anyvali 0.3.3 → 0.3.5

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.3.5](https://github.com/BetterCorp/AnyVali/compare/js-v0.3.4...js-v0.3.5) (2026-06-17)
+
+
+### Bug Fixes
+
+* infer default coercion source ([19577b3](https://github.com/BetterCorp/AnyVali/commit/19577b3d59e00e246fe2021c0b7e30e4196a5fa3))
+
+## [0.3.4](https://github.com/BetterCorp/AnyVali/compare/js-v0.3.3...js-v0.3.4) (2026-06-14)
+
+
+### Bug Fixes
+
+* **validation:** close cross-language coercion + regex-anchor bypasses ([5693efe](https://github.com/BetterCorp/AnyVali/commit/5693efe897c8289424c5e9ae897660a8e42f80bc))
+
 ## [0.3.3](https://github.com/BetterCorp/AnyVali/compare/js-v0.3.2...js-v0.3.3) (2026-06-03)
 
 

package/dist/parse/coerce.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"coerce.d.ts","sourceRoot":"","sources":["../../src/parse/coerce.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,MAAM,cAAc,GACtB;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,OAAO,CAAA;CAAE,GACjC;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAExC;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,OAAO,GACX,cAAc,CA4BhB;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,cAAc,EACtB,UAAU,EAAE,MAAM,GACjB,cAAc,CAqFhB"}
+{"version":3,"file":"coerce.d.ts","sourceRoot":"","sources":["../../src/parse/coerce.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAOlD,MAAM,MAAM,cAAc,GACtB;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,OAAO,CAAA;CAAE,GACjC;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAExC;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,OAAO,GACX,cAAc,CA4BhB;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,cAAc,EACtB,UAAU,EAAE,MAAM,GACjB,cAAc,CAuGhB"}

package/dist/parse/coerce.js

@@ -1,3 +1,7 @@
+// Decimal floating-point grammar: optional sign, digits with optional
+// fraction (or bare fraction), optional decimal exponent. Excludes hex/octal/
+// binary literals, Infinity and NaN that JS `Number()` would otherwise accept.
+const DECIMAL_FLOAT_RE = /^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$/;
 /**
  * Normalize coercion config from the corpus/interchange format.
  * The corpus uses strings like "string->int", "trim", "lower", "upper"
@@ -43,8 +47,15 @@ export function applyCoercion(input, config, targetType) {
             value = value.toUpperCase();
         }
     }
-    // Type coercion from string to target
-    if (config.from === "string" && typeof value === "string") {
+    // Type coercion from string to target.
+    // The only portable coercion source is "string" (spec 5.1), so enabling
+    // coercion on a non-string target (e.g. `number().coerce()`) implies a
+    // string source even when `from` is omitted. Without this, a bare
+    // `.coerce()` on a numeric/bool schema would silently no-op and the raw
+    // string would fail validation with invalid_type.
+    const isTypeTarget = targetType !== "string" && targetType !== "unknown";
+    const fromString = config.from === "string" || (config.from === undefined && isTypeTarget);
+    if (fromString && typeof value === "string") {
         switch (targetType) {
             case "int":
             case "int8":
@@ -82,6 +93,16 @@ export function applyCoercion(input, config, targetType) {
                         message: `Cannot coerce empty string to ${targetType}`,
                     };
                 }
+                // Spec 5.1: parse as DECIMAL floating-point. JS `Number()` also accepts
+                // hex (0x), octal (0o) and binary (0b) literals, which would let
+                // "0x10" slip through as 16 and bypass the decimal-only contract.
+                // Restrict to a decimal float grammar before parsing.
+                if (!DECIMAL_FLOAT_RE.test(trimmed)) {
+                    return {
+                        success: false,
+                        message: `Cannot coerce "${value}" to ${targetType}`,
+                    };
+                }
                 const num = Number(trimmed);
                 if (!Number.isFinite(num)) {
                     return {

package/dist/parse/coerce.js.map

@@ -1 +1 @@
-{"version":3,"file":"coerce.js","sourceRoot":"","sources":["../../src/parse/coerce.ts"],"names":[],"mappings":"AAMA;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,GAAY;IAEZ,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACnE,OAAO,GAAqB,CAAC;IAC/B,CAAC;IAED,MAAM,MAAM,GAAmB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAa,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAa,CAAC,CAAC;IAEnE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,aAAa,CAAC;YACnB,KAAK,gBAAgB,CAAC;YACtB,KAAK,cAAc;gBACjB,MAAM,CAAC,IAAI,GAAG,QAAQ,CAAC;gBACvB,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;gBACnB,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;gBACpB,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;gBACpB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAAc,EACd,MAAsB,EACtB,UAAkB;IAElB,IAAI,KAAK,GAAG,KAAK,CAAC;IAElB,2EAA2E;IAC3E,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAChB,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,KAAK,GAAI,KAAgB,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,KAAK,GAAI,KAAgB,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC1D,QAAQ,UAAU,EAAE,CAAC;YACnB,KAAK,KAAK,CAAC;YACX,KAAK,MAAM,CAAC;YACZ,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,QAAQ,CAAC;YACd,KAAK,QAAQ,CAAC;YACd,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7B,IAAI,OAAO,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC/C,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpD,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,KAAK,GAAG,GAAG,CAAC;gBACZ,MAAM;YACR,CAAC;YAED,KAAK,QAAQ,CAAC;YACd,KAAK,SAAS,CAAC;YACf,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7B,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;oBACnB,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,iCAAiC,UAAU,EAAE;qBACvD,CAAC;gBACJ,CAAC;gBACD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,KAAK,GAAG,GAAG,CAAC;gBACZ,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBACzC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;oBACtC,KAAK,GAAG,IAAI,CAAC;gBACf,CAAC;qBAAM,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;oBAC9C,KAAK,GAAG,KAAK,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,WAAW;qBAC5C,CAAC;gBACJ,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClC,CAAC"}
+{"version":3,"file":"coerce.js","sourceRoot":"","sources":["../../src/parse/coerce.ts"],"names":[],"mappings":"AAEA,sEAAsE;AACtE,8EAA8E;AAC9E,+EAA+E;AAC/E,MAAM,gBAAgB,GAAG,6CAA6C,CAAC;AAMvE;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,GAAY;IAEZ,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACnE,OAAO,GAAqB,CAAC;IAC/B,CAAC;IAED,MAAM,MAAM,GAAmB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAa,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAa,CAAC,CAAC;IAEnE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,aAAa,CAAC;YACnB,KAAK,gBAAgB,CAAC;YACtB,KAAK,cAAc;gBACjB,MAAM,CAAC,IAAI,GAAG,QAAQ,CAAC;gBACvB,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;gBACnB,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;gBACpB,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;gBACpB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAAc,EACd,MAAsB,EACtB,UAAkB;IAElB,IAAI,KAAK,GAAG,KAAK,CAAC;IAElB,2EAA2E;IAC3E,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAChB,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,KAAK,GAAI,KAAgB,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,KAAK,GAAI,KAAgB,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,wEAAwE;IACxE,uEAAuE;IACvE,kEAAkE;IAClE,wEAAwE;IACxE,kDAAkD;IAClD,MAAM,YAAY,GAAG,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,SAAS,CAAC;IACzE,MAAM,UAAU,GACd,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,YAAY,CAAC,CAAC;IAC1E,IAAI,UAAU,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC5C,QAAQ,UAAU,EAAE,CAAC;YACnB,KAAK,KAAK,CAAC;YACX,KAAK,MAAM,CAAC;YACZ,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,QAAQ,CAAC;YACd,KAAK,QAAQ,CAAC;YACd,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7B,IAAI,OAAO,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC/C,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpD,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,KAAK,GAAG,GAAG,CAAC;gBACZ,MAAM;YACR,CAAC;YAED,KAAK,QAAQ,CAAC;YACd,KAAK,SAAS,CAAC;YACf,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7B,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;oBACnB,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,iCAAiC,UAAU,EAAE;qBACvD,CAAC;gBACJ,CAAC;gBACD,wEAAwE;gBACxE,iEAAiE;gBACjE,kEAAkE;gBAClE,sDAAsD;gBACtD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpC,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,QAAQ,UAAU,EAAE;qBACrD,CAAC;gBACJ,CAAC;gBACD,KAAK,GAAG,GAAG,CAAC;gBACZ,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBACzC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;oBACtC,KAAK,GAAG,IAAI,CAAC;gBACf,CAAC;qBAAM,IAAI,KAAK,KAAK,OAAO,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;oBAC9C,KAAK,GAAG,KAAK,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kBAAkB,KAAK,WAAW;qBAC5C,CAAC;gBACJ,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClC,CAAC"}

package/dist/schemas/number.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"number.d.ts","sourceRoot":"","sources":["../../src/schemas/number.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAIvC,qBAAa,YAAa,SAAQ,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC;IAC1D,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC;IAC5B,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IACjC,SAAS,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IACjC,SAAS,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAEnB,IAAI,GAAE,UAAqB;IAKvC,kBAAkB,IAAI,MAAM;IAI5B,GAAG,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAMpB,GAAG,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAMpB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAM7B,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAM7B,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAM3B,SAAS,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO;IAgBrD,SAAS,CAAC,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,YAAY,GAAG,IAAI;IA0DpE,OAAO,IAAI,UAAU;CAYtB;AAED,qBAAa,aAAc,SAAQ,YAAY;;CAI9C;AAED,qBAAa,aAAc,SAAQ,YAAY;;CAI9C"}
+{"version":3,"file":"number.d.ts","sourceRoot":"","sources":["../../src/schemas/number.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAOvC,qBAAa,YAAa,SAAQ,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC;IAC1D,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC;IAC5B,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IACjC,SAAS,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IACjC,SAAS,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAEnB,IAAI,GAAE,UAAqB;IAKvC,kBAAkB,IAAI,MAAM;IAI5B,GAAG,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAMpB,GAAG,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAMpB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAM7B,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAM7B,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAM3B,SAAS,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO;IA8BrD,SAAS,CAAC,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,YAAY,GAAG,IAAI;IA0DpE,OAAO,IAAI,UAAU;CAYtB;AAED,qBAAa,aAAc,SAAQ,YAAY;;CAI9C;AAED,qBAAa,aAAc,SAAQ,YAAY;;CAI9C"}

package/dist/schemas/number.js

@@ -1,6 +1,8 @@
 import { BaseSchema } from "./base.js";
 import { ISSUE_CODES } from "../issue-codes.js";
 import { describeType } from "../util.js";
+/** Largest finite magnitude representable in IEEE 754 binary32. */
+const FLOAT32_MAX = 3.4028234663852886e38;
 export class NumberSchema extends BaseSchema {
     _kind;
     _min;
@@ -51,6 +53,19 @@ export class NumberSchema extends BaseSchema {
             });
             return undefined;
         }
+        // float32 MUST reject values outside the binary32 representable range
+        // (spec 1.4). Without this, float32 silently accepts any float64 value,
+        // defeating the narrowing guarantee.
+        if (this._kind === "float32" && input !== 0 && Math.abs(input) > FLOAT32_MAX) {
+            ctx.issues.push({
+                code: ISSUE_CODES.TOO_LARGE,
+                message: `Value ${input} is outside the float32 range`,
+                path: [...ctx.path],
+                expected: "float32",
+                received: String(input),
+            });
+            return undefined;
+        }
         this._validateConstraints(input, ctx);
         return input;
     }

