Skip to content

fix(deps): update dependency zod to ^4.3.5 - abandoned#4803

Open
homarr-renovate[bot] wants to merge 6 commits intodevfrom
renovate/zod-4-x
Open

fix(deps): update dependency zod to ^4.3.5 - abandoned#4803
homarr-renovate[bot] wants to merge 6 commits intodevfrom
renovate/zod-4-x

Conversation

@homarr-renovate
Copy link
Contributor

@homarr-renovate homarr-renovate bot commented Jan 5, 2026

This PR contains the following updates:

Package Change Age Confidence
zod (source) ^4.2.1 -> ^4.3.5 age confidence

Release Notes

colinhacks/zod (zod)

v4.3.5

Compare Source

Commits:

v4.3.4

Compare Source

Commits:

v4.3.3

Compare Source

Commits:

v4.3.2

Compare Source

Commits:

v4.3.1

Compare Source

Commits:
  • 0fe8840 allow non-overwriting extends with refinements. 4.3.1

v4.3.0

Compare Source

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#​5534, #​5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";

const schema = z.fromJSONSchema({
  type: "object",
  properties: {
    name: { type: "string", minLength: 1 },
    age: { type: "integer", minimum: 0 },
  },
  required: ["name"],
});

schema.parse({ name: "Alice", age: 30 }); // ✅

The API should be considered experimental. There are no guarantees of 1:1 "round-trip soundness": MySchema > z.toJSONSchema() > z.fromJSONSchema(). There are several features of Zod that don't exist in JSON Schema and vice versa, which makes this virtually impossible.

Features supported:

  • All primitive types (string, number, integer, boolean, null, object, array)
  • String formats (email, uri, uuid, date-time, date, time, ipv4, ipv6, and more)
  • Composition (anyOf, oneOf, allOf)
  • Object constraints (additionalProperties, patternProperties, propertyNames)
  • Array constraints (prefixItems, items, minItems, maxItems)
  • $ref for local references and circular schemas
  • Custom metadata is preserved
z.xor() — exclusive union (#​5534)

A new exclusive union type that requires exactly one option to match. Unlike z.union() which passes if any option matches, z.xor() fails if zero or more than one option matches.

const schema = z.xor([z.string(), z.number()]);

schema.parse("hello"); // ✅
schema.parse(42);      // ✅
schema.parse(true);    // ❌ zero matches

When converted to JSON Schema, z.xor() produces oneOf instead of anyOf.

z.looseRecord() — partial record validation (#​5534)

A new record variant that only validates keys matching the key schema, passing through non-matching keys unchanged. This is used to represent patternProperties in JSON Schema.

const schema = z.looseRecord(z.string().regex(/^S_/), z.string());

schema.parse({ S_name: "John", other: 123 });
// ✅ { S_name: "John", other: 123 }
// only S_name is validated, "other" passes through
.exactOptional() — strict optional properties (#​5589)

A new wrapper that makes a property key-optional (can be omitted) but does not accept undefined as an explicit value.

const schema = z.object({
  a: z.string().optional(),      // accepts `undefined`
  b: z.string().exactOptional(), // does not accept `undefined`
});

schema.parse({});                  // ✅
schema.parse({ a: undefined });    // ✅
schema.parse({ b: undefined });    // ❌

This makes it possible to accurately represent the full spectrum of optionality expressible using exactOptionalPropertyTypes.

.apply()

A utility method for applying arbitrary transformations to a schema, enabling cleaner schema composition. (#​5463)

const setCommonChecks = <T extends z.ZodNumber>(schema: T) => {
  return schema.min(0).max(100);
};

const schema = z.number().apply(setCommonChecks).nullable();
.brand() cardinality

The .brand() method now accepts a second argument to control whether the brand applies to input, output, or both. Closes #​4764, #​4836.

// output only (default)
z.string().brand<"UserId">();           // output is branded (default)
z.string().brand<"UserId", "out">();    // output is branded
z.string().brand<"UserId", "in">();     // input is branded
z.string().brand<"UserId", "inout">();  // both are branded
Type predicates on .refine() (#​5575)

The .refine() method now supports type predicates to narrow the output type:

const schema = z.string().refine((s): s is "a" => s === "a");

type Input = z.input<typeof schema>;   // string
type Output = z.output<typeof schema>; // "a"
ZodMap methods: min, max, nonempty, size (#​5316)

ZodMap now has parity with ZodSet and ZodArray:

const schema = z.map(z.string(), z.number())
  .min(1)
  .max(10)
  .nonempty();

schema.size; // access the size constraint
.with() alias for .check() (359c0db)

A new .with() method has been added as a more readable alias for .check(). Over time, more APIs have been added that don't qualify as "checks". The new method provides a readable alternative that doesn't muddy semantics.

z.string().with(
  z.minLength(5),
  z.toLowerCase()
);

// equivalent to:
z.string().check(
  z.minLength(5),
  z.trim(),
  z.toLowerCase()
);
z.slugify() transform

Transform strings into URL-friendly slugs. Works great with .with():

// Zod
z.string().slugify().parse("Hello World");           // "hello-world"

// Zod Mini
// using .with() for explicit check composition
z.string().with(z.slugify()).parse("Hello World");   // "hello-world"
z.meta() and z.describe() in Zod Mini (947b4eb)

Zod Mini now exports z.meta() and z.describe() as top-level functions for adding metadata to schemas:

import * as z from "zod/mini";

// add description
const schema = z.string().with(
  z.describe("A user's name"),
);

// add arbitrary metadata
const schema2 = z.number().with(
  z.meta({ deprecated: true })
);
More ergonomic intersections #​5587

When intersecting schemas that include z.strictObject(), Zod 4 now only rejects keys that are unrecognized by both sides of the intersection. Previously, any unrecognized key from either side would cause an error.

