class accessor. Behavior is identical; the existing unit tests (which inject a plain \`{ ip }\` object) still pass without modification because they never reach the fallback branch. 760 tests still pass. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 app/middleware/rate-limit-key.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/middleware/rate-limit-key.js b/app/middleware/rate-limit-key.js
index 704d8f5..29911fc 100644
--- a/app/middleware/rate-limit-key.js
+++ b/app/middleware/rate-limit-key.js
@@ -43,7 +43,11 @@ function keyByAuthKeyOrIp(req /*, res */) {
 // /56 network prefix (the helper's default). Fall back to
 // 'unknown' when no source IP is available (e.g. unit-test
 // fixtures or non-IP transports).
- const ip = req.ip || (req.connection && req.connection.remoteAddress);
+ //
+ // `req.socket.remoteAddress` is the modern accessor — Node has
+ // marked `req.connection` deprecated (legacy alias for socket)
+ // since 13.x. Same value, future-proof name.
+ const ip = req.ip || (req.socket && req.socket.remoteAddress);
 if (!ip) return 'ip:unknown';
 return 'ip:' + ipKeyGenerator(ip);
 }
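Review bot: The changed fallback line `const ip = req.ip || (req.socket && req.socket.remoteAddress);` has no test coverage: the commit message itself says the fixtures inject a plain `{ ip }` object and never reach this branch, so "behavior is identical" is asserted rather than checked. Because this value becomes the rate-limit bucket key, add one case with a fixture such as `{ socket: { remoteAddress: '192.0.2.10' } }` (constructed sample address, plus whatever the auth-key path requires) that asserts the `ip:`-prefixed key, and one with neither field that asserts `'ip:unknown'`. The new comment should also say that the socket address is the directly connected peer, so if this branch is ever taken behind a reverse proxy all clients would presumably land in one bucket, e.g. `// NOTE: socket peer address; behind a proxy this is the proxy, not the client`. The start of keyByAuthKeyOrIp lies above the hunk, so the auth-key path that precedes this fallback is not visible here.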