fix: validate that limit option is non-negative

Add validation to reject negative limit values like '-100kb' that were
previously silently accepted. This prevents configuration errors from
going unnoticed.

Fixes #705

Author: abhu85

lib/utils.js

@@ -63,6 +63,11 @@ function normalizeOptions (options, defaultType) {
   var limit = typeof options?.limit !== 'number'
     ? bytes.parse(options?.limit || '100kb')
     : options?.limit
+
+  if (limit !== null && limit < 0) {
+    throw new TypeError('option limit must be a non-negative number')
+  }
+
   var type = options?.type || defaultType
   var verify = options?.verify || false
   var defaultCharset = options?.defaultCharset || 'utf-8'

test/utils.js

@@ -85,6 +85,28 @@ describe('normalizeOptions(options, defaultType)', () => {
         const result = normalizeOptions({ limit: 'invalid' }, 'application/json')
         assert.strictEqual(result.limit, null)
       })
+
+      it('should throw an error for negative string limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: '-100kb' }, 'application/json')
+        }, /option limit must be a non-negative number/)
+      })
+
+      it('should throw an error for negative number limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: -1024 }, 'application/json')
+        }, /option limit must be a non-negative number/)
+      })
+
+      it('should accept zero limit', () => {
+        const result = normalizeOptions({ limit: 0 }, 'application/json')
+        assert.strictEqual(result.limit, 0)
+      })
+
+      it('should accept zero string limit', () => {
+        const result = normalizeOptions({ limit: '0kb' }, 'application/json')
+        assert.strictEqual(result.limit, 0)
+      })
     })
 
     describe('type', () => {