# tRPC Type Safety Bypass with Any

- ID: trpc-type-inference-bypass
- Severity: MEDIUM
- CWE: CWE-704
- Languages: JavaScript, TypeScript
- Frameworks: trpc

## Description

Using the `any` type in tRPC procedures defeats type safety and lets unvalidated data pass through, which can lead to injection and runtime errors.

## Detection Message

tRPC code uses the `any` type, which defeats type safety. Use proper TypeScript types or Zod inference.

## Remediation

Use Zod schemas and infer types from them instead of using `any`.

```typescript
import { z } from 'zod';

// `router`, `publicProcedure` and `db` come from the application's own tRPC and database setup.

// Runtime schema: userId must be a positive integer.
const getUserInput = z.object({
  userId: z.number().int().positive()
});

export const userRouter = router({
  getUser: publicProcedure
    .input(getUserInput) // validates the request and types `input` from the schema
    .query(async ({ input }) => {
      return await db.user.findUnique({ where: { id: input.userId } });
    })
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-704/type-inference-bypass

## Related Rules

- **TypeScript Unconstrained Generic Type Parameters** [MEDIUM]
- **TypeScript Strict Mode Disabled** [HIGH]
- **Unsafe 'any' Type in Security-Sensitive Context** [HIGH]
- **TypeScript Unsafe Type Guard** [HIGH]
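
The remediation above, as an added example that is not part of the rule or of the tRPC or Zod projects: it compares a handler typed `any` with one that parses its input first, and records which values reach the data layer. `Validator`, `Infer`, `findUnique`, `getUserUnsafe`, `getUserSafe` and the sample inputs are assumptions written by hand so the block runs without dependencies.

```typescript
// Added example: hand-written stand-ins so this runs without tRPC or Zod installed.
type Validator<T> = (raw: unknown) => T; // plays the role of a Zod schema's parse()
type Infer<V> = V extends Validator<infer T> ? T : never; // plays the role of z.infer

// Constructed in-memory table standing in for db.user.
const users = new Map<number, { id: number; name: string }>([
  [1, { id: 1, name: "alice" }],
  [2, { id: 2, name: "bob" }],
]);
const queriesSeen: unknown[] = []; // every value that reached the data layer

function findUnique(where: { id: unknown }) {
  const id = where.id;
  queriesSeen.push(id);
  return typeof id === "number" ? users.get(id) ?? null : null;
}

// Runtime equivalent of z.object({ userId: z.number().int().positive() }).
const getUserInput: Validator<{ userId: number }> = (raw) => {
  if (typeof raw !== "object" || raw === null) throw new TypeError("input must be an object");
  const userId = (raw as Record<string, unknown>).userId;
  if (typeof userId !== "number" || !Number.isInteger(userId) || userId <= 0) {
    throw new TypeError("userId must be a positive integer");
  }
  return { userId }; // unknown keys are dropped, as Zod objects do by default
};

// Flagged pattern: `any` compiles for every caller and checks nothing at runtime.
function getUserUnsafe(input: any) {
  return findUnique({ id: input.userId });
}

// Remediated pattern: parse first, so the handler only sees the inferred type.
function getUserSafe(raw: unknown) {
  const input: Infer<typeof getUserInput> = getUserInput(raw);
  return findUnique({ id: input.userId });
}

// Constructed request bodies: one valid, then a string, an object, a negative, a missing field.
const samples: unknown[] = [{ userId: 1 }, { userId: "1" }, { userId: { gt: 0 } }, { userId: -5 }, {}];

function run(handler: (raw: unknown) => unknown) {
  queriesSeen.length = 0;
  const outcomes = samples.map((s) => {
    try { return handler(s) ? "found" : "miss"; } catch { return "rejected"; }
  });
  return { outcomes, reachedDb: [...queriesSeen] };
}

console.log(JSON.stringify({ unsafe: run(getUserUnsafe), safe: run(getUserSafe) }));
```

With `any`, all five inputs reach `findUnique`; with the parsed input, only the valid one does and the rest are rejected before any query runs.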