@orpc/openapi-client 0.0.0-next.7c4acaa → 0.0.0-next.7ccd703

package/README.md

@@ -30,7 +30,8 @@
 - **🔗 End-to-End Type Safety**: Ensure type-safe inputs, outputs, and errors from client to server.
 - **📘 First-Class OpenAPI**: Built-in support that fully adheres to the OpenAPI standard.
 - **📝 Contract-First Development**: Optionally define your API contract before implementation.
-- **⚙️ Framework Integrations**: Seamlessly integrate with TanStack Query (React, Vue, Solid, Svelte), Pinia Colada, and more.
+- **🔍 First-Class OpenTelemetry**: Seamlessly integrate with OpenTelemetry for observability.
+- **⚙️ Framework Integrations**: Seamlessly integrate with TanStack Query (React, Vue, Solid, Svelte, Angular), Pinia Colada, and more.
 - **🚀 Server Actions**: Fully compatible with React Server Actions on Next.js, TanStack Start, and other platforms.
 - **🔠 Standard Schema Support**: Works out of the box with Zod, Valibot, ArkType, and other schema validators.
 - **🗃️ Native Types**: Supports native types like Date, File, Blob, BigInt, URL, and more.
@@ -38,7 +39,6 @@
 - **📡 SSE & Streaming**: Enjoy full type-safe support for SSE and streaming.
 - **🌍 Multi-Runtime Support**: Fast and lightweight on Cloudflare, Deno, Bun, Node.js, and beyond.
 - **🔌 Extendability**: Easily extend functionality with plugins, middleware, and interceptors.
-- **🛡️ Reliability**: Well-tested, TypeScript-based, production-ready, and MIT licensed.
 
 ## Documentation
 
@@ -49,13 +49,13 @@ You can find the full documentation [here](https://orpc.unnoq.com).
 - [@orpc/contract](https://www.npmjs.com/package/@orpc/contract): Build your API contract.
 - [@orpc/server](https://www.npmjs.com/package/@orpc/server): Build your API or implement API contract.
 - [@orpc/client](https://www.npmjs.com/package/@orpc/client): Consume your API on the client with type-safety.
+- [@orpc/openapi](https://www.npmjs.com/package/@orpc/openapi): Generate OpenAPI specs and handle OpenAPI requests.
+- [@orpc/otel](https://www.npmjs.com/package/@orpc/otel): [OpenTelemetry](https://opentelemetry.io/) integration for observability.
+- [@orpc/nest](https://www.npmjs.com/package/@orpc/nest): Deeply integrate oRPC with [NestJS](https://nestjs.com/).
 - [@orpc/react](https://www.npmjs.com/package/@orpc/react): Utilities for integrating oRPC with React and React Server Actions.
-- [@orpc/react-query](https://www.npmjs.com/package/@orpc/react-query): Integration with [React Query](https://tanstack.com/query/latest/docs/framework/react/overview).
-- [@orpc/vue-query](https://www.npmjs.com/package/@orpc/vue-query): Integration with [Vue Query](https://tanstack.com/query/latest/docs/framework/vue/overview).
-- [@orpc/solid-query](https://www.npmjs.com/package/@orpc/solid-query): Integration with [Solid Query](https://tanstack.com/query/latest/docs/framework/solid/overview).
-- [@orpc/svelte-query](https://www.npmjs.com/package/@orpc/svelte-query): Integration with [Svelte Query](https://tanstack.com/query/latest/docs/framework/svelte/overview).
+- [@orpc/tanstack-query](https://www.npmjs.com/package/@orpc/tanstack-query): [TanStack Query](https://tanstack.com/query/latest) integration.
 - [@orpc/vue-colada](https://www.npmjs.com/package/@orpc/vue-colada): Integration with [Pinia Colada](https://pinia-colada.esm.dev/).
-- [@orpc/openapi](https://www.npmjs.com/package/@orpc/openapi): Generate OpenAPI specs and handle OpenAPI requests.
+- [@orpc/hey-api](https://www.npmjs.com/package/@orpc/hey-api): [Hey API](https://heyapi.dev/) integration.
 - [@orpc/zod](https://www.npmjs.com/package/@orpc/zod): More schemas that [Zod](https://zod.dev/) doesn't support yet.
 - [@orpc/valibot](https://www.npmjs.com/package/@orpc/valibot): OpenAPI spec generation from [Valibot](https://valibot.dev/).
 - [@orpc/arktype](https://www.npmjs.com/package/@orpc/arktype): OpenAPI spec generation from [ArkType](https://arktype.io/).

