chore(deps): update dependency zod to v3.25.76

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
zod (source)	3.25.55 → 3.25.76

---

Release Notes

colinhacks/zod (zod)

v3.25.76

Compare Source

Commits:

• 91c9ca6 fix: cleanup _idmap of $ZodRegistry (#​4837)
• 9cce1c5 docs: fix typo in flattenError example on error-formatting page (#​4819) (#​4833)
• a3560ae v3.25.76 (#​4838)
• 5060661 Release 3.25.76
• 7baee4e Update index.mdx (#​4831)

v3.25.75

Compare Source

Commits:

• c5f349b Fix z.undefined() behavior in toJSONSchema

v3.25.74

Compare Source

Commits:

• ae0dbe1 Partial record
• 39c5f71 3.25.74

v3.25.73

Compare Source

Commits:

• 1021d3c v3.25.73 (#​4822)

v3.25.72

Compare Source

Commits:

• 4a4dac7 Warn about id uniqueness check on Metadata page (#​4782)
• 7a5838d feat(locale): Add Esperanto (eo) locale (#​4743)
• 36fe14e Fix optionality of schemas (#​4769)
• 20c8c4b Fix re-export bug
• 8b0df10 3.25.72

v3.25.71

Compare Source

Commits:

• 66a0f34 Move source to /src (#​4808)
• 2a15f44 3.25.71

v3.25.70

Compare Source

Commits:

• bd81c7c Add ecosystem listing to homepage
• 1ddb971 Add Mobb to sponsors
• 30ba440 Clean up ecosystem.mdx
• 0ef1b85 Add svelte-jsonschema-form to form integrations (#​4784)
• 14715f1 docs: fix Lambda spelling (#​4804)
• f6da030 Add back src (#​4806)
• 364200a Revert "Add back src (#​4806)"
• 16e1b67 v3.25.70 (#​4807)

v3.25.69

Compare Source

Commits:

• f46946c Improve release workflow
• b6fe831 Do not clobber defaults in
• 7f986d0 Skip attw test if Zod isn't built
• 5576182 Add exact to too_big/too_small issue formats (#​4802)
• 8fd2fc3 3.25.69

v3.25.68

Compare Source

Commits:

• d3e0f86 feat: add zod-xlsx back to the ecosystem.tsx (#​4718)
• 86112d9 chore: update lint-staged from v12 to v16 (#​4703)
• 218a267 chore: remove unused octokit (#​4708)
• a7cb6ed fix(v4): add exact to length check issue (#​4617)
• b888170 Close #​4035
• 5879baf Fix fmt
• bd1bdda Fix build
• ddadfb8 Simplify basics, document reportInput
• d5e2368 Add z.stringFormat() (#​4737)
• ee5615d Drop example and examples entirely
• 4080fd9 Add treeshaking discussion to docs
• cf6157a Docs
• 39947ac Use import star everywhere
• 7e296ae WIP
• bb42be4 Update treeshake target
• 0a49fa3 Improve mini docs
• 1b0a5e5 Add dep
• 90fa0cd Switch to zshy (#​4777)
• af3841b Rename play.ts
• cf12ccf 3.25.68
• 34ae421 Update snapshot

v3.25.67

Compare Source

Commits:

• 7afe790 Make $ZodLiteralDef generic
• 91274c3 3.25.67
• c22944b Fix race condition

v3.25.66

Compare Source

Commits:

• 2b3e87b Update api.ts (#​4724)
• 100e9aa chore: include zod-validation-error to Ecosystem page (#​4722)
• de3517e fix(docs): prevent FOUC on website homepage logo (#​4716)
• 222a663 Change ZodObject default to $strip. Set inst.shape in zod mini
• fb00618 3.25.66

v3.25.65

Compare Source

Commits:

• 6530994 Clean up ecosystem
• 131fdbd fix(docs): Use array as argument of templateLiteral (#​4701)
• ed648b1 chore: remove deprecated @​types/chalk (#​4685)
• 12dd489 Add catchall to zod-mini
• fcb722a Add uuid to changelog
• 8c74035 3.25.65

v3.25.64

Compare Source

Commits:

• b142ea8 Fix $strip
• b6e59c3 Check for existence of Error.captureStackTrace
• 0c686af Remove type from mime issue path
• af88d74 Fix test

v3.25.63

Compare Source

Commits:

