npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

zodsheriff

v0.1.0

Published

Validation for LLM-generated typescript zod schemas

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hrishioahrishioa

Keywords

Readme

🛡️ ZodSheriff

npm version TypeScript

Safe validation and execution of LLM-generated Zod schemas

Safely run Zod schemas from LLMs while preserving structure, comments, and documentation. Invalid parts are surgically removed while keeping the rest intact.

FeaturesQuick StartUsageAdvanced FeaturesArchitecture

🎯 Key Features

  • 🔒 Safe Schema Execution: Run Zod schemas from LLMs without worrying about malicious code or infinite loops
  • 🛡️ Proactive Security: Prevents regex DoS attacks and detects unsafe patterns
  • ⚡ Resource Protection: Aggressive timeout management and depth tracking
  • 🔍 Deep Validation: Comprehensive validation of methods, arguments, and properties
  • 🎯 Smart Schema Analysis: Powerful schema unification and transformation capabilities
  • 🎚️ Configurable Safety: Multiple security profiles with deep customization
  • 📊 Type-Safe Architecture: Built with TypeScript, featuring extensive type safety
  • 🛠️ CLI & API: Flexible usage through CLI or programmatic API

🚀 Quick Start

CLI Usage

# Basic validation
bunx zodsheriff schema.ts

# Read from clipboard
bunx zodsheriff --clipboard

# Read from stdin (great for pipelines)
cat schema.ts | bunx zodsheriff --stdin

# Choose security level
bunx zodsheriff --config medium schema.ts

# Get cleaned schema
bunx zodsheriff --clean-only schema.ts > safe-schema.ts

# Get unified schema (combines dependent schemas)
bunx zodsheriff --getUnifiedLargest schema.ts > unified.ts

# Unwrap top-level arrays in unified schema
bunx zodsheriff --getUnifiedLargest --unwrapArrays schema.ts > unified.ts

📦 Installation

npm install zodsheriff   # Using npm
yarn add zodsheriff      # Using yarn
pnpm add zodsheriff     # Using pnpm

💻 Usage

API Usage

import { validateZodSchema } from "zodsheriff";

// Basic validation
const result = await validateZodSchema(schemaCode);
if (result.isValid) {
  console.log("Schema is safe!");
  console.log(result.cleanedCode);
}

// With schema unification
const result = await validateZodSchema(schemaCode, {
  schemaUnification: {
    enabled: true,
    unwrapArrayRoot: true, // Unwrap top-level arrays
  },
});

// Access unified schemas
if (result.schemaGroups?.length) {
  console.log("Largest unified schema:", result.schemaGroups[0].code);
}

Security Levels

import {
  validateZodSchema,
  extremelySafeConfig,
  mediumConfig,
  relaxedConfig,
} from "zodsheriff";

// Extremely Safe - Best for untrusted LLM output
const safeResult = await validateZodSchema(code, extremelySafeConfig);

// Medium - Balanced for semi-trusted sources
const mediumResult = await validateZodSchema(code, mediumConfig);

// Relaxed - For trusted sources
const relaxedResult = await validateZodSchema(code, relaxedConfig);

Custom Configuration

import { validateZodSchema, createConfig, relaxedConfig } from "zodsheriff";

const config = createConfig(relaxedConfig, {
  timeoutMs: 2000,
  maxNodeCount: 5000,
  maxChainDepth: 4,
  schemaUnification: {
    enabled: true,
    unwrapArrayRoot: true,
  },
  propertySafety: {
    deniedPrefixes: ["_", "$"],
    deniedProperties: new Set(["constructor", "__proto__"]),
  },
});

const result = await validateZodSchema(schemaCode, config);

🔍 Advanced Features

Schema Unification

ZodSheriff can analyze dependencies between schemas and generate unified, self-contained versions:

// Input schemas with dependencies
const addressSchema = z.object({
  street: z.string(),
  city: z.string(),
});

const userSchema = z.object({
  name: z.string(),
  address: addressSchema,
});

// After unification (--getUnifiedLargest):
const unifiedSchema = z.object({
  name: z.string(),
  address: z.object({
    street: z.string(),
    city: z.string(),
  }),
});

Array Unwrapping

When using schema unification, you can automatically unwrap top-level array schemas:

// Input schema
const arraySchema = z.array(
  z.object({
    id: z.string(),
    value: z.number(),
  })
);

// After unification with --unwrapArrays:
const unwrappedSchema = z.object({
  id: z.string(),
  value: z.number(),
});

Validation Results

const result = await validateZodSchema(schemaCode);

// Validation status
console.log("Valid:", result.isValid);

// Review issues
result.issues.forEach((issue) => {
  console.log(`${issue.severity}: ${issue.message} at line ${issue.line}`);
  if (issue.suggestion) {
    console.log(`Suggestion: ${issue.suggestion}`);
  }
});

// Access root schemas
console.log("Root schemas:", result.rootSchemaNames);

// Access unified schemas
if (result.schemaGroups?.length) {
  const largest = result.schemaGroups[0];
  console.log(`Unified schema with ${largest.metrics.schemaCount} schemas`);
}

🏗️ Architecture Decisions

Safety First

  • Strict method and property whitelisting
  • Comprehensive function validation
  • Protection against prototype pollution
  • Resource limits and timeout protection

Smart Processing

  • AST-based schema analysis
  • Schema dependency tracking
  • Intelligent unification
  • Comment and structure preservation

Performance

  • Smart caching strategy
  • Optimized validation paths
  • Resource-aware processing
  • Configurable parallelization

📚 Documentation

For detailed documentation, visit:

🤝 Contributing

Contributions are welcome! Please read our Contributing Guide and Code of Conduct.

📄 License

MIT License - see LICENSE for details