# ValidationPipe from @nestjs/class-validator is not working


strange abyss
#

Context: I faced this issue: https://github.com/nestjs/nest/issues/8562#issue-1050869638
Due to the security issues that class-validator presents, I need to replace the class-validator package with the @nestjs/class-validator package. At first, I experienced an error. I tried to solve it using what was suggested here https://github.com/nestjs/nest/issues/8562#issuecomment-970107298. Although I no longer have execution errors running the unit tests, I noticed that the validations included in the DTO (with @nestjs/class-validator) are not being respected.

Code:

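```ts
import { ValidationPipe } from '@nestjs/common';

// ...
app.useGlobalPipes(
  new ValidationPipe({
    // Use the @nestjs forks instead of class-validator / class-transformer
    validatorPackage: require('@nestjs/class-validator'),
    transformerPackage: require('@nestjs/class-transformer'),
    transform: true,
    whitelist: true,
  }),
  // ...
);
```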

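```ts
// dto.ts
import { IsNumber } from '@nestjs/class-validator';

export class dto {
  // Each element of the array must be a number
  @IsNumber({}, { each: true, message: 'items should be numbers' })
  field?: number[];
}
```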

```ts
// controller.ts
@UsePipes( // I also added this block at the beginning of the controller
  new ValidationPipe({
    validatorPackage: require('@nestjs/class-validator'),
    transformerPackage: require('@nestjs/class-transformer'),
    transform: true,
  }),
)
@Patch('')
async update(
  @Body() payload: dto,
): Promise<string> {
  return method(payload);
}
```

```ts
// test.ts
it('test', async () => {
  // The second array element is not a number, so validation should reject it
  const body = { field: [0, 'a'] };
  const response = await request(app.getHttpServer())
    .patch('url')
    .set('Accept', 'application/json')
    .set('Content-Type', 'application/json')
    .send(JSON.stringify(body));

  expect(response.status).toBe(HttpStatus.BAD_REQUEST);
});
```

Result:
```
expect(received).toBe(expected) // Object.is equality

Expected: 400
Received: 200
```

spare sigil
#

I'm pretty sure the nest fork is behind in terms of code and security to the original package. Also, it's probably not set to use reflect-metadata 0.2.0 which is what's most likely causing the 200 instead of the 400

strange abyss
#

Thanks for the response, jmcdo29. So, which package do you recommend to replace class-validator? Something like joi?

spare sigil
#

You should be able to use c-v/c-t just fine. However, if you want to move to using a schema instead there's @nest-lab/typeschema which can integrate with a multitude of schema validators

strange abyss
#

Sorry, but what should I do to make c-v/c-t? I missed that part

spare sigil
#

You can use class-validator/class-transformer with the built-in validation pipe. No need for the @nestjs/ fork of them

strange abyss
#

Oh, the problem was that I want to replace the class-validator due to security issues related to the package, some critical. I'll research an alternative

spare sigil
#

Do they currently have critical security vulnerabilities? I thought they got resolved

strange abyss
#

Yes, and those vulnerabilities are not fixable

spare sigil
#

Then yeah, I guess you need to find something else entirely.

#

Like I said, there's @nest-lab/typeschema