feat: update zod #2384

Merged
wilsonrivera merged 11 commits into main from wilson/eng-8612-update-zod-to-32576
Dec 3, 2025
@wilsonrivera wilsonrivera commented Dec 2, 2025

Summary by CodeRabbit

  • Chores
    • Simplified dependency overrides: removed several legacy overrides and relaxed the zod constraint to a caret range.
    • Upgraded the form resolver to a newer major release.
    • Bumped zod versions across packages for consistency.
    • Pinned one protobuf dependency to an exact version (removed caret).

Checklist

Initially, we believed that updating zod to version 3.25.76 would resolve an issue encountered when running bunx wgc. However, we ran into problems due to how we had set up dependencies. Eventually, we were able to resolve the dependency issue by removing the override for a few of the packages and undoing the version pinning for zod instead of directly updating it.

coderabbitai Bot commented Dec 2, 2025

Walkthrough

Relaxed zod pins to caret ranges, removed several entries from pnpm.overrides, moved patchedDependencies from inside pnpm.overrides to top-level pnpm.patchedDependencies, bumped versions in studio and controlplane, loosened zod in cli, and pinned @bufbuild/protobuf in connect.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Root pnpm config: package.json | In pnpm.overrides changed "zod": "3.24.2" → "zod": "^3.24.2", removed overrides for chalk, ansi-styles, strip-ansi, ansi-regex. Moved patchedDependencies out of pnpm.overrides to top-level pnpm.patchedDependencies with "graphql@16.9.0": "patches/graphql@16.9.0.patch". |
| Studio dependency bumps: studio/package.json | Updated @hookform/resolvers from ^3.3.1 → ^4.1.3; updated zod from ^3.22.4 → ^3.24.2. |
| CLI dependency loosened: cli/package.json | Relaxed zod from 3.24.2 → ^3.24.2. |
| Control plane dependency bump: controlplane/package.json | Updated zod from ^3.22.4 → ^3.24.2. |
| Connect dependency pinned: connect/package.json | Pinned @bufbuild/protobuf from ^1.9.0 → 1.9.0 (caret removed). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify top-level pnpm.patchedDependencies is effective and patch path exists.
  • Check removing the listed overrides doesn't reintroduce vulnerable transitive versions (inspect lockfile).
  • Confirm @hookform/resolvers and zod version changes compile in affected packages.
  • Confirm pinning @bufbuild/protobuf in connect doesn't break transitive compatibility.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately reflects the main change: updating the zod dependency across multiple packages in the monorepo. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

Comment @coderabbitai help to get the list of available commands and usage tips.
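
The lockfile inspection suggested in the walkthrough above can be scripted. This is an added example, not code from the PR, the cosmo repository or CodeRabbit; it assumes the pnpm lockfile v9 layout, and `resolvedVersions`, `blockedHits`, the sample lockfile text and the deny-list are hypothetical and constructed for illustration.

```javascript
// Added example. Assumes pnpm lockfile v9: "name@version:" keys, indented two
// spaces, under the top-level "packages:" section.

// Constructed sample; names and versions are placeholders, not the repo's lockfile.
const SAMPLE_LOCKFILE = [
  "lockfileVersion: '9.0'",
  "packages:",
  "  '@bufbuild/protobuf@1.9.0':",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  strip-ansi@99.0.0:",
  "  strip-ansi@99.0.1:",
  "  zod@3.25.76:",
  "snapshots:",
  "  zod@3.25.76: {}",
].join("\n");

// Constructed deny-list; in practice fill it from the advisories you track.
const SAMPLE_BLOCKLIST = { "strip-ansi": ["99.0.1"] };

// Map each requested package name to the versions the lockfile resolves.
function resolvedVersions(lockText, names) {
  const found = new Map(names.map((n) => [n, new Set()]));
  let inPackages = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // an unindented key starts a new section
      inPackages = line.trimEnd() === "packages:";
      continue;
    }
    if (!inPackages) continue;
    // Optional quote, optional @scope/, name, "@", version, optional quote, ":".
    const m = /^ {2}'?((?:@[^@\/\s]+\/)?[^@\s']+)@([^'\s:(]+)'?:/.exec(line);
    if (m && found.has(m[1])) found.get(m[1]).add(m[2]);
  }
  // Lexical sort, only to keep the output stable.
  return new Map([...found].map(([n, v]) => [n, [...v].sort()]));
}

// Return "name@version" for every resolved version that is on the deny-list.
function blockedHits(lockText, blocklist) {
  const hits = [];
  for (const [name, versions] of resolvedVersions(lockText, Object.keys(blocklist)))
    for (const v of versions)
      if (blocklist[name].includes(v)) hits.push(`${name}@${v}`);
  return hits;
}

console.log(resolvedVersions(SAMPLE_LOCKFILE, ["strip-ansi", "zod"]));
console.log(blockedHits(SAMPLE_LOCKFILE, SAMPLE_BLOCKLIST));
```

To run it against a real checkout, pass the text of pnpm-lock.yaml as `lockText`; a package that resolves to more than one version after an override is removed is the case to look at first.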

codecov Bot commented Dec 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@9be1a0e). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2384   +/-   ##
=======================================
  Coverage        ?   32.61%           
=======================================
  Files           ?      340           
  Lines           ?    33837           
  Branches        ?      251           
=======================================
  Hits            ?    11035           
  Misses          ?    21806           
  Partials        ?      996           

github-actions Bot commented Dec 2, 2025

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-d7fe2a7cd154c4d668c830ffdfbd35dcde7a8280-nonroot

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9be1a0e and 80c7bb1.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • cli/package.json (1 hunks)
  • package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
  • GitHub Check: build_push_image
  • GitHub Check: image_scan
  • GitHub Check: build_test
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: integration_test (./events)
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
🔇 Additional comments (1)
package.json (1)

66-95: pnpm.overrides correctly kept in sync with direct dependency.

The zod version (3.25.76) in pnpm.overrides matches the version in cli/package.json, ensuring all workspace packages use the same version uniformly. This override mechanism prevents version conflicts and non-deterministic hoisting across the monorepo, including packages that declare compatible caret ranges like controlplane and studio.

Comment thread cli/package.json Outdated
github-actions Bot commented Dec 2, 2025

Dependency Review

The following issues were found:

  • ❌ 1 vulnerable package(s)

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80c7bb1 and ea20021.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build_push_image
  • GitHub Check: build_push_image
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: image_scan
  • GitHub Check: integration_test (./events)
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: Analyze (go)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (1)
package.json (1)

66-90: No action required — top-level overrides is valid in pnpm 9.12.3.

pnpm supports both pnpm.overrides (nested format) and the standard top-level overrides field. Both are valid and are merged during dependency resolution, with pnpm.overrides taking precedence when both are present. The code's use of top-level overrides is correct and fully supported by pnpm 9.12.3.

Comment thread package.json Outdated
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
controlplane/emails/package.json (1)

21-21: Verify email build and dev scripts work with react-email 4.3.2.

The version bump from 4.0.3 to 4.3.2 is a minor update within the same major version. Before merging, ensure the dev and build scripts execute without errors to confirm the email CLI and component exports function correctly with this version.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5cd109f and 3a6fafb.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • controlplane/emails/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
  • GitHub Check: build-router
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: build_push_image
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: integration_test (./events)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: build_test
  • GitHub Check: image_scan
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: build_push_image
  • GitHub Check: Analyze (go)
  • GitHub Check: build_test

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4964304 and 8c32172.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • cli/package.json (2 hunks)
  • controlplane/package.json (1 hunks)
  • package.json (2 hunks)
  • studio/package.json (2 hunks)
✅ Files skipped from review due to trivial changes (1)
  • controlplane/package.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • studio/package.json
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)
  • GitHub Check: build-router
  • GitHub Check: image_scan (nonroot)
  • GitHub Check: image_scan
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: build_push_image
  • GitHub Check: Analyze (go)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_test
  • GitHub Check: build_push_image
  • GitHub Check: build_push_image
  • GitHub Check: build_test
🔇 Additional comments (1)
cli/package.json (1)

43-43: Dependency pin relaxed; verify lock file pins versions.

Shifting @bufbuild/protobuf from exact pin to caret range (^1.9.0) is acceptable, but ensure pnpm-lock.yaml locks the resolved version to maintain reproducibility across installations and CI runs.

Comment thread cli/package.json
@StarpTech StarpTech left a comment

LGTM

@wilsonrivera wilsonrivera merged commit 53a2c0c into main Dec 3, 2025
59 of 60 checks passed
@wilsonrivera wilsonrivera deleted the wilson/eng-8612-update-zod-to-32576 branch December 3, 2025 13:24
asoorm pushed a commit that referenced this pull request Dec 16, 2025
@coderabbitai coderabbitai Bot mentioned this pull request Feb 6, 2026