Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency zod to v3.22.3 [SECURITY] #640

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 3, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
zod (source) 3.19.1 -> 3.22.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-4316

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.


Release Notes

colinhacks/zod (zod)

v3.22.3

Compare Source

Commits:

v3.22.2

Compare Source

Commits:

v3.22.1

Compare Source

Commits:

Fix handing of this in ZodFunction schemas. The parse logic for function schemas now requires the Reflect API.

const methodObject = z.object({
  property: z.number(),
  method: z.function().args(z.string()).returns(z.number()),
});
const methodInstance = {
  property: 3,
  method: function (s: string) {
    return s.length + this.property;
  },
};
const parsed = methodObject.parse(methodInstance);
parsed.method("length=8"); // => 11 (8 length + 3 property)

v3.22.0

Compare Source

ZodReadonly

This release introduces ZodReadonly and the .readonly() method on ZodType.

Calling .readonly() on any schema returns a ZodReadonly instance that wraps the original schema. The new schema parses all inputs using the original schema, then calls Object.freeze() on the result. The inferred type is also marked as readonly.

const schema = z.object({ name: string }).readonly();
type schema = z.infer<typeof schema>;
// Readonly<{name: string}>

const result = schema.parse({ name: "fido" });
result.name = "simba"; // error

The inferred type uses TypeScript's built-in readonly types when relevant.

z.array(z.string()).readonly();
// readonly string[]

z.tuple([z.string(), z.number()]).readonly();
// readonly [string, number]

z.map(z.string(), z.date()).readonly();
// ReadonlyMap<string, Date>

z.set(z.string()).readonly();
// ReadonlySet<Promise<string>>

Commits:

v3.21.4

Compare Source

Commits:

v3.21.3

Compare Source

Commits:

v3.21.2

Compare Source

Commits:

  • b276d71 Improve typings in generics
  • 4d016b7 Improve type inference in generics
  • f9895ab Improve types inside generic functions
  • ac0135e Pass input into catchValue

v3.21.1

Compare Source

Features

Support for ULID validation

z.string().ulid();

Commits:

v3.21.0

Compare Source

Features

z.string().emoji()

Thanks @​joseph-lozano for https://github.com/colinhacks/zod/pull/2045! To validate that all characters in a string are emoji:

z.string().emoji()

...if that's something you want to do for some reason.

z.string().cuid2()

Thanks @​joulev for https://github.com/colinhacks/zod/pull/1813! To validate CUIDv2:

z.string().cuid2()
z.string().ip()

Thanks @​fvckDesa for https://github.com/colinhacks/zod/pull/2066. To validate that a string is a valid IP address:

const v4IP = "122.122.122.122";
const v6IP = "6097:adfa:6f0b:220d:db08:5021:6191:7990";

// matches both IPv4 and IPv6 by default
const ipSchema = z.string().ip();
ipSchema.parse(v4IP) //  pass
ipSchema.parse(v6IP) //  pass

To specify a particular version:

const ipv4Schema = z.string().ip({ version: "v4" });
const ipv6Schema = z.string().ip({ version: "v6" });
z.bigint().{gt|gte|lt|lte}()

Thanks @​igalklebanov for #1711! ZodBigInt gets the same set of methods found on ZodNumber:

z.bigint().gt(BigInt(5));
z.bigint().gte(BigInt(5));
z.bigint().lt(BigInt(5));
z.bigint().lte(BigInt(5));
z.bigint().positive();
z.bigint().negative();
z.bigint().nonnegative();
z.bigint().nonpositive();
z.bigint().multipleOf(BigInt(5));
z.enum(...).extract() and z.enum(...).exclude()

Thanks @​santosmarco-caribou for https://github.com/colinhacks/zod/pull/1652! To add or remove elements from a ZodEnum:

const FoodEnum = z.enum(["Pasta", "Pizza", "Tacos", "Burgers", "Salad"]);
const ItalianEnum = FoodEnum.extract(["Pasta", "Pizza"]); // ZodEnum<["Pasta", "Pizza"]>
const UnhealthyEnum = FoodEnum.exclude(["Salad"]); // ZodEnum<["Pasta", "Pizza", "Tacos", "Burgers"]>

This API is inspired by the Exclude and Extract TypeScript built-ins.