• 7ed0c36 Allow hours-only offsets. Normalize. (#​4676)
• 112fff6 Fix iso tests
• 6176dcb Improve ISO second handling (#​4680)
• 8e20a20 Use consistent variable names for IP examples (#​4679)
• 29e4973 refactor: remove unnecessary assertion (#​4672)
• c626fe1 chore: update husky from v7 to v9 (#​4682)
• f350a69 3.25.63

v3.25.62

Compare Source

Commits:

• c568dea Drop | undefined from json schema types
• 1614fd8 3.25.62

v3.25.61

Compare Source

Commits:

• 1c2ad87 Loose signature for index signature shapes
• afa7e67 3.25.61
• 82b43fa Fix test

v3.25.60

Compare Source

• no changes

v3.25.59

Compare Source

Commits:

• aec5c4a Fix formatting
• d3389cb refactor: change if in else to else if (#​4664)
• ffc41bd Improve JSON Schema typing

v3.25.58

Compare Source

Commits:

• 21ee3f6 Add Zod Sockets to Ecosystem (#​4655)
• 6707ebb v4: Preserve function types in .meta() (#​4636)
• 3cecd98 Added Superforms for SvelteKit (#​4635)
• 305399f Fix adjectives in Japanese (#​4648)
• 04dc83e feat(locale): Add Pashto (ps) locale support (#​4594)
• ed933d9 refactor: remove unused import & imported multiple times (#​4588)
• 0d87aa4 Make id lazy
• f98ed6d npmrc
• 7262301 remove external
• 2904af2 3.25.58

v3.25.57

Compare Source

Commits:

• daae643 docs: fix broken link in Zod Core errors docs (#​4640)
• e57ddca Replace non existing error instance. (#​4649)
• 20b464d Add tests, use ReadonlyArray
• 9548f11 chore: allow readonly arrays in z.literal (#​4643)
• 303f1e9 fix: issc type at ZodCheckLessThan (#​4659)
• fa83a8a Fix pluto
• 32ae1cd Improve stringbool (#​4661)
• 76ddfe3 3.25.57

v3.25.56

Compare Source

Commits:

• 64bfb70 3.25.56

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: SQL Injection and Cross-site Scripting in npm class-validator CVE: GHSA-fj58-h2fr-3pp2 SQL Injection and Cross-site Scripting in class-validator (CRITICAL) Affected versions: < 0.14.0 Patched version: 0.14.0 From: ? → npm/@subql/substrate-wasm-processor@1.0.0 → npm/class-validator@0.13.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/class-validator@0.13.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE CVE: GHSA-r275-fr43-pm7q simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE (CRITICAL) Affected versions: >= 3.15.0 < 3.32.3 Patched version: 3.32.3 From: ? → npm/@subql/cli@6.0.2 → npm/simple-git@3.28.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/simple-git@3.28.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @webbuf/webbuf is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: ? → npm/@autonomys/auto-dag-data@1.6.5 → npm/@webbuf/webbuf@3.0.26 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webbuf/webbuf@3.0.26. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Protestware or unwanted behavior: npm es5-ext Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts. From: ? → npm/websocket@1.0.35 → npm/es5-ext@0.10.64 ℹ Read more on: This package | This alert | What is protestware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	text-encoding@​0.7.0
	axios@​1.9.0
	@​keyvhq/​core@​2.1.7
	@​types/​mime-types@​2.1.4
	@​subql/​types@​3.14.1
	@​subql/​common-substrate@​4.5.1
	@​types/​stream-fork@​1.0.5
	@​keyvhq/​sqlite@​2.1.7
	@​autonomys/​file-server@​1.6.5
	jest@​30.0.5
	@​types/​pg-format@​1.0.5
	@​subql/​substrate-wasm-processor@​1.0.0
	@​autonomys/​asynchronous@​1.6.5
	@​types/​express@​5.0.2
	@​typescript-eslint/​parser@​8.33.1
	cache-sqlite-lru-ttl@​1.0.0
	@​types/​supertest@​6.0.3
	stream-fork@​1.0.5
	@​types/​pg@​8.15.4
	@​types/​cpu-features@​0.0.3
	db-migrate-pg@​1.5.2
	@​types/​websocket@​1.0.10
	pg-format@​1.0.4
	@​autonomys/​rpc@​1.6.5
	@​types/​k6@​1.0.2
	@​types/​text-encoding@​0.0.40
	@​autonomys/​auto-dag-data@​1.6.5
	@​subql/​node@​5.11.2
	eslint-plugin-require-extensions@​0.1.3
	@​autonomys/​auto-utils@​1.6.5
	cpu-features@​0.0.10
	@​typescript-eslint/​eslint-plugin@​8.33.1
	websocket@​1.0.35
See 23 more rows in the dashboard

View full report