Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Zodix is a collection of Zod utilities for Remix loaders and actions. It abstracts the complexity of parsing and validating FormData
and URLSearchParams
so your loaders/actions stay clean and are strongly typed.
Remix loaders often look like:
export async function loader({ params, request }: LoaderArgs) {
const { id } = params;
const url = new URL(request.url);
const count = url.searchParams.get('count') || '10';
if (typeof id !== 'string') {
throw new Error('id must be a string');
}
const countNumber = parseInt(count, 10);
if (isNaN(countNumber)) {
throw new Error('count must be a number');
}
// Fetch data with id and countNumber
};
Here is the same loader with Zodix:
export async function loader({ params, request }: LoaderArgs) {
const { id } = zx.parseParams(params, { id: z.string() });
const { count } = zx.parseQuery(request, { count: zx.NumAsString });
// Fetch data with id and countNumber
};
Check the example app for complete examples of common patterns.
Install with npm, yarn, pnpm, etc.
npm install zodix zod
Import the zx
object, or specific functions:
import { zx } from 'zodix';
// import { parseParams, NumAsString } from 'zodix';
Parse and validate the Params
object from LoaderArgs['params']
or ActionArgs['params']
using a Zod shape:
export async function loader({ params }: LoaderArgs) {
const { userId, noteId } = zx.parseParams(params, {
userId: z.string(),
noteId: z.string(),
});
};
The same as above, but using an existing Zod object schema:
// This is if you have many pages that share the same params.
export const ParamsSchema = z.object({ userId: z.string(), noteId: z.string() });
export async function loader({ params }: LoaderArgs) {
const { userId, noteId } = zx.parseParams(params, ParamsSchema);
};
Parse and validate FormData
from a Request
in a Remix action and avoid the tedious FormData
dance:
export async function action({ request }: ActionArgs) {
const { email, password, saveSession } = await zx.parseForm(request, {
email: z.string().email(),
password: z.string().min(6),
saveSession: zx.CheckboxAsString,
});
};
Integrate with existing Zod schemas and models/controllers:
// db.ts
export const CreateNoteSchema = z.object({
userId: z.string(),
title: z.string(),
category: NoteCategorySchema.optional(),
});
export function createNote(note: z.infer<typeof CreateNoteSchema>) {}
import { CreateNoteSchema, createNote } from './db';
export async function action({ request }: ActionArgs) {
const formData = await zx.parseForm(request, CreateNoteSchema);
createNote(formData); // No TypeScript errors here
};
Parse and validate the query string (search params) of a Request
:
export async function loader({ request }: LoaderArgs) {
const { count, page } = zx.parseQuery(request, {
// NumAsString parses a string number ("5") and returns a number (5)
count: zx.NumAsString,
page: zx.NumAsString,
});
};
These work the same as the non-safe versions, but don't throw when validation fails. They use z.parseSafe()
and always return an object with the parsed data or an error.
export async function action(args: ActionArgs) {
const results = await zx.parseFormSafe(args.request, {
email: z.string().email({ message: "Invalid email" }),
password: z.string().min(8, { message: "Password must be at least 8 characters" }),
});
return json({
success: results.success,
error: results.error,
});
}
Check the login page example for a full example.
parseParams()
, parseForm()
, and parseQuery()
These functions throw a 400 Response when the parsing fails. This works nicely with Remix catch boundaries and should be used for parsing things that should rarely fail and don't require custom error handling. You can pass a custom error message or status code.
export async function loader({ params }: LoaderArgs) {
const { postId } = zx.parseParams(
params,
{ postId: zx.NumAsString },
{ message: "Invalid postId parameter", status: 400 }
);
const post = await getPost(postId);
return { post };
}
export function CatchBoundary() {
const caught = useCatch();
return <h1>Caught error: {caught.statusText}</h1>;
}
Check the post page example for a full example.
parseParamsSafe()
, parseFormSafe()
, and parseQuerySafe()
These functions are great for form validation because they don't throw when parsing fails. They always return an object with this shape:
{ success: boolean; error?: ZodError; data?: <parsed data>; }
You can then handle errors in the action and access them in the component using useActionData()
. Check the login page example for a full example.
Because FormData
and URLSearchParams
serialize all values to strings, you often end up with things like "5"
, "on"
and "true"
. The helper schemas handle parsing and validating strings representing other data types and are meant to be used with the parse functions.
"true"
→ true
"false"
→ false
"notboolean"
→ throws ZodError
"on"
→ true
undefined
→ false
"anythingbuton"
→ throws ZodError
"3"
→ 3
"3.14"
→ throws ZodError
"notanumber"
→ throws ZodError
"3"
→ 3
"3.14"
→ 3.14
"notanumber"
→ throws ZodError
See the tests for more details.
const Schema = z.object({
isAdmin: zx.BoolAsString,
agreedToTerms: zx.CheckboxAsString,
age: zx.IntAsString,
cost: zx.NumAsString,
});
const parsed = Schema.parse({
isAdmin: 'true',
agreedToTerms: 'on',
age: '38',
cost: '10.99'
});
/*
parsed = {
isAdmin: true,
agreedToTerms: true,
age: 38,
cost: 10.99
}
*/
URLSearchParams
parsingYou may have URLs with query string that look like ?ids[]=1&ids[]=2
or ?ids=1,2
that aren't handled as desired by the built in URLSearchParams
parsing.
You can pass a custom function, or use a library like query-string to parse them with Zodix.
// Create a custom parser function
type ParserFunction = (params: URLSearchParams) => Record<string, string | string[]>;
const customParser: ParserFunction = () => { /* ... */ };
// Parse non-standard search params
const search = new URLSearchParams(`?ids[]=id1&ids[]=id2`);
const { ids } = zx.parseQuery(
request,
{ ids: z.array(z.string()) }
{ parser: customParser }
);
// ids = ['id1', 'id2']
Zod discriminated unions are great for helping with actions that handle multiple intents like this:
// This adds type narrowing by the intent property
const Schema = z.discriminatedUnion('intent', [
z.object({ intent: z.literal('delete'), id: z.string() }),
z.object({ intent: z.literal('create'), name: z.string() }),
]);
export async function action({ request }: ActionArgs) {
const data = await zx.parseForm(request, Schema);
switch (data.intent) {
case 'delete':
// data is now narrowed to { intent: 'delete', id: string }
return;
case 'create':
// data is now narrowed to { intent: 'create', name: string }
return;
default:
// data is now narrowed to never. This will error if a case is missing.
const _exhaustiveCheck: never = data;
}
};
FAQs
Parse Remix loaders and actions with Zod
The npm package zodix receives a total of 5,975 weekly downloads. As such, zodix popularity was classified as popular.
We found that zodix demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.