When building backend APIs with Node.js—especially with frameworks like Express or NestJS—you’ll often find yourself handling user input via req.body, req.query, or req.params.
But here’s a subtle trap many developers fall into:
Mutating the request payload directly can cause hidden side effects.
In this post, we’ll explore:
- What those side effects are,
- How Express and NestJS treat the request payload,
- When you should deep copy the payload,
- And best practices for safe and predictable request handling.
🚨 What Side Effects Are We Talking About?
When you mutate req.body, you're changing the original object passed through the entire request pipeline. This introduces side effects—unintended consequences in other parts of your app.
1. Middleware Conflicts
// Middleware A
req.body.username = req.body.username.trim().toLowerCase();
// Middleware B
if (req.body.username !== originalFormat) {
throw new Error('Unexpected username format');
}
Here, Middleware B may behave incorrectly because Middleware A already modified the payload. These kinds of bugs can be hard to track down in large apps.
2. Test Pollution & Reuse
In test environments, mock req objects might be reused across tests. If you mutate req.body, one test could accidentally affect another.
❓ Do Express or NestJS Copy the Payload for You?
🚫 Express.js: No
Express does not clone the body, query, or params. They are mutable references. If you modify req.body, you're changing it for the rest of the request lifecycle.
🚫 NestJS: Also No (but with tools)
NestJS sits on top of Express or Fastify and gives you decorators like @Body(), but these still reference the same underlying mutable object.
However, NestJS gives you pipes, which let you transform and validate data. But even inside pipes, you have to explicitly clone if you want immutability.
✅ When Should You Deep Copy?
You should deep copy the payload when:
- You plan to transform or mutate it (e.g., normalization).
- You need to compare original vs modified values.
- You're working with pure functions or functional patterns.
- You want side-effect-free logic.
You don’t need to deep copy when:
- You’re only reading the values.
- You’re writing quick prototype code.
- Performance is critical and you're aware of the risks.
🛠️ How to Deep Copy Safely
Here are a few options:
🐢 Simple JSON Clone (works for shallow JSON-safe structures):
const payloadCopy = JSON.parse(JSON.stringify(req.body));
⚡ Better: Use Lodash
import { cloneDeep } from 'lodash';
const payloadCopy = cloneDeep(req.body);
🔐 Best Practices for Safe Request Handling
- ✅ Never mutate
req.bodydirectly unless absolutely necessary. - ✅ Use data transfer objects (DTOs) in NestJS to define contracts.
- ✅ Clone the payload early if you’re going to transform it.
- ✅ Use pipes in NestJS to isolate transformations cleanly.
- ✅ Stick to pure functions when handling request data in services or utilities.
🧪 Bonus: Middleware Example (Express)
app.use((req, res, next) => {
req.bodyOriginal = cloneDeep(req.body);
next();
});
Now, req.bodyOriginal holds the unmodified version for comparison or logging.
✨ Conclusion
Directly mutating incoming request payloads may seem harmless—until your app grows, and bugs start creeping in from shared state.
Avoid the trap. Make defensive copies of the data you're about to work on, and you'll build APIs that are easier to debug, reason about, and test.
If you found this helpful, feel free to share
Let’s connect!!: 🤝
Top comments (2)
you can also use *structuredClone * for deep copy thing
Some comments may only be visible to logged-in visitors. Sign in to view all comments.