275
GitHub is introducing rate limits for unauthenticated pulls, API calls, and web access (github.blog)
submitted 1 day ago* (last edited 1 day ago) by chaospatterns@lemmy.world to c/programming@programming.dev
114 comments fedilink hide all child comments

An update from GitHub: https://github.com/orgs/community/discussions/159123#discussioncomment-13148279

The rates are here: https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28

  • 60 req/hour for unauthenticated users
  • 5000 req/hour for authenticated - personal
  • 15000 req/hour for authenticated - enterprise org
you are viewing a single comment's thread
view the rest of the comments
[-] sxan@midwest.social 21 points 1 day ago

The Go module system pulls dependencies from their sources. This should be interesting.

Even if you host your project on a different provider, many libraries are on github. All those unauthenticated Arch users trying to install Go-based software that pulls dependencies from github.

How does the Rust module system work? How does pip?

[-] UnityDevice@lemmy.zip 5 points 15 hours ago* (last edited 15 hours ago)

Compiling any larger go application would hit this limit almost immediately. For example, podman is written in go and has around 70 dependencies, or about 200 when including transitive dependencies. Not all the depends are hosted on GitHub, but the vast majority are. That means that with a limit of 60 request per hour it would take you 3 hours to build podman on a new machine.

[-] adarza@lemmy.ca 12 points 1 day ago

already not looking forward to the next updates on a few systems.

[-] mesamunefire@piefed.social 6 points 23 hours ago

Yeah this could very well kill some package managers. Without some real hard heavy lifting.

[-] irelephant@programming.dev 3 points 19 hours ago

scoop relies on git repos to work (scoop.sh - windows package manager)

[-] Ephera@lemmy.ml 6 points 21 hours ago

For Rust, as I understand, crates.io hosts a copy of the source code. It is possible to specify a Git repository directly as a dependency, but apparently, you cannot do that if you publish to crates.io.

So, it will cause pain for some devs, but the ecosystem at large shouldn't implode.

[-] sxan@midwest.social 1 points 7 hours ago

I should know this, but I think Go's module metadata server also caches, and the compiler(s) looks there first if you don't override it. I remember Drew got pissed at Go because the package server was pounding on sr.ht for version information; I really should look into those details. It Just Works™, so I've never bothered to read up about how I works. A lamentable oversight I'll have to correct with this new rate limit. It might be no issue after all.

[-] Ephera@lemmy.ml 2 points 2 hours ago

I also remember there being a tiny shitstorm when Google started proxying package manager requests through their own servers, maybe two years ago or so. I don't know what happened with that, though, or if it's actually relevant here...

this post was submitted on 14 May 2025
275 points (99.3% liked)

Programming

20172 readers
588 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz