valibot: Transformation action now executes after failed schema check

After upgrading to 0.28.1 from 0.20.1 the transformation action executes after a failed schema check. This should never happen and is a bug.

import { parse, regex, string, transform } from 'valibot'

const schema = transform(
	string('Invalid string', [regex(/^[0-9]+ (milliseconds?|seconds?|minutes?|hours?|days?)/)]),
	() => {
		throw new Error('This error should not happen for invalid input')
	}
)

// This will throw my error instead of a valibot error.
parse(schema, 'INVALID')
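To make the reported behaviour concrete, here is an added example (not valibot's own code) that re-implements a minimal schema/transform pipeline with a simplified `{ output, issues }` result shape. `transformBuggy` runs the action regardless of the schema result, so a downstream transformation sees unvalidated input; `transformFixed` returns the issues untouched and never calls the action. The `toMilliseconds` transform, `DURATION` regex and inputs are constructed for the demonstration.

```javascript
// Added example: a minimal re-implementation of "schema + transform" to show why the
// action must be skipped once the schema check fails. Not valibot code; the result
// shape { output, issues } is a simplification of the library's internal contract.

// A string schema with an optional regex check that reports issues instead of throwing.
function string(message, pattern) {
  return {
    _parse(input) {
      if (typeof input !== 'string') {
        return { output: input, issues: [{ message, input }] };
      }
      if (pattern && !pattern.test(input)) {
        return { output: input, issues: [{ message, input }] };
      }
      return { output: input, issues: undefined };
    },
  };
}

// Buggy variant: calls the action even when the wrapped schema produced issues.
function transformBuggy(schema, action) {
  return {
    _parse(input) {
      const result = schema._parse(input);
      return { output: action(result.output), issues: result.issues };
    },
  };
}

// Fixed variant: short-circuits on issues, so the action only ever sees valid output.
function transformFixed(schema, action) {
  return {
    _parse(input) {
      const result = schema._parse(input);
      if (result.issues) return result;
      return { output: action(result.output), issues: undefined };
    },
  };
}

// parse(): throw when issues exist (like a ValiError), otherwise return the output.
function parse(schema, input) {
  const result = schema._parse(input);
  if (result.issues) {
    const err = new Error(result.issues[0].message);
    err.issues = result.issues;
    throw err;
  }
  return result.output;
}

const DURATION = /^[0-9]+ (milliseconds?|seconds?|minutes?|hours?|days?)/;

// Constructed transformation that relies on the regex having passed: "5 minutes" -> 300000.
function toMilliseconds(text) {
  const [amount, unit = ''] = text.split(' ');
  const factors = { millisecond: 1, second: 1000, minute: 60000, hour: 3600000, day: 86400000 };
  const factor = factors[unit.replace(/s$/, '')];
  if (factor === undefined) throw new Error('transform ran on invalid input: ' + text);
  return Number(amount) * factor;
}

// Helper: which error message does parse() surface for this schema and input?
function errorMessageFor(schema, input) {
  try {
    parse(schema, input);
    return null;
  } catch (e) {
    return e.message;
  }
}

const base = string('Invalid string', DURATION);
const buggySchema = transformBuggy(base, toMilliseconds);
const fixedSchema = transformFixed(base, toMilliseconds);

console.log(errorMessageFor(buggySchema, 'INVALID')); // transform ran on invalid input: INVALID
console.log(errorMessageFor(fixedSchema, 'INVALID')); // Invalid string
console.log(parse(fixedSchema, '5 minutes'));         // 300000
```

With the buggy combinator the caller receives the transform's own exception (or, worse, a silently wrong value) instead of the validation issue, which is exactly the unpredictability the thread is concerned about for server-side validation.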

About this issue

  • State: closed
  • Created 5 months ago
  • Comments: 41 (26 by maintainers)

Most upvoted comments

I had a call with @Demivan and thought about the current behavior of transform. I agree, and suspect that most users expect it to be executed only when the input has no issues. So I plan to change the implementation of transform. For now, I don’t plan to make this behavior configurable, because I don’t want to add configurations that aren’t needed. But I am open to feedback on this and may add it later.

My apologies then. I was confused by the current solution that Fabian introduced and your proposal, I guess. I actually like your customPartial proposal the best.

customPartial(
  [
    // You're being explicit about the validations you're relying on. (That's the part that was missing in the current solution.)
    // It could also support field paths
    ['deepObject', 'password'],
    ['deepObject', 'confirm'],
  ],
  (input) => input.deepObject.password === input.deepObject.confirm
)

And we could create a TS type that filters out everything except the relevant fields inside the input.

type Input = {
  deepObject: {
    password: string
    confirm: string
  }
}
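As an added example of how the `customPartial` idea above could work (this is not valibot code and the API is hypothetical), the following implementation runs the cross-field check only when none of the declared field paths already carries an issue. Issues are assumed to have the shape `{ path: [...], message }`; an issue on a parent path (e.g. `['deepObject']`) also blocks checks that depend on its children, so the predicate never dereferences missing data. The inputs and issue lists are constructed.

```javascript
// Added example: one possible implementation of customPartial() from the comment above.
// Not valibot code; the issue shape { path: [...], message } is assumed.

// Two paths overlap when one is a prefix of the other (a root issue, path [], overlaps all).
function pathsOverlap(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) return false;
  }
  return true;
}

// customPartial(): build a step that runs `check` only if the listed field paths are issue-free.
// The step takes (input, issues) and returns { ran, issues }, appending one issue on failure.
function customPartial(fieldPaths, check, message = 'Invalid input') {
  return function run(input, issues) {
    const dependencyFailed = issues.some((issue) =>
      fieldPaths.some((fieldPath) => pathsOverlap(issue.path, fieldPath))
    );
    if (dependencyFailed) {
      // A declared dependency is already invalid: skip rather than run the check on unreliable data.
      return { ran: false, issues };
    }
    const ok = check(input);
    return { ran: true, issues: ok ? issues : [...issues, { path: [], message }] };
  };
}

const passwordsMatch = customPartial(
  [['deepObject', 'password'], ['deepObject', 'confirm']],
  (input) => input.deepObject.password === input.deepObject.confirm,
  'Passwords do not match'
);

// Constructed inputs.
const validInput = { deepObject: { password: 'hunter22', confirm: 'hunter22' }, email: 'a@b.c' };
const mismatch = { deepObject: { password: 'hunter22', confirm: 'hunter2' }, email: 'a@b.c' };
const missingObject = { email: 'a@b.c' }; // deepObject absent entirely

function runValid() {
  return passwordsMatch(validInput, []);
}
function runMismatch() {
  return passwordsMatch(mismatch, []);
}
// An unrelated prior issue (email) must not suppress the password check.
function runWithUnrelatedIssue() {
  return passwordsMatch(mismatch, [{ path: ['email'], message: 'Invalid email' }]);
}
// A prior issue on the parent object skips the check; without the guard this would TypeError.
function runWithDependencyIssue() {
  return passwordsMatch(missingObject, [{ path: ['deepObject'], message: 'Required' }]);
}

console.log(runValid());               // { ran: true, issues: [] }
console.log(runMismatch().issues);     // [ { path: [], message: 'Passwords do not match' } ]
console.log(runWithDependencyIssue()); // { ran: false, issues: [ { path: ['deepObject'], ... } ] }
```

Declaring the dependencies explicitly is what makes the behaviour predictable: the check either runs on data that passed its own validation, or it is skipped and the original issues are reported unchanged.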

Yes, feel free to reach out on Discord (fabianhiller) or express your pain points and ideas here in the comments.

In what case do you think this could lead to a security problem?

I don’t have an example off hand, but unpredictable behavior is why bugs exist. And this is a validation library, after all.

One of the biggest selling points of Valibot is its small and tree-shakeable bundle sizes. That’s why a lot of developers use Valibot for form validation. I myself am the author of a form library called Modular Forms. That’s why I prioritized it over the edge case for transform.

That makes a lot of sense. I would just add that Valibot is also the best option for serverless as well. We use it to do server-side validation. I guess that’s why I’m prioritizing predictability.

Let me think about it some more. I’ll have more time tomorrow or the day after.