fix(deps): update dependency zod to v3.22.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
zod (source)	3.21.4 -> 3.22.3

GitHub Vulnerability Alerts

CVE-2023-4316

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.

---

Release Notes

colinhacks/zod (zod)

v3.22.3

Compare Source

Commits:

• 1e23990 Commit
• 9bd3879 docs: remove obsolete text about readonly types (#​2676)
• f59be09 clarify datetime ISO 8601 (#​2673)
• 64dcc8e Update sponsors
• 18115a8 Formatting
• 28c1927 Update sponsors
• ad2ee9c 2718 Updated Custom Schemas documentation example to use type narrowing (#​2778)
• ae0f7a2 docs: update ref to discriminated-unions docs (#​2485)
• 2ba00fe [2609] fix ReDoS vulnerability in email regex (#​2824)
• 1e61d76 3.22.3

v3.22.2

Compare Source

Commits:

• 13d9e6b Fix lint
• 0d49f10 docs: add typeschema to ecosystem (#​2626)
• 8e4af7b X to Zod: add app.quicktype.io (#​2668)
• 792b3ef Fix superrefine types

v3.22.1

Compare Source

Commits:

Fix handing of this in ZodFunction schemas. The parse logic for function schemas now requires the Reflect API.

const methodObject = z.object({
  property: z.number(),
  method: z.function().args(z.string()).returns(z.number()),
});
const methodInstance = {
  property: 3,
  method: function (s: string) {
    return s.length + this.property;
  },
};
const parsed = methodObject.parse(methodInstance);
parsed.method("length=8"); // => 11 (8 length + 3 property)

• 932cc47 Initial prototype fix for issue #​2651 (#​2652)
• 0a055e7 3.22.1

v3.22.0

Compare Source

ZodReadonly

This release introduces ZodReadonly and the .readonly() method on ZodType.

Calling .readonly() on any schema returns a ZodReadonly instance that wraps the original schema. The new schema parses all inputs using the original schema, then calls Object.freeze() on the result. The inferred type is also marked as readonly.

const schema = z.object({ name: string }).readonly();
type schema = z.infer<typeof schema>;
// Readonly<{name: string}>

const result = schema.parse({ name: "fido" });
result.name = "simba"; // error

The inferred type uses TypeScript's built-in readonly types when relevant.

z.array(z.string()).readonly();
// readonly string[]

z.tuple([z.string(), z.number()]).readonly();
// readonly [string, number]

z.map(z.string(), z.date()).readonly();
// ReadonlyMap<string, Date>

z.set(z.string()).readonly();
// ReadonlySet<Promise<string>>

Commits:

• 6dad907 Comments
• 56ace68 Fix deno test
• 3809d54 Add superforms
• d1ad522 Add transloadit
• a3bb701 Testing on Typescript 5.0 (#​2221)
• 51e14be docs: update deprecated link (#​2219)
• a263814 fixed Datetime & IP TOC links
• 502384e docs: add mobx-zod-form to form integrations (#​2299)
• a8be450 docs: Add zocker to Ecosystem section (#​2416)
• 15de22a Allow subdomains and hyphens in ZodString.email (#​2274)
• 00f5783 Add zod-openapi to ecosystem (#​2434)
• 0a17340 docs: fix minor typo (#​2439)
• 60a2134 Add masterborn
• 0a90ed1 chore: move exports.types field to first spot @​ package.json. (#​2443)
• 67f35b1 docs: allow Zod to be used in dev tools at site (#​2432)
• 6795c57 Fix not working Deno doc link. (#​2428)
• 37e9c55 Generalize uuidRegex
• 0969950 adds ctx to preprocess (#​2426)
• af08390 fix: super refinement function types (#​2420)
• 36fef58 Make email regex reasonable (#​2157)
• f627d14 Document canary
• e06321c docs: add tapiduck to API libraries (#​2410)
• 11e507c docs: add ts as const example in zod enums (#​2412)
• 5427565 docs: add zod-fixture to mocking ecosystem (#​2409)
• d3bf7e6 docs: add zodock to mocking ecosystem (#​2394)
• 2270ae5 remove "as any" casts in createZodEnum (#​2332)
• 00bdd0a fix proto pollution vulnerability (#​2239)
• a3c5256 Fix error_handling unrecognized_keys example
• 4f75cbc Adds getters to Map for key + value (#​2356)
• ca7b032 FMC (#​2346)
• 6fec8bd docs: fix typo in link fragment (#​2329)
• 16f90bd Update README.md
• 2c80250 Update readme
• eaf64e0 Update sponsors
• c576311 Update readme
• 5e23b4f Add *.md pattern to prettier (#​2476)
• 898dced Revamp tests
• 6309322 Update test runners
• c0aece1 Add vitest config
• 73a5610 Update script
• 8d8e1a2 Fix deno test bug
• 9eb2508 Clean up configs
• cfbc7b3 Fix root jest config
• 8677f68 docs(comparison-yup): Yup added partial() and deepPartial() in v1 (#​2603)
• fb00edd docs: add VeeValidate form library for Vue.js (#​2578)
• ab8e717 docs: fix typo in z.object (#​2570)
• d870407 docs: fix incomplete Records example (#​2579)
• 5adae24 docs: add conform form integration (#​2577)
• 8b8ab3e Update README.md (#​2562)
• 6aab901 fix typo test name (#​2542)
• 81a89f5 Update nullish documentation to correct chaining order (#​2457)
• 78a4090 docs: update comparison with runtypes (#​2536)
• 1ecd624 Fix prettier
• 981d4b5 Add ZodReadonly (#​2634)
• fba438c 3.22.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarcloud]

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	None	0	5.67 kB	lukeed

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/[email protected]	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	docs/package.json pnpm-lock.yaml
Install scripts	npm/[email protected]	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	docs/package.json pnpm-lock.yaml

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]