Rate limit on `/merge_requests` API endpoint

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Proposal

Add the possibility to rate limit on /merge_requests endpoint
Add the possibility to exclude IPs of gitlab runners from rate limit.

Reason:

we have a self-hosted gitlab server and recently it got flooded by the vscode extension from one user, in Gitlab server's log we see lots of node-fetch requests like this:

10.32.2.30 - - [13/May/2025:12:41:15 +0000] "GET /api/v4/merge_requests?state=opened&reviewer_id=231&in=title&scope=all&labels=&with_labels_details=true&per_page=50&page=1 HTTP/1.1" 200 2331 "" "node-fetch" 2.94

to count number of requests per minute:

# zgrep node-fetch gitlab_access.log.1.gz | grep 10.32.2.30 | grep "2025:12:41" | wc -l
1635
# zgrep node-fetch gitlab_access.log.1.gz | grep 10.32.2.30 | grep "2025:12:40" | wc -l
10693
# zgrep node-fetch gitlab_access.log.1.gz | grep 10.32.2.30 | grep "2025:12:39" | wc -l
7448
# zgrep node-fetch gitlab_access.log.1.gz | grep 10.32.2.30 | grep "2025:12:38" | wc -l
7538
# zgrep node-fetch gitlab_access.log.1.gz | grep 10.32.2.30 | grep "2025:12:37" | wc -l
12853
# zgrep node-fetch gitlab_access.log.1.gz | grep 10.32.2.30 | grep "2025:12:36" | wc -l
5107

I believe it is a bug in the vscode extension while if we could do something from server side to avoid this kind of flood, such as rate limit, it could be useful.

Edited Sep 28, 2025 by 🤖 GitLab Bot 🤖

Rate limit on /merge_requests API endpoint

Proposal

Rate limit on `/merge_requests` API endpoint