package/dist/adapters/fetch/index.d.mts

@@ -1,7 +1,7 @@
 import { ClientContext } from '@orpc/client';
 import { LinkFetchClientOptions } from '@orpc/client/fetch';
 import { AnyContractRouter } from '@orpc/contract';
-import { f as StandardOpenAPILinkOptions, g as StandardOpenAPILink } from '../../shared/openapi-client.D_hC2pAM.mjs';
+import { g as StandardOpenAPILinkOptions, h as StandardOpenAPILink } from '../../shared/openapi-client.f2unmElJ.mjs';
 import '@orpc/client/standard';
 import '@orpc/shared';
 import '@orpc/standard-server';

package/dist/adapters/fetch/index.d.ts

@@ -1,7 +1,7 @@
 import { ClientContext } from '@orpc/client';
 import { LinkFetchClientOptions } from '@orpc/client/fetch';
 import { AnyContractRouter } from '@orpc/contract';
-import { f as StandardOpenAPILinkOptions, g as StandardOpenAPILink } from '../../shared/openapi-client.D_hC2pAM.js';
+import { g as StandardOpenAPILinkOptions, h as StandardOpenAPILink } from '../../shared/openapi-client.f2unmElJ.js';
 import '@orpc/client/standard';
 import '@orpc/shared';
 import '@orpc/standard-server';

package/dist/adapters/fetch/index.mjs

@@ -1,9 +1,9 @@
 import { LinkFetchClient } from '@orpc/client/fetch';
 import '@orpc/shared';
-import { b as StandardOpenAPILink } from '../../shared/openapi-client.D89vdV2Y.mjs';
+import '@orpc/contract';
+import { b as StandardOpenAPILink } from '../../shared/openapi-client.D3eD5ojB.mjs';
 import '@orpc/client';
 import '@orpc/client/standard';
-import '@orpc/contract';
 import '@orpc/standard-server';
 
 class OpenAPILink extends StandardOpenAPILink {

package/dist/adapters/standard/index.d.mts

@@ -1,10 +1,63 @@
-export { S as StandardBracketNotationSerialized, a as StandardBracketNotationSerializer, c as StandardOpenAPICustomJsonSerializer, b as StandardOpenAPIJsonSerialized, e as StandardOpenAPIJsonSerializer, d as StandardOpenAPIJsonSerializerOptions, g as StandardOpenAPILink, f as StandardOpenAPILinkOptions, j as StandardOpenAPISerializeOptions, k as StandardOpenAPISerializer, i as StandardOpenapiLinkCodec, h as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.D_hC2pAM.mjs';
+export { S as StandardBracketNotationSerialized, b as StandardBracketNotationSerializer, a as StandardBracketNotationSerializerOptions, d as StandardOpenAPICustomJsonSerializer, c as StandardOpenAPIJsonSerialized, f as StandardOpenAPIJsonSerializer, e as StandardOpenAPIJsonSerializerOptions, h as StandardOpenAPILink, g as StandardOpenAPILinkOptions, k as StandardOpenAPISerializeOptions, l as StandardOpenAPISerializer, j as StandardOpenapiLinkCodec, i as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.f2unmElJ.mjs';
 import { HTTPPath } from '@orpc/client';
 import '@orpc/client/standard';
 import '@orpc/contract';
 import '@orpc/shared';
 import '@orpc/standard-server';
 
