Update dependency zod to v4.4.1 #3355

Closed
renovate[bot] wants to merge 2 commits into master from renovate/zod-4.x-lockfile

renovate Bot commented Apr 30, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| zod (source) | 4.3.6 → 4.4.1 | age | confidence |

Release Notes

colinhacks/zod (zod)

v4.4.1

Compare Source

v4.4.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

socket-security Bot commented Apr 30, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | zod@4.3.6 ⏵ 4.4.1 | 100 +1 | 100 | 100 +1 | 96 +8 | 100 |

View full report

renovate Bot commented Apr 30, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

RobinTail commented Apr 30, 2026

The Zod plugin operation on patching the ZodType::brand() method is ruined by colinhacks/zod#5897 — that PR, landed in commit colinhacks/zod@8fcb71a, changed the order of assigning the instance property. It's now using the same prototype assignment for the brand made by the plugin (currently fails to do that with runtime error). The error can be fixed by adding configurable: true in the plugin, but the overwriting in the Zod engine makes the plugin's brand ineffective completely.

RobinTail commented Apr 30, 2026

Problem Analysis

Zod 4.4 changed how brand (and other builder methods) are attached to schemas:

  1. _installLazyMethods is a standalone function (not on prototypes) that installs lazy getters on Cls.prototype

  2. These getters are defined with configurable: true and when first accessed:

    • Bind the method to the instance
    • Cache it as an own enumerable property on the instance via Object.defineProperty(this, key, ...)

  3. The plugin tries to redefine brand on the prototype, but Zod's mechanism keeps overwriting it

The core issue: Zod's lazy method mechanism defines brand on the prototype, and when accessed, creates an own property on the instance. The plugin's patch gets into a conflict with this.

Resolution

We are not going to fix this issue in v27, as it is proven impossible to fix nicely. Instead, we accept the breaking change made in Zod 4.4.0 and the inability to maintain the current approach in the Zod Plugin. v27 will release a patch declaring Zod version limit ~4.3.4. v28 will remove that limit (^4.3.4) but offer the new xBrand method instead of trying to override the existing brand one (that will be a breaking change).

@RobinTail RobinTail closed this Apr 30, 2026
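
A simplified model of the conflict described in the two comments above, as an added example that is not part of this PR, Zod's source or the plugin's source. `Schema`, `installLazyMethods`, `pluginPatch` and `scenario` are hypothetical names, and the order (plugin patch first, engine install second) is an assumption. It shows both outcomes mentioned: the runtime error without `configurable: true`, and the silent overwrite with it.

```javascript
"use strict";
// Constructed model, not Zod's or the plugin's source. All names are hypothetical.

// Engine side: install lazy getters on Cls.prototype. On first access a getter
// binds the method and caches it as an own enumerable property of the instance.
function installLazyMethods(Cls, methods) {
  for (const [key, fn] of Object.entries(methods)) {
    Object.defineProperty(Cls.prototype, key, {
      configurable: true,
      get() {
        const bound = fn.bind(this);
        Object.defineProperty(this, key, {
          value: bound, enumerable: true, writable: true, configurable: true,
        });
        return bound;
      },
    });
  }
}

// Plugin side: patch brand() directly on the prototype.
function pluginPatch(Cls, configurable) {
  Object.defineProperty(Cls.prototype, "brand", {
    configurable,
    value() { return "plugin"; },
  });
}

// Assumed order: the plugin patches first, the engine installs afterwards.
function scenario(configurable) {
  class Schema {}
  pluginPatch(Schema, configurable);
  try {
    installLazyMethods(Schema, { brand() { return "engine"; } });
  } catch (err) {
    return { error: err instanceof TypeError ? "TypeError" : String(err) };
  }
  const s = new Schema();
  const result = s.brand(); // first access runs the engine's getter
  return {
    result,
    cachedOnInstance: Object.prototype.hasOwnProperty.call(s, "brand"),
    patchEffective: result === "plugin",
  };
}

console.log(scenario(false)); // non-configurable patch: engine install throws
console.log(scenario(true));  // configurable patch: silently overwritten
```

A `patchEffective`-style assertion in the consumer's test suite turns the silent overwrite into a failing check before a lockfile update is merged.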
renovate Bot commented Apr 30, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^4.3.4). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/zod-4.x-lockfile branch April 30, 2026 08:25
RobinTail added a commit that referenced this pull request Apr 30, 2026
4.4 will be supported in #3208 
due to Zod's breaking changes revealed in #3355
see
#3355 (comment)
for details

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
  * Clarified Zod compatibility: support limited to versions below 4.4.0
    due to upstream behavior changes; note that broader Zod 4.4+ support
    will be delivered in a future major release.

* **Chores**
  * Tightened dependency version constraints across packages and updated
    release notes and README to enforce the stated Zod compatibility
    boundaries.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>