From 22e431e15ff775bc4363edc2e564113f0db74d83 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 May 2026 14:19:19 +0000 Subject: [PATCH 1/2] chore(deps)(deps): bump zod from 3.24.2 to 4.4.3 Bumps [zod](https://github.com/colinhacks/zod) from 3.24.2 to 4.4.3. - [Release notes](https://github.com/colinhacks/zod/releases) - [Commits](https://github.com/colinhacks/zod/compare/v3.24.2...v4.4.3) --- updated-dependencies: - dependency-name: zod dependency-version: 4.4.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- packages/cli/package.json | 2 +- packages/migrate/package.json | 2 +- packages/protect/package.json | 2 +- packages/schema/package.json | 2 +- packages/stack/package.json | 2 +- packages/wizard/package.json | 2 +- pnpm-lock.yaml | 59 ++++++++++++++++------------------- 7 files changed, 33 insertions(+), 38 deletions(-) diff --git a/packages/cli/package.json b/packages/cli/package.json index 7cb2ad65..f424a6d2 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -48,7 +48,7 @@ "pg": "8.20.0", "picocolors": "^1.1.1", "posthog-node": "^5.33.5", - "zod": "^4.3.6" + "zod": "^4.4.3" }, "peerDependencies": { "@cipherstash/stack": ">=0.6.0" diff --git a/packages/migrate/package.json b/packages/migrate/package.json index 3f84d664..18263144 100644 --- a/packages/migrate/package.json +++ b/packages/migrate/package.json @@ -42,7 +42,7 @@ "lint": "biome check ." }, "dependencies": { - "zod": "^3.24.2" + "zod": "^4.4.3" }, "peerDependencies": { "@cipherstash/stack": ">=0.6.0", diff --git a/packages/protect/package.json b/packages/protect/package.json index 94a02bb4..5a2c70a6 100644 --- a/packages/protect/package.json +++ b/packages/protect/package.json @@ -73,7 +73,7 @@ "@cipherstash/schema": "workspace:*", "@stricli/core": "^1.2.6", "dotenv": "17.4.2", - "zod": "^3.24.2" + "zod": "^4.4.3" }, "optionalDependencies": { "@rollup/rollup-linux-x64-gnu": "4.60.3" diff --git a/packages/schema/package.json b/packages/schema/package.json index cb3cc7ba..fa43c2d4 100644 --- a/packages/schema/package.json +++ b/packages/schema/package.json @@ -41,7 +41,7 @@ "vitest": "catalog:repo" }, "dependencies": { - "zod": "^3.24.2" + "zod": "^4.4.3" }, "publishConfig": { "access": "public" diff --git a/packages/stack/package.json b/packages/stack/package.json index c4d0c22a..ef34e4ae 100644 --- a/packages/stack/package.json +++ b/packages/stack/package.json @@ -206,7 +206,7 @@ "@cipherstash/protect-ffi": "0.21.4", "evlog": "1.9.0", "uuid": "14.0.0", - "zod": "3.24.2" + "zod": "4.4.3" }, "peerDependencies": { "@supabase/supabase-js": ">=2", diff --git a/packages/wizard/package.json b/packages/wizard/package.json index d5516155..d9978558 100644 --- a/packages/wizard/package.json +++ b/packages/wizard/package.json @@ -31,7 +31,7 @@ "pg": "8.20.0", "picocolors": "^1.1.1", "posthog-node": "^5.33.5", - "zod": "^4.3.6" + "zod": "^4.4.3" }, "devDependencies": { "@types/pg": "^8.20.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7e35f2a0..4fb2186e 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -215,8 +215,8 @@ importers: specifier: ^5.33.5 version: 5.33.5 zod: - specifier: ^4.3.6 - version: 4.3.6 + specifier: ^4.4.3 + version: 4.4.3 devDependencies: '@cipherstash/stack': specifier: workspace:* @@ -286,8 +286,8 @@ importers: packages/migrate: dependencies: zod: - specifier: ^3.24.2 - version: 3.24.2 + specifier: ^4.4.3 + version: 4.4.3 devDependencies: '@cipherstash/stack': specifier: workspace:* @@ -434,8 +434,8 @@ importers: specifier: 17.4.2 version: 17.4.2 zod: - specifier: ^3.24.2 - version: 3.24.2 + specifier: ^4.4.3 + version: 4.4.3 devDependencies: '@supabase/supabase-js': specifier: ^2.105.4 @@ -494,8 +494,8 @@ importers: packages/schema: dependencies: zod: - specifier: ^3.24.2 - version: 3.24.2 + specifier: ^4.4.3 + version: 4.4.3 devDependencies: tsup: specifier: catalog:repo @@ -522,8 +522,8 @@ importers: specifier: 14.0.0 version: 14.0.0 zod: - specifier: 3.24.2 - version: 3.24.2 + specifier: 4.4.3 + version: 4.4.3 devDependencies: '@clack/prompts': specifier: ^1.3.0 @@ -566,7 +566,7 @@ importers: dependencies: '@anthropic-ai/claude-agent-sdk': specifier: ^0.2.138 - version: 0.2.138(zod@4.3.6) + version: 0.2.138(zod@4.4.3) '@cipherstash/auth': specifier: catalog:repo version: 0.36.0 @@ -586,8 +586,8 @@ importers: specifier: ^5.33.5 version: 5.33.5 zod: - specifier: ^4.3.6 - version: 4.3.6 + specifier: ^4.4.3 + version: 4.4.3 devDependencies: '@types/pg': specifier: ^8.20.0 @@ -4006,11 +4006,8 @@ packages: peerDependencies: zod: ^3.25.28 || ^4 - zod@3.24.2: - resolution: {integrity: sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ==} - - zod@4.3.6: - resolution: {integrity: sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==} + zod@4.4.3: + resolution: {integrity: sha512-ytENFjIJFl2UwYglde2jchW2Hwm4GJFLDiSXWdTrJQBIN9Fcyp7n4DhxJEiWNAJMV1/BqWfW/kkg71UDcHJyTQ==} snapshots: @@ -4038,11 +4035,11 @@ snapshots: '@anthropic-ai/claude-agent-sdk-win32-x64@0.2.138': optional: true - '@anthropic-ai/claude-agent-sdk@0.2.138(zod@4.3.6)': + '@anthropic-ai/claude-agent-sdk@0.2.138(zod@4.4.3)': dependencies: - '@anthropic-ai/sdk': 0.81.0(zod@4.3.6) - '@modelcontextprotocol/sdk': 1.29.0(zod@4.3.6) - zod: 4.3.6 + '@anthropic-ai/sdk': 0.81.0(zod@4.4.3) + '@modelcontextprotocol/sdk': 1.29.0(zod@4.4.3) + zod: 4.4.3 optionalDependencies: '@anthropic-ai/claude-agent-sdk-darwin-arm64': 0.2.138 '@anthropic-ai/claude-agent-sdk-darwin-x64': 0.2.138 @@ -4056,11 +4053,11 @@ snapshots: - '@cfworker/json-schema' - supports-color - '@anthropic-ai/sdk@0.81.0(zod@4.3.6)': + '@anthropic-ai/sdk@0.81.0(zod@4.4.3)': dependencies: json-schema-to-ts: 3.1.1 optionalDependencies: - zod: 4.3.6 + zod: 4.4.3 '@apidevtools/json-schema-ref-parser@11.9.3': dependencies: @@ -4900,7 +4897,7 @@ snapshots: globby: 11.1.0 read-yaml-file: 1.1.0 - '@modelcontextprotocol/sdk@1.29.0(zod@4.3.6)': + '@modelcontextprotocol/sdk@1.29.0(zod@4.4.3)': dependencies: '@hono/node-server': 1.19.14(hono@4.12.18) ajv: 8.20.0 @@ -4917,8 +4914,8 @@ snapshots: json-schema-typed: 8.0.2 pkce-challenge: 5.0.1 raw-body: 3.0.2 - zod: 4.3.6 - zod-to-json-schema: 3.25.2(zod@4.3.6) + zod: 4.4.3 + zod-to-json-schema: 3.25.2(zod@4.4.3) transitivePeerDependencies: - supports-color @@ -7102,10 +7099,8 @@ snapshots: yoctocolors@2.1.2: {} - zod-to-json-schema@3.25.2(zod@4.3.6): + zod-to-json-schema@3.25.2(zod@4.4.3): dependencies: - zod: 4.3.6 - - zod@3.24.2: {} + zod: 4.4.3 - zod@4.3.6: {} + zod@4.4.3: {} From 3856da46f43b26a34df23ee919d272726732a64a Mon Sep 17 00:00:00 2001 From: Lindsay Holmwood Date: Wed, 20 May 2026 00:56:44 +1000 Subject: [PATCH 2/2] fix: migrate schema definitions to zod 4 zod 4 requires an explicit key schema for z.record, so the single-arg z.record(value) calls now pass z.record(z.string(), value). zod 4's .default() takes an already-parsed output value and skips parsing, so the object .default({}) that relied on parsing to fill nested defaults becomes .prefault({}), which preserves the parse-the-default behaviour. encryptConfigSchema is annotated z.ZodType and EncryptConfig is now an explicit type. The fully-inferred zod 4 type for the triply-nested tables record is too deep for consumers to instantiate, which degraded `tables` to unknown across package boundaries. --- packages/migrate/src/manifest.ts | 2 +- packages/schema/src/index.ts | 19 ++++++++++++++----- packages/stack/src/schema/index.ts | 19 ++++++++++++++----- 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/packages/migrate/src/manifest.ts b/packages/migrate/src/manifest.ts index c3ad4043..8472489f 100644 --- a/packages/migrate/src/manifest.ts +++ b/packages/migrate/src/manifest.ts @@ -69,7 +69,7 @@ const ManifestColumnSchema = z.object({ const ManifestSchema = z.object({ version: z.literal(1).default(1), /** Map of table name → array of column intents for that table. */ - tables: z.record(z.array(ManifestColumnSchema)), + tables: z.record(z.string(), z.array(ManifestColumnSchema)), }) export type Manifest = z.infer diff --git a/packages/schema/src/index.ts b/packages/schema/src/index.ts index bf2714c0..b9965ee6 100644 --- a/packages/schema/src/index.ts +++ b/packages/schema/src/index.ts @@ -78,18 +78,24 @@ const indexesSchema = z }) .default({}) +// `.prefault` (not `.default`) because the default `{}` is an *input* value +// that must be parsed to fill in `cast_as` and `indexes` defaults. In zod 4 +// `.default` takes an already-parsed output value and skips parsing. const columnSchema = z .object({ cast_as: castAsEnum, indexes: indexesSchema, }) - .default({}) + .prefault({}) -const tableSchema = z.record(columnSchema).default({}) +const tableSchema = z.record(z.string(), columnSchema).default({}) -const tablesSchema = z.record(tableSchema).default({}) +const tablesSchema = z.record(z.string(), tableSchema).default({}) -export const encryptConfigSchema = z.object({ +// Annotated as ZodType so the emitted .d.ts exposes a shallow +// type. The fully-inferred zod 4 type for this triply-nested record is too +// deep for consumers to instantiate, which degrades `tables` to `unknown`. +export const encryptConfigSchema: z.ZodType = z.object({ v: z.number(), tables: tablesSchema, }) @@ -127,7 +133,10 @@ export type ProtectTableColumn = { } } } -export type EncryptConfig = z.infer +export type EncryptConfig = { + v: number + tables: Record> +} // ------------------------ // Interface definitions diff --git a/packages/stack/src/schema/index.ts b/packages/stack/src/schema/index.ts index a8c5873d..61f4b8ea 100644 --- a/packages/stack/src/schema/index.ts +++ b/packages/stack/src/schema/index.ts @@ -128,19 +128,25 @@ const indexesSchema = z }) .default({}) +// `.prefault` (not `.default`) because the default `{}` is an *input* value +// that must be parsed to fill in `cast_as` and `indexes` defaults. In zod 4 +// `.default` takes an already-parsed output value and skips parsing. const columnSchema = z .object({ cast_as: castAsEnum, indexes: indexesSchema, }) - .default({}) + .prefault({}) -const tableSchema = z.record(columnSchema).default({}) +const tableSchema = z.record(z.string(), columnSchema).default({}) -const tablesSchema = z.record(tableSchema).default({}) +const tablesSchema = z.record(z.string(), tableSchema).default({}) +// Annotated as ZodType so the emitted .d.ts exposes a shallow +// type. The fully-inferred zod 4 type for this triply-nested record is too +// deep for consumers to instantiate, which degrades `tables` to `unknown`. /** @internal */ -export const encryptConfigSchema = z.object({ +export const encryptConfigSchema: z.ZodType = z.object({ v: z.number(), tables: tablesSchema, }) @@ -183,7 +189,10 @@ export type EncryptedTableColumn = { } } } -export type EncryptConfig = z.infer +export type EncryptConfig = { + v: number + tables: Record> +} // ------------------------ // Interface definitions