fix(deps): update dependency zod to v3.22.3 [security] #186

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-zod-vulnerability

Conversation

@renovate renovate Bot (Contributor) commented Oct 9, 2023
This PR contains the following updates:

Package      | Change           | Age     | Confidence
zod (source) | 3.20.6 -> 3.22.3 | (badge) | (badge)

Zod denial of service vulnerability

CVE-2023-4316 / GHSA-m95q-7qp3-xv42

More information

Details

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

colinhacks/zod (zod)

v3.22.3

Compare Source

v3.22.2

Compare Source

v3.22.1

Compare Source

Fix handling of this in ZodFunction schemas. The parse logic for function schemas now requires the Reflect API.

const methodObject = z.object({
  property: z.number(),
  method: z.function().args(z.string()).returns(z.number()),
});
const methodInstance = {
  property: 3,
  method: function (s: string) {
    return s.length + this.property;
  },
};
const parsed = methodObject.parse(methodInstance);
parsed.method("length=8"); // => 11 (8 length + 3 property)

v3.22.0

Compare Source

ZodReadonly

This release introduces ZodReadonly and the .readonly() method on ZodType.

Calling .readonly() on any schema returns a ZodReadonly instance that wraps the original schema. The new schema parses all inputs using the original schema, then calls Object.freeze() on the result. The inferred type is also marked as readonly.

const schema = z.object({ name: z.string() }).readonly();
type schema = z.infer<typeof schema>;
// Readonly<{name: string}>

const result = schema.parse({ name: "fido" });
result.name = "simba"; // error

The inferred type uses TypeScript's built-in readonly types when relevant.

z.array(z.string()).readonly();
// readonly string[]

z.tuple([z.string(), z.number()]).readonly();
// readonly [string, number]

z.map(z.string(), z.date()).readonly();
// ReadonlyMap<string, Date>

z.set(z.string()).readonly();
// ReadonlySet<string>

v3.21.4

Compare Source

v3.21.3

Compare Source

v3.21.2

Compare Source

Commits:

  • b276d71 Improve typings in generics
  • 4d016b7 Improve type inference in generics
  • f9895ab Improve types inside generic functions
  • ac0135e Pass input into catchValue

v3.21.1

Compare Source

Features

Support for ULID validation

z.string().ulid();

v3.21.0

Compare Source

Features

z.string().emoji()

Thanks @joseph-lozano for #2045! To validate that all characters in a string are emoji:

z.string().emoji()

...if that's something you want to do for some reason.

z.string().cuid2()

Thanks @joulev for #1813! To validate CUIDv2:

z.string().cuid2()

z.string().ip()

Thanks @fvckDesa for #2066. To validate that a string is a valid IP address:

const v4IP = "122.122.122.122";
const v6IP = "6097:adfa:6f0b:220d:db08:5021:6191:7990";

// matches both IPv4 and IPv6 by default
const ipSchema = z.string().ip();
ipSchema.parse(v4IP); // pass
ipSchema.parse(v6IP); // pass

To specify a particular version:

const ipv4Schema = z.string().ip({ version: "v4" });
const ipv6Schema = z.string().ip({ version: "v6" });

z.bigint().{gt|gte|lt|lte}()

Thanks @igalklebanov for #1711! ZodBigInt gets the same set of methods found on ZodNumber:

z.bigint().gt(BigInt(5));
z.bigint().gte(BigInt(5));
z.bigint().lt(BigInt(5));
z.bigint().lte(BigInt(5));
z.bigint().positive();
z.bigint().negative();
z.bigint().nonnegative();
z.bigint().nonpositive();
z.bigint().multipleOf(BigInt(5));

z.enum(...).extract() and z.enum(...).exclude()

Thanks @santosmarco-caribou for #1652! To add or remove elements from a ZodEnum:

const FoodEnum = z.enum(["Pasta", "Pizza", "Tacos", "Burgers", "Salad"]);
const ItalianEnum = FoodEnum.extract(["Pasta", "Pizza"]); // ZodEnum<["Pasta", "Pizza"]>
const UnhealthyEnum = FoodEnum.exclude(["Salad"]); // ZodEnum<["Pasta", "Pizza", "Tacos", "Burgers"]>

This API is inspired by the Exclude and Extract TypeScript built-ins.

Pass a function to .catch()

Thanks @0xWryth for #2087! The .catch() method now accepts a function that receives the caught error:

const numberWithErrorCatch = z.number().catch((ctx) => {
  ctx.error; // ZodError
  return 42;
});

Compiler performance

Zod 3.20.2 introduced an accidental type recursion that caused long compilation times for some users. These kinds of bugs are very hard to diagnose. Big shoutout to @gydroperit for some heroic efforts here: #2107. Zod 3.21 resolves these issues.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
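The advisory above only matters if a vulnerable zod is actually what ends up installed, and a hoisted bump can leave an older copy nested under another dependency. The following is an added example, not part of this PR, of Renovate, or of zod: a small Node.js check that walks a package-lock.json and flags every zod install below the 3.22.3 release this PR moves to. The lockfile is constructed inline, and the package-lock v2/v3 layout (a `packages` map keyed by install path) is assumed.

```javascript
// Added example, not part of this PR, Renovate or zod: scan an npm lockfile for
// zod installs that are still below the release this PR moves to, including
// nested copies that a hoisted upgrade can leave behind.
// Assumption: package-lock.json v2/v3 layout, where "packages" maps install
// paths such as "node_modules/zod" to entries carrying a "version" field.

const FIXED_ZOD_VERSION = "3.22.3"; // target version of this PR

// Compare two dotted versions such as "3.20.6" and "3.22.3"; returns -1, 0 or 1.
// A pre-release tag ("3.22.3-beta.1") sorts below the plain release.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split("-", 2);
    return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] ?? 0;
    const y = pb.nums[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Every zod install in the lockfile, hoisted or nested, with a vulnerable flag.
function findZodInstalls(lockfile, fixedVersion = FIXED_ZOD_VERSION) {
  const installs = [];
  for (const [path, meta] of Object.entries(lockfile.packages ?? {})) {
    // "node_modules/zod" or ".../node_modules/zod", but not "zod-something".
    if (!/(^|\/)node_modules\/zod$/.test(path)) continue;
    if (typeof meta.version !== "string") continue;
    installs.push({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedVersion) < 0,
    });
  }
  return installs;
}

// One line per install; suitable for a CI log.
function summarize(installs) {
  if (installs.length === 0) return "zod not present in lockfile";
  return installs
    .map((i) => `${i.vulnerable ? "VULNERABLE" : "ok"} ${i.path} ${i.version}`)
    .join("\n");
}

// Constructed sample lockfile: a hoisted zod at the version this PR replaces,
// plus a nested, already fixed copy pulled in by another dependency, and an
// unrelated package whose name merely starts with "zod".
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { zod: "^3.20.0", "some-lib": "^1.0.0" } },
    "node_modules/zod": { version: "3.20.6" },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { zod: "3.22.3" } },
    "node_modules/some-lib/node_modules/zod": { version: "3.22.3" },
    "node_modules/zod-validation-error": { version: "1.0.0" },
  },
};

console.log(summarize(findZodInstalls(SAMPLE_LOCKFILE)));
// VULNERABLE node_modules/zod 3.20.6
// ok node_modules/some-lib/node_modules/zod 3.22.3
```

To run this against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and fail the build when any entry is flagged. Lockfile v1 files keep the tree under a nested `dependencies` map instead of `packages` and would need a different walk.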
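The v3.22.0 notes above describe .readonly() as parsing with the wrapped schema and then calling Object.freeze() on the result. Object.freeze is shallow, so nested arrays and objects in a "readonly" parse result stay mutable. The following is an added example, not zod's own implementation: a stand-in for that described behaviour next to a deep-freezing variant, with a report function that shows which parts of the result are actually immutable. `profileSchema` is a constructed object with a parse() method, not a zod schema.

```javascript
// Added example, not zod's own implementation: mimic what the v3.22.0 notes
// say .readonly() does (parse with the wrapped schema, then Object.freeze the
// result) and show the edge case that Object.freeze is shallow.

// Constructed stand-in for a schema: anything with a parse() that validates
// and returns a fresh value. Not a zod schema.
const profileSchema = {
  parse(input) {
    if (typeof input.name !== "string" || !Array.isArray(input.tags)) {
      throw new TypeError("invalid profile");
    }
    return { name: input.name, tags: [...input.tags] };
  },
};

// Shallow variant, matching the description in the release notes.
function readonly(schema) {
  return { parse: (input) => Object.freeze(schema.parse(input)) };
}

// Recursive freeze over plain objects and arrays. The WeakSet guards against
// cycles. Map and Set contents are not covered: freezing a Map does not stop .set().
function deepFreeze(value, seen = new WeakSet()) {
  if (value === null || typeof value !== "object" || seen.has(value)) return value;
  seen.add(value);
  Object.freeze(value);
  for (const key of Reflect.ownKeys(value)) deepFreeze(value[key], seen);
  return value;
}

function deepReadonly(schema) {
  return { parse: (input) => deepFreeze(schema.parse(input)) };
}

// Parse a fixed input through the wrapped schema, try to mutate a nested
// array, and report what was actually frozen.
function freezeReport(wrappedSchema) {
  const result = wrappedSchema.parse({ name: "fido", tags: ["dog"] });
  const before = result.tags.length;
  try {
    result.tags.push("mutated"); // Array.prototype.push throws on a frozen array
  } catch (_) {
    // frozen: the push was rejected
  }
  return {
    topFrozen: Object.isFrozen(result),
    tagsFrozen: Object.isFrozen(result.tags),
    tagsMutated: result.tags.length !== before,
  };
}

console.log("shallow:", freezeReport(readonly(profileSchema)));
// shallow: { topFrozen: true, tagsFrozen: false, tagsMutated: true }
console.log("deep:", freezeReport(deepReadonly(profileSchema)));
// deep: { topFrozen: true, tagsFrozen: true, tagsMutated: false }
```

The TypeScript readonly type that .readonly() infers is likewise shallow for nested properties at the type level only in the way the notes show (readonly string[], ReadonlyMap), so code that relies on a parsed result being immutable all the way down needs its own deep freeze or a defensive copy.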

@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 4e8d9c7 to 3bf57f1 on September 12, 2024 15:15

@coderabbitai coderabbitai Bot commented Sep 12, 2024

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 5 times, most recently from fce2388 to e8d9a37 on September 16, 2024 04:15
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 3 times, most recently from e4d0006 to 75c91ad on September 25, 2024 16:48
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 2 times, most recently from 51fbfb4 to a6d8f05 on October 7, 2024 03:45
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 2 times, most recently from 3836439 to 74cc97a on October 21, 2024 03:24
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 2 times, most recently from ddb74cd to c52d43c on November 4, 2024 03:38
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from c52d43c to 26615b1 on November 11, 2024 03:34
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 26615b1 to fda608f on January 22, 2025 05:33
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from fda608f to da2a064 on August 10, 2025 12:29
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from da2a064 to 03b1b48 on August 19, 2025 14:06
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 03b1b48 to 7fa64db on September 25, 2025 19:03
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 7fa64db to 865f854 on November 11, 2025 00:47
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 865f854 to 89b4fe3 on November 18, 2025 11:43
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 89b4fe3 to 31efbb2 on December 31, 2025 14:10
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 31efbb2 to 18a09df on January 8, 2026 17:43
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 18a09df to b6ea333 on January 19, 2026 18:13
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from b6ea333 to b6f052c on February 2, 2026 20:29
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 2 times, most recently from 25a3912 to 1400be3 on February 17, 2026 19:04
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 1400be3 to ef59967 on March 5, 2026 17:53
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from ef59967 to 629d009 on March 13, 2026 16:50
@renovate renovate Bot changed the title from "fix(deps): update dependency zod to v3.22.3 [security]" to "fix(deps): update dependency zod to v3.22.3 [security] - autoclosed" on Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-zod-vulnerability branch March 27, 2026 00:56
@renovate renovate Bot changed the title from "fix(deps): update dependency zod to v3.22.3 [security] - autoclosed" to "fix(deps): update dependency zod to v3.22.3 [security]" on Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 4 times, most recently from 7942149 to ce78e7f on April 1, 2026 20:12
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from ce78e7f to aab539f on April 8, 2026 19:18
@renovate renovate Bot changed the title from "fix(deps): update dependency zod to v3.22.3 [security]" to "fix(deps): update dependency zod to v3.22.3 [security] - autoclosed" on Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title from "fix(deps): update dependency zod to v3.22.3 [security] - autoclosed" to "fix(deps): update dependency zod to v3.22.3 [security]" on Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from aab539f to 1373f81 on April 27, 2026 22:09
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch 2 times, most recently from a225f81 to 4f403eb on May 18, 2026 11:02
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 4f403eb to 26c3550 on May 28, 2026 19:16
@renovate renovate Bot force-pushed the renovate/npm-zod-vulnerability branch from 26c3550 to e793391 on June 11, 2026 12:14