Add type guard for Yup ValidationError before accessing inner property

[Copilot]

The code accessed e.inner without verifying the error type, risking runtime failures if non-Yup errors are thrown during validation.

Changes

• Type guard function: Added isValidationErrorWithInner() to safely check for Yup ValidationError with inner array
• Fallback error handling: Returns structured error object with message when error lacks inner property
• Applied to two catch blocks: Main validation (lines 119-137) and bundle item validation (lines 162-182)

// Before
catch (e) {
  result = {
    isValid: false,
    errors: e.inner?.map((error) => ({ ...error })) || []
  };
}

// After
catch (e) {
  result = {
    isValid: false,
    errors: isValidationErrorWithInner(e)
      ? e.inner.map((error) => ({ ...error }))
      : [{ message: e instanceof Error ? e.message : "Validation failed with unknown error", path: "", value: undefined }]
  };
}

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR improves error handling in the checkExchangePolicy function by adding a type guard to safely check for Yup ValidationError with an inner array before accessing it. This prevents potential runtime failures when non-Yup errors are thrown during validation.

Changes:

• Added isValidationErrorWithInner() type guard function to safely detect Yup ValidationError objects
• Updated two catch blocks to use the type guard with fallback error handling for non-Yup errors
• Minor package-lock.json update (yaml package marked as peer dependency)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.

File	Description
packages/core-sdk/src/offers/checkExchangePolicy.ts	Adds type guard function and applies it to validation error handling in two catch blocks with fallback error structures
package-lock.json	Automatic lockfile update marking yaml as peer dependency (unrelated to main PR changes)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When spreading Yup ValidationError objects with the spread operator, additional properties beyond message, path, and value may be copied into the result. While this may not cause immediate issues, it could lead to unexpected behavior if the result is strictly validated elsewhere or if consumers rely on the type definition. Consider explicitly mapping only the expected properties to ensure the result structure exactly matches the CheckExchangePolicyResult type.

Suggested change

	return { ...error };
	return {
	message: error.message,
	path: error.path ?? "",
	value: error.value
	};

[Copilot]

There are no test cases covering the new error handling path for non-Yup ValidationError scenarios. The fallback error handling (lines 128-135 and 171-180) that returns "Validation failed with unknown error" is not tested. Consider adding test cases to verify that errors without the inner property are handled correctly and return the expected error structure.

[Copilot]

The type guard's return type declares path?: string and value?: unknown as optional, but the CheckExchangePolicyResult type (lines 5-12) requires these properties to be non-optional (path: string and value: unknown). This type mismatch could lead to runtime errors when consumers expect these properties to always be present. Additionally, the type guard only validates that inner is an array but doesn't verify that the array elements have the required structure with a message property.

Suggested change

	): error is { inner: Array<{ message: string; path?: string; value?: unknown }> } {
	return (
	typeof error === "object" &&
	error !== null &&
	"inner" in error &&
	Array.isArray((error as { inner: unknown }).inner)
	);
	): error is { inner: Array<{ message: string; path: string; value: unknown }> } {
	if (
	typeof error !== "object" ||
	error === null ||
	!("inner" in error) ||
	!Array.isArray((error as { inner: unknown }).inner)
	) {
	return false;
	}
	const { inner } = error as { inner: unknown[] };
	return inner.every((item) => {
	if (typeof item !== "object" || item === null) {
	return false;
	}
	const candidate = item as {
	message?: unknown;
	path?: unknown;
	value?: unknown;
	};
	return (
	typeof candidate.message === "string" &&
	typeof candidate.path === "string" &&
	"value" in candidate
	);
	});

[Copilot]

When spreading Yup ValidationError objects with the spread operator, additional properties beyond message, path, and value may be copied into the result. While this may not cause immediate issues, it could lead to unexpected behavior if the result is strictly validated elsewhere or if consumers rely on the type definition. Consider explicitly mapping only the expected properties to ensure the result structure exactly matches the CheckExchangePolicyResult type.

Suggested change

	? e.inner.map((error) => {
	return { ...error };
	})
	? e.inner.map((error) => ({
	message: error.message,
	path: error.path ?? "",
	value: error.value
	}))