fix(core): harden token amount validation by FidelCoder · Pull Request #2340 · x402-foundation/x402

FidelCoder · 2026-05-16T22:11:51Z

Summary

Fixes #2090.

Replaces the decimal validation regex in convertToTokenAmount() with a linear validator to avoid ReDoS-style backtracking on long invalid input.

Preserve valid integer, decimal, trailing-decimal, and negative amount behavior.
Keep rejecting scientific notation and malformed numeric strings.
Add regression coverage for long adversarial invalid input.

git diff --check
Not run: pnpm --filter @x402/core test -- test/unit/utils/utils.test.ts because local Node is v18.19.1 and pnpm requires Node v22.13+
Not run: pnpm --filter @x402/core lint:check because local Node is v18.19.1 and pnpm requires Node v22.13+
Not run: pnpm --filter @x402/core format:check because local Node is v18.19.1 and pnpm requires Node v22.13+
Not run: pnpm --filter @x402/core build because local Node is v18.19.1 and pnpm requires Node v22.13+

vercel · 2026-05-16T22:11:57Z

@FidelCoder is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

fix(core): harden token amount validation

2c17382

github-actions Bot added typescript sdk Changes to core v2 packages labels May 16, 2026