From ddf7f57327aa58168f6f9764e149e0ae3f05abbf Mon Sep 17 00:00:00 2001
From: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
Date: Wed, 22 Apr 2026 20:03:25 -0500
Subject: [PATCH] =?UTF-8?q?feat:=20bump=20zod=203.25.76=20=E2=86=92=204.3.?=
 =?UTF-8?q?6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #21. Smaller migration than the issue anticipated because the
codebase never used the APIs that changed incompatibly (`.merge()`,
`.deepPartial()`, coerce, `.email()`/`.url()`, `.format()` on ZodError).

- zod: 3.25.76 → 4.3.6 in @opencodehub/mcp + @opencodehub/sarif
- sarif schemas: `z.record(z.string())` → `z.record(z.string(), z.string())`
  (Zod 4 drops the single-arg form and requires an explicit key schema)

`.passthrough()` is deprecated in Zod 4 but still functional and the
recommended smallest-diff path; all 11 SARIF call sites continue to work
against the Zod 4 runtime. A separate cleanup PR can migrate them to
`z.looseObject(...)` or `.loose()` if/when we want.

Zod 3.25.76 remains in the dep tree transitively via
@graphty/algorithms → pupt. Direct deps are exclusively on 4.3.6; no
source-level mixing.

Verified locally under @types/node@20.19.16 / Node 22:
- pnpm -r build: clean
- pnpm -r exec tsc --noEmit: clean
- pnpm -r test: 952 pass / 0 fail
- pnpm -F @opencodehub/sarif run validate-schema: 4 pass / 0 fail
- biome ci, banned-strings, license-checker: green
---
 packages/mcp/package.json     |  2 +-
 packages/sarif/package.json   |  2 +-
 packages/sarif/src/schemas.ts |  4 ++--
 pnpm-lock.yaml                | 25 +++++++++++++++----------
 4 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/packages/mcp/package.json b/packages/mcp/package.json
index 2dd36ad8..f0747660 100644
--- a/packages/mcp/package.json
+++ b/packages/mcp/package.json
@@ -28,7 +28,7 @@
     "@opencodehub/search": "workspace:*",
     "@opencodehub/storage": "workspace:*",
     "lru-cache": "11.3.5",
-    "zod": "3.25.76"
+    "zod": "4.3.6"
   },
   "devDependencies": {
     "@types/node": "20.19.16",
diff --git a/packages/sarif/package.json b/packages/sarif/package.json
index 79a15636..6c356ba9 100644
--- a/packages/sarif/package.json
+++ b/packages/sarif/package.json
@@ -25,7 +25,7 @@
   "dependencies": {
     "@types/sarif": "2.1.7",
     "yaml": "2.8.3",
-    "zod": "3.25.76"
+    "zod": "4.3.6"
   },
   "devDependencies": {
     "@types/node": "20.19.16",
diff --git a/packages/sarif/src/schemas.ts b/packages/sarif/src/schemas.ts
index f98229b0..66b7225a 100644
--- a/packages/sarif/src/schemas.ts
+++ b/packages/sarif/src/schemas.ts
@@ -78,8 +78,8 @@ export const SarifResultSchema = z
     level: z.enum(["none", "note", "warning", "error"]).optional(),
     message: SarifMessageSchema.optional(),
     locations: z.array(SarifLocationSchema).optional(),
-    partialFingerprints: z.record(z.string()).optional(),
-    fingerprints: z.record(z.string()).optional(),
+    partialFingerprints: z.record(z.string(), z.string()).optional(),
+    fingerprints: z.record(z.string(), z.string()).optional(),
     properties: SarifPropertyBagSchema.optional(),
   })
   .passthrough();
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3d964dad..7e46a09c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -284,7 +284,7 @@ importers:
     dependencies:
       '@modelcontextprotocol/sdk':
         specifier: 1.29.0
-        version: 1.29.0(zod@3.25.76)
+        version: 1.29.0(zod@4.3.6)
       '@opencodehub/analysis':
         specifier: workspace:*
         version: link:../analysis
@@ -310,8 +310,8 @@ importers:
         specifier: 11.3.5
         version: 11.3.5
       zod:
-        specifier: 3.25.76
-        version: 3.25.76
+        specifier: 4.3.6
+        version: 4.3.6
     devDependencies:
       '@types/node':
         specifier: 20.19.16
@@ -329,8 +329,8 @@ importers:
         specifier: 2.8.3
         version: 2.8.3
       zod:
-        specifier: 3.25.76
-        version: 3.25.76
+        specifier: 4.3.6
+        version: 4.3.6
     devDependencies:
       '@types/node':
         specifier: 20.19.16
@@ -3310,6 +3310,9 @@ packages:
   zod@3.25.76:
     resolution: {integrity: sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==}
 
+  zod@4.3.6:
+    resolution: {integrity: sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==}
+
 snapshots:
 
   '@apidevtools/json-schema-ref-parser@14.0.1':
@@ -3761,7 +3764,7 @@ snapshots:
 
   '@kwsites/promise-deferred@1.1.1': {}
 
-  '@modelcontextprotocol/sdk@1.29.0(zod@3.25.76)':
+  '@modelcontextprotocol/sdk@1.29.0(zod@4.3.6)':
     dependencies:
       '@hono/node-server': 1.19.14(hono@4.12.14)
       ajv: 8.18.0
@@ -3778,8 +3781,8 @@ snapshots:
       json-schema-typed: 8.0.2
       pkce-challenge: 5.0.1
       raw-body: 3.0.2
-      zod: 3.25.76
-      zod-to-json-schema: 3.25.2(zod@3.25.76)
+      zod: 4.3.6
+      zod-to-json-schema: 3.25.2(zod@4.3.6)
     transitivePeerDependencies:
       - supports-color
 
@@ -6282,10 +6285,12 @@ snapshots:
 
   yoctocolors@2.1.2: {}
 
-  zod-to-json-schema@3.25.2(zod@3.25.76):
+  zod-to-json-schema@3.25.2(zod@4.3.6):
     dependencies:
-      zod: 3.25.76
+      zod: 4.3.6
 
   zod@3.25.76: {}
 
+  zod@4.3.6: {}
+
 time: {}