+/**
+ * parse a form data with bracket notation
+ *
+ * @example
+ * ```ts
+ * const form = new FormData()
+ * form.append('a', '1')
+ * form.append('user[name]', 'John')
+ * form.append('user[age]', '20')
+ * form.append('user[friends][]', 'Bob')
+ * form.append('user[friends][]', 'Alice')
+ * form.append('user[friends][]', 'Charlie')
+ * form.append('thumb', new Blob(['hello']), 'thumb.png')
+ *
+ * parseFormData(form)
+ * // {
+ * //   a: '1',
+ * //   user: {
+ * //     name: 'John',
+ * //     age: '20',
+ * //     friends: ['Bob', 'Alice', 'Charlie'],
+ * //   },
+ * //   thumb: form.get('thumb'),
+ * // }
+ * ```
+ *
+ * @see {@link https://orpc.unnoq.com/docs/openapi/bracket-notation Bracket Notation Docs}
+ */
+declare function parseFormData(form: FormData): any;
+/**
+ * Get the issue message from the error.
+ *
+ * @param error - The error (can be anything) can contain `data.issues` (standard schema issues)
+ * @param path - The path of the field that has the issue follow [bracket notation](https://orpc.unnoq.com/docs/openapi/bracket-notation)
+ *
+ * @example
+ * ```tsx
+ * const { error, data, execute } = useServerAction(someAction)
+ *
+ * return <form action={(form) => execute(parseFormData(form))}>
+ *   <input name="user[name]" type="text" />
+ *   <p>{getIssueMessage(error, 'user[name]')}</p>
+ *
+ *   <input name="user[age]" type="number" />
+ *   <p>{getIssueMessage(error, 'user[age]')}</p>
+ *
+ *   <input name="images[]" type="file" />
+ *   <p>{getIssueMessage(error, 'images[]')}</p>
+ * </form>
+ *
+ */
+declare function getIssueMessage(error: unknown, path: string): string | undefined;
+
 /**
  * @internal
  */
@@ -17,4 +70,4 @@ declare function getDynamicParams(path: HTTPPath | undefined): {
     name: string;
 }[] | undefined;
 
-export { getDynamicParams, standardizeHTTPPath };
+export { getDynamicParams, getIssueMessage, parseFormData, standardizeHTTPPath };

package/dist/adapters/standard/index.d.ts

@@ -1,10 +1,63 @@
-export { S as StandardBracketNotationSerialized, a as StandardBracketNotationSerializer, c as StandardOpenAPICustomJsonSerializer, b as StandardOpenAPIJsonSerialized, e as StandardOpenAPIJsonSerializer, d as StandardOpenAPIJsonSerializerOptions, g as StandardOpenAPILink, f as StandardOpenAPILinkOptions, j as StandardOpenAPISerializeOptions, k as StandardOpenAPISerializer, i as StandardOpenapiLinkCodec, h as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.D_hC2pAM.js';
+export { S as StandardBracketNotationSerialized, b as StandardBracketNotationSerializer, a as StandardBracketNotationSerializerOptions, d as StandardOpenAPICustomJsonSerializer, c as StandardOpenAPIJsonSerialized, f as StandardOpenAPIJsonSerializer, e as StandardOpenAPIJsonSerializerOptions, h as StandardOpenAPILink, g as StandardOpenAPILinkOptions, k as StandardOpenAPISerializeOptions, l as StandardOpenAPISerializer, j as StandardOpenapiLinkCodec, i as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.f2unmElJ.js';
 import { HTTPPath } from '@orpc/client';
 import '@orpc/client/standard';
 import '@orpc/contract';
 import '@orpc/shared';
 import '@orpc/standard-server';
 
+/**
+ * parse a form data with bracket notation
+ *
+ * @example
+ * ```ts
+ * const form = new FormData()
+ * form.append('a', '1')
+ * form.append('user[name]', 'John')
+ * form.append('user[age]', '20')
+ * form.append('user[friends][]', 'Bob')
+ * form.append('user[friends][]', 'Alice')
+ * form.append('user[friends][]', 'Charlie')
+ * form.append('thumb', new Blob(['hello']), 'thumb.png')
+ *
+ * parseFormData(form)
+ * // {
+ * //   a: '1',
+ * //   user: {
+ * //     name: 'John',
+ * //     age: '20',
+ * //     friends: ['Bob', 'Alice', 'Charlie'],
+ * //   },
+ * //   thumb: form.get('thumb'),
+ * // }
+ * ```
+ *
+ * @see {@link https://orpc.unnoq.com/docs/openapi/bracket-notation Bracket Notation Docs}
+ */
+declare function parseFormData(form: FormData): any;
+/**
+ * Get the issue message from the error.
+ *
+ * @param error - The error (can be anything) can contain `data.issues` (standard schema issues)
+ * @param path - The path of the field that has the issue follow [bracket notation](https://orpc.unnoq.com/docs/openapi/bracket-notation)
+ *
+ * @example
+ * ```tsx
+ * const { error, data, execute } = useServerAction(someAction)
+ *
+ * return <form action={(form) => execute(parseFormData(form))}>
+ *   <input name="user[name]" type="text" />
+ *   <p>{getIssueMessage(error, 'user[name]')}</p>
+ *
+ *   <input name="user[age]" type="number" />
+ *   <p>{getIssueMessage(error, 'user[age]')}</p>
+ *
+ *   <input name="images[]" type="file" />
+ *   <p>{getIssueMessage(error, 'images[]')}</p>
+ * </form>
+ *
+ */
+declare function getIssueMessage(error: unknown, path: string): string | undefined;
+
 /**
  * @internal
  */
@@ -17,4 +70,4 @@ declare function getDynamicParams(path: HTTPPath | undefined): {
     name: string;
 }[] | undefined;
 
-export { getDynamicParams, standardizeHTTPPath };
+export { getDynamicParams, getIssueMessage, parseFormData, standardizeHTTPPath };

package/dist/adapters/standard/index.mjs

@@ -1,6 +1,43 @@
-export { S as StandardBracketNotationSerializer, a as StandardOpenAPIJsonSerializer, b as StandardOpenAPILink, d as StandardOpenAPISerializer, c as StandardOpenapiLinkCodec, g as getDynamicParams, s as standardizeHTTPPath } from '../../shared/openapi-client.D89vdV2Y.mjs';
+import { S as StandardBracketNotationSerializer } from '../../shared/openapi-client.D3eD5ojB.mjs';
+export { a as StandardOpenAPIJsonSerializer, b as StandardOpenAPILink, d as StandardOpenAPISerializer, c as StandardOpenapiLinkCodec, g as getDynamicParams, s as standardizeHTTPPath } from '../../shared/openapi-client.D3eD5ojB.mjs';
+import { isSchemaIssue } from '@orpc/contract';
+import { isTypescriptObject } from '@orpc/shared';
 import '@orpc/client/standard';
-import '@orpc/shared';
 import '@orpc/client';
-import '@orpc/contract';
 import '@orpc/standard-server';
+
+function parseFormData(form) {
+  const serializer = new StandardBracketNotationSerializer();
+  return serializer.deserialize(Array.from(form.entries()));
+}
+function getIssueMessage(error, path) {
+  if (!isTypescriptObject(error) || !isTypescriptObject(error.data) || !Array.isArray(error.data.issues)) {
+    return void 0;
+  }
+  const serializer = new StandardBracketNotationSerializer();
+  for (const issue of error.data.issues) {
+    if (!isSchemaIssue(issue)) {
+      continue;
+    }
+    if (issue.path === void 0) {
+      if (path === "") {
+        return issue.message;
+      }
+      continue;
+    }
+    const issuePath = serializer.stringifyPath(
+      issue.path.map((segment) => typeof segment === "object" ? segment.key.toString() : segment.toString())
+    );
+    if (issuePath === path) {
+      return issue.message;
+    }
+    if (path.endsWith("[]") && issuePath.replace(/\[(?:0|[1-9]\d*)\]$/, "[]") === path) {
+      return issue.message;
+    }
+    if (path === "" && issuePath.match(/(?:0|[1-9]\d*)$/)) {
+      return issue.message;
+    }
+  }
+}
+
+export { StandardBracketNotationSerializer, getIssueMessage, parseFormData };

package/dist/shared/{openapi-client.D89vdV2Y.mjs → openapi-client.D3eD5ojB.mjs}

@@ -1,10 +1,14 @@
 import { toHttpPath, getMalformedResponseErrorCode, StandardLink } from '@orpc/client/standard';
-import { isObject, value, get, isAsyncIteratorObject } from '@orpc/shared';
+import { isObject, NullProtoObj, value, get, isAsyncIteratorObject } from '@orpc/shared';
 import { isORPCErrorStatus, isORPCErrorJson, createORPCErrorFromJson, mapEventIterator, toORPCError } from '@orpc/client';
 import { isContractProcedure, fallbackContractConfig, ORPCError } from '@orpc/contract';
 import { mergeStandardHeaders, ErrorEvent } from '@orpc/standard-server';
 