Pass a function to .catch()

Thanks @​0xWryth for https://github.com/colinhacks/zod/pull/2087! The .catch() method now accepts a function that receives the caught error:

const numberWithErrorCatch = z.number().catch((ctx) => {
  ctx.error; // ZodError
  return 42;
});

Compiler performance

Zod 3.20.2 introduced an accidental type recursion that caused long compilation times for some users. These kinds of bugs are very hard to diagnose. Big shoutout to @​gydroperit for some heroic efforts here: https://github.com/colinhacks/zod/pull/2107 Zod 3.21 resolves these issues:

Commits:

v3.20.6

Compare Source

Commits:

v3.20.5

Compare Source

Commits:

  • e71c7be Fix extract/exclude type error

v3.20.4

Compare Source

Commits:

v3.20.3

Compare Source

Features

Fixes and documentation

New Contributors

Full Changelog: colinhacks/zod@v3.20.2...v3.20.3

v3.20.2

Compare Source

Commits:

v3.20.1

Compare Source

Commits:

v3.20.0: -beta

Compare Source

Breaking changes

There are no breaking API changes, however TypeScript versions 4.4 and earlier are no longer officially supported.

New features

The most feature-packed release since Zod 3.0!

.pipe()

A new schema method .pipe() is now available on all schemas. which can be used to chain multiple schemas into a "validation pipeline". Typically this will be used in conjunction with .transform().

z.string()
  .transform(val => val.length)
  .pipe(z.number().min(5))

The .pipe() method returns a ZodPipeline instance.

z.coerce

Zod now provides a more convenient way to coerce primitive values.

const schema = z.coerce.string();
schema.parse("tuna"); // => "tuna"
schema.parse(12); // => "12"
schema.parse(true); // => "true"

During the parsing step, the input is passed through the String() function, which is a JavaScript built-in for coercing data into strings. Note that the returned schema is a ZodString instance so you can use all string methods.

z.coerce.string().email().min(5);

All primitive types support coercion.

z.coerce.string();   // String(input)
z.coerce.number();   // Number(input)
z.coerce.boolean();  // Boolean(input)
z.coerce.bigint();   // BigInt(input)
z.coerce.date();     // new Date(input)
.catch()

A new schema method .catch() is now available on all schemas. It can be used to provide a "catchall" value that will be returned in the event of a parsing error.

const schema = z.string().catch("fallback");

schema.parse("kate"); // => "kate"
schema.parse(4); // => "fallback"

The .catch() method returns a ZodCatch instance.

z.symbol()

A long-missing hole in Zod's type system is finally filled! Thanks @​santosmarco-caribou.

const schema = z.symbol();
schema.parse(Symbol('asdf'));

Relatedly, you can also pass symbols into z.literal().

const TUNA = Symbol("tuna");
const schema = z.literal(TUNA);

schema.parse(TUNA); // Symbol(tuna)
schema.parse(Symbol("nottuna")); // Error
z.string().datetime()

A new method has been added to ZodString to validate ISO datetime strings. Thanks @​samchungy!

z.string().datetime();

This method defaults to only allowing UTC datetimes (the ones that end in "Z"). No timezone offsets are allowed; arbitrary sub-second precision is supported.

const dt = z.string().datetime();
dt.parse("2020-01-01T00:00:00Z"); // 🟢
dt.parse("2020-01-01T00:00:00.123Z"); // 🟢
dt.parse("2020-01-01T00:00:00.123456Z"); // 🟢 (arbitrary precision)
dt.parse("2020-01-01T00:00:00+02:00"); // 🔴 (no offsets allowed)

Offsets can be supported with the offset parameter.

const a = z.string().datetime({ offset: true });
a.parse("2020-01-01T00:00:00+02:00"); // 🟢 offset allowed

You can additionally constrain the allowable precision. This specifies the number of digits that should follow the decimal point.

const b = z.string().datetime({ precision: 3 })
b.parse("2020-01-01T00:00:00.123Z"); // 🟢 precision of 3 decimal points
b.parse("2020-01-01T00:00:00Z"); // 🔴 invalid precision
z.number().finite()

Restrict a number schema to finite values. Thanks @​igalklebanov.

const schema = z.number().finite();
schema.parse(5); 🟢
schema.parse(Infinity); 🔴
schema.parse(-Infinity); 🔴

What's Changed


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Oct 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants