Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The yup npm package is a JavaScript schema builder for value parsing and validation. It enables developers to construct schemas for objects, arrays, strings, numbers, booleans, and more, to validate the shape and content of data against those schemas. It is often used in the context of form validation on both the client and server sides.
Object Shape Validation
Validates the shape of an object, ensuring that it has specific fields with data types and constraints like strings being required, numbers being positive integers, and strings matching email or URL patterns.
{"const schema = yup.object().shape({ name: yup.string().required(), age: yup.number().required().positive().integer(), email: yup.string().email(), website: yup.string().url() }); schema.isValid({ name: 'John', age: 24, email: 'john@example.com', website: 'http://example.com' }).then(valid => { console.log(valid); // true });"}
Array Validation
Validates arrays, ensuring that they contain elements of a specific type and adhere to constraints, such as all elements being positive numbers.
{"const schema = yup.array().of(yup.number().positive()).required(); schema.isValid([1, 2, 3]).then(valid => { console.log(valid); // true });"}
String Validation
Validates strings, ensuring they meet criteria such as being required, having a minimum length, and not exceeding a maximum length.
{"const schema = yup.string().required().min(2).max(10); schema.isValid('Hello').then(valid => { console.log(valid); // true });"}
Number Validation
Validates numbers, ensuring they are positive, integers, and below a certain value.
{"const schema = yup.number().positive().integer().lessThan(100); schema.isValid(50).then(valid => { console.log(valid); // true });"}
Date Validation
Validates dates, ensuring they fall within a specified range.
{"const schema = yup.date().min(new Date(2000, 0, 1)).max(new Date(2020, 12, 31)); schema.isValid(new Date(2010, 6, 15)).then(valid => { console.log(valid); // true });"}
Custom Validation
Allows for custom validation functions to be defined, providing flexibility for more complex validation scenarios.
{"const schema = yup.string().test('is-john', 'The name must be John', value => value === 'John'); schema.isValid('John').then(valid => { console.log(valid); // true });"}
Joi is a powerful schema description language and data validator for JavaScript. It offers a similar API to yup but with a broader feature set and more detailed error messages. Joi is often considered more heavyweight compared to yup.
Ajv is a JSON schema validator that supports draft-06/07/2019-09 of JSON Schema. It is known for its performance and is typically used for validating JSON data structures. Unlike yup, Ajv is based on pre-defined JSON schemas rather than a programmatic API.
Validator is a library of string validators and sanitizers. It is more focused on string validation and does not provide object schema validation like yup. It's useful for simple validation tasks without the need for defining complex schemas.
Class-validator works with TypeScript and uses decorators to define validation rules within class models. It is tightly integrated with TypeScript and is a good choice for projects that are already using TypeScript and decorators.
Yup is a JavaScript schema builder for value parsing and validation. Define a schema, transform a value to match, validate the shape of an existing value, or both. Yup schema are extremely expressive and allow modeling complex, interdependent validations, or value transformations.
Yup's API is heavily inspired by Joi, but leaner and built with client-side validation as its primary use-case. Yup separates the parsing and validating functions into separate steps. cast()
transforms data while validate
checks that the input is the correct shape. Each can be performed together (such as HTML form validation) or seperately (such as deserializing trusted data from APIs).
npm install -S yup
Yup always relies on the Promise
global object to handle asynchronous values as well as Set
and Map
.
For browsers that do not support these, you'll need to include a polyfill, such as core-js:
import 'core-js/es6/promise';
import 'core-js/es6/set';
import 'core-js/es6/map';
You define and create schema objects. Schema objects are immutable, so each call of a method returns a new schema object. When using es module syntax, yup exports everything as a named export
import * as yup from 'yup';
let schema = yup.object().shape({
name: yup.string().required(),
age: yup.number().required().positive().integer(),
email: yup.string().email(),
website: yup.string().url(),
createdOn: yup.date().default(function () {
return new Date();
}),
});
// check validity
schema
.isValid({
name: 'jimmy',
age: 24,
})
.then(function (valid) {
valid; // => true
});
// you can try and type cast objects to the defined schema
schema.cast({
name: 'jimmy',
age: '24',
createdOn: '2014-09-23T19:25:25Z',
});
// => { name: 'jimmy', age: 24, createdOn: Date }
The exported functions are factory methods for constructing schema instances, but without the new
keyword.
If you need access to the actual schema classes, they are also exported:
import {
BooleanSchema,
DateSchema,
MixedSchema,
NumberSchema,
ArraySchema,
ObjectSchema,
StringSchema,
} from 'yup';
If you're looking for an easily serializable DSL for yup schema, check out yup-ast
Allows you to customize the default messages used by Yup, when no message is provided with a validation test. If any message is missing in the custom dictionary the error message will default to Yup's one.
import { setLocale } from 'yup';
setLocale({
mixed: {
default: 'Não é válido',
},
number: {
min: 'Deve ser maior que ${min}',
},
});
// now use Yup schemas AFTER you defined your custom dictionary
let schema = yup.object().shape({
name: yup.string(),
age: yup.number().min(18),
});
schema.validate({ name: 'jimmy', age: 11 }).catch(function (err) {
err.name; // => 'ValidationError'
err.errors; // => ['Deve ser maior que 18']
});
If you need multi-language support, Yup has got you covered. The function setLocale
accepts functions that can be used to generate error objects with translation keys and values. Just get this output and feed it into your favorite i18n library.
import { setLocale } from 'yup';
setLocale({
// use constant translation keys for messages without values
mixed: {
default: 'field_invalid',
},
// use functions to generate an error object that includes the value from the schema
number: {
min: ({ min }) => ({ key: 'field_too_short', values: { min } }),
max: ({ max }) => ({ key: 'field_too_big', values: { max } }),
},
});
// now use Yup schemas AFTER you defined your custom dictionary
let schema = yup.object().shape({
name: yup.string(),
age: yup.number().min(18),
});
schema.validate({ name: 'jimmy', age: 11 }).catch(function (err) {
err.name; // => 'ValidationError'
err.errors; // => [{ key: 'field_too_short', values: { min: 18 } }]
});
yup
yup.reach(schema: Schema, path: string, value?: object, context?: object): Schema
yup.addMethod(schemaType: Schema, name: string, method: ()=> Schema): void
yup.ref(path: string, options: { contextPrefix: string }): Ref
yup.lazy((value: any) => Schema): Lazy
ValidationError(errors: string | Array<string>, value: any, path: string)
mixed.clone(): Schema
mixed.label(label: string): Schema
mixed.meta(metadata: object): Schema
mixed.describe(): SchemaDescription
mixed.concat(schema: Schema): Schema
mixed.validate(value: any, options?: object): Promise<any, ValidationError>
mixed.validateSync(value: any, options?: object): any
mixed.validateAt(path: string, value: any, options?: object): Promise<any, ValidationError>
mixed.validateSyncAt(path: string, value: any, options?: object): any
mixed.isValid(value: any, options?: object): Promise<boolean>
mixed.isValidSync(value: any, options?: object): boolean
mixed.cast(value: any, options = {}): any
mixed.isType(value: any): boolean
mixed.strict(isStrict: boolean = false): Schema
mixed.strip(stripField: boolean = true): Schema
mixed.withMutation(builder: (current: Schema) => void): void
mixed.default(value: any): Schema
mixed.getDefault(options?: object): Any
mixed.nullable(isNullable: boolean = true): Schema
mixed.required(message?: string | function): Schema
mixed.notRequired(): Schema
Alias: optional()
mixed.defined(): Schema
mixed.typeError(message: string): Schema
mixed.oneOf(arrayOfValues: Array<any>, message?: string | function): Schema
Alias: equals
mixed.notOneOf(arrayOfValues: Array<any>, message?: string | function)
mixed.when(keys: string | Array<string>, builder: object | (value, schema)=> Schema): Schema
mixed.test(name: string, message: string | function, test: function): Schema
mixed.test(options: object): Schema
mixed.transform((currentValue: any, originalValue: any) => any): Schema
string.required(message?: string | function): Schema
string.length(limit: number | Ref, message?: string | function): Schema
string.min(limit: number | Ref, message?: string | function): Schema
string.max(limit: number | Ref, message?: string | function): Schema
string.matches(regex: Regex, message?: string | function): Schema
string.matches(regex: Regex, options: { message: string, excludeEmptyString: bool }): Schema
string.email(message?: string | function): Schema
string.url(message?: string | function): Schema
string.uuid(message?: string | function): Schema
string.ensure(): Schema
string.trim(message?: string | function): Schema
string.lowercase(message?: string | function): Schema
string.uppercase(message?: string | function): Schema
number.min(limit: number | Ref, message?: string | function): Schema
number.max(limit: number | Ref, message?: string | function): Schema
number.lessThan(max: number | Ref, message?: string | function): Schema
number.moreThan(min: number | Ref, message?: string | function): Schema
number.positive(message?: string | function): Schema
number.negative(message?: string | function): Schema
number.integer(message?: string | function): Schema
number.truncate(): Schema
number.round(type: 'floor' | 'ceil' | 'trunc' | 'round' = 'round'): Schema
array.of(type: Schema): Schema
array.length(length: number | Ref, message?: string | function): Schema
array.min(limit: number | Ref, message?: string | function): Schema
array.max(limit: number | Ref, message?: string | function): Schema
array.ensure(): Schema
array.compact(rejector: (value) => boolean): Schema
object.shape(fields: object, noSortEdges?: Array<[string, string]>): Schema
object.pick(keys: string[]): Schema
object.omit(keys: string[]): Schema
object.getDefaultFromShape(): Record<string, unknown>
object.from(fromKey: string, toKey: string, alias: boolean = false): this
object.noUnknown(onlyKnownKeys: boolean = true, message?: string | function): Schema
object.camelCase(): Schema
object.constantCase(): Schema
yup
The module export.
let yup = require('yup');
yup.mixed;
yup.string;
yup.number;
yup.boolean; // also aliased as yup.bool
yup.date;
yup.object;
yup.array;
yup.reach;
yup.addMethod;
yup.ref;
yup.lazy;
yup.setLocale;
yup.ValidationError;
yup.reach(schema: Schema, path: string, value?: object, context?: object): Schema
For nested schemas yup.reach
will retrieve a nested schema based on the provided path.
For nested schemas that need to resolve dynamically, you can provide a value
and optionally
a context
object.
let schema = object().shape({
nested: object().shape({
arr: array().of(object().shape({ num: number().max(4) })),
}),
});
reach(schema, 'nested.arr.num');
reach(schema, 'nested.arr[].num');
reach(schema, 'nested.arr[1].num');
reach(schema, 'nested["arr"][1].num');
yup.addMethod(schemaType: Schema, name: string, method: ()=> Schema): void
Adds a new method to the core schema types. A friendlier convenience method for schemaType.prototype[name] = method
.
yup.addMethod(yup.date, 'format', function (formats, parseStrict) {
return this.transform(function (value, originalValue) {
if (this.isType(value)) return value;
value = Moment(originalValue, formats, parseStrict);
return value.isValid() ? value.toDate() : new Date('');
});
});
yup.ref(path: string, options: { contextPrefix: string }): Ref
Creates a reference to another sibling or sibling descendant field. Refs are resolved at validation/cast time and supported where specified. Refs are evaluated in the proper order so that the ref value is resolved before the field using the ref (be careful of circular dependencies!).
let schema = object({
baz: ref('foo.bar'),
foo: object({
bar: string(),
}),
x: ref('$x'),
});
schema.cast({ foo: { bar: 'boom' } }, { context: { x: 5 } });
// => { baz: 'boom', x: 5, foo: { bar: 'boom' } }
yup.lazy((value: any) => Schema): Lazy
Creates a schema that is evaluated at validation/cast time. Useful for creating recursive schema like Trees, for polymorphic fields and arrays.
CAUTION! When defining parent-child recursive object schema, you want to reset the default()
to undefined
on the child—otherwise the object will infinitely nest itself when you cast it!
let node = object({
id: number(),
child: yup.lazy(() => node.default(undefined)),
});
let renderable = yup.lazy((value) => {
switch (typeof value) {
case 'number':
return number();
case 'string':
return string();
default:
return mixed();
}
});
let renderables = array().of(renderable);
ValidationError(errors: string | Array<string>, value: any, path: string)
Thrown on failed validations, with the following properties
name
: "ValidationError"path
: a string, indicating where there error was thrown. path
is empty at the root level.errors
: array of error messagesinner
: in the case of aggregate errors, inner is an array of ValidationErrors
throw earlier in the
validation chain. When the abortEarly
option is false
this is where you can inspect each error thrown,
alternatively, errors
will have all of the messages from each inner error.Creates a schema that matches all types. All types inherit from this base type
let schema = yup.mixed();
schema.isValid(undefined, function (valid) {
valid; // => true
});
mixed.clone(): Schema
Creates a deep copy of the schema. Clone is used internally to return a new schema with every schema state change.
mixed.label(label: string): Schema
Overrides the key name which is used in error messages.
mixed.meta(metadata: object): Schema
Adds to a metadata object, useful for storing data with a schema, that doesn't belong the cast object itself.
mixed.describe(): SchemaDescription
Collects schema details (like meta, labels, and active tests) into a serializable description object.
SchemaDescription {
type: string,
label: string,
meta: object,
tests: Array<{ name: string, params: object }>
}
mixed.concat(schema: Schema): Schema
Creates a new instance of the schema by combining two schemas. Only schemas of the same type can be concatenated.
mixed.validate(value: any, options?: object): Promise<any, ValidationError>
Returns the value (a cast value if isStrict
is false
) if the value is valid, and returns the errors otherwise.
This method is asynchronous and returns a Promise object, that is fulfilled with the value, or rejected
with a ValidationError
.
The options
argument is an object hash containing any schema options you may want to override
(or specify for the first time).
Options = {
strict: boolean = false;
abortEarly: boolean = true;
stripUnknown: boolean = false;
recursive: boolean = true;
context?: object;
}
strict
: only validate the input, and skip any coercion or transformationabortEarly
: return from validation methods on the first error rather
than after all validations run.stripUnknown
: remove unspecified keys from objects.recursive
: when false
validations will not descend into nested schema
(relevant for objects or arrays).context
: any context needed for validating schema conditions (see: when()
)schema.validate({ name: 'jimmy', age: 24 }).then(function (value) {
value; // => { name: 'jimmy',age: 24 }
});
schema.validate({ name: 'jimmy', age: 'hi' }).catch(function (err) {
err.name; // => 'ValidationError'
err.errors; // => ['age must be a number']
});
mixed.validateSync(value: any, options?: object): any
Runs validatations synchronously if possible and returns the resulting value,
or throws a ValidationError. Accepts all the same options as validate
.
Synchronous validation only works if there are no configured async tests, e.g tests that return a Promise. For instance this will work:
let schema = number().test(
'is-42',
"this isn't the number i want",
(value) => value != 42,
);
schema.validateSync(23); // throws ValidationError
however this will not:
let schema = number().test('is-42', "this isn't the number i want", (value) =>
Promise.resolve(value != 42),
);
schema.validateSync(42); // throws Error
mixed.validateAt(path: string, value: any, options?: object): Promise<any, ValidationError>
Validate a deeply nested path within the schema. Similar to how reach
works,
but uses the resulting schema as the subject for validation.
Note! The
value
here is the root value relative to the starting schema, not the value at the nested path.
let schema = object({
foo: array().of(
object({
loose: boolean(),
bar: string().when('loose', {
is: true,
otherwise: (s) => s.strict(),
}),
}),
),
});
let rootValue = {
foo: [{ bar: 1 }, { bar: 1, loose: true }],
};
await schema.validateAt('foo[0].bar', rootValue); // => ValidationError: must be a string
await schema.validateAt('foo[1].bar', rootValue); // => '1'
mixed.validateSyncAt(path: string, value: any, options?: object): any
Same as validateAt
but synchronous.
mixed.isValid(value: any, options?: object): Promise<boolean>
Returns true
when the passed in value matches the schema. isValid
is asynchronous and returns a Promise object.
Takes the same options as validate()
.
mixed.isValidSync(value: any, options?: object): boolean
Synchronously returns true
when the passed in value matches the schema.
Takes the same options as validateSync()
and has the same caveats around async tests.
mixed.cast(value: any, options = {}): any
Attempts to coerce the passed in value to a value that matches the schema. For example: '5'
will
cast to 5
when using the number()
type. Failed casts generally return null
, but may also
return results like NaN
and unexpected strings.
options
parameter can be an object containing context
. (For more info on context
see mixed.validate
)
mixed.isType(value: any): boolean
Runs a type check against the passed in value
. It returns true if it matches,
it does not cast the value. When nullable()
is set null
is considered a valid value of the type.
You should use isType
for all Schema type checks.
mixed.strict(isStrict: boolean = false): Schema
Sets the strict
option to true
. Strict schemas skip coercion and transformation attempts,
validating the value "as is".
mixed.strip(stripField: boolean = true): Schema
Marks a schema to be removed from an output object. Only works as a nested schema.
let schema = object({
useThis: number(),
notThis: string().strip(),
});
schema.cast({ notThis: 'foo', useThis: 4 }); // => { useThis: 4 }
mixed.withMutation(builder: (current: Schema) => void): void
First the legally required Rich Hickey quote:
If a tree falls in the woods, does it make a sound?
If a pure function mutates some local data in order to produce an immutable return value, is that ok?
withMutation
allows you to mutate the schema in place, instead of the default behavior which clones before each change.
Generally this isn't necessary since the vast majority of schema changes happen during the initial
declaration, and only happen once over the lifetime of the schema, so performance isn't an issue.
However certain mutations do occur at cast/validation time, (such as conditional schema using when()
), or
when instantiating a schema object.
object()
.shape({ key: string() })
.withMutation((schema) => {
return arrayOfObjectTests.forEach((test) => {
schema.test(test);
});
});
mixed.default(value: any): Schema
Sets a default value to use when the value is undefined
.
Defaults are created after transformations are executed, but before validations, to help ensure that safe
defaults are specified. The default value will be cloned on each use, which can incur performance penalty
for objects and arrays. To avoid this overhead you can also pass a function that returns a new default.
Note that null
is considered a separate non-empty value.
yup.string.default('nothing');
yup.object.default({ number: 5 }); // object will be cloned every time a default is needed
yup.object.default(() => ({ number: 5 })); // this is cheaper
yup.date.default(() => new Date()); // also helpful for defaults that change over time
mixed.getDefault(options?: object): Any
Retrieve a previously set default value. getDefault
will resolve any conditions that may alter the default. Optionally pass options
with context
(for more info on context
see mixed.validate
).
mixed.nullable(isNullable: boolean = true): Schema
Indicates that null
is a valid value for the schema. Without nullable()
null
is treated as a different type and will fail isType()
checks.
mixed.required(message?: string | function): Schema
Mark the schema as required, which will not allow undefined
or null
as a value.
Note that unless a schema is marked as nullable()
a null
value is treated as a type error, not a missing value. Mark a schema as mixed().nullable().required()
treat null
as missing.
Watch out!
string().required
) works a little different and additionally prevents empty string values (''
) when required.
mixed.notRequired(): Schema
Alias: optional()
Mark the schema as not required. Passing undefined
(or null
for nullable schema) as value will not fail validation.
mixed.defined(): Schema
Require a value for the schema. All field values apart from undefined
meet this requirement.
mixed.typeError(message: string): Schema
Define an error message for failed type checks. The ${value}
and ${type}
interpolation can
be used in the message
argument.
mixed.oneOf(arrayOfValues: Array<any>, message?: string | function): Schema
Alias: equals
Whitelist a set of values. Values added are automatically removed from any blacklist if they are in it.
The ${values}
interpolation can be used in the message
argument. If a ref or refs are provided,
the ${resolved}
interpolation can be used in the message argument to get the resolved values that were checked
at validation time.
Note that undefined
does not fail this validator, even when undefined
is not included in arrayOfValues
.
If you don't want undefined
to be a valid value, you can use mixed.required
.
let schema = yup.mixed().oneOf(['jimmy', 42]);
await schema.isValid(42); // => true
await schema.isValid('jimmy'); // => true
await schema.isValid(new Date()); // => false
mixed.notOneOf(arrayOfValues: Array<any>, message?: string | function)
Blacklist a set of values. Values added are automatically removed from any whitelist if they are in it.
The ${values}
interpolation can be used in the message
argument. If a ref or refs are provided,
the ${resolved}
interpolation can be used in the message argument to get the resolved values that were checked
at validation time.
let schema = yup.mixed().notOneOf(['jimmy', 42]);
await schema.isValid(42); // => false
await schema.isValid(new Date()); // => true
mixed.when(keys: string | Array<string>, builder: object | (value, schema)=> Schema): Schema
Adjust the schema based on a sibling or sibling children fields. You can provide an object
literal where the key is
is value or a matcher function, then
provides the true schema and/or
otherwise
for the failure condition.
is
conditions are strictly compared (===
) if you want to use a different form of equality you
can provide a function like: is: (value) => value == true
.
Like joi you can also prefix properties with $
to specify a property that is dependent
on context
passed in by validate()
or isValid
. when
conditions are additive.
let schema = object({
isBig: boolean(),
count: number()
.when('isBig', {
is: true, // alternatively: (val) => val == true
then: yup.number().min(5),
otherwise: yup.number().min(0),
})
.when('$other', (other, schema) => (other === 4 ? schema.max(6) : schema)),
});
await schema.validate(value, { context: { other: 4 } });
You can also specify more than one dependent key, in which case each value will be spread as an argument.
let schema = object({
isSpecial: boolean(),
isBig: boolean(),
count: number().when(['isBig', 'isSpecial'], {
is: true, // alternatively: (isBig, isSpecial) => isBig && isSpecial
then: yup.number().min(5),
otherwise: yup.number().min(0),
}),
});
await schema.validate({
isBig: true,
isSpecial: true,
count: 10,
});
Alternatively you can provide a function that returns a schema (called with the value of the key and the current schema).
let schema = yup.object({
isBig: yup.boolean(),
count: yup.number().when('isBig', (isBig, schema) => {
return isBig ? schema.min(5) : schema.min(0);
}),
});
await schema.validate({ isBig: false, count: 4 });
mixed.test(name: string, message: string | function, test: function): Schema
Adds a test function to the validation chain. Tests are run after any object is cast. Many types have some tests built in, but you can create custom ones easily. In order to allow asynchronous custom validations all (or no) tests are run asynchronously. A consequence of this is that test execution order cannot be guaranteed.
