From a6e2ed1bd0a7acea7279ba012a808e3aa1e8dd8e Mon Sep 17 00:00:00 2001
From: Phillip Barta <barta.phillip@gmail.com>
Date: Tue, 20 Jan 2026 16:31:53 +0100
Subject: [PATCH 1/2] fix: improve limit option validation

---
 lib/utils.js  | 10 +++++++---
 test/utils.js | 51 ++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/lib/utils.js b/lib/utils.js
index e0bf9741..a1a8f4f6 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -60,13 +60,17 @@ function normalizeOptions (options, defaultType) {
   }
 
   var inflate = options?.inflate !== false
-  var limit = typeof options?.limit !== 'number'
-    ? bytes.parse(options?.limit || '100kb')
-    : options?.limit
+  var limit = options?.limit === undefined || options?.limit === null
+    ? 102400 // 100kb default
+    : bytes.parse(options.limit)
   var type = options?.type || defaultType
   var verify = options?.verify || false
   var defaultCharset = options?.defaultCharset || 'utf-8'
 
+  if (limit === null) {
+    throw new TypeError(`option limit "${String(options.limit)}" is invalid`)
+  }
+
   if (verify !== false && typeof verify !== 'function') {
     throw new TypeError('option verify must be function')
   }
diff --git a/test/utils.js b/test/utils.js
index 364d3838..62b9b1e6 100644
--- a/test/utils.js
+++ b/test/utils.js
@@ -71,6 +71,21 @@ describe('normalizeOptions(options, defaultType)', () => {
         assert.strictEqual(result.limit, 100 * 1024) // 100kb in bytes
       })
 
+      it('should return the default limit if limit is undefined', () => {
+        const result = normalizeOptions({ limit: undefined }, 'application/json')
+        assert.strictEqual(result.limit, 100 * 1024) // 100kb in bytes
+      })
+
+      it('should return the default limit if limit is null', () => {
+        const result = normalizeOptions({ limit: null }, 'application/json')
+        assert.strictEqual(result.limit, 100 * 1024) // 100kb in bytes
+      })
+
+      it('should accept zero as valid limit', () => {
+        const result = normalizeOptions({ limit: 0 }, 'application/json')
+        assert.strictEqual(result.limit, 0)
+      })
+
       it('should accept a number limit', () => {
         const result = normalizeOptions({ limit: 1234 }, 'application/json')
         assert.strictEqual(result.limit, 1234)
@@ -81,9 +96,39 @@ describe('normalizeOptions(options, defaultType)', () => {
         assert.strictEqual(result.limit, 200 * 1024) // 200kb in bytes
       })
 
-      it('should return null for an invalid limit', () => {
-        const result = normalizeOptions({ limit: 'invalid' }, 'application/json')
-        assert.strictEqual(result.limit, null)
+      it('should parse a string limit without a unit', () => {
+        const result = normalizeOptions({ limit: '200' }, 'application/json')
+        assert.strictEqual(result.limit, 200) // 200 bytes
+      })
+
+      it('should throw an error for an invalid string limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: 'invalid' }, 'application/json')
+        }, /option limit "invalid" is invalid/)
+        assert.throws(() => {
+          normalizeOptions({ limit: '' }, 'application/json')
+        }, /option limit "" is invalid/)
+      })
+
+      it('should throw an error for a NaN limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: NaN }, 'application/json')
+        }, /option limit "NaN" is invalid/)
+      })
+
+      it('should throw an error for a boolean limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: true }, 'application/json')
+        }, /option limit "true" is invalid/)
+        assert.throws(() => {
+          normalizeOptions({ limit: false }, 'application/json')
+        }, /option limit "false" is invalid/)
+      })
+
+      it('should throw an error for an object limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: { foo: 'bar' } }, 'application/json')
+        }, /option limit "\[object Object\]" is invalid/)
       })
     })
 

From a639447a4ac46ecd190199bc9704f835f72f6a0d Mon Sep 17 00:00:00 2001
From: Phillip Barta <barta.phillip@gmail.com>
Date: Mon, 2 Feb 2026 12:19:57 +0100
Subject: [PATCH 2/2] fix: use typeof for undefined check

Co-authored-by: Chris de Almeida <ctcpip@users.noreply.github.com>
---
 lib/utils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/utils.js b/lib/utils.js
index a1a8f4f6..232e2e25 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -60,7 +60,7 @@ function normalizeOptions (options, defaultType) {
   }
 
   var inflate = options?.inflate !== false
-  var limit = options?.limit === undefined || options?.limit === null
+  var limit = typeof options?.limit === 'undefined' || options?.limit === null
     ? 102400 // 100kb default
     : bytes.parse(options.limit)
   var type = options?.type || defaultType