Description
- Authentication gaps: flag any mutation/query using publicProcedure whose name/path suggests admin/sensitive behavior (e.g., user, token, password, admin, config), not just the small sensitive-name list today.
- Missing input validation: we already warn on missing .input; expand to detect .input(z.any()) / .input(z.unknown()) (effectively unvalidated) and very loose shapes (no required keys) as warn-level.
- Schema drift/loose output: flag .output(z.any()) or no .output() when returning objects/arrays (heuristic: resolver returns an object literal or array literal) to encourage explicit responses.
- Unaudited side-effects: we warn on side-effects in queries; add a rule for mutations that perform side-effects but are public and lack any auth middleware marker (no protected/private/admin base) to push for protection/rate limits.
- Unhandled async errors: detect await db./prisma. calls in resolvers without a surrounding try/catch or TRPCError throws; also catch naked .then chains without a .catch.
- Leaky error details: flag resolvers that return/throw a raw error or err.message directly to clients without wrapping it in TRPCError (possible info leak).
- Query impurity expansion: broaden side-effect detection to file I/O (fs/promises.writeFile etc.), external HTTP (fetch/axios), and mutations disguised as queries by HTTP verbs in the name (post*, put* in queries).
- Rate limiting hints: for public mutations that touch high-risk domains (email, sms, token creation), suggest adding rate limiting/middleware; extend the sensitive pattern list to include sms, otp, invite, webhook, apiKey.
- Long-running resolvers: detect usage of Promise.allSettled/setTimeout/sleep in resolvers and warn if no timeout/abort pattern is present (helps avoid stuck requests).
- Pagination sanity: flag queries that accept limit/take/pageSize without a max clamp (simple regex for a limit param and no Math.min/z.max), to avoid DoS via huge responses.
- File/FS access exposure: flag any resolver accessing fs/path/process.env combined with public procedures, to prompt explicit vetting of what’s being exposed.
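As an added example, not code from the scanner or from the issue author: a regex-level TypeScript pass that implements several of the heuristics proposed above (auth gap on sensitive public names, z.any()/z.unknown() input, unclamped pagination, query side-effects, unhandled db/prisma awaits, leaky errors, rate-limit hints, fs/process.env exposure) over a constructed router snippet. It assumes procedures are declared as `key: <base>Procedure`, that zod is imported as `z`, and the base names publicProcedure/protectedProcedure; the sample router, rule ids and messages are constructed for the example.

```typescript
// Added example, not the scanner's own code. Assumptions (hypothetical): one
// procedure per router key written as `key: <base>Procedure`, zod imported as `z`.

type Finding = { procedure: string; level: "warn" | "error"; rule: string; message: string };
type Procedure = { name: string; base: string; body: string };

// Sensitive-name list from the issue, including the proposed extensions.
const SENSITIVE_NAME = /user|token|password|admin|config|sms|otp|invite|webhook|apikey/i;
// High-risk domains where a public mutation should get a rate-limiting hint.
const HIGH_RISK = /email|sms|token/i;

// Split the router source at each `key: <base>Procedure` line; a procedure's
// body runs until the next such line (or end of input).
function splitProcedures(src: string): Procedure[] {
  const re = /^\s*(\w+)\s*:\s*(\w+Procedure)\b/gm;
  const starts: { name: string; base: string; index: number }[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) starts.push({ name: m[1], base: m[2], index: m.index });
  return starts.map((s, i) => ({
    name: s.name,
    base: s.base,
    body: src.slice(s.index, i + 1 < starts.length ? starts[i + 1].index : src.length),
  }));
}

function scanRouter(src: string): Finding[] {
  const findings: Finding[] = [];
  for (const p of splitProcedures(src)) {
    const report = (level: Finding["level"], rule: string, message: string) =>
      findings.push({ procedure: p.name, level, rule, message });
    const isPublic = p.base === "publicProcedure";
    const isQuery = /\.query\s*\(/.test(p.body);
    const isMutation = /\.mutation\s*\(/.test(p.body);

    // Authentication gap: public procedure with a sensitive-looking name.
    if (isPublic && SENSITIVE_NAME.test(p.name))
      report("error", "auth-gap", "public procedure with a sensitive-looking name");
    // Missing or effectively unvalidated input.
    if (!/\.input\s*\(/.test(p.body)) report("warn", "no-input", "no .input() schema");
    else if (/\.input\s*\(\s*z\.(any|unknown)\s*\(\s*\)\s*\)/.test(p.body))
      report("warn", "loose-input", "input is z.any()/z.unknown(), effectively unvalidated");
    // Pagination parameter without a visible clamp (Math.min or z.max).
    if (isQuery && /\b(limit|take|pageSize)\b/.test(p.body) && !/Math\.min\s*\(|\.max\s*\(/.test(p.body))
      report("warn", "unclamped-pagination", "limit/take/pageSize accepted without a max clamp");
    // Query doing file I/O or outbound HTTP, or a mutation hiding behind a query name.
    if (isQuery && (/\b(fetch|axios\.\w+|writeFile)\s*\(/.test(p.body) || /^(post|put)/i.test(p.name)))
      report("warn", "query-side-effect", "query performs side effects or is named like a mutation");
    // await on db/prisma with no try/catch and no TRPCError path.
    if (/await\s+(db|prisma)\./.test(p.body) && !/try\s*\{/.test(p.body) && !/TRPCError/.test(p.body))
      report("warn", "unhandled-async", "awaited db/prisma call without try/catch or TRPCError");
    // Raw error or err.message handed straight to the client.
    if (/\b(return|throw)\s+(err|error|e)\b(\.message)?/.test(p.body))
      report("warn", "leaky-error", "raw error returned/thrown without wrapping in TRPCError");
    // Public mutation in a high-risk domain: suggest rate limiting / middleware.
    if (isPublic && isMutation && HIGH_RISK.test(p.name + p.body))
      report("warn", "rate-limit-hint", "public mutation touching email/sms/token; consider rate limiting");
    // Public procedure reaching into fs / process.env.
    if (isPublic && /\b(process\.env|fs\.\w+|readFile|writeFile)/.test(p.body))
      report("warn", "fs-env-exposure", "public procedure touches fs/process.env");
  }
  return findings;
}

// Constructed sample router (not real project code) exercising the rules.
const SAMPLE_ROUTER = `
export const appRouter = router({
  listPosts: publicProcedure
    .input(z.object({ limit: z.number() }))
    .query(async ({ input }) => db.post.findMany({ take: input.limit })),
  resetPassword: publicProcedure
    .input(z.any())
    .mutation(async ({ input }) => {
      try { await db.user.update(input); } catch (err) { throw err.message; }
    }),
  getConfig: protectedProcedure
    .query(() => ({ secret: process.env.SECRET_KEY })),
  sendOtp: publicProcedure
    .input(z.object({ phone: z.string() }))
    .mutation(async ({ input }) => sms.send(input.phone)),
});
`;

console.log(JSON.stringify(scanRouter(SAMPLE_ROUTER), null, 2));
```

Each rule here is a plain regex over the procedure's source text, which is what the issue proposes; it trades precision for speed, so a real implementation would sit on an AST (for example, a TypeScript compiler API visitor) to avoid false positives such as the word "limit" in a comment.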