All tests must provide a name
, an error message
and a validation function that must return
true
when the current value
is valid and false
or a ValidationError
otherwise.
To make a test async return a promise that resolves true
or false
or a ValidationError
.
For the message
argument you can provide a string which will interpolate certain values
if specified using the ${param}
syntax. By default all test messages are passed a path
value
which is valuable in nested schemas.
The test
function is called with the current value
. For more advanced validations you can
use the alternate signature to provide more options (see below):
let jimmySchema = string().test(
'is-jimmy',
'${path} is not Jimmy',
(value, context) => value === 'jimmy',
);
// or make it async by returning a promise
let asyncJimmySchema = string().test(
'is-jimmy',
'${path} is not Jimmy',
async (value, testContext) => (await fetch('/is-jimmy/' + value)).responseText === 'true',
});
await schema.isValid('jimmy'); // => true
await schema.isValid('john'); // => false
Test functions are called with a special context value, as the second argument, that exposes some useful metadata
and functions. For non arrow functions, the test context is also set as the function this
. Watch out, if you access
it via this
it won't work in an arrow function.
testContext.path
: the string path of the current validationtestContext.schema
: the resolved schema object that the test is running against.testContext.options
: the options
object that validate() or isValid() was called withtestContext.parent
: in the case of nested schema, this is the value of the parent objecttestContext.originalValue
: the original value that is being testedtestContext.createError(Object: { path: String, message: String, params: Object })
: create and return a
validation error. Useful for dynamically setting the path
, params
, or more likely, the error message
.
If either option is omitted it will use the current path, or default message.mixed.test(options: object): Schema
Alternative test(..)
signature. options
is an object containing some of the following options:
Options = {
// unique name identifying the test
name: string;
// test function, determines schema validity
test: (value: any) => boolean;
// the validation error message
message: string;
// values passed to message for interpolation
params: ?object;
// mark the test as exclusive, meaning only one of the same can be active at once
exclusive: boolean = false;
}
In the case of mixing exclusive and non-exclusive tests the following logic is used. If a non-exclusive test is added to a schema with an exclusive test of the same name the exclusive test is removed and further tests of the same name will be stacked.
If an exclusive test is added to a schema with non-exclusive tests of the same name the previous tests are removed and further tests of the same name will replace each other.
let max = 64;
let schema = yup.mixed().test({
name: 'max',
exclusive: true,
params: { max },
message: '${path} must be less than ${max} characters',
test: (value) => value == null || value.length <= max,
});
mixed.transform((currentValue: any, originalValue: any) => any): Schema
Adds a transformation to the transform chain. Transformations are central to the casting process,
default transforms for each type coerce values to the specific type (as verified by isType()
). transforms are run before validations and only applied when the schema is not marked as strict
(the default). Some types have built in transformations.
Transformations are useful for arbitrarily altering how the object is cast, however, you should take care
not to mutate the passed in value. Transforms are run sequentially so each value
represents the
current state of the cast, you can use the originalValue
param if you need to work on the raw initial value.
let schema = string().transform(function (value, originalvalue) {
return this.isType(value) && value !== null ? value.toUpperCase() : value;
});
schema.cast('jimmy'); // => 'JIMMY'
Each types will handle basic coercion of values to the proper type for you, but occasionally you may want to adjust or refine the default behavior. For example, if you wanted to use a different date parsing strategy than the default one you could do that with a transform.
module.exports = function (formats = 'MMM dd, yyyy') {
return date().transform(function (value, originalValue) {
// check to see if the previous transform already parsed the date
if (this.isType(value)) return value;
// the default coercion failed so let's try it with Moment.js instead
value = Moment(originalValue, formats);
// if it's valid return the date object, otherwise return an `InvalidDate`
return value.isValid() ? value.toDate() : new Date('');
});
};
Define a string schema. Supports all the same methods as mixed
.
let schema = yup.string();
await schema.isValid('hello'); // => true
By default, the cast
logic of string
is to call toString
on the value if it exists.
empty values are not coerced (use ensure()
to coerce empty values to empty strings).
Failed casts return the input value.
string.required(message?: string | function): Schema
The same as the mixed()
schema required, except that empty strings are also considered 'missing' values.
string.length(limit: number | Ref, message?: string | function): Schema
Set a required length for the string value. The ${length}
interpolation can be used in the message
argument
string.min(limit: number | Ref, message?: string | function): Schema
Set a minimum length limit for the string value. The ${min}
interpolation can be used in the message
argument
string.max(limit: number | Ref, message?: string | function): Schema
Set a maximum length limit for the string value. The ${max}
interpolation can be used in the message
argument
string.matches(regex: Regex, message?: string | function): Schema
Provide an arbitrary regex
to match the value against.
let schema = string().matches(/(hi|bye)/);
await schema.isValid('hi'); // => true
await schema.isValid('nope'); // => false
string.matches(regex: Regex, options: { message: string, excludeEmptyString: bool }): Schema
An alternate signature for string.matches
with an options object. excludeEmptyString
, when true,
short circuits the regex test when the value is an empty string
let schema = string().matches(/(hi|bye)/, { excludeEmptyString: true });
await schema.isValid(''); // => true
string.email(message?: string | function): Schema
Validates the value as an email address via a regex.
string.url(message?: string | function): Schema
Validates the value as a valid URL via a regex.
string.uuid(message?: string | function): Schema
Validates the value as a valid UUID via a regex.
string.ensure(): Schema
Transforms undefined
and null
values to an empty string along with
setting the default
to an empty string.
string.trim(message?: string | function): Schema
Transforms string values by removing leading and trailing whitespace. If
strict()
is set it will only validate that the value is trimmed.
string.lowercase(message?: string | function): Schema
Transforms the string value to lowercase. If strict()
is set it
will only validate that the value is lowercase.
string.uppercase(message?: string | function): Schema
Transforms the string value to uppercase. If strict()
is set it
will only validate that the value is uppercase.
Define a number schema. Supports all the same methods as mixed
.
let schema = yup.number();
await schema.isValid(10); // => true
The default cast
logic of number
is: parseFloat
.
Failed casts return NaN
.
number.min(limit: number | Ref, message?: string | function): Schema
Set the minimum value allowed. The ${min}
interpolation can be used in the
message
argument.
number.max(limit: number | Ref, message?: string | function): Schema
Set the maximum value allowed. The ${max}
interpolation can be used in the
message
argument.
number.lessThan(max: number | Ref, message?: string | function): Schema
Value must be less than max
. The ${less}
interpolation can be used in the
message
argument.
number.moreThan(min: number | Ref, message?: string | function): Schema
Value must be strictly greater than min
. The ${more}
interpolation can be used in the
message
argument.
number.positive(message?: string | function): Schema
Value must be a positive number.
number.negative(message?: string | function): Schema
Value must be a negative number.
number.integer(message?: string | function): Schema
Validates that a number is an integer.
number.truncate(): Schema
Transformation that coerces the value to an integer by stripping off the digits to the right of the decimal point.
number.round(type: 'floor' | 'ceil' | 'trunc' | 'round' = 'round'): Schema
Adjusts the value via the specified method of Math
(defaults to 'round').
Define a boolean schema. Supports all the same methods as mixed
.
let schema = yup.boolean();
await schema.isValid(true); // => true
Define a Date schema. By default ISO date strings will parse correctly,
for more robust parsing options see the extending schema types at the end of the readme.
Supports all the same methods as mixed
.
let schema = yup.date();
await schema.isValid(new Date()); // => true
The default cast
logic of date
is pass the value to the Date
constructor, failing that, it will attempt
to parse the date as an ISO date string.
Failed casts return an invalid Date.
date.min(limit: Date | string | Ref, message?: string | function): Schema
Set the minimum date allowed. When a string is provided it will attempt to cast to a date first and use the result as the limit.
date.max(limit: Date | string | Ref, message?: string | function): Schema
Set the maximum date allowed, When a string is provided it will attempt to cast to a date first and use the result as the limit.
Define an array schema. Arrays can be typed or not, When specifying the element type, cast
and isValid
will apply to the elements as well. Options passed into isValid
are passed also passed to child schemas.
