chore(deps): update dependency zod to v3.22.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
zod (source)	3.20.2 → 3.22.3

GitHub Vulnerability Alerts

CVE-2023-4316

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.

---

Release Notes

colinhacks/zod (zod)

v3.22.3

Compare Source

Commits:

• 1e23990 Commit
• 9bd3879 docs: remove obsolete text about readonly types (#​2676)
• f59be09 clarify datetime ISO 8601 (#​2673)
• 64dcc8e Update sponsors
• 18115a8 Formatting
• 28c1927 Update sponsors
• ad2ee9c 2718 Updated Custom Schemas documentation example to use type narrowing (#​2778)
• ae0f7a2 docs: update ref to discriminated-unions docs (#​2485)
• 2ba00fe [2609] fix ReDoS vulnerability in email regex (#​2824)
• 1e61d76 3.22.3

v3.22.2

Compare Source

Commits:

• 13d9e6b Fix lint
• 0d49f10 docs: add typeschema to ecosystem (#​2626)
• 8e4af7b X to Zod: add app.quicktype.io (#​2668)
• 792b3ef Fix superrefine types

v3.22.1

Compare Source

Commits:

Fix handing of this in ZodFunction schemas. The parse logic for function schemas now requires the Reflect API.

const methodObject = z.object({
  property: z.number(),
  method: z.function().args(z.string()).returns(z.number()),
});
const methodInstance = {
  property: 3,
  method: function (s: string) {
    return s.length + this.property;
  },
};
const parsed = methodObject.parse(methodInstance);
parsed.method("length=8"); // => 11 (8 length + 3 property)

• 932cc47 Initial prototype fix for issue #​2651 (#​2652)
• 0a055e7 3.22.1

v3.22.0

Compare Source

ZodReadonly

This release introduces ZodReadonly and the .readonly() method on ZodType.

Calling .readonly() on any schema returns a ZodReadonly instance that wraps the original schema. The new schema parses all inputs using the original schema, then calls Object.freeze() on the result. The inferred type is also marked as readonly.

const schema = z.object({ name: string }).readonly();
type schema = z.infer<typeof schema>;
// Readonly<{name: string}>

const result = schema.parse({ name: "fido" });
result.name = "simba"; // error

The inferred type uses TypeScript's built-in readonly types when relevant.

z.array(z.string()).readonly();
// readonly string[]

z.tuple([z.string(), z.number()]).readonly();
// readonly [string, number]

z.map(z.string(), z.date()).readonly();
// ReadonlyMap<string, Date>

z.set(z.string()).readonly();
// ReadonlySet<Promise<string>>

Commits:

• 6dad907 Comments
• 56ace68 Fix deno test
• 3809d54 Add superforms
• d1ad522 Add transloadit
• a3bb701 Testing on Typescript 5.0 (#​2221)
• 51e14be docs: update deprecated link (#​2219)
• a263814 fixed Datetime & IP TOC links
• 502384e docs: add mobx-zod-form to form integrations (#​2299)
• a8be450 docs: Add zocker to Ecosystem section (#​2416)
• 15de22a Allow subdomains and hyphens in ZodString.email (#​2274)
• 00f5783 Add zod-openapi to ecosystem (#​2434)
• 0a17340 docs: fix minor typo (#​2439)
• 60a2134 Add masterborn
• 0a90ed1 chore: move exports.types field to first spot @​ package.json. (#​2443)
• 67f35b1 docs: allow Zod to be used in dev tools at site (#​2432)
• 6795c57 Fix not working Deno doc link. (#​2428)
• 37e9c55 Generalize uuidRegex
• 0969950 adds ctx to preprocess (#​2426)
• af08390 fix: super refinement function types (#​2420)
• 36fef58 Make email regex reasonable (#​2157)
• f627d14 Document canary
• e06321c docs: add tapiduck to API libraries (#​2410)
• 11e507c docs: add ts as const example in zod enums (#​2412)
• 5427565 docs: add zod-fixture to mocking ecosystem (#​2409)
• d3bf7e6 docs: add zodock to mocking ecosystem (#​2394)
• 2270ae5 remove "as any" casts in createZodEnum (#​2332)
• 00bdd0a fix proto pollution vulnerability (#​2239)
• a3c5256 Fix error_handling unrecognized_keys example
• 4f75cbc Adds getters to Map for key + value (#​2356)
• ca7b032 FMC (#​2346)
• 6fec8bd docs: fix typo in link fragment (#​2329)
• 16f90bd Update README.md
• 2c80250 Update readme
• eaf64e0 Update sponsors
• c576311 Update readme
• 5e23b4f Add *.md pattern to prettier (#​2476)
• 898dced Revamp tests
• 6309322 Update test runners
• c0aece1 Add vitest config
• 73a5610 Update script
• 8d8e1a2 Fix deno test bug
• 9eb2508 Clean up configs
• cfbc7b3 Fix root jest config
• 8677f68 docs(comparison-yup): Yup added partial() and deepPartial() in v1 (#​2603)
• fb00edd docs: add VeeValidate form library for Vue.js (#​2578)
• ab8e717 docs: fix typo in z.object (#​2570)
• d870407 docs: fix incomplete Records example (#​2579)
• 5adae24 docs: add conform form integration (#​2577)
• 8b8ab3e Update README.md (#​2562)
• 6aab901 fix typo test name (#​2542)
• 81a89f5 Update nullish documentation to correct chaining order (#​2457)
• 78a4090 docs: update comparison with runtypes (#​2536)
• 1ecd624 Fix prettier
• 981d4b5 Add ZodReadonly (#​2634)
• fba438c 3.22.0

