Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore(deps): update zod to v4 #105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

chore(deps): update zod to v4 #105

wants to merge 1 commit into from
+9 βˆ’9

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 3, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
zod (source) 3.25.76 -> 4.1.12 age confidence

Release Notes

colinhacks/zod (zod)

v4.1.12

Compare Source

Commits:

v4.1.11

Compare Source

Commits:

v4.1.10

Compare Source

Commits:

v4.1.9

Compare Source

Commits:

v4.1.8

Compare Source

Commits:

v4.1.7

Compare Source

Commits:

v4.1.6

Compare Source

v4.1.5

Compare Source

Commits:

v4.1.4

Compare Source

Commits:

  • 3291c61 fix(v4): toJSONSchema - wrong tuple with null output when targeting openapi-3.0 (#​5156)
  • 23f41c7 test(v4): toJSONSchema - use validateOpenAPI30Schema in all relevant scenarios (#​5163)
  • 0a09fd2 Update installation instructions
  • 4ea5fec 4.1.4

v4.1.3

Compare Source

Commits:

v4.1.2

Compare Source

Commits:

v4.1.1

Compare Source

Commits:

v4.1.0

Compare Source

The first minor version since the introduction of Zod 4 back in May. This version contains a number of features that barely missed the cut for the 4.0 release. With Zod 4 stable and widely adopted, there's more time to resume feature development.

Codecs

This is the flagship feature of this release. Codecs are a new API & schema type that encapsulates a bi-directional transformation. It's a huge missing piece in Zod that's finally filled, and it unlocks some totally new ways to use Zod.

const stringToDate = z.codec(
  z.iso.datetime(),  // input schema: ISO date string
  z.date(),          // output schema: Date object
  {
    decode: (isoString) => new Date(isoString), 
    encode: (date) => date.toISOString(),
  }
);

New top-level functions are added for processing inputs in the forward direction ("decoding") and backward direction ("encoding").

stringToDate.decode("2025-08-21T20:59:45.500Z")
// => Date

stringToDate.encode(new Date())
// => "2025-08-21T20:59:45.500Z"

NoteΒ β€” For bundle size reasons, these new methods have not added to Zod Mini schemas. Instead, this functionality is available via equivalent top-level functions.

// equivalent at runtime
z.decode(stringToDate, "2024-01-15T10:30:00.000Z");
z.encode(stringToDate, new Date());
.parse() vs .decode()

Both .parse() and decode() process data in the "forward" direction. They behave identically at runtime.

stringToDate.parse("2025-08-21T20:59:45.500Z");
stringToDate.decode("2025-08-21T20:59:45.500Z");

There is an important difference however. While .parse() accepts any input, .decode() expects a strongly typed input. That is, it expects an input of type string, whereas .parse() accepts unknown.

stringToDate.parse(Symbol('not-a-string'));
// => fails at runtime, but no TypeScript error

stringToDate.decode(Symbol("not-a-string"));
//                     ^ ❌ Argument of type 'symbol' is not assignable to parameter of type 'Date'. ts(2345)

This is a highly requested feature unto itself:

Encoding

You can use any Zod schema with .encode(). The vast majority of Zod schemas are non-transforming (the input and output types are identical) so .decode() and .encode() behave identically. Only certain schema types change their behavior:

  • Codecs β€” runs from B->A and executes the encode transform during encoding
  • Pipes β€” these execute B->A instead of A->B
  • Defaults and prefaults β€” Only applied in the forward direction
  • Catch β€”Β Only applied in the forward direction

Note β€” To avoid increasing bundle size unnecessarily, these new methods are not available on Zod Mini schemas. For those schemas, equivalent top-level functions are provided.

The usual async and safe variants exist as well:

// decode methods
stringToDate.decode("2024-01-15T10:30:00.000Z")
await stringToDate.decodeAsync("2024-01-15T10:30:00.000Z")
stringToDate.safeDecode("2024-01-15T10:30:00.000Z")
await stringToDate.safeDecodeAsync("2024-01-15T10:30:00.000Z")

// encode methods
stringToDate.encode(new Date())
await stringToDate.encodeAsync(new Date())
stringToDate.safeEncode(new Date())
await stringToDate.safeEncodeAsync(new Date())
Example codecs

Below are some "worked examples" for some commonly-needed codecs. These examples are all tested internally for correctness. Just copy/paste them into your project as needed. There is a more comprehensive set available at zod.dev/codecs.

stringToBigInt

Converts bigint into a serializable form.

const stringToBigInt = z.codec(z.string(), z.bigint(), {
  decode: (str) => BigInt(str),
  encode: (bigint) => bigint.toString(),
});

stringToBigInt.decode("12345");  // => 12345n
stringToBigInt.encode(12345n);   // => "12345"
json

Parses/stringifies JSON data.

const jsonCodec = z.codec(z.string(), z.json(), {
  decode: (jsonString, ctx) => {
    try {
      return JSON.parse(jsonString);
    } catch (err: any) {
      ctx.issues.push({
        code: "invalid_format",
        format: "json_string",
        input: jsonString,
        message: err.message,
      });
      return z.NEVER;
    }
  },
  encode: (value) => JSON.stringify(value),
});