This means keys that are recognized by at least one side of the intersection will now pass validation:

const A = z.strictObject({ a: z.string() });
const B = z.object({ b: z.string() });

const C = z.intersection(A, B);

// Keys recognized by either side now work
C.parse({ a: "foo", b: "bar" }); // ✅ { a: "foo", b: "bar" }

// Extra keys are stripped (follows strip behavior from B)
C.parse({ a: "foo", b: "bar", c: "extra" }); // ✅ { a: "foo", b: "bar" }

When both sides are strict, only keys unrecognized by both sides will error:

const A = z.strictObject({ a: z.string() });
const B = z.strictObject({ b: z.string() });

const C = z.intersection(A, B);

// Keys recognized by either side work
C.parse({ a: "foo", b: "bar" }); // ✅

// Keys unrecognized by BOTH sides error
C.parse({ a: "foo", b: "bar", c: "extra" }); 
// ❌ ZodError: Unrecognized key: "c"
New locales
import * as z from "zod";
import { uz } from "zod/locales";

z.config(uz());




Bug fixes

All of these changes fix soundness issues in Zod. As with any bug fix there's some chance of breakage if you were intentionally or unintentionally relying on this unsound behavior.

⚠️ .pick() and .omit() disallowed on object schemas containing refinements (#​5317)

Using .pick() or .omit() on object schemas with refinements now throws an error. Previously, this would silently drop the refinements, leading to unexpected behavior.

const schema = z.object({
  password: z.string(),
  confirmPassword: z.string(),
}).refine(data => data.password === data.confirmPassword);

schema.pick({ password: true });
// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ❌

Migration: The easiest way to migrate is to create a new schema using the shape of the old one.

const newSchema = z.object(schema.shape).pick({ ... })
⚠️ overwriting properties with.extend() disallowed on object schemas with refinements (#​5317)

Similarly, .extend() will throws on schemas with refinements if you are overwriting existing properties.

const schema = z.object({ 
  a: z.string() 
}).refine(/* ... */);

schema.extend({ a: z.number() }); // 4.3: throws error ❌

Instead you can use .safeExtend(), which statically ensures that you aren't changing the type signature of any pre-existing properties.

const schema = z.object({ 
  a: z.string(),
}).refine(/* ... */);

schema.safeExtend({ 
  a: z.string().min(5).max(10) 
}); // ✅ allows overwrite, preserves refinement
⚠️ Stricter object masking methods (#​5581)

Object masking methods (.pick(), .omit()) now validate that the keys provided actually exist in the schema:

const schema = z.object({ a: z.string() });

// 4.3: throws error for unrecognized keys
schema.pick({ nonexistent: true });
// error: unrecognized key: "nonexistent"




Additional changes
  • Fixed JSON Schema generation for z.iso.time with minute precision (#​5557)
  • Fixed error details for tuples with extraneous elements (#​5555)
  • Fixed includes method params typing to accept string | $ZodCheckIncludesParams (#​5556)
  • Fixed numeric formats error messages to be inclusive (#​5485)
  • Fixed implementAsync inferred type to always be a promise (#​5476)
  • Tightened E.164 regex to require a non-zero leading digit and 7–15 digits total (#​5524)
  • Fixed Dutch (nl) error strings (#​5529)
  • Convert Date instances to numbers in minimum/maximum checks (#​5351)
  • Improved numeric keys handling in z.record() (#​5585)
  • Lazy initialization of ~standard schema property (#​5363)
  • Functions marked as @__NO_SIDE_EFFECTS__ for better tree-shaking (#​5475)
  • Improved metadata tracking across child-parent relationships (#​5578)
  • Improved locale translation approach (#​5584)
  • Dropped id uniqueness enforcement at registry level (#​5574)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@homarr-renovate homarr-renovate bot enabled auto-merge (squash) January 5, 2026 05:38
homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 5, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

@deepsource-io
Copy link
Contributor

deepsource-io bot commented Jan 5, 2026

Here's the code health analysis summary for commits 2e58acc..a6fbe82. View details on DeepSource ↗.

Analysis Summary

AnalyzerStatusSummaryLink
DeepSource JavaScript LogoJavaScript✅ SuccessView Check ↗

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

@homarr-renovate homarr-renovate bot changed the title fix(deps): update dependency zod to ^4.3.0 fix(deps): update dependency zod to ^4.3.2 Jan 5, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 5, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

@homarr-renovate homarr-renovate bot changed the title fix(deps): update dependency zod to ^4.3.2 fix(deps): update dependency zod to ^4.3.3 Jan 5, 2026
homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 5, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

@homarr-renovate homarr-renovate bot changed the title fix(deps): update dependency zod to ^4.3.3 fix(deps): update dependency zod to ^4.3.4 Jan 5, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 6, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 8, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 17, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

homarr-approvals[bot]
homarr-approvals bot previously approved these changes Jan 18, 2026
Copy link

@homarr-approvals homarr-approvals bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by GitHub Action

@homarr-renovate
Copy link
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@homarr-renovate homarr-renovate bot changed the title fix(deps): update dependency zod to ^4.3.5 fix(deps): update dependency zod to ^4.3.5 - abandoned Feb 25, 2026
@homarr-renovate
Copy link
Contributor Author

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant