A Lightweight Typescript Library for Assertion-Based Runtime Data Validation

Posted5 months agoActive4 months ago

nayajunimesh

30 points

35 comments

github.comTechstory

calmmixed

Debate

60/100

TypescriptValidation LibrariesPerformance Optimization

Key topics

Typescript

Validation Libraries

Performance Optimization

A new lightweight TypeScript library for assertion-based runtime data validation is introduced, sparking discussion on its performance benefits and comparisons to existing libraries like Zod and arktype.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

N/A

Peak period

36-48h

Avg / period

5.8

Comment distribution35 data points

Loading chart...

Based on 35 loaded comments

Key moments

01Story posted
Aug 24, 2025 at 12:43 AM EDT
5 months ago
Step 01
02First comment
Aug 24, 2025 at 12:43 AM EDT
0s after posting
Step 02
03Peak activity
18 comments in 36-48h
Hottest window of the conversation
Step 03
04Latest activity
Aug 28, 2025 at 8:08 AM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (35 comments)

Showing 35 comments

nayajunimeshAuthor

5 months ago

1 reply

Most validation libraries like Zod create deep clones of your data during validation, which can impact performance in high-throughput applications. I built decode-kit to take a different approach: assertion-based validation that validates and narrows TypeScript types in-place, without any copying or transformation. Here's what the API looks like in practice:

import { object, string, number, validate } from "decode-kit";

// Example of untrusted data (e.g., from an API) const input: unknown = { id: 123, name: "Alice" };

// Validate the data (throws if validation fails) validate(input, object({ id: number(), name: string() }));

// `input` is now typed as { id: number; name: string } console.log(input.id, input.name);

When validation fails, decode-kit takes an equally thoughtful approach. Rather than being prescriptive about error formatting, it exposes a structured error system with an AST-like path that precisely indicates where validation failed. It does include a sensible default error message for debugging, but you can also traverse the error path to build whatever error handling approach fits your application - from simple logging to sophisticated user-facing messages.

The library also follows a fail-fast approach, immediately throwing when validation fails, which provides both better performance and clearer error messages by focusing on the first issue encountered.

I'd love to hear your thoughts and feedback on this approach.

kenward

5 months ago

1 reply

> fail-fast approach, immediately throwing when validation fails

would this mask any errors that would occur later in the validation?

nayajunimeshAuthor

5 months ago

1 reply

With the fail-fast approach, yes - unless we introduce an option to collect all errors. In my own applications, I have found this to be a better default because the 'average' requests is valid and paying a constant overhead just to be thorough on rare invalid cases can be wasteful.

My overall takeaway has mostly been to not optimize for the worst case by default. Keep fail-fast as baseline for boundaries and hot paths, and selectively enable “collect all” where it demonstrably saves human time.

yencabulator

4 months ago

1 reply

A useful counterexample, where one wants to see all errors, is validating form input. But it's very much ok to say your library is not meant for that use case!

nayajunimeshAuthor

4 months ago

1 reply

That is a good point! How do you feel about fail-fast by default but being able to configure a validator to collect all errors (like Zod does by default)? Something like array(number(), { failFast: false });

We currently expose error as a tree structure so that it's easy to map an error to a value or build custom error messages (we only provide debug error message) and I haven't been able to come up with a satisfactory error API that accommodates multiple error paths, but you raise an excellent point. Thanks for pointing out.

yencabulator

4 months ago

My instinct is to say keep it small, simple & focused.

scottmas

5 months ago

2 replies

The whole benefit over zod seems to be perf, so could you do some benchmarking? I wonder if it’s worth it

nayajunimeshAuthor

5 months ago

1 reply

Yes, the primary focus is memory efficiency; performance improvement is a side effect of that. From my own benchmarks, I have found that to be the case. If you're validating thousands of objects per second or working with memory constraints, the difference becomes quite significant. Happy to share the full benchmark code if you'd like to run them yourself!

typeofhuman

5 months ago

You should include this benchmark in your repo and README if you want to build trust.

I think anything that declares itself as a performance improvement over the competition ought to prove it!

nayajunimeshAuthor

4 months ago

Hey, I did some benchmarks if you're interested - benchmarks results are in the README.md.

https://github.com/nimeshnayaju/zod (Fork of Zod's repo which already included benchmarks comparing Zod 4 against Zod 3, so I simply integrated my validation library)

https://github.com/nimeshnayaju/valibot-benchmarks (An unofficial benchmark suggested in another comment comparing Valibot against Zod)

revskill

5 months ago

1 reply

Love it. I hate zod.

esafak

5 months ago

Why?

jasonlernerman

5 months ago

1 reply

arktype does this too!

matt-attack

5 months ago

Arktype is fantastic.

seabass

5 months ago

2 replies

I was surprised by the source including a bunch of try/catch, which results in deopts for that code path as far as I understand, given that the stated benefit over Zod and other validators was that this should be run in performance critical code. I’d be curious to see benchmarks that show whether this is faster than zod, valibot, and zod4 mini in hot code paths.

CharlesW

5 months ago

2 replies

OP, you could potentially leverage an existing benchmark suite: https://naruaway.github.io/valibot-benchmarks/

nayajunimeshAuthor

5 months ago

1 reply

Thank you, this is quite helpful. Will take a detailed look very soon!

typeofhuman

5 months ago

1 reply

How do you know you're tool is more performant?

nayajunimeshAuthor

4 months ago

Hey, I did some benchmarks if you're interested - benchmarks results are in the README.md.

https://github.com/nimeshnayaju/zod (Fork of Zod's repo which already included benchmarks comparing Zod 4 against Zod 3, so I simply integrated my validation library)

https://github.com/nimeshnayaju/valibot-benchmarks (An unofficial benchmark suggested in another comment comparing Valibot against Zod)

nayajunimeshAuthor

4 months ago

1 reply

Hey, thanks for the link! I was able to add the library to the benchmark quite easily. Here's the fork if you're interested:

https://github.com/nimeshnayaju/valibot-benchmarks

I have included the results I obtained from running the benchmark in the README.md. I'd love for you to also take a look at the changed code to see if I may have missed something with the integration. Curious to hear your feedback too!

CharlesW

4 months ago

Nicely done, and thanks for following up!

nayajunimeshAuthor

5 months ago

1 reply

We do use try/catch in a few places. However, in normal operations (valid input), no exceptions are thrown - the try/catch blocks are present in certain validators but do not execute their catch clauses. AFAIK, modern engines generally don’t impose large steady-state penalties merely for the presence of a try/catch when no exception is thrown; the measurable cost is usually when exceptions are actually thrown. When an element/property fails, the catch is used to construct precise error paths. That’s intentionally trading some failure-path overhead for better developer diagnostics.

In the new few days, I'll prepare benchmarks to compare with Zod and Valibot!

seabass

5 months ago

1 reply

The information I have on this could be outdated, so take this with a grain of salt, but it used to be the case that in hot code paths the presence of a try/catch would force a deoptimization whether or not you throw. The optimizing compiler in v8, for example, would specifically not run on any functions containing try/catch due to its inability to speculatively inline the optimized code. If you're feeling up to it, you can prove whether that is still the case with `d8 --allow-natives-syntax --trace-deopt ./your-script.js` and sprinkle in some `%OptimizeFunctionOnNextCall` in your code. I did a quick search for `try {` in the zod 4 source and didn't see anything, so I suspect that the performance issues surrounding try/catch are still at least somewhat around, unless they are simply avoiding try/catch for code cleanliness which could totally be the case. Regardless, I'd encourage you to look into whether plain old boolean return values in your validators would work for your project. Just include the `throw` part without all the `try/catch` and the code itself will likely be simpler, faster, and easy for the JIT to optimize. Good luck on those benchmarks.

nayajunimeshAuthor

4 months ago

Hey, this comment was actually very helpful. While running benchmarks, I noticed my union validator was consistently underperforming, and your insight about try/catch deoptimization made it much easier to pinpoint the issue. I ended up updating the validation logic to not use try catch frivolously and I saw significant performance improvement.

For benchmarks, I forked Zod, which already included benchmarks comparing Zod 4 against Zod 3. Here are the results (in README.md) if you're interested:

https://github.com/nimeshnayaju/zod

I noticed significantly better performance than both Zod 3 and Zod 4 across most validation scenarios (especially validations that involved rules like min/max length, etc), with the exception of simple object parsing.

I also forked another benchmark suggested in a different comment if you're interested (I noticed similar results).

https://github.com/nimeshnayaju/valibot-benchmarks

sizediterable

5 months ago

3 replies

Need it be said https://lexi-lambda.github.io/blog/2019/11/05/parse-don-t-va...

ale

5 months ago

1 reply

Libraries like these are meant for runtime validation. I agree though. I prefer to use the compiler itself (tsc --noEmit) than recreating the validation logic.

mirekrusin

5 months ago

It doesn't compete with static type system, it complements it. Static type system in typescript can't do anything with unknown/any values that are crossing i/o boundary - they require runtime assertion to bring them into statically typed, safer world.

tomjakubowski

5 months ago

1 reply

Libraries like runtypes, zod, et al. market themselves as validation libraries, but they function as parsing libraries in the sense this article means: with them you "parse" untyped POJOs at the I/O boundary and get typed values (or a raised exception) out the other end.

Typescript language features like branded types, private constructors can make it so those values can only be constructed through the parse method.

They're really not much different, in terms of type safety*, from something like Serde.

*: they are of course different in other important ways -- like that Serde can flexibly work with all kinds of serialized formats.

nayajunimeshAuthor

5 months ago

We actually use the idea of branded types in one of the validators (iso8601), and I also understand that it doesn't replace fully transformed values.

https://github.com/nimeshnayaju/valleys?tab=readme-ov-file#i...

nayajunimeshAuthor

5 months ago

I understand completely, and the library is intentionally unopinionated in that regard. We simply ensure that the value passed matches the provided schema and ruleset and refine the type in-place.

In certain cases (like validating that an input is ISO8601 format), we refine the input type to a branded type (we have a Iso8601 branded type). At runtime it's just a string, but at compile time TypeScript treats it as a distinct type that can only be obtained through validation. But, it is still not transforming or parsing the data in the way that the blog post intends, which is by design.

https://github.com/nimeshnayaju/valleys?tab=readme-ov-file#i...

gr4vityWall

5 months ago

1 reply

It would be nice to provide some benchmarks comparing it to Zod, arktype, etc. Comparing it across different runtimes (Node.js, Bun, web browsers, etc.) would be great, too.

nayajunimeshAuthor

4 months ago

1 reply

Hey, I did some benchmarks if you're interested - benchmarks results are in the README.md.

https://github.com/nimeshnayaju/zod (Fork of Zod's repo which already included benchmarks comparing Zod 4 against Zod 3, so I simply integrated my validation library)

https://github.com/nimeshnayaju/valibot-benchmarks (An unofficial benchmark from another user comparing Valibot against Zod)

gr4vityWall

4 months ago

Thanks, I appreciate that you added them. :)

They show a lot of potential and promising results. Any guess why Valley is slower for parsing objects with primitive values?

orangee

5 months ago

assertion-based API is a neat concept

cluckindan

5 months ago

This would be way more powerful if there was a way to infer a validator from a TypeScript type.

View full discussion on Hacker News

ID: 45001466Type: storyLast synced: 11/20/2025, 3:19:57 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN