Claude Code generated semantically incorrect class-validator decorator composition

Resolved 💬 1 comment Opened Apr 20, 2026 by katy-laurel Closed May 27, 2026

Summary

Claude Code generated code with a subtle but critical semantic error in decorator composition that passed type-checking but caused runtime failures against real data. Two separate AI code review tools also failed to catch the bug during PR review.

What happened

Claude Code was used to sync entity classes between NestJS services into a shared SDK package. During the sync, it generated the following decorator composition on a string[] field:

@IsArray()
@IsOptional()
@ValidateNested({ each: true })
@Type(() => String)
titles?: string[];

@ValidateNested({ each: true }) combined with @Type(() => String) tells class-validator to treat each string element as a nested object requiring validation. Since strings are primitives (not objects), every string in the array fails with: "each value in nested property titles must be either object or array".

The correct pattern for a string array is:

@IsArray()
@IsOptional()
@IsString({ each: true })
titles?: string[];

In the same PR, Claude Code also generated entity fields with @IsNotEmpty() (via a custom decorator) on credential fields that legitimately contain empty strings in the database. The fix required adding allowEmpty: true.

Impact

  • The bug was deployed to a dev environment and caused HTTP 500 errors on a critical API flow
  • It was caught before reaching production, but only because a developer manually tested the flow
  • If it had reached production, it would have been a P1 incident affecting all users of the affected feature

Why this matters for Claude Code

  1. Decorator composition is a blind spot: Each decorator is individually valid, but the combination is semantically incorrect. Claude Code needs better understanding of how class-validator decorators interact at runtime — specifically that @ValidateNested expects class instances, not primitives.
  1. Data-dependent correctness: The allowEmpty issue only manifests when the database contains empty strings. Claude Code should be more conservative when generating validation decorators on fields that may contain edge-case values (empty strings, nulls, etc.), especially when syncing from a service where the data shape is determined by real-world usage, not just the type definition.
  1. AI review tools also missed it: Two separate AI code review bots reviewed the 1,200+ line PR and only flagged a cosmetic inconsistency. Neither caught the two breaking validation bugs. This suggests the class of error (correct syntax, incorrect semantics in decorator/annotation composition) is a systemic gap across current AI tooling.

Environment

  • Claude Code was used to generate the PR (badge: "Generated with Claude Code")
  • The PR was a large entity sync (~1,200 lines, ~30 files) — entity classes bulk-copied from a source service
  • NestJS + class-validator + class-transformer stack

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