Skip to content

Fix: Add type validation for sendStatus to prevent BigInt serialization error (#6756) #6758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Vedant224 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix: Add type validation for sendStatus to prevent BigInt serialization error (#6756) #6758

Vedant224 wants to merge 2 commits into from

Conversation

@Vedant224
Copy link

@Vedant224 Vedant224 commented Sep 13, 2025

Fixes #6756

This PR adds type validation to res.sendStatus() to prevent uncaught TypeError when BigInt values are passed as status codes.

Problem:

  • res.sendStatus(200n) caused uncaught "Do not know how to serialize a BigInt" error
  • Error occurred when sendStatus() called this.status() which internally uses JSON.stringify()

Solution:

  • Add type checking at the beginning of sendStatus() method
  • Throw consistent TypeError: Invalid status code for non-number inputs
  • Matches existing error handling patterns in Express

Changes:

  • Add type validation in lib/response.js
  • Add test case for BigInt input in test/res.sendStatus.js
  • All existing tests pass (1239 passing)
  • Follows existing error message format
  • No linting errors

Testing:

npm test  # All 1239 tests pass
npm run lint  # No errors

@Vedant224
Fix: Add type validation for sendStatus to prevent BigInt serializati…
f48ee1c 
…on error (expressjs#6756)

- Add type checking in sendStatus() method to throw TypeError for non-number inputs
- Prevents uncaught 'Do not know how to serialize a BigInt' error
- Add test coverage for BigInt status code input
- Maintains backward compatibility with existing error patterns

Fixes expressjs#6756
shivarm
shivarm reviewed Sep 13, 2025
View reviewed changes
lib/response.js Outdated

res.sendStatus = function sendStatus(statusCode) {
if (typeof statusCode !== 'number') {
throw new TypeError('Invalid status code: ' + statusCode);
Copy link
Contributor

@shivarm shivarm Sep 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
throw new TypeError('Invalid status code: ' + statusCode);
throw new TypeError(`statusCode must be a valid number to res.sendStatus`);

I think it seems consistent

Copy link
Member

@bjohansebas bjohansebas Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree

bjohansebas
bjohansebas reviewed Sep 18, 2025
View reviewed changes
Copy link
Member

@bjohansebas bjohansebas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, although this will be released for version 6 since it would be a breaking change, and we should first release a warning in version 5. Could you create a new PR to add a deprecation message?

@Vedant224
Copy link
Author

Vedant224 commented Sep 18, 2025
edited
Loading

@bjohansebas I've created the deprecation warning PR as requested. I kept it targeting master since that shows my actual 2-file changes cleanly. When I tried changing the target to 5.x it showed 36 changes (difference between branches).

Should I leave it targeting master and you'll handle getting it into Express v5, or would you prefer a different approach for the branch targeting?

The deprecation warning PR is ready for review - it adds the deprecate() call for non-number values in sendStatus().

@krzysdz krzysdz mentioned this pull request Oct 16, 2025
Open
@abhisekp abhisekp mentioned this pull request Oct 22, 2025
Closed
3 tasks
@krzysdz
Copy link
Contributor

krzysdz commented Oct 29, 2025

This looks good, although this will be released for version 6 since it would be a breaking change, and we should first release a warning in version 5. Could you create a new PR to add a deprecation message?

I don't think that it would be a breaking change - 5.x already includes validation that was added in #4212. This probably could be documented better, because it's mentioned only for res.status (both in migration guide and History.md), but the same PR modified res.sendStatus to use res.status in order to benefit from this new validation.

The problem with serialization occurs during creation of the validation error message (see #6756 (comment)).

jonchurch
jonchurch requested changes Dec 12, 2025
View reviewed changes
Copy link
Member

@jonchurch jonchurch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We centralize our validation for status codes in the .status method which sendStatus relies on.

Any changes to the validation should happen there.

@jonchurch jonchurch removed the 6.x label Dec 12, 2025
@jonchurch
Copy link
Member

jonchurch commented Dec 12, 2025

Also it's not an uncaught exception, we expect a throw for invalid status and it will be handled.

The enhancement would be the error message change, which makes this a very low prio change IMO.

wesleytodd
wesleytodd reviewed Dec 12, 2025
View reviewed changes
Copy link
Member

@wesleytodd wesleytodd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving as a comment since @jonchurch has a blocking review. But once those are changed consider this a ✅ from me.

lib/response.js Outdated
res.sendStatus = function sendStatus(statusCode) {
if (typeof statusCode !== 'number') {
throw new TypeError('Invalid status code: ' + statusCode);
}
Copy link
Member

@wesleytodd wesleytodd Dec 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed with @jonchurch, move this to res.status, but throwing for BigInt is the right way to go.

test/res.sendStatus.js Outdated
request(app)
.get('/')
.expect(500, /TypeError.*Invalid status code/, done)
})
Copy link
Member

@wesleytodd wesleytodd Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test will need to move to res.status.js after the other change.

@Vedant224
Copy link
Author

Vedant224 commented Dec 13, 2025

@jonchurch @wesleytodd I've updated the PR to address the feedback.
I moved the validation logic entirely to res.status, and res.sendStatus now calls that internally, so there are no duplicate checks.
I used typeof for the validation because standard string conversion turns 200n into "200", which makes the error message really confusing ("Invalid status code: 200"). By catching it early, we can show the actual issue ("Invalid status code: 200 (bigint)")..
As a side effect of using typeof, all invalid inputs (strings, null, objects) are now including their type in the error message (e.g., 200 (string) or null (object)).
All test cases are passing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wesleytodd wesleytodd wesleytodd left review comments

@bjohansebas bjohansebas bjohansebas left review comments

@jonchurch jonchurch jonchurch requested changes

+1 more reviewer

@shivarm shivarm shivarm left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TypeError: Do not know how to serialize a BigInt when using sendStatus with a BigNum instead of intended error message

7 participants

@Vedant224 @krzysdz @jonchurch @wesleytodd @spacejupiter @shivarm @bjohansebas