🔧 fix: #1453 add allowUnsafeValidationDetails for disabling unsafe validation details in production mode

Author: SaltyAom

CHANGELOG.md

@@ -1,10 +1,17 @@
 # 1.4.13 - 23 Oct 2025
+Improvement:
+- [#1453](https://github.com/elysiajs/elysia/issues/1453) add `allowUnsafeValidationDetails` for disabling unsafe validation details in production mode
+
+Bug fix:
 - [#1502](https://github.com/elysiajs/elysia/issues/1502) afterHandle doesn't update status
 - [#1495](https://github.com/elysiajs/elysia/pull/1495) request server hook parameters are typed as any (Bun 1.3.0)
 - [#1483](https://github.com/elysiajs/elysia/pull/1483) handle standard schema validators in ValidationError.all
 - [#1459](https://github.com/elysiajs/elysia/pull/1459) fix strictPath behavior when aot: false is set
 - [#1455](https://github.com/elysiajs/elysia/pull/1455) graceful shutdown not awaiting server.stop
-- [#1499](https://github.com/elysiajs/elysia/pull/1449) fails when mergint with t.Optional schema
+- [#1499](https://github.com/elysiajs/elysia/pull/1449) fails when merging with t.Optional schema
+
+change:
+- make `@types/bun` an optional dependency
 
 # 1.4.12 - 14 Oct 2025
 Improvement:

example/a.ts

@@ -1,8 +1,15 @@
-import { Elysia } from '../src'
+import { Elysia, t } from '../src'
 import { req } from '../test/utils'
 
-const app = new Elysia().onAfterResponse(({ set, responseValue }) => {
-	console.log(responseValue)
-	console.log(set.status)
+const app = new Elysia({
+	allowUnsafeValidationDetails: true
 })
-.listen(3000)
+	.onError(({ error }) => {
+		// console.log(error)
+	})
+	.get('/q', () => {}, {
+		query: t.Object({
+			a: t.String()
+		})
+	})
+	.listen(3000)

src/compose.ts

@@ -222,17 +222,19 @@ const composeValidationFactory = ({
 	validator,
 	encodeSchema = false,
 	isStaticResponse = false,
-	hasSanitize = false
+	hasSanitize = false,
+	allowUnsafeValidationDetails = false
 }: {
 	injectResponse?: string
 	normalize?: ElysiaConfig<''>['normalize']
 	validator: SchemaValidator
 	encodeSchema?: boolean
 	isStaticResponse?: boolean
 	hasSanitize?: boolean
+	allowUnsafeValidationDetails?: boolean
 }) => ({
 	validate: (type: string, value = `c.${type}`, error?: string) =>
-		`c.set.status=422;throw new ValidationError('${type}',validator.${type},${value}${error ? ',' + error : ''})`,
+		`c.set.status=422;throw new ValidationError('${type}',validator.${type},${value},${allowUnsafeValidationDetails}${error ? ',' + error : ''})`,
 	response: (name = 'r') => {
 		if (isStaticResponse || !validator.response) return ''
 
@@ -254,7 +256,7 @@ const composeValidationFactory = ({
 					`let vare${status}=validator.response[${status}].Check(${name})\n` +
 					`if(vare${status} instanceof Promise)vare${status}=await vare${status}\n` +
 					`if(vare${status}.issues)` +
-					`throw new ValidationError('response',validator.response[${status}],${name},vare${status}.issues)\n` +
+					`throw new ValidationError('response',validator.response[${status}],${name},${allowUnsafeValidationDetails},vare${status}.issues)\n` +
 					`${name}=vare${status}.value\n` +
 					`c.set.status=${status}\n` +
 					'break\n'
@@ -313,17 +315,17 @@ const composeValidationFactory = ({
 							clean({ ignoreTryCatch: true }) +
 							`${name}=validator.response[${status}].Encode(${name})\n` +
 							`}catch{` +
-							`throw new ValidationError('response',validator.response[${status}],${name})` +
+							`throw new ValidationError('response',validator.response[${status}],${name},${allowUnsafeValidationDetails})` +
 							`}`
-						: `throw new ValidationError('response',validator.response[${status}],${name})`) +
+						: `throw new ValidationError('response',validator.response[${status}],${name}),${allowUnsafeValidationDetails}`) +
 					`}`
 			} else {
 				if (!appliedCleaner) code += clean()
 
 				if (!noValidate)
 					code +=
 						`if(validator.response[${status}].Check(${name})===false)` +
-						`throw new ValidationError('response',validator.response[${status}],${name})\n` +
+						`throw new ValidationError('response',validator.response[${status}],${name},${allowUnsafeValidationDetails})\n` +
 						`c.set.status=${status}\n`
 			}
 
@@ -411,12 +413,13 @@ const isGenerator = (v: Function | HookContainer) => {
 const coerceTransformDecodeError = (
 	fnLiteral: string,
 	type: string,
+	allowUnsafeValidationDetails = false,
 	value = `c.${type}`
 ) =>
 	`try{${fnLiteral}}catch(error){` +
 	`if(error.constructor.name === 'TransformDecodeError'){` +
 	`c.set.status=422\n` +
-	`throw error.error ?? new ValidationError('${type}',validator.${type},${value})}` +
+	`throw error.error ?? new ValidationError('${type}',validator.${type},${value},${allowUnsafeValidationDetails})}` +
 	`}`
 
 export const composeHandler = ({
@@ -590,13 +593,15 @@ export const composeHandler = ({
 
 	const normalize = app.config.normalize
 	const encodeSchema = app.config.encodeSchema
+	const allowUnsafeValidationDetails = app.config.allowUnsafeValidationDetails
 
 	const validation = composeValidationFactory({
 		normalize,
 		validator,
 		encodeSchema,
 		isStaticResponse: handler instanceof Response,
-		hasSanitize: !!app.config.sanitize
+		hasSanitize: !!app.config.sanitize,
+		allowUnsafeValidationDetails
 	})
 
 	if (hasHeaders) fnLiteral += adapter.headers
@@ -763,11 +768,14 @@ export const composeHandler = ({
 		if (!hooks.afterResponse?.length && !hasTrace) return ''
 
 		let afterResponse = ''
-		const prefix = hooks.afterResponse?.some(isAsync) ? 'async ' : ''
 
 		afterResponse +=
-			`\nsetImmediate(${prefix}()=>{` +
-			`if(c.responseValue instanceof ElysiaCustomStatusResponse) c.set.status=c.responseValue.code\n`
+			`\nsetImmediate(async()=>{` +
+			`if(c.responseValue){` +
+			`if(c.responseValue instanceof ElysiaCustomStatusResponse) c.set.status=c.responseValue.code\n` +
+			`else if(c.responseValue[Symbol.iterator]) for (const v of c.responseValue) { }` +
+			`else if(c.responseValue[Symbol.asyncIterator]) for await (const v of c.responseValue) { }` +
+			`}`
 
 		const reporter = createReport({
 			trace: hooks.trace,
@@ -1184,7 +1192,8 @@ export const composeHandler = ({
 			if (validator.headers.hasTransform)
 				fnLiteral += coerceTransformDecodeError(
 					`c.headers=validator.headers.Decode(c.headers)\n`,
-					'headers'
+					'headers',
+					allowUnsafeValidationDetails
 				)
 
 			if (validator.headers.isOptional) fnLiteral += '}'
@@ -1226,7 +1235,8 @@ export const composeHandler = ({
 			if (validator.params.hasTransform)
 				fnLiteral += coerceTransformDecodeError(
 					`c.params=validator.params.Decode(c.params)\n`,
-					'params'
+					'params',
+					allowUnsafeValidationDetails
 				)
 		}
 
@@ -1279,11 +1289,13 @@ export const composeHandler = ({
 				// For query, we decode it twice to ensure that it works
 				fnLiteral += coerceTransformDecodeError(
 					`c.query=validator.query.Decode(c.query)\n`,
-					'query'
+					'query',
+					allowUnsafeValidationDetails
 				)
 				fnLiteral += coerceTransformDecodeError(
 					`c.query=validator.query.Decode(c.query)\n`,
-					'query'
+					'query',
+					allowUnsafeValidationDetails
 				)
 			}
 