Supports all the same methods as mixed
.
let schema = yup.array().of(yup.number().min(2));
await schema.isValid([2, 3]); // => true
await schema.isValid([1, -24]); // => false
schema.cast(['2', '3']); // => [2, 3]
You can also pass a subtype schema to the array constructor as a convenience.
array().of(yup.number());
// or
array(yup.number());
The default cast
behavior for array
is: JSON.parse
Failed casts return: null
;
array.of(type: Schema): Schema
Specify the schema of array elements. of()
is optional and when omitted the array schema will
not validate its contents.
array.length(length: number | Ref, message?: string | function): Schema
Set a specific length requirement for the array. The ${length}
interpolation can be used in the message
argument.
array.min(limit: number | Ref, message?: string | function): Schema
Set a minimum length limit for the array. The ${min}
interpolation can be used in the message
argument.
array.max(limit: number | Ref, message?: string | function): Schema
Set a maximum length limit for the array. The ${max}
interpolation can be used in the message
argument.
array.ensure(): Schema
Ensures that the value is an array, by setting the default to []
and transforming null
and undefined
values to an empty array as well. Any non-empty, non-array value will be wrapped in an array.
array().ensure().cast(null); // => []
array().ensure().cast(1); // => [1]
array().ensure().cast([1]); // => [1]
array.compact(rejector: (value) => boolean): Schema
Removes falsey values from the array. Providing a rejecter function lets you specify the rejection criteria yourself.
array().compact().cast(['', 1, 0, 4, false, null]); // => [1, 4]
array()
.compact(function (v) {
return v == null;
})
.cast(['', 1, 0, 4, false, null]); // => ['', 1, 0, 4, false]
Define an object schema. Options passed into isValid
are also passed to child schemas.
Supports all the same methods as mixed
.
yup.object().shape({
name: string().required(),
age: number().required().positive().integer(),
email: string().email(),
website: string().url(),
});
You can also pass a shape to the object constructor as a convenience.
object().shape({
num: number(),
});
// or
object({
num: number(),
});
The default cast
behavior for object
is: JSON.parse
Failed casts return: null
;
Object schema come with a default value already set, which "builds" out the object shape, a sets any defaults for fields:
const schema = object({
name: string().default(''),
});
schema.default(); // -> { name: '' }
This may be a bit suprising, but is generally very helpful since it allows large, nested schema to create default values that fill out the whole shape and not just the root object. There is one gotcha! though. For nested object schema that are optional but include non optional fields may fail in unexpected ways:
const schema = object({
id: string().required(),
names: object({
first: string().required(),
}),
});
schema.isValid({ id: 1 }); // false! names.first is required
This is because yup casts the input object before running validation which will produce:
{ id: '1', names: { first: undefined }}
During the validation phase names
exists, and is validated, finding names.first
missing.
If you wish to avoid this behavior do one of the following:
names.default(undefined)
names.nullable().default(null)
object.shape(fields: object, noSortEdges?: Array<[string, string]>): Schema
Define the keys of the object and the schemas for said keys.
Note that you can chain shape
method, which acts like object extends, for example:
object({
a: string(),
b: number(),
}).shape({
b: string(),
c: number(),
});
would be exactly the same as:
object({
a: string(),
b: string(),
c: number(),
});
object.pick(keys: string[]): Schema
Create a new schema from a subset of the original's fields.
const person = object({
age: number().default(30).required(),
name: string().default('pat').required(),
color: string().default('red').required(),
});
const nameAndAge = person.pick(['name', 'age']);
nameAndAge.getDefault(); // => { age: 30, name: 'pat'}
object.omit(keys: string[]): Schema
Create a new schema with fields omitted.
const person = object({
age: number().default(30).required(),
name: string().default('pat').required(),
color: string().default('red').required(),
});
const nameAndAge = person.omit(['color']);
nameAndAge.getDefault(); // => { age: 30, name: 'pat'}
object.getDefaultFromShape(): Record<string, unknown>
Produces a default object value by walking the object shape and calling default()
on each field. This is the default behavior of getDefault()
but allows for
building out an object skeleton regardless of the default().
object.from(fromKey: string, toKey: string, alias: boolean = false): this
Transforms the specified key to a new key. If alias
is true
then the old key will be left.
let schema = object({
myProp: mixed(),
Other: mixed(),
})
.from('prop', 'myProp')
.from('other', 'Other', true);
schema.cast({ prop: 5, other: 6 }); // => { myProp: 5, other: 6, Other: 6 }
object.noUnknown(onlyKnownKeys: boolean = true, message?: string | function): Schema
Validate that the object value only contains keys specified in shape
, pass false
as the first
argument to disable the check. Restricting keys to known, also enables stripUnknown
option, when not in strict mode.
object.camelCase(): Schema
Transforms all object keys to camelCase
object.constantCase(): Schema
Transforms all object keys to CONSTANT_CASE.
FAQs
Dead simple Object schema validation
The npm package yup receives a total of 4,618,682 weekly downloads. As such, yup popularity was classified as popular.
We found that yup demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.