package/dist/schemas/number.js.map

@@ -1 +1 @@
-{"version":3,"file":"number.js","sourceRoot":"","sources":["../../src/schemas/number.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,MAAM,OAAO,YAAa,SAAQ,UAA0B;IAChD,KAAK,CAAa;IAClB,IAAI,CAAU;IACd,IAAI,CAAU;IACd,aAAa,CAAU;IACvB,aAAa,CAAU;IACvB,WAAW,CAAU;IAE/B,YAAY,OAAmB,QAAQ;QACrC,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAED,kBAAkB;QAChB,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,GAAG,CAAC,CAAS;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;IAED,GAAG,CAAC,CAAS;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY,CAAC,CAAS;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY,CAAC,CAAS;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,UAAU,CAAC,CAAS;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS,CAAC,KAAc,EAAE,GAAiB;QACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,YAAY;gBAC9B,OAAO,EAAE,YAAY,IAAI,CAAC,KAAK,cAAc,YAAY,CAAC,KAAK,CAAC,EAAE;gBAClE,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,IAAI,CAAC,KAAK;gBACpB,QAAQ,EAAE,YAAY,CAAC,KAAK,CAAC;aAC9B,CAAC,CAAC;YACH,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAES,oBAAoB,CAAC,GAAW,EAAE,GAAiB;QAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,qBAAqB,IAAI,CAAC,IAAI,EAAE;gBACzC,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC3B,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,qBAAqB,IAAI,CAAC,IAAI,EAAE;gBACzC,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC3B,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,IAAI,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,oBAAoB,IAAI,CAAC,aAAa,EAAE;gBACjD,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;gBACpC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,IAAI,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,oBAAoB,IAAI,CAAC,aAAa,EAAE;gBACjD,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;gBACpC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC;YACzC,IACE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,KAAK;gBAC3B,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,KAAK,EAC9C,CAAC;gBACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,WAAW,CAAC,cAAc;oBAChC,OAAO,EAAE,gCAAgC,IAAI,CAAC,WAAW,EAAE;oBAC3D,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;oBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC;oBAClC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,IAAI,GAA4B,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;YAAE,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC;QAClD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;YAAE,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC;QAClD,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;YAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;YAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;YAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;QACvE,IAAI,CAAC,WAAW,CAAC,IAA6B,CAAC,CAAC;QAChD,OAAO,IAA6B,CAAC;IACvC,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,YAAY;IAC7C;QACE,KAAK,CAAC,SAAS,CAAC,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,YAAY;IAC7C;QACE,KAAK,CAAC,SAAS,CAAC,CAAC;IACnB,CAAC;CACF"}
+{"version":3,"file":"number.js","sourceRoot":"","sources":["../../src/schemas/number.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C,mEAAmE;AACnE,MAAM,WAAW,GAAG,qBAAqB,CAAC;AAE1C,MAAM,OAAO,YAAa,SAAQ,UAA0B;IAChD,KAAK,CAAa;IAClB,IAAI,CAAU;IACd,IAAI,CAAU;IACd,aAAa,CAAU;IACvB,aAAa,CAAU;IACvB,WAAW,CAAU;IAE/B,YAAY,OAAmB,QAAQ;QACrC,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAED,kBAAkB;QAChB,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,GAAG,CAAC,CAAS;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;IAED,GAAG,CAAC,CAAS;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY,CAAC,CAAS;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY,CAAC,CAAS;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,UAAU,CAAC,CAAS;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS,CAAC,KAAc,EAAE,GAAiB;QACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,YAAY;gBAC9B,OAAO,EAAE,YAAY,IAAI,CAAC,KAAK,cAAc,YAAY,CAAC,KAAK,CAAC,EAAE;gBAClE,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,IAAI,CAAC,KAAK;gBACpB,QAAQ,EAAE,YAAY,CAAC,KAAK,CAAC;aAC9B,CAAC,CAAC;YACH,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,sEAAsE;QACtE,wEAAwE;QACxE,qCAAqC;QACrC,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,WAAW,EAAE,CAAC;YAC7E,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,SAAS,KAAK,+BAA+B;gBACtD,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC;aACxB,CAAC,CAAC;YACH,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAES,oBAAoB,CAAC,GAAW,EAAE,GAAiB;QAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,qBAAqB,IAAI,CAAC,IAAI,EAAE;gBACzC,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC3B,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,qBAAqB,IAAI,CAAC,IAAI,EAAE;gBACzC,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC3B,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,IAAI,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,oBAAoB,IAAI,CAAC,aAAa,EAAE;gBACjD,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;gBACpC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,IAAI,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,WAAW,CAAC,SAAS;gBAC3B,OAAO,EAAE,oBAAoB,IAAI,CAAC,aAAa,EAAE;gBACjD,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;gBACpC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC;YACzC,IACE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,KAAK;gBAC3B,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,KAAK,EAC9C,CAAC;gBACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,WAAW,CAAC,cAAc;oBAChC,OAAO,EAAE,gCAAgC,IAAI,CAAC,WAAW,EAAE;oBAC3D,IAAI,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC;oBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC;oBAClC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,IAAI,GAA4B,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;YAAE,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC;QAClD,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;YAAE,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC;QAClD,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;YAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;YAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;QACzC,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;YAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;QACvE,IAAI,CAAC,WAAW,CAAC,IAA6B,CAAC,CAAC;QAChD,OAAO,IAA6B,CAAC;IACvC,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,YAAY;IAC7C;QACE,KAAK,CAAC,SAAS,CAAC,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,YAAY;IAC7C;QACE,KAAK,CAAC,SAAS,CAAC,CAAC;IACnB,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "anyvali",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "Native validation with portable schema interchange",
   "homepage": "https://anyvali.com",
   "repository": {

package/src/parse/coerce.ts

@@ -1,5 +1,10 @@
 import type { CoercionConfig } from "../types.js";
 
+// Decimal floating-point grammar: optional sign, digits with optional
+// fraction (or bare fraction), optional decimal exponent. Excludes hex/octal/
+// binary literals, Infinity and NaN that JS `Number()` would otherwise accept.
+const DECIMAL_FLOAT_RE = /^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$/;
+
 export type CoercionResult =
   | { success: true; value: unknown }
   | { success: false; message: string };
@@ -61,8 +66,16 @@ export function applyCoercion(
     }
   }
 
-  // Type coercion from string to target
-  if (config.from === "string" && typeof value === "string") {
+  // Type coercion from string to target.
+  // The only portable coercion source is "string" (spec 5.1), so enabling
+  // coercion on a non-string target (e.g. `number().coerce()`) implies a
+  // string source even when `from` is omitted. Without this, a bare
+  // `.coerce()` on a numeric/bool schema would silently no-op and the raw
+  // string would fail validation with invalid_type.
+  const isTypeTarget = targetType !== "string" && targetType !== "unknown";
+  const fromString =
+    config.from === "string" || (config.from === undefined && isTypeTarget);
+  if (fromString && typeof value === "string") {
     switch (targetType) {
       case "int":
       case "int8":
@@ -101,6 +114,16 @@ export function applyCoercion(
             message: `Cannot coerce empty string to ${targetType}`,
           };
         }
+        // Spec 5.1: parse as DECIMAL floating-point. JS `Number()` also accepts
+        // hex (0x), octal (0o) and binary (0b) literals, which would let
+        // "0x10" slip through as 16 and bypass the decimal-only contract.
+        // Restrict to a decimal float grammar before parsing.
+        if (!DECIMAL_FLOAT_RE.test(trimmed)) {
+          return {
+            success: false,
+            message: `Cannot coerce "${value}" to ${targetType}`,
+          };
+        }
         const num = Number(trimmed);
         if (!Number.isFinite(num)) {
           return {

package/src/schemas/number.ts

@@ -3,6 +3,9 @@ import { BaseSchema } from "./base.js";
 import { ISSUE_CODES } from "../issue-codes.js";
 import { describeType } from "../util.js";
 
