TypeScript, Security, and Type Juggling with Ariel Shulman & Liran Tal - JSJ 679

12 snips

May 29, 2025

Ariel Shulman, a TypeScript expert and full stack developer, and Liran Tal, a security advocate from Snyk, dive into the nuances of TypeScript and its security implications. They discuss how TypeScript is widely adopted, yet often misinterpreted as a security tool. Key insights include the concept of type juggling and the vulnerabilities it can introduce. They also explore Zod for runtime type checking, highlighting its pros and pitfalls. Join them as they unpack the balance between type safety and real-world application complexities.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

TypeScript Isn't a Security Tool

TypeScript is widely adopted but not a security tool as it only provides build-time checking.
Developers often have misplaced trust in TypeScript for security, which can lead to vulnerabilities.

INSIGHT

Types Disappear at Runtime

TypeScript type checking happens only during build time and does not affect runtime.
Types disappear when code runs, so runtime errors due to unexpected types can still occur.

ADVICE

Be Cautious with 'any' and Casts

Avoid using the "any" type where possible as it breaks TypeScript's reliability.
Use localized casts like "as unknown as string" cautiously when necessary but keep them minimal.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode, we dove headfirst into the swirling waters of TypeScript, its real-world use cases, and where it starts to fall short—especially when it comes to security. Joining us from sunny Tel Aviv (and a slightly cooler Portland), we had the brilliant Ariel Shulman and security advocate Liran Tal bring the heat on everything from type safety to runtime vulnerabilities.

We started off with a friendly debate: Has TypeScript really taken over the world? Our verdict? Pretty much. Whether it’s starter projects, enterprise codebases, or AI-generated snippets, TypeScript has become the de facto standard. But as we quickly found out, that doesn’t mean it’s perfect.

Key Takeaways:
-TypeScript ≠ Security
We tend to trust TypeScript a bit too much. It’s a build-time tool, not a runtime enforcer. As Liran pointed out, “TypeScript is not a security tool,” and treating it like one leads to dangerous assumptions.
-Type Juggling is Real (and Sneaky)
We explored how something as innocent as using as string on request data can open the door to vulnerabilities like HTTP parameter pollution and prototype pollution. Just because your IDE is happy doesn’t mean your runtime is.
-Enter Zod – Runtime Type Checking to the Rescue?
Zod got some love for bridging the dev-time/runtime gap by validating data on the fly and inferring TypeScript types. But even Zod isn’t foolproof. For example, unless you're using .strict(), extra fields can sneak past your validations, leading to mass assignment bugs.
-Common Developer Fallacies
We discussed the misplaced confidence developers have in things like code coverage and TypeScript alone. One of the big takeaways: defense in depth matters. Just like testing, layering your security practices (like using Zod, type guards, and proper sanitization) is key.
-TypeScript Best Practices Are Evolving
From discriminated unions to avoiding any, from using Maps over plain objects to prevent prototype pollution—TypeScript developers are adapting. And tools like modern Node.js now support type stripping, which makes working with .ts files at runtime a bit easier.

Become a supporter of this podcast: https://www.spreaker.com/podcast/javascript-jabber--6102064/support.