@@ -1398,7 +1410,8 @@ export const composeHandler = ({
 			if (validator.body.hasTransform)
 				fnLiteral += coerceTransformDecodeError(
 					`if(isNotEmptyObject)c.body=validator.body.Decode(c.body)\n`,
-					'body'
+					'body',
+					allowUnsafeValidationDetails
 				)
 
 			if (hasUnion && validator.body.schema.anyOf?.length) {
@@ -1537,7 +1550,8 @@ export const composeHandler = ({
 						`for(const [key,value] of Object.entries(validator.cookie.Decode(cookieValue))){` +
 							`c.cookie[key].value=value` +
 							`}`,
-						'cookie'
+						'cookie',
+						allowUnsafeValidationDetails
 					)
 			}
 

src/error.ts

@@ -42,9 +42,7 @@ const emptyHttpStatus = {
 export class ElysiaCustomStatusResponse<
 	const in out Code extends number | keyof StatusMap,
 	// no in out here so the response can be sub type of return type
-	T = Code extends keyof InvertedStatusMap
-		? InvertedStatusMap[Code]
-		: Code,
+	T = Code extends keyof InvertedStatusMap ? InvertedStatusMap[Code] : Code,
 	const in out Status extends Code extends keyof StatusMap
 		? StatusMap[Code]
 		: Code = Code extends keyof StatusMap ? StatusMap[Code] : Code
@@ -270,7 +268,8 @@ export class ValidationError extends Error {
 			| ElysiaTypeCheck<any>
 			| StandardSchemaV1Like,
 		public value: unknown,
-		errors?: ValueErrorIterator
+		private allowUnsafeValidationDetails = false,
+		errors?: ValueErrorIterator,
 	) {
 		let message = ''
 		let error
@@ -335,7 +334,7 @@ export class ValidationError extends Error {
 			// @ts-ignore private field
 			const schema = validator?.schema ?? validator
 
-			if (!isProduction) {
+			if (!isProduction && !allowUnsafeValidationDetails) {
 				try {
 					expected = Value.Create(schema)
 				} catch (error) {
@@ -352,7 +351,7 @@ export class ValidationError extends Error {
 				error?.schema?.message || error?.schema?.error !== undefined
 					? typeof error.schema.error === 'function'
 						? error.schema.error(
-								isProduction
+								isProduction && !allowUnsafeValidationDetails
 									? {
 											type: 'validation',
 											on: type,
@@ -392,7 +391,7 @@ export class ValidationError extends Error {
 					typeof customError === 'object'
 						? JSON.stringify(customError)
 						: customError + ''
-			} else if (isProduction) {
+			} else if (isProduction && !allowUnsafeValidationDetails) {
 				message = JSON.stringify({
 					type: 'validation',
 					on: type,
@@ -438,23 +437,29 @@ export class ValidationError extends Error {
 			this.validator?.provider === 'standard' ||
 			'~standard' in this.validator ||
 			// @ts-ignore
-			('schema' in this.validator && this.validator.schema && '~standard' in this.validator.schema)
+			('schema' in this.validator &&
+				this.validator.schema &&
+				'~standard' in this.validator.schema)
 		) {
 			const standard = // @ts-ignore
-				('~standard' in this.validator
-					? this.validator
-					: // @ts-ignore
-						this.validator.schema)['~standard']
+				(
+					'~standard' in this.validator
+						? this.validator
+						: // @ts-ignore
+							this.validator.schema
+				)['~standard']
 
 			const issues = standard.validate(this.value).issues
 
 			// Map standard schema issues to the expected format
-			return issues?.map((issue: any) => ({
-				summary: issue.message,
-				path: issue.path?.join('.') || 'root',
-				message: issue.message,
-				value: this.value
-			})) || []
+			return (
+				issues?.map((issue: any) => ({
+					summary: issue.message,
+					path: issue.path?.join('.') || 'root',
+					message: issue.message,
+					value: this.value
+				})) || []
+			)
 		}
 
 		// Handle TypeBox validators
@@ -521,7 +526,7 @@ export class ValidationError extends Error {
 		const expected = this.expected
 		const errors = this.all
 
-		return isProduction
+		return isProduction && !this.allowUnsafeValidationDetails
 			? {
 					type: 'validation',
 					on: this.type,

src/types.ts

@@ -238,6 +238,16 @@ export interface ElysiaConfig<Prefix extends string | undefined> {
 	 * Sucrose (Static Code Analysis) configuration
 	 */
 	sucrose?: Sucrose.Settings
+
+	/**
+	 * Allow unsafe validation details in errors thrown by Elysia's schema validator (422 status code)
+	 *
+	 * Ideally, this should only be used in development environment or public APIs
+	 * This may leak sensitive information about the server implementation and should be used with caution in production environments.
+	 *
+	 * @default false
+	 */
+	allowUnsafeValidationDetails?: boolean
 }
 
 export interface ValidatorLayer {