Validators

A collection of minimal, dependency-free, security-focused input validation helpers for modern web and edge environments.

Overview

Validators provides safe standalone, auditable modules designed to replace overcomplicated or vulnerable validation libraries. Each module focuses on a single responsibility and avoids risky features such as eval, regex backtracking, or URL parsing ambiguities.

Available modules:

• is-card-safe — Credit card validator with Luhn check and brand detection (Visa, Mastercard, Amex, etc.).
  

• is-email-safe — Strict RFC-like ASCII email validation, no external dependencies.
  

• is-iban-safe — ISO 13616 / ISO 7064 IBAN validator powered by the official SWIFT registry.
  

• is-ip-safe — IPv4 and IPv6 address validator with normalization and compression-safe parsing.
  

• is-json-safe — JSON structure validator and sanitizer that enforces depth, size, and key limits.
  

• is-password-safe — Password strength and safety validator (entropy, sequences, dictionary words, and repetition checks).
  

• is-phone-e164 — E.164 international phone number validator with normalization.
  

• is-url-safe — Conservative http(s)-only URL validator resistant to bypass attacks.
  

• is-us-tin-safe — Validates U.S. Taxpayer Identification Numbers (EIN, SSN, ITIN).
  

• is-vat-safe — EU VAT ID pattern validator for all member states (format-only, no checksum).
  

All helpers are designed for use in:

• Browsers (ESM)
• Node.js / Deno / Bun (import)
• Edge runtimes (Cloudflare Workers, Vercel Edge, etc.)

Each module has its own README.md, tests, and can be imported individually.

🔗 Live Demos (GitHub Pages)

You can try each validator interactively in your browser:

• Card Validator Test
• Email Validator Test
• IBAN Validator Test
• IP Validator Test
• JSON Validator Test
• Password Validator Test
• Phone Validator Test
• URL Validator Test
• US TIN Validator Test
• EU VAT Validator Test

Each page loads its respective module and allows interactive validation.

Install

npm i @yvancg/validators # or per-module packages when published

API Guarantees

• No eval or dynamic code.
• Regexes fuzz-tested for catastrophic backtracking.

Design Principles

1. Safety first: Reject malformed or ambiguous inputs by default.
2. No dependencies: Avoids third-party packages that may introduce vulnerabilities.
3. Auditable simplicity: Clear logic under 150 lines per module.
4. Portability: Works across environments without build tools.
5. Transparency: Open source with no hidden telemetry or build steps.

Example Usage

import { validateCard } from './is-card-safe/card.js';
import { isEmailSafe } from './is-email-safe/email.js';
import { isIbanSafe } from './is-iban-safe/iban.js';
import { isIpSafe } from './is-ip-safe/ip.js';
import { isJsonSafe } from './is-json-safe/json.js';
import { validatePassword } from './is-password-safe/password.js';
import { isPhoneE164 } from './is-phone-e164/phone.js';
import { isUrlSafe } from './is-url-safe/url.js';
import { validateITIN } from './is-us-tin-safe/tin.js';
import { isVatSafe } from './is-vat-safe/vat.js';

console.log(validateCard('4111111111111111'));              // { ok: true, brand: 'visa', ... }
console.log(isEmailSafe('user@example.com'));               // true
console.log(isIbanSafe('DE44500105175407324931'))           // { ok: true, ... }
console.log(isIpSafe('192.168.0.1'));                       // true
console.log(isJsonSafe('{"user":"alice","id":123}'));       // true
console.log(validatePassword('Aj4?mX9^kL3!yZ'));						 // { ok: true, score: 3, entropyBits: 88, ... }
console.log(isPhoneE164('+12025550123'));                   // true
console.log(isUrlSafe('https://example.com'));              // true
console.log(validateITIN('12-3456789'));                    // { ok: true, type: 'ein', ... }
console.log(isVatSafe('DE123456789'));                      // { ok: true, country: 'DE', ... }

Folder Structure

validators/
  ├─ .github/
  │   └─ FUNDING.yml
  ├─ LICENSE
  ├─ README.md
  ├─ SECURITY.md
  ├─ is-card-safe/
  ├─ is-email-safe/
  ├─ is-iban-safe/
  ├─ is-ip-safe/
  ├─ is-json-safe/
  ├─ is-password-safe/
  ├─ is-phone-e164/
  ├─ is-url-safe/
  ├─ is-us-tin-safe/
  └─ is-vat-safe/

Security Notes

• All regexes are tested for ReDoS safety.
• No dynamic code execution or eval-like patterns are used.
• URLs are normalized before validation and restricted to http and https schemes.
• Emails and phones are validated according to conservative subsets of relevant RFCs and ITU standards.

Contributing

Pull requests for additional safe validators (e.g., IBAN, domain names, etc.) are welcome. Please maintain the following rules:

• Pure functions only (no side effects)
• No external dependencies
• 100% test coverage for new logic
• TypeScript or plain ESM JavaScript

License

Licensed under the MIT License — see LICENSE.

Funding

If you find this project useful, please consider sponsoring its continued maintenance and security audits.

You can sponsor this project through:

• GitHub Sponsors: https://github.com/sponsors/yvancg
• Or any link listed in .github/FUNDING.yml

---

© 2025 Y Consulting LLC / Validators Project