+/** Largest finite magnitude representable in IEEE 754 binary32. */
+const FLOAT32_MAX = 3.4028234663852886e38;
+
 export class NumberSchema extends BaseSchema<number, number> {
   protected _kind: SchemaKind;
   protected _min?: number;
@@ -62,6 +65,20 @@ export class NumberSchema extends BaseSchema<number, number> {
       return undefined;
     }
 
+    // float32 MUST reject values outside the binary32 representable range
+    // (spec 1.4). Without this, float32 silently accepts any float64 value,
+    // defeating the narrowing guarantee.
+    if (this._kind === "float32" && input !== 0 && Math.abs(input) > FLOAT32_MAX) {
+      ctx.issues.push({
+        code: ISSUE_CODES.TOO_LARGE,
+        message: `Value ${input} is outside the float32 range`,
+        path: [...ctx.path],
+        expected: "float32",
+        received: String(input),
+      });
+      return undefined;
+    }
+
     this._validateConstraints(input, ctx);
     return input;
   }

package/tests/unit/number.test.ts

@@ -1,5 +1,5 @@
 import { describe, it, expect } from "vitest";
-import { number, float32, float64, int, int8, int16, int32, int64, uint8, uint16, uint32, uint64 } from "../../src/index.js";
+import { number, float32, float64, int, int8, int16, int32, int64, uint8, uint16, uint32, uint64, object } from "../../src/index.js";
 
 describe("NumberSchema", () => {
   it("accepts valid numbers", () => {
@@ -61,6 +61,43 @@ describe("NumberSchema", () => {
     expect(result.success).toBe(false);
     if (!result.success) expect(result.issues[0].code).toBe("coercion_failed");
   });
+
+  // Bare `.coerce()` (no args) must imply string source on a numeric target.
+  // Regression: previously no-op'd, so a string input failed with invalid_type.
+  it("coerces string to number with no-arg coerce()", () => {
+    const s = number().coerce();
+    expect(s.parse("3.14")).toBe(3.14);
+  });
+
+  // Full string->number coercion matrix (no-arg form). ASCII decimal float
+  // incl. exponent, trimmed. No hex/Infinity/NaN/underscores.
+  describe("string->number matrix via no-arg coerce()", () => {
+    const s = number().coerce();
+
+    it.each([
+      ["3.14", 3.14],
+      ["-1.5e3", -1500],
+      ["  2  ", 2],
+      ["0", 0],
+    ])("accepts %j -> %j", (input, expected) => {
+      expect(s.parse(input as string)).toBe(expected);
+    });
+
+    it.each([
+      "0x10",
+      "Infinity",
+      "NaN",
+      "",
+      "1_000",
+      "abc",
+    ])("rejects %j with coercion_failed", (input) => {
+      const result = s.safeParse(input);
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        expect(result.issues[0].code).toBe("coercion_failed");
+      }
+    });
+  });
 });
 
 describe("Float32Schema", () => {
@@ -102,6 +139,66 @@ describe("IntSchema", () => {
     const result = s.safeParse("3.14");
     expect(result.success).toBe(false);
   });
+
+  it("coerces string to int with no-arg coerce()", () => {
+    const s = int().coerce();
+    expect(s.parse("42")).toBe(42);
+  });
+
+  // Full string->int coercion matrix (no-arg form). ASCII `^-?\d+$`, trimmed.
+  describe("string->int matrix via no-arg coerce()", () => {
+    const s = int().coerce();
+
+    it.each([
+      ["42", 42],
+      ["  42  ", 42],
+      ["-7", -7],
+    ])("accepts %j -> %j", (input, expected) => {
+      expect(s.parse(input as string)).toBe(expected);
+    });
+
+    it.each([
+      "3.14",
+      "0x10",
+      "1_000",
+      "+5",
+      "Infinity",
+      "",
+      "abc",
+    ])("rejects %j with coercion_failed", (input) => {
+      const result = s.safeParse(input);
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        expect(result.issues[0].code).toBe("coercion_failed");
+      }
+    });
+  });
+});
+
+// Reproduces the reported field-level coercion failure: an object whose
+// numeric fields use bare `.coerce()` must coerce string inputs, not reject
+// them with invalid_type.
+describe("object with no-arg coerce() on numeric fields", () => {
+  it("coerces all string fields to numbers", () => {
+    const schema = object({
+      lumpSum: number().coerce().min(0),
+      monthlyContributions: number().coerce().min(0),
+      investmentTerm: number().coerce().min(1),
+    });
+    const result = schema.safeParse({
+      lumpSum: "1000000",
+      monthlyContributions: "1000",
+      investmentTerm: "20",
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data).toEqual({
+        lumpSum: 1000000,
+        monthlyContributions: 1000,
+        investmentTerm: 20,
+      });
+    }
+  });
 });
 
 describe("Int8Schema", () => {

package/tests/unit/primitives.test.ts

@@ -35,6 +35,47 @@ describe("BoolSchema", () => {
     expect(result.success).toBe(false);
     if (!result.success) expect(result.issues[0].code).toBe("coercion_failed");
   });
+
+  it("coerces string to bool with no-arg coerce()", () => {
+    const s = bool().coerce();
+    expect(s.parse("true")).toBe(true);
+    expect(s.parse("false")).toBe(false);
+  });
+
+  // Full string->bool coercion matrix (no-arg form). Trim + case-insensitive.
+  // true <- "true"/"TRUE"/"1"; false <- "false"/"0". Nothing else.
+  describe("string->bool matrix via no-arg coerce()", () => {
+    const s = bool().coerce();
+
+    it.each([
+      ["true", true],
+      ["TRUE", true],
+      ["1", true],
+      ["  true  ", true],
+      ["false", false],
+      ["0", false],
+      ["  FALSE  ", false],
+    ])("accepts %j -> %j", (input, expected) => {
+      expect(s.parse(input as string)).toBe(expected);
+    });
+
+    it.each([
+      "yes",
+      "no",
+      "on",
+      "off",
+      "t",
+      "f",
+      "2",
+      "",
+    ])("rejects %j with coercion_failed", (input) => {
+      const result = s.safeParse(input);
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        expect(result.issues[0].code).toBe("coercion_failed");
+      }
+    });
+  });
 });
 
 describe("NullSchema", () => {

package/tests/unit/security.test.ts

@@ -61,6 +61,41 @@ describe("CVE-2016-4055 / CVE-2022-25883 - ReDoS catastrophic backtracking", ()
   });
 });
 
+// ---------------------------------------------------------------------------
+// 1b. Regex anchor newline bypass - CWE-20 / spec 3.1
+// ---------------------------------------------------------------------------
+// ECMA-262 is the portable baseline: "^"/"$" without the multiline flag match
+// only the start/end of the whole string. JS already enforces this; these tests
+// lock the invariant so it stays consistent with the other SDKs (which rewrite
+// "^"/"$" to absolute anchors). A trailing-newline match would be a whitelist
+// (newline/CRLF/log-injection) bypass.
+describe("CWE-20 - regex anchor newline bypass", () => {
+  it("$ anchor does not match before a trailing newline", () => {
+    const s = string().pattern("^[a-z]+$");
+    expect(s.safeParse("abc").success).toBe(true);
+    expect(s.safeParse("abc\n").success).toBe(false);
+    expect(s.safeParse("abc\nEVIL").success).toBe(false);
+  });
+
+  it("^ anchor is string-start, not line-start", () => {
+    const s = string().pattern("^admin$");
+    expect(s.safeParse("admin").success).toBe(true);
+    expect(s.safeParse("x\nadmin").success).toBe(false);
+    expect(s.safeParse("admin\n").success).toBe(false);
+  });
+
+  it("applies the same anchoring to imported patterns", () => {
+    const schema = importSchema({
+      anyvaliVersion: "1.0",
+      schemaVersion: "1.1",
+      root: { kind: "string", pattern: "^[a-z]+$" },
+      definitions: {},
+      extensions: {},
+    });
+    expect(schema.safeParse("abc\n").success).toBe(false);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // 2. Prototype Pollution - CVE-2019-10744 / CVE-2020-8203
 // ---------------------------------------------------------------------------
@@ -416,6 +451,93 @@ describe("CWE-190 - Integer overflow and boundary checks", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// 4b. float32 range bypass - CWE-20 / spec 1.4
+// ---------------------------------------------------------------------------
+// float32 MUST reject values outside the binary32 representable range. If it
+// silently accepts any float64, a schema using float32 as a narrowing guard is
+// bypassed: a value that cannot survive a round-trip through a real 32-bit
+// float passes validation and is later truncated to Infinity downstream.
+describe("CWE-20 - float32 out-of-range bypass", () => {
+  it("rejects a value just above the float32 maximum", () => {
+    // 3.5e38 > FLT_MAX (~3.4028e38)
+    const result = float32().safeParse(3.5e38);
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.issues[0].code).toBe("too_large");
+    }
+  });
+
+  it("rejects a value far above the float32 range", () => {
+    expect(float32().safeParse(1e300).success).toBe(false);
+  });
+
+  it("rejects a large negative value below the float32 range", () => {
+    expect(float32().safeParse(-1e300).success).toBe(false);
+  });
+
+  it("accepts values inside the float32 range and zero", () => {
+    expect(float32().safeParse(1.5).success).toBe(true);
+    expect(float32().safeParse(0).success).toBe(true);
+    expect(float32().safeParse(3.4e38).success).toBe(true);
+  });
+
+  it("rejects out-of-range float32 imported from interchange", () => {
+    const schema = importSchema({
+      anyvaliVersion: "1.0",
+      schemaVersion: "1.1",
+      root: { kind: "float32" },
+      definitions: {},
+      extensions: {},
+    });
+    expect(schema.safeParse(3.5e38).success).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 4c. string->number coercion bypass - CWE-20 / spec 5.1
+// ---------------------------------------------------------------------------
+// string->number coercion MUST parse decimal floating-point only. JS Number()
+// also accepts hex/octal/binary literals, so "0x10" would coerce to 16 and slip
+// past a decimal-only contract (and diverge from every other SDK).
+describe("CWE-20 - non-decimal string->number coercion bypass", () => {
+  const c = number().coerce({ from: "string" });
+
+  it("rejects hexadecimal literal strings", () => {
+    expect(c.safeParse("0x10").success).toBe(false);
+  });
+
+  it("rejects octal literal strings", () => {
+    expect(c.safeParse("0o17").success).toBe(false);
+  });
+
+  it("rejects binary literal strings", () => {
+    expect(c.safeParse("0b101").success).toBe(false);
+  });
+
+  it("rejects Infinity literal strings", () => {
+    expect(c.safeParse("Infinity").success).toBe(false);
+    expect(c.safeParse("-Infinity").success).toBe(false);
+  });
+
+  it("still accepts ordinary decimal and exponential strings", () => {
+    expect(c.parse("3.14")).toBe(3.14);
+    expect(c.parse("  -42 ")).toBe(-42);
+    expect(c.parse("1e3")).toBe(1000);
+  });
+
+  it("rejects hex coercion imported from interchange", () => {
+    const schema = importSchema({
+      anyvaliVersion: "1.0",
+      schemaVersion: "1.1",
+      root: { kind: "number", coerce: "string->number" },
+      definitions: {},
+      extensions: {},
+    });
+    expect(schema.safeParse("0x10").success).toBe(false);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // 5. NaN/Infinity injection - CWE-20
 // ---------------------------------------------------------------------------