 class StandardBracketNotationSerializer {
+  maxArrayIndex;
+  constructor(options = {}) {
+    this.maxArrayIndex = options.maxBracketNotationArrayIndex ?? 9999;
+  }
   serialize(data, segments = [], result = []) {
     if (Array.isArray(data)) {
       data.forEach((item, i) => {
@@ -34,20 +38,26 @@ class StandardBracketNotationSerializer {
           currentRef[nextSegment] = [];
         }
         if (i !== segments.length - 1) {
-          if (Array.isArray(currentRef[nextSegment]) && !isValidArrayIndex(segment)) {
-            currentRef[nextSegment] = { ...currentRef[nextSegment] };
+          if (Array.isArray(currentRef[nextSegment]) && !isValidArrayIndex(segment, this.maxArrayIndex)) {
+            if (arrayPushStyles.has(currentRef[nextSegment])) {
+              arrayPushStyles.delete(currentRef[nextSegment]);
+              currentRef[nextSegment] = pushStyleArrayToObject(currentRef[nextSegment]);
+            } else {
+              currentRef[nextSegment] = arrayToObject(currentRef[nextSegment]);
+            }
           }
         } else {
           if (Array.isArray(currentRef[nextSegment])) {
             if (segment === "") {
               if (currentRef[nextSegment].length && !arrayPushStyles.has(currentRef[nextSegment])) {
-                currentRef[nextSegment] = { ...currentRef[nextSegment] };
+                currentRef[nextSegment] = arrayToObject(currentRef[nextSegment]);
               }
             } else {
               if (arrayPushStyles.has(currentRef[nextSegment])) {
-                currentRef[nextSegment] = { "": currentRef[nextSegment].at(-1) };
-              } else if (!isValidArrayIndex(segment)) {
-                currentRef[nextSegment] = { ...currentRef[nextSegment] };
+                arrayPushStyles.delete(currentRef[nextSegment]);
+                currentRef[nextSegment] = pushStyleArrayToObject(currentRef[nextSegment]);
+              } else if (!isValidArrayIndex(segment, this.maxArrayIndex)) {
+                currentRef[nextSegment] = arrayToObject(currentRef[nextSegment]);
               }
             }
           }
@@ -55,12 +65,14 @@ class StandardBracketNotationSerializer {
         currentRef = currentRef[nextSegment];
         nextSegment = segment;
       });
-      if (Array.isArray(currentRef)) {
-        if (nextSegment === "") {
-          arrayPushStyles.add(currentRef);
-          currentRef.push(value);
+      if (Array.isArray(currentRef) && nextSegment === "") {
+        arrayPushStyles.add(currentRef);
+        currentRef.push(value);
+      } else if (nextSegment in currentRef) {
+        if (Array.isArray(currentRef[nextSegment])) {
+          currentRef[nextSegment].push(value);
         } else {
-          currentRef[Number(nextSegment)] = value;
+          currentRef[nextSegment] = [currentRef[nextSegment], value];
         }
       } else {
         currentRef[nextSegment] = value;
@@ -119,8 +131,20 @@ class StandardBracketNotationSerializer {
     return inBrackets || segments.length === 0 ? [path] : segments;
   }
 }
-function isValidArrayIndex(value) {
-  return /^0$|^[1-9]\d*$/.test(value);
+function isValidArrayIndex(value, maxIndex) {
+  return /^0$|^[1-9]\d*$/.test(value) && Number(value) <= maxIndex;
+}
+function arrayToObject(array) {
+  const obj = new NullProtoObj();
+  array.forEach((item, i) => {
+    obj[i] = item;
+  });
+  return obj;
+}
+function pushStyleArrayToObject(array) {
+  const obj = new NullProtoObj();
+  obj[""] = array.length === 1 ? array[0] : array;
+  return obj;
 }
 
 class StandardOpenAPIJsonSerializer {
@@ -329,6 +353,7 @@ class StandardOpenapiLinkCodec {
       return deserialized;
     }
     return {
+      status: response.status,
       headers: response.headers,
       body: deserialized
     };
@@ -403,7 +428,7 @@ class StandardOpenAPISerializer {
 class StandardOpenAPILink extends StandardLink {
   constructor(contract, linkClient, options) {
     const jsonSerializer = new StandardOpenAPIJsonSerializer(options);
-    const bracketNotationSerializer = new StandardBracketNotationSerializer();
+    const bracketNotationSerializer = new StandardBracketNotationSerializer({ maxBracketNotationArrayIndex: 4294967294 });
     const serializer = new StandardOpenAPISerializer(jsonSerializer, bracketNotationSerializer);
     const linkCodec = new StandardOpenapiLinkCodec(contract, serializer, options);
     super(linkCodec, linkClient, options);

package/dist/shared/{openapi-client.D_hC2pAM.d.mts → openapi-client.f2unmElJ.d.mts}

@@ -1,11 +1,29 @@
 import { ClientContext, ClientOptions } from '@orpc/client';
 import { StandardLinkCodec, StandardLinkOptions, StandardLink, StandardLinkClient } from '@orpc/client/standard';
 import { AnyContractRouter } from '@orpc/contract';
-import { Segment, Value } from '@orpc/shared';
+import { Segment, Value, Promisable } from '@orpc/shared';
 import { StandardHeaders, StandardRequest, StandardLazyResponse } from '@orpc/standard-server';
 
 type StandardBracketNotationSerialized = [string, unknown][];
+interface StandardBracketNotationSerializerOptions {
+    /**
+     * Maximum allowed array index for bracket notation deserialization.
+     *
+     * This helps protect against memory exhaustion attacks where malicious input
+     * uses extremely large array indices (e.g., `?arr[4294967296]=value`).
+     *
+     * While bracket notation creates sparse arrays that handle large indices efficiently,
+     * downstream code might inadvertently convert these sparse arrays to dense arrays,
+     * potentially creating millions of undefined elements and causing memory issues.
+     *
+     * @note Only applies to deserialization.
+     * @default 9_999 (array with 10,000 elements)
+     */
+    maxBracketNotationArrayIndex?: number;
+}
 declare class StandardBracketNotationSerializer {
+    private readonly maxArrayIndex;
+    constructor(options?: StandardBracketNotationSerializerOptions);
     serialize(data: unknown, segments?: Segment[], result?: StandardBracketNotationSerialized): StandardBracketNotationSerialized;
     deserialize(serialized: StandardBracketNotationSerialized): Record<string, unknown> | unknown[];
     stringifyPath(segments: readonly Segment[]): string;
@@ -44,7 +62,7 @@ interface StandardOpenapiLinkCodecOptions<T extends ClientContext> {
     /**
      * Base url for all requests.
      */
-    url: Value<string | URL, [
+    url: Value<Promisable<string | URL>, [
         options: ClientOptions<T>,
         path: readonly string[],
         input: unknown
@@ -52,7 +70,7 @@ interface StandardOpenapiLinkCodecOptions<T extends ClientContext> {
     /**
      * Inject headers to the request.
      */
-    headers?: Value<StandardHeaders, [
+    headers?: Value<Promisable<StandardHeaders>, [
         options: ClientOptions<T>,
         path: readonly string[],
         input: unknown
@@ -75,5 +93,5 @@ declare class StandardOpenAPILink<T extends ClientContext> extends StandardLink<
     constructor(contract: AnyContractRouter, linkClient: StandardLinkClient<T>, options: StandardOpenAPILinkOptions<T>);
 }
 
-export { StandardBracketNotationSerializer as a, StandardOpenAPIJsonSerializer as e, StandardOpenAPILink as g, StandardOpenapiLinkCodec as i, StandardOpenAPISerializer as k };
-export type { StandardBracketNotationSerialized as S, StandardOpenAPIJsonSerialized as b, StandardOpenAPICustomJsonSerializer as c, StandardOpenAPIJsonSerializerOptions as d, StandardOpenAPILinkOptions as f, StandardOpenapiLinkCodecOptions as h, StandardOpenAPISerializeOptions as j };
+export { StandardBracketNotationSerializer as b, StandardOpenAPIJsonSerializer as f, StandardOpenAPILink as h, StandardOpenapiLinkCodec as j, StandardOpenAPISerializer as l };
+export type { StandardBracketNotationSerialized as S, StandardBracketNotationSerializerOptions as a, StandardOpenAPIJsonSerialized as c, StandardOpenAPICustomJsonSerializer as d, StandardOpenAPIJsonSerializerOptions as e, StandardOpenAPILinkOptions as g, StandardOpenapiLinkCodecOptions as i, StandardOpenAPISerializeOptions as k };

package/dist/shared/{openapi-client.D_hC2pAM.d.ts → openapi-client.f2unmElJ.d.ts}

@@ -1,11 +1,29 @@
 import { ClientContext, ClientOptions } from '@orpc/client';
 import { StandardLinkCodec, StandardLinkOptions, StandardLink, StandardLinkClient } from '@orpc/client/standard';
 import { AnyContractRouter } from '@orpc/contract';
-import { Segment, Value } from '@orpc/shared';
+import { Segment, Value, Promisable } from '@orpc/shared';
 import { StandardHeaders, StandardRequest, StandardLazyResponse } from '@orpc/standard-server';
 
 type StandardBracketNotationSerialized = [string, unknown][];
+interface StandardBracketNotationSerializerOptions {
+    /**
+     * Maximum allowed array index for bracket notation deserialization.
+     *
+     * This helps protect against memory exhaustion attacks where malicious input
+     * uses extremely large array indices (e.g., `?arr[4294967296]=value`).
+     *
+     * While bracket notation creates sparse arrays that handle large indices efficiently,
+     * downstream code might inadvertently convert these sparse arrays to dense arrays,
+     * potentially creating millions of undefined elements and causing memory issues.
+     *
+     * @note Only applies to deserialization.
+     * @default 9_999 (array with 10,000 elements)
+     */
+    maxBracketNotationArrayIndex?: number;
+}
 declare class StandardBracketNotationSerializer {
+    private readonly maxArrayIndex;
+    constructor(options?: StandardBracketNotationSerializerOptions);
     serialize(data: unknown, segments?: Segment[], result?: StandardBracketNotationSerialized): StandardBracketNotationSerialized;
     deserialize(serialized: StandardBracketNotationSerialized): Record<string, unknown> | unknown[];
     stringifyPath(segments: readonly Segment[]): string;
@@ -44,7 +62,7 @@ interface StandardOpenapiLinkCodecOptions<T extends ClientContext> {
     /**
      * Base url for all requests.
      */
-    url: Value<string | URL, [
+    url: Value<Promisable<string | URL>, [
         options: ClientOptions<T>,
         path: readonly string[],
         input: unknown
@@ -52,7 +70,7 @@ interface StandardOpenapiLinkCodecOptions<T extends ClientContext> {
     /**
      * Inject headers to the request.
      */
-    headers?: Value<StandardHeaders, [
+    headers?: Value<Promisable<StandardHeaders>, [
         options: ClientOptions<T>,
         path: readonly string[],
         input: unknown
@@ -75,5 +93,5 @@ declare class StandardOpenAPILink<T extends ClientContext> extends StandardLink<
     constructor(contract: AnyContractRouter, linkClient: StandardLinkClient<T>, options: StandardOpenAPILinkOptions<T>);
 }
 
-export { StandardBracketNotationSerializer as a, StandardOpenAPIJsonSerializer as e, StandardOpenAPILink as g, StandardOpenapiLinkCodec as i, StandardOpenAPISerializer as k };
-export type { StandardBracketNotationSerialized as S, StandardOpenAPIJsonSerialized as b, StandardOpenAPICustomJsonSerializer as c, StandardOpenAPIJsonSerializerOptions as d, StandardOpenAPILinkOptions as f, StandardOpenapiLinkCodecOptions as h, StandardOpenAPISerializeOptions as j };
+export { StandardBracketNotationSerializer as b, StandardOpenAPIJsonSerializer as f, StandardOpenAPILink as h, StandardOpenapiLinkCodec as j, StandardOpenAPISerializer as l };
+export type { StandardBracketNotationSerialized as S, StandardBracketNotationSerializerOptions as a, StandardOpenAPIJsonSerialized as c, StandardOpenAPICustomJsonSerializer as d, StandardOpenAPIJsonSerializerOptions as e, StandardOpenAPILinkOptions as g, StandardOpenapiLinkCodecOptions as i, StandardOpenAPISerializeOptions as k };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@orpc/openapi-client",
   "type": "module",
-  "version": "0.0.0-next.7c4acaa",
+  "version": "0.0.0-next.7ccd703",
   "license": "MIT",
   "homepage": "https://orpc.unnoq.com",
   "repository": {
@@ -34,13 +34,13 @@
     "dist"
   ],
   "dependencies": {
-    "@orpc/client": "0.0.0-next.7c4acaa",
-    "@orpc/contract": "0.0.0-next.7c4acaa",
-    "@orpc/shared": "0.0.0-next.7c4acaa",
-    "@orpc/standard-server": "0.0.0-next.7c4acaa"
+    "@orpc/client": "0.0.0-next.7ccd703",
+    "@orpc/contract": "0.0.0-next.7ccd703",
+    "@orpc/standard-server": "0.0.0-next.7ccd703",
+    "@orpc/shared": "0.0.0-next.7ccd703"
   },
   "devDependencies": {
-    "@orpc/server": "0.0.0-next.7c4acaa"
+    "@orpc/server": "0.0.0-next.7ccd703"
   },
   "scripts": {
     "build": "unbuild",