v3.21.4

Compare Source

Commits:

• 22f3cc6 3.21.4

v3.21.3

Compare Source

Commits:

• 14c08d8 added more .pipe examples
• 006e652 Fix npm canary action paths pattern (#​2148)
• bdcff0f Remove logging in tests
• a5830c6 Reverted #​1564
• c458381 Fix tests
• 2db0dca 3.21.3

v3.21.2

Compare Source

Commits:

• b276d71 Improve typings in generics
• 4d016b7 Improve type inference in generics
• f9895ab Improve types inside generic functions
• ac0135e Pass input into catchValue

v3.21.1

Compare Source

Features

Support for ULID validation

z.string().ulid();

Commits:

• 4f89461 Prettier
• bd6527a Update deps
• 126c77b added toLowerCase and toUpperCase back in for v3.21.0
• 1749657 Update README.md
• dabe63d updated z.custom example again :D
• 6b8f655 docs: improve cn readme (#​2143)
• 9012dc7 add .includes(value, options?) @​ ZodString. (#​1887)
• 67b981e Make safeParse().error a getter
• 346fde0 3.21.0-canary.20230304T235951
• b50d871 Add canary release CI
• b20cca2 Fix canary
• f7f5c50 Move action to .github/workflows
• f01fa0e Try to fix canary CI
• f5e8067 No git tag
• 5b304ae No dry run
• 20df80e Add tsc compilation test
• ead93d3 Document .pipe()
• d8e8653 Update headers
• 03c0ab1 Cache the evaluation of ParseInputLazyPath.path() for a moderate perf improvement (#​2137)
• e7b3b7b Improve string docs
• 83478f5 Remove zod dep
• 2f1868d Specify paths for canary
• e599966 Add sponsors
• 950bd17 Tweak x.custom example
• 728e56a Close #​2127
• 64883e4 feat: z.string().ulid() - add support for ulids (#​2049)
• e0d709b 3.20.1
• 9c33194 Remove comments, clean up utils
• 942e2db Fix tests

v3.21.0

Compare Source

Features

z.string().emoji()

Thanks @​joseph-lozano for #​2045! To validate that all characters in a string are emoji:

z.string().emoji()

...if that's something you want to do for some reason.

z.string().cuid2()

Thanks @​joulev for #​1813! To validate CUIDv2:

z.string().cuid2()

z.string().ip()

Thanks @​fvckDesa for #​2066. To validate that a string is a valid IP address:

const v4IP = "122.122.122.122";
const v6IP = "6097:adfa:6f0b:220d:db08:5021:6191:7990";

// matches both IPv4 and IPv6 by default
const ipSchema = z.string().ip();
ipSchema.parse(v4IP) //  pass
ipSchema.parse(v6IP) //  pass

To specify a particular version:

const ipv4Schema = z.string().ip({ version: "v4" });
const ipv6Schema = z.string().ip({ version: "v6" });

z.bigint().{gt|gte|lt|lte}()

Thanks @​igalklebanov for #1711! ZodBigInt gets the same set of methods found on ZodNumber:

z.bigint().gt(BigInt(5));
z.bigint().gte(BigInt(5));
z.bigint().lt(BigInt(5));
z.bigint().lte(BigInt(5));
z.bigint().positive();
z.bigint().negative();
z.bigint().nonnegative();
z.bigint().nonpositive();
z.bigint().multipleOf(BigInt(5));

z.enum(...).extract() and z.enum(...).exclude()

Thanks @​santosmarco-caribou for #​1652! To add or remove elements from a ZodEnum:

const FoodEnum = z.enum(["Pasta", "Pizza", "Tacos", "Burgers", "Salad"]);
const ItalianEnum = FoodEnum.extract(["Pasta", "Pizza"]); // ZodEnum<["Pasta", "Pizza"]>
const UnhealthyEnum = FoodEnum.exclude(["Salad"]); // ZodEnum<["Pasta", "Pizza", "Tacos", "Burgers"]>

This API is inspired by the Exclude and Extract TypeScript built-ins.

Pass a function to .catch()

Thanks @​0xWryth for #​2087! The .catch() method now accepts a function that receives the caught error:

const numberWithErrorCatch = z.number().catch((ctx) => {
  ctx.error; // ZodError
  return 42;
});

Compiler performance

Zod 3.20.2 introduced an accidental type recursion that caused long compilation times for some users. These kinds of bugs are very hard to diagnose. Big shoutout to @​gydroperit for some heroic efforts here: #​2107 Zod 3.21 resolves these issues:

• #​2142
• #​1741
• https://stackoverflow.com/questions/74881472/slow-typescript-autocompletion-in-vs-code-for-zod

Commits:

• 3c54461 fix typo in readme
• c244fb6 feat: z.string().emoji() (#​2045)
• 39cbb69 Fix emoji validation, fix lint
• d8f07bb Fix emoji
• 9b7dd81 Improve variable name clarity (#​2048)
• 5cec187 Add documentation for the param parameter of z.custom
• 654f529 Merge pull request #​2057 from trygveaa/add-documentation-for-z-custom-params
• 981af65 Merge pull request #​2019 from vbud/patch-1
• a7c2969 Update error_handling
• 8f3d028 BRAND Record to Non Partial (#​2097)
• 5ec98e1 Fix email issues in pull request #​1982 (#​2058)
• 7d40ba5 feat(#​2059): z.string.ip() - add support for IP address (#​2066)
• e559605 feat: add .catch error (#​2087)
• defdab9 Fix record tests
• 8de36eb FIX: emoji regex and tests (#​2090)
• 16beeb5 lowercase method for ZodString (#​2038)
• 75cb9e8 add checks @​ ZodBigInt. (#​1711)
• c4d4e49 Update ERROR_HANDLING.md (#​2022)
• d6f0890 added link to deno land
• 4cf1960 Refactoring of ZodFormattedError type to improve tsc check time (#​2107)
• 867a921 Bump http-cache-semantics from 4.1.0 to 4.1.1 (#​1985)
• edc3a67 Deprecate deepPartial
• e59f639 Add custom tests
• a6b44ed Remove logging
• a1fc3fb commented out toLowerCase and toUpperCase
• e71cc52 Update README_ZH.md (#​2139)
• 3af38fb add ZodNumber.safe() & ZodNumber.isSafe. (#​1753)
• 6ef82ee Add benchmark flags
• 5463593 Support brands in recursive types
• 8074523 Update readme
• b6794a4 Add index signature for passthrough
• 3c6cdd2 Make generic optional in objectOutputType
• bc43ad1 Fix rollup build
• 6a0545a 3.21.0
• 7c07339 Fix brand
• 0aa6021 Clean up tests

v3.20.6

Compare Source

Commits:

• e693919 3.20.6

v3.20.5

Compare Source

Commits:

• e71c7be Fix extract/exclude type error

v3.20.4

Compare Source

Commits:

• b8d731f Set input type of ZodCatch to unknown
• 06c237c Revert merge changes
• c8ce27e 3.20.4

v3.20.3

Compare Source

Features

• Add string cuid2() validation by @​joulev in #​1813
• Add ZodNumber.isFinite, make ZodNumber.isInt true if .multipleOf(int). by @​igalklebanov in #​1714
• feat: Add extract/exclude methods to ZodEnum by @​santosmarco-caribou in #​1652

Fixes and documentation

• add more test cases for z.coerce. by @​igalklebanov in #​1680
• Add Modular Forms to form integrations in README by @​fabian-hiller in #​1695
• docs: Instruct users to return z.NEVER in .superRefine() when providing a type predicate by @​zetaraku in #​1742
• Fix small typo in ERROR_HANDLING.md by @​t-shiratori in #​1720
• Improve accuracy of the isAsync type guard by @​aaronccasanova in #​1719
• fix: Fix ZodCatch by @​santosmarco-caribou in #​1733
• Fix datetime offset without comma by @​ooga in #​1749
• Discriminated union example fails to parse by @​matthewfallshaw in #​1713
• fix: [#​1693] Tuple with empty items by @​metuan in #​1712
• fix: #​1668 email regex safari compat by @​AnatoleLucet in #​1683
• docs: fix typo by @​zetaraku in #​1699
• fix installation links in table of contents by @​DetachHead in #​1700
• Updated deno/lib/README.md to match zod/README.md by @​JacobWeisenburger in #​1791
• fix(#​1743): Fix passing params in root class by @​santosmarco-caribou in #​1756
• change the chaining order of nullish method by @​p10ns11y in #​1702
• Propagate custom error type to ZodFormattedError subfields by @​carlgieringer in #​1617
• fix deno literal test. by @​igalklebanov in #​1794
• Document .describe() by @​rattrayalex in #​1819
• update homepage link in package.json by @​Gpx in #​1830
• fix: compile error in sample code by @​jtgi in #​1822
• Readme: Move "Coercion for primitives" section by @​tordans in #​1842
• Readme: Add internal links "or" <-> "union" by @​tordans in #​1846
• Readme: Add example for string validation for an optional field to chapter "Unions" by @​tordans in #​1849
• Readme: Add intro to chapter Literals by @​tordans in #​1877
• fix: faker.js link in readme by @​markacola in #​1843
• Minor typo fix by @​iamchandru6470 in #​1945
• chore(documentation): Update CHANGELOG to redirect to Github Releases by @​mitchwd in #​1936
• fix: [#​1839] remove caught errors from issues by @​maxArturo in #​1926
• fix: [#​1784] dark mode in the documentation by @​fvckDesa in #​1932
• Allow also "[+-]hh" as datetime offset by @​rafw87 in #​1797
• Feature/add resolves method to zod promise by @​bolencki13 in #​1871
• test: add benchmark tests for date and symbol by @​pnts-se in #​1796
• export the email regex by @​andresBobsled in #​2007
• Add React form validation library to ecosystem by @​crutchcorn in #​1999
• fix: make sure only mask keys with truthy values are respected at runtime @​ .pick, .omit, .partial & .required. by @​igalklebanov in #​1875
• fix: failing prettier checks on merge by @​maxArturo in #​1969
• deny unexpected keys @​ ZodObject's .omit(mask),.pick(mask),.required(mask) & .partial(mask) at compile time. by @​igalklebanov in #​1564
• docs: punctuation by @​jly36963 in #​1973
• fix[#​1979]: Increment Email validation by @​fvckDesa in #​1982
• test: additional unit-tests for object by @​pnts-se in #​1729

New Contributors

• @​fabian-hiller made their first contribution in #​1695
• @​zetaraku made their first contribution in #​1742
• @​t-shiratori made their first contribution in #​1720
• @​aaronccasanova made their first contribution in #​1719
• @​ooga made their first contribution in #​1749
• @​matthewfallshaw made their first contribution in #​1713
• @​metuan made their first contribution in #​1712
• @​AnatoleLucet made their first contribution in #​1683
• @​DetachHead made their first contribution in #​1700
• @​p10ns11y made their first contribution in #​1702
• @​carlgieringer made their first contribution in #​1617
• @​rattrayalex made their first contribution in #​1819
• @​Gpx made their first contribution in #​1830
• @​jtgi made their first contribution in #​1822
• @​tordans made their first contribution in #​1842
• @​markacola made their first contribution in #​1843
• @​iamchandru6470 made their first contribution in #​1945
• @​mitchwd made their first contribution in #​1936
• @​fvckDesa made their first contribution in #​1932
• @​rafw87 made their first contribution in #​1797
• @​bolencki13 made their first contribution in #​1871
• @​joulev made their first contribution in #​1813
• @​pnts-se made their first contribution in #​1796
• @​andresBobsled made their first contribution in #​2007
• @​crutchcorn made their first contribution in #​1999
• @​jly36963 made their first contribution in #​1973

Full Changelog: colinhacks/zod@v3.20.2...v3.20.3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.