To further validate the data, .pipe() the result of this codec into another schema.

const Params = z.object({ name: z.string(), age: z.number() });
const JsonToParams = jsonCodec.pipe(Params);

JsonToParams.decode('{"name":"Alice","age":30}');  // => { name: "Alice", age: 30 }
JsonToParams.encode({ name: "Bob", age: 25 });     // => '{"name":"Bob","age":25}'
Further reading

For more examples and a technical breakdown of how encoding works, reads theannouncement blog post and new Codecs docs page. The docs page contains implementations for several other commonly-needed codecs:

.safeExtend()

The existing way to add additional fields to an object is to use .extend().

const A = z.object({ a: z.string() })
const B = A.extend({ b: z.string() })

Unfortunately this is a bit of a misnomer, as it allows you to overwrite existing fields. This means the result of .extend() may not literally extend the original type (in the TypeScript sense).

const A = z.object({ a: z.string() }) // { a: string }
const B = A.extend({ a: z.number() }) // { a: number }

To enforce true extends logic, Zod 4.1 introduces a new .safeExtend() method. This statically enforces that the newly added properties conform to the existing ones.

z.object({ a: z.string() }).safeExtend({ a: z.number().min(5) }); // βœ…
z.object({ a: z.string() }).safeExtend({ a: z.any() }); // βœ…
z.object({ a: z.string() }).safeExtend({ a: z.number() });
//                                       ^  ❌ ZodNumber is not assignable

Importantly, this new API allows you to safely extend objects containing refinements.

const AB = z.object({ a: z.string(), b: z.string() }).refine(val => val.a === val.b);
const ABC = AB.safeExtend({ c: z.string() });
// ABC includes the refinements defined on AB

Previously (in Zod 4.x) any refinements attached to the base schema were dropped in the extended result. This was too unexpected. It now throws an error. (Zod 3 did not support extension of refined objects either.)

z.hash()

A new top-level string format for validating hashes produced using various common algorithms & encodings.

const md5Schema = z.hash("md5");          
// => ZodCustomStringFormat<"md5_hex">

const sha256Base64 = z.hash("sha256", { enc: "base64" }); 
// => ZodCustomStringFormat<"sha256_base64">

The following hash algorithms and encodings are supported. Each cell provides information about the expected number of characters/padding.

Algorithm / Encoding "hex" "base64" "base64url"
"md5" 32 24 (22 + "==") 22
"sha1" 40 28 (27 + "=") 27
"sha256" 64 44 (43 + "=") 43
"sha384" 96 64 (no padding) 64
"sha512" 128 88 (86 + "==") 86

z.hex()

To validate hexadecimal strings of any length.

const hexSchema = z.hex();

hexSchema.parse("123abc");    // βœ… "123abc"
hexSchema.parse("DEADBEEF");  // βœ… "DEADBEEF" 
hexSchema.parse("xyz");       // ❌ ZodError

Additional changes

  1. z.uuid() now supports the "Max UUID" (FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF) per the RFC
  2. $ZodFunction is now a subtype of $ZodType

Commits

v4.0.17

Compare Source

Commits:

v4.0.16

Compare Source

Commits:

v4.0.15

Compare Source

Commits:

v4.0.14

Compare Source

Commits:

v4.0.13

Compare Source

Commits:

v4.0.12

Compare Source

Commits:

v4.0.11

Compare Source

Commits:

v4.0.10

Compare Source

Commits:

v4.0.9

Compare Source

Commits:

v4.0.8

Compare Source

Commits:

v4.0.7

Compare Source

Commits:

v4.0.6

Compare Source

Commits:

v4.0.5

Compare Source

Commits:

v4.0.4

Compare Source

Commits:

  • 9335f05 Adds ZodFirstPartyTypeKind stub to fix module resolution failure inside zod-to-json-schema

v4.0.3

Compare Source

Commits:

v4.0.2

Compare Source

v4.0.1: v4.0.0

Compare Source

With this release, [email protected] has been published to npm. There were no code changes between 3.25.76 and 4.0.0!

Zod 4 has been stable for the past 6 weeks, but it was published inside [email protected] on npm. this transitionary window gave the ecosystem time to incrementally support for Zod 4 (without dropping support for Zod 3). As there is now near-universal support for Zod 4 in the ecosystem, ths time feels right to finally put a bow on things πŸŽ€

To upgrade to Zod 4:

npm upgrade zod@^4.0.0

If you’ve already migrated to Zod 4 using the subpaths, there are no changes required. however you can optionally simplify your imports (recommended)

// after upgrading to [email protected]:
import * as z from "zod"; // Zod 4 (regular)
import * as z from "zod/mini" // Zod 4 Mini

// these still work, but are no longer needed 
import * as z from "zod/v4"; 
import * as z from "zod/v4-mini":

// if you still need Zod 3
import * as z from "zod/v3"; // Zod 3

Library authors β€” if you've already implemented Zod 4 support according to the best practices outlined in the Library authors guide, bump your peer dependency to include zod@^4.0.0:

// package.json
{
  "peerDependencies": {
    "zod": "^3.25.0 || ^4.0.0"
  }
}

There should be no other code changes necessary. No code changes were made between the latest 3.25.x release and 4.0.0. This does not require a major version bump.

v4.0.0

Compare Source

Configuration

πŸ“… Schedule: Branch creation - "before 9am on Monday" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 3, 2025
edited
Loading

Warning

Rate limit exceeded

@renovate[bot] has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 8 minutes and 24 seconds before requesting another review.

βŒ› How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between fad71f5 and 546f302.

β›” Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
πŸ“’ Files selected for processing (2)
  • packages/blocks/package.json (1 hunks)
  • packages/database-integrations/package.json (1 hunks)
πŸ“ Walkthrough

Walkthrough

Bumps the zod dependency from 3.25.76 to 4.1.12 in two packages: packages/blocks and packages/database-integrations. No other code, export, or public API changes were made in this PR.

Sequence Diagram(s)

(omitted β€” dependency version upgrade; no control-flow or new feature to diagram)

Possibly related PRs

Suggested reviewers

  • saltenasl
  • Artmann

Pre-merge checks

βœ… Passed checks (2 passed)
Check name Status Explanation
Description Check βœ… Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check βœ… Passed Title clearly summarizes the main change: updating the zod dependency to v4, matching the changeset.

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link

codecov bot commented Nov 3, 2025
edited
Loading

Codecov Report

βœ… All modified and coverable lines are covered by tests.
βœ… Project coverage is 95.31%. Comparing base (4c28c16) to head (546f302).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #105   +/-   ##
=======================================
  Coverage   95.31%   95.31%           
=======================================
  Files          26       26           
  Lines         726      726           
  Branches      210      207    -3     
=======================================
  Hits          692      692           
  Misses         34       34

β˜” View full report in Codecov by Sentry.
πŸ“’ Have feedback on the report? Share it here.

πŸš€ New features to boost your workflow:
  • πŸ“¦ JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate bot force-pushed the renovate/zod-4.x branch 7 times, most recently from fe55215 to 731f4d7 Compare November 4, 2025 13:03
coderabbitai[bot]
coderabbitai bot requested changes Nov 4, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

πŸ“œ Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between b3c030b and 731f4d7.

β›” Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
πŸ“’ Files selected for processing (2)
  • packages/blocks/package.json (1 hunks)
  • packages/database-integrations/package.json (1 hunks)
πŸ”‡ Additional comments (1)
packages/database-integrations/package.json (1)

35-35: No issues found β€” zod v4 is compatible with this package.

The main user-facing breaking change is default handling with .default().optional(), which this codebase doesn't use. Deprecated methods like .strict() remain available for backwards compatibility. The database-integrations package only contains schema definitions using z.object(), z.string(), .optional(), .extend(), z.record(), and type inferenceβ€”all fully supported in v4.

@renovate renovate bot force-pushed the renovate/zod-4.x branch 2 times, most recently from 1817727 to 2d62ae2 Compare November 4, 2025 17:10
coderabbitai[bot]
coderabbitai bot requested changes Nov 4, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

πŸ“œ Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 731f4d7 and 2d62ae2.

β›” Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
πŸ“’ Files selected for processing (2)
  • packages/blocks/package.json (1 hunks)
  • packages/database-integrations/package.json (1 hunks)
πŸ”‡ Additional comments (1)
packages/database-integrations/package.json (1)

35-35: Zod v4 appears compatible; confirm tests pass before merging.

The package uses only stable zod APIs (z.object, z.string, z.literal, z.optional, z.discriminatedUnion, z.infer, z.ZodSchema) with no deprecated error patterns or .nonstrict() calls. However, run npm test in packages/database-integrations/ to verify the 100+ .safeParse() calls in the test suite work with v4.1.12.

@renovate renovate bot force-pushed the renovate/zod-4.x branch from 2d62ae2 to fad71f5 Compare November 4, 2025 18:43
coderabbitai[bot]
coderabbitai bot requested changes Nov 4, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

πŸ“œ Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 2d62ae2 and fad71f5.

β›” Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
πŸ“’ Files selected for processing (2)
  • packages/blocks/package.json (1 hunks)
  • packages/database-integrations/package.json (1 hunks)
πŸ”‡ Additional comments (1)
packages/database-integrations/package.json (1)

35-35: No schema changes needed for zod v4 upgrade.

Verification found no z.record() calls in database-integrations. Schemas use z.object() and z.discriminatedUnion() exclusively, which have no breaking changes in zod v4. Safe to proceed.

@renovate renovate bot force-pushed the renovate/zod-4.x branch 4 times, most recently from 2954c00 to 1ee42cf Compare November 5, 2025 14:33
@renovate renovate bot force-pushed the renovate/zod-4.x branch from 1ee42cf to 546f302 Compare November 6, 2025 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

dependencies renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant