feat: bump zod 3.25 → 4.3#24
Merged
Merged
Conversation
Closes #21. Smaller migration than the issue anticipated because the codebase never used the APIs that changed incompatibly (`.merge()`, `.deepPartial()`, coerce, `.email()`/`.url()`, `.format()` on ZodError). - zod: 3.25.76 → 4.3.6 in @opencodehub/mcp + @opencodehub/sarif - sarif schemas: `z.record(z.string())` → `z.record(z.string(), z.string())` (Zod 4 drops the single-arg form and requires an explicit key schema) `.passthrough()` is deprecated in Zod 4 but still functional and the recommended smallest-diff path; all 11 SARIF call sites continue to work against the Zod 4 runtime. A separate cleanup PR can migrate them to `z.looseObject(...)` or `.loose()` if/when we want. Zod 3.25.76 remains in the dep tree transitively via @graphty/algorithms → pupt. Direct deps are exclusively on 4.3.6; no source-level mixing. Verified locally under @types/node@20.19.16 / Node 22: - pnpm -r build: clean - pnpm -r exec tsc --noEmit: clean - pnpm -r test: 952 pass / 0 fail - pnpm -F @opencodehub/sarif run validate-schema: 4 pass / 0 fail - biome ci, banned-strings, license-checker: green
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #21. Much smaller migration than anticipated — the codebase never used the Zod 3 APIs that changed incompatibly in Zod 4.
zod:3.25.76→4.3.6in@opencodehub/mcp+@opencodehub/sarifpackages/sarif/src/schemas.ts:z.record(z.string())→z.record(z.string(), z.string())(Zod 4 requires an explicit key schema)What we didn't have to touch
The issue flagged these as migration hazards — none of them apply:
.merge()— not used anywhere in the codebase (the one.merge()match inpackages/cli/src/commands/setup.tsis a customwriter.merge, not Zod)..partial()/.deepPartial()— not used.z.coerce.*— not used.z.string().email()/.url()— not used..format()/.flatten()onZodError— not used..safeParse(x)/.parse(x)— both still return/throw the same shapes in Zod 4.On
.passthrough()Used 11 times in
packages/sarif/src/schemas.ts. It's deprecated in Zod 4 but still functional and is the smallest-diff migration path. A separate cleanup PR can migrate these toz.looseObject(...)or.loose()if we want.Dep-tree note
zod@3.25.76remains in the tree transitively via@graphty/algorithms→pupt→zod. Our direct deps are exclusively on4.3.6; no source-level mixing. The two versions coexist harmlessly.Test plan
pnpm -r buildcleanpnpm -r exec tsc --noEmitcleanpnpm -r test→ 952 pass / 0 failpnpm -F @opencodehub/sarif run validate-schema→ 4 pass / 0 failbiome ci .cleanbash scripts/check-banned-strings.shcleanlicense-checker-rseidelsohncleanFollow-up (out of scope)
.passthrough()call sites toz.looseObject(...)when convenient.