express-validator
Express.js middleware for validating and sanitizing request data (body, params, query, headers, cookies). Built on top of validator.js. Provides a chainable API: body('email').isEmail().normalizeEmail(), param('id').isUUID(), query('page').isInt({min: 1}). Validation errors are collected via validationResult(), and the validated data is read back via matchedData(). The de-facto standard for Express.js request validation.
Score Breakdown
🔒 Security
Input validation library — primary security purpose is preventing injection and XSS via sanitization. escape() and normalizeEmail() sanitizers prevent common attacks. Well-maintained security-focused library.
Best When
You're building Express.js APIs and need validation middleware that integrates naturally with Express's middleware chain and validator.js's format validators.
Avoid When
You want TypeScript type inference from validation schemas or need framework-agnostic validation — use Zod instead.
Use Cases
- Validate and sanitize request bodies in Express.js API endpoints (email format, required fields, type coercion)
- Validate route parameters (UUID format, integer ranges) before database queries to prevent invalid queries
- Sanitize user input (trim, escape HTML, normalize email) to prevent XSS and clean data before storage
- Validate query string parameters for API filter/pagination endpoints with clear error messages
- Create reusable validation chains as middleware arrays applied to multiple routes sharing the same validation rules
Not For
- Complex nested object validation with TypeScript type safety: use Zod for type-safe schema validation with inference
- Non-Express frameworks: use Joi or Zod directly for framework-agnostic validation
- Schema-first validation: express-validator is imperative; Zod or Joi are schema-first for reusable schemas across frontend/backend
Authentication
No authentication — validation middleware.
Pricing
Fully free, MIT licensed.
Agent Metadata
Known Gotchas
- ⚠ Validation chains don't reject requests — must explicitly call validationResult(req) and check for errors; missing this check means invalid data passes through
- ⚠ Sanitizers mutate req.body/params/query, but only for the fields a chain covers; every other field in req.body stays exactly as the client sent it, unvalidated and unsanitized. Use matchedData(req) instead of req.body to get only validated and sanitized data
- ⚠ Async validators require await inside custom() — custom validators returning promises must use the async validator pattern or return a rejected promise for errors
- ⚠ Array validation with wildcard notation: body('items.*.name').notEmpty() — wildcard validation must be set up correctly; test with array inputs
- ⚠ v7 checkSchema() API changed from v6 — schema-based validation format differs between major versions; check changelog when upgrading
- ⚠ Order of validation chains matters — sanitizers applied in chain order; withMessage() must follow the validator it applies to in the chain
Scores are editorial opinions as of 2026-03-07.