Skip to content

chore(deps): bump zod to v4#933

Open
SnowboardTechie wants to merge 1 commit into
mainfrom
chore/catalog-zod-4
Open

chore(deps): bump zod to v4#933
SnowboardTechie wants to merge 1 commit into
mainfrom
chore/catalog-zod-4

Conversation

@SnowboardTechie

@SnowboardTechie SnowboardTechie commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Bumps the catalog zod range ^3.25.76^4.4.3 (latest 4.x).
  • zod is a runtime dependency of the published @common-grants/sdk and @common-grants/cli, so this is a release-warranting change — a patch changeset is included (per ADR-0010 + chore(deps): bump the runtime group across 1 directory with 3 updates #821 precedent).
  • All resulting v4 breaking changes are adapted (see below); pnpm run ci is green across every package.
  • No public API changes — the SDK/CLI surface is unchanged.
  • Time to review: ~10 minutes

Changes proposed

zod: ^3.25.76^4.4.3 in the catalog: block of pnpm-workspace.yaml, lockfile regenerated, plus the v4 source/test adaptations.

Breaking changes handled

  • z.record() single-arg dropped → two-arg z.record(z.string(), …): models.ts (otherDates, customFields, customFilters), with-custom-fields.ts (DEFAULT_VALUE_SCHEMAS.object + the error-message example), and two specs.
  • ZodType generic dropped its middle Def param: z.ZodType<Out, Def, In>z.ZodType<Out, In> (client OppSchema).
  • ZodObject generics collapsed (UnknownKeysParam / catchall removed): HasCustomFieldsz.ZodObject<Shape>.
  • AnyZodObject removedz.ZodObject (extensible-schema-coverage test).
  • Response helpers (Ok/Paginated/Sorted/Filtered/Created) switched their generic constraint from the deprecated z.ZodTypeAny to z.ZodType, so v4 carries the concrete output type through .extend (fixes .data inference in the client).
  • CLI validation message wording changed Invalid urlInvalid URL (error-handling test assertion).

Changeset: .changeset/zod-v4.mdpatch for @common-grants/sdk and @common-grants/cli (the two published packages that depend on zod at runtime via dependencies). The website also consumes zod but is private and not changeset-tracked.

Out of scope: templates/express-js pins zod directly (not catalog-managed, not in the workspace, not in CI) — per the repo's "templates are manually maintained, refreshed deliberately" convention, its pin is left untouched and would be a separate deliberate refresh.

Context for reviewers

Local verification (documented nix dev env, Node 22):

  • pnpm run ci → green across core, changelog-emitter, cli (119), sdk (380), website (69). No TS errors, prettier clean, cspell clean.
  • pnpm audit --audit-level high: the one high (undici via website > wrangler > miniflare) is pre-existing on mainundici@7.24.8 is byte-identical between main and this branch; the lockfile diff does not touch undici. This bump introduces no new advisories.

Consumer integration (per the repo rule that SDK/runtime changes are validated from a downstream consumer): the local v4 SDK was packed to a tarball and installed into the consumer harness alongside the ts-cg-grants-gov plugin. The SDK packs to a valid publish shape and the consumer plugin builds, type-checks (tsc), and packs successfully against the v4 SDK tarball; the installed SDK correctly declares and resolves zod@4.4.3 downstream. The harness's existing example scenarios fail on missing exports (PluginError, F, classifyFilters) — that is pre-existing scenario drift against an older SDK surface (those symbols don't exist on main, with or without this bump), not a v4 regression.

Additional information

The deprecated v4 method forms still used in the codebase (z.string().uuid()/url()/datetime(), .strict(), .passthrough(), .merge(), z.ZodTypeAny in non-inference positions) compile and run unchanged under v4, so they are intentionally left as-is to keep the diff minimal; they can be modernized separately if desired.

@github-actions github-actions Bot added cli Issue or PR related to the @common-grants/cli library dependencies Pull requests that update a dependency file sdk Issue or PR related to our SDKs typescript Issue or PR related to TypeScript tooling ts-sdk Related to TypeScript SDK labels Jun 18, 2026
@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

🚀 Website Preview Deployed!

Preview your changes at: https://cg-pr-933.billy-daly.workers.dev

This preview will be automatically deleted when the PR is closed.

Bump the catalog zod range ^3.25.76 -> ^4.4.3. zod is a runtime dependency
of the published @common-grants/sdk and @common-grants/cli, so this is a
release-warranting change (changeset included).

Breaking changes adapted for zod v4:
- z.record(X) single-arg form dropped -> z.record(z.string(), X)
  (models.ts otherDates/customFields/customFilters, with-custom-fields.ts
  DEFAULT_VALUE_SCHEMAS.object + the error-message example, and three specs).
- ZodType generic dropped its middle Def param: z.ZodType<Out, Def, In> ->
  z.ZodType<Out, In> (client OppSchema; plugin transform framework
  define-plugin.ts + transforms.ts, where z.ZodType<T, z.ZodTypeDef, any>
  -> z.ZodType<T, any>).
- ZodObject generics collapsed (UnknownKeysParam / catchall removed):
  HasCustomFields now z.ZodObject<Shape>.
- AnyZodObject removed -> z.ZodObject (extensible-schema-coverage test).
- Response helpers (Ok/Paginated/Sorted/Filtered/Created) switched their
  generic constraint from the deprecated z.ZodTypeAny to z.ZodType so v4
  carries the concrete output type through .extend (fixes .data inference).
- CLI validation error wording changed "Invalid url" -> "Invalid URL"
  (error-handling test assertion).

templates/express-js pins zod directly and is a manually-maintained,
out-of-workspace template (not catalog-managed, not in CI) -- left untouched.

Verified: pnpm run ci green across core, changelog-emitter, cli, sdk, website.
@SnowboardTechie SnowboardTechie marked this pull request as ready for review June 22, 2026 23:26
@SnowboardTechie SnowboardTechie requested a review from widal001 July 7, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cli Issue or PR related to the @common-grants/cli library dependencies Pull requests that update a dependency file sdk Issue or PR related to our SDKs ts-sdk Related to TypeScript SDK typescript Issue or PR related to TypeScript tooling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant