build(deps-dev): Bump zod from 3.25.76 to 4.3.4

[dependabot]

Bumps zod from 3.25.76 to 4.3.4.

Release notes

Sourced from zod's releases.

v4.3.4

Commits:

• 1a8bea3b474eada6f219c163d0d3ad09fadabe72 Add integration tests
• e01cd02b2f23d7e9078d3813830b146f8a2258b4 Support patternProperties for looserecord (#5592)
• 089e5fbb0f58ce96d2c4fb34cd91724c78df4af5 Improve looseRecord docs
• decef9c418d9a598c3f1bada06891ba5d922c5cd Fix lint
• 9443aab00d44d5d5f4a7eada65fc0fc851781042 Drop iso time in fromJSONSchema
• 66bda7491a1b9eab83bdeec0c12f4efc7290bd48 Remove .refine() from ZodMiniType
• b4ab94ca608cd5b581bfc12b20dd8d95b35b3009 4.3.4

v4.3.3

Commits:

• f3b2151959d215d405f54dff3c7ab3bf1fd887ca v4.3.3

v4.3.2

Commits:

• bf96635d243118de6e4f260077aa137453790bf6 Loosen strictObjectinside intersection (#5587)
• f71dc0182ab0f0f9a6be6295b07faca269e10179 Remove Juno (#5590)
• 0f41e5a12a43e6913c9dcb501b2b5136ea86500d 4.3.2

v4.3.1

Commits:

• 0fe88407a4149c907929b757dc6618d8afe998fc allow non-overwriting extends with refinements. 4.3.1

v4.3.0

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#5534, #5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";
const schema = z.fromJSONSchema({
type: "object",
properties: {
name: { type: "string", minLength: 1 },
age: { type: "integer", minimum: 0 },
},
required: ["name"],
});
schema.parse({ name: "Alice", age: 30 }); // ✅
</tr></table>

... (truncated)

Commits

• b4ab94c 4.3.4
• 66bda74 Remove .refine() from ZodMiniType
• 9443aab Drop iso time in fromJSONSchema
• decef9c Fix lint
• 089e5fb Improve looseRecord docs
• e01cd02 Support patternProperties for looserecord (#5592)
• 1a8bea3 Add integration tests
• f3b2151 v4.3.3
• 0f41e5a 4.3.2
• f71dc01 Remove Juno (#5590)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[KATO-Hiro]

@coderabbitai

v3.25.76からv.4.3.4 までの破壊的な変更と、その影響の有無を調べて
また本プロジェクトに導入すると便利な新機能があれば示して

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find package.json to understand project structure
fd -t f "package.json" -x cat {}

# Search for zod imports and usage patterns in the codebase
rg -n --type=ts --type=js --type=tsx --type=jsx "import.*zod" -A 2 -B 1

# Search for zod usage patterns
rg -n --type=ts --type=js --type=tsx --type=jsx "z\." -C 2 | head -100

Length of output: 2998

---

🌐 Web query:

zod v4 breaking changes migration guide from v3

💡 Result:

Here are the key breaking changes and practical migration steps when moving from Zod v3 → v4.

Quick checklist (most important changes)

• Top-level string validators: string format helpers moved to top-level (e.g. z.email(), z.uuid(), z.url(), z.ipv4()/z.ipv6()) — stop relying on z.string().email() variants. [1][3]
• Error API consolidated: message/required_error/invalid_type_error → single error option (can be function). errorMap renamed/behaviour changed; ZodError shape and issue types changed (use z.treeifyError for formatted output). Update any custom error handling. [1][3]
• Object behavior: .nonstrict() semantics changed; use .passthrough()/strict() explicitly. Record/object API tweaks — review any object/record edge cases. [1]
• String format renames: ip/cidr variants replaced (e.g. .ip() → ipv4()/ipv6(), cidr → cidrv4/cidrv6). [1][2]
• Union/intersection API clarified: prefer explicit z.union(...) / z.intersection(...) over chained .or()/.and() patterns. [1]
• Removed/renamed utilities and internals: some quasi-internal exports from v3 removed — avoid relying on undocumented internals. [1]
• New packaging/core split: new packages like @zod/core and @zod/mini exist (affects library authors and some ecosystem packages). [1][2]

Practical migration steps

1. Upgrade dependency: install Zod v4 (or use the v4 subpath per Zod guidance). Run tests. [2]
2. Run a codemod: use community codemods (e.g. npx zod-v3-to-v4 or other codemods) to automate many mechanical changes. Review output manually. [2][4]
3. Replace string-format usages: switch z.string().email()/uuid()/ip()/cidr() → z.email()/z.uuid()/z.ipv4()/z.ipv6()/z.cidrv4()/z.cidrv6() (or keep top-level helpers). [1][3]
4. Update error messages: replace message/required_error/invalid_type_error options with the new error option (or error function) and adapt any errorMap usage. Update any code that relied on old ZodError.format/flatten to use z.treeifyError or new error structure. [1][3]
5. Fix object schemas: replace .nonstrict() usage with .passthrough()/.strip()/.strict() as appropriate. Review any behavior relying on extra keys. [1]
6. Search-and-replace other renamed APIs (unions, intersections, removed internals) and run full test suite; update 3rd‑party libs if they need v4 support. [1][2]

Helpful resources

• Official Zod v4 changelog / migration guide. [1]
• zod-v3-to-v4 codemod (run with npx). [2]
• Community migration/cheat‑sheets (practical examples and gotchas). [3][4]

If you want, I can:

• run an automated codemod command suggestion tailored to your repo layout, or
• produce a targeted find/replace list (exact patterns) for your codebase. Which would you prefer?

Sources
[1] Zod v4 migration/changelog.
[2] zod-v3-to-v4 codemod (GitHub / npm).
[3] Community migration cheat‑sheet (gist / notes).
[4] Additional codemod/guide pages referencing v4 changes.

---

🏁 Script executed:

#!/bin/bash
# Search for zod imports in TypeScript and Svelte files more broadly
rg -n "import.*zod|from.*zod" --type-add 'svelte:*.svelte' --type-add 'ts:*.ts' -t svelte -t ts -C 3

# Search for sveltekit-superforms usage which uses zod
rg -n "superforms|superForm" --type-add 'svelte:*.svelte' --type-add 'ts:*.ts' -t svelte -t ts -C 2 | head -50

# Look for any z. patterns that might indicate zod usage
rg -n "\bz\.(object|string|number|array|enum|union|optional|nullable)" --type-add 'svelte:*.svelte' --type-add 'ts:*.ts' -t svelte -t ts -C 2 | head -50

# Check for schema definitions
rg -n "Schema|schema.*=" --type-add 'svelte:*.svelte' --type-add 'ts:*.ts' -t svelte -t ts | head -50

Length of output: 15803

---

🏁 Script executed:

#!/bin/bash
# Read the full schema file to check for breaking changes
cat src/lib/zod/schema.ts

# Check for specific breaking change patterns in the schema
echo "=== Checking for string format methods ==="
rg -n "\.email\(\)|\.url\(\)|\.uuid\(\)|\.ip\(\)|\.cidr\(\)" src/lib/zod/schema.ts

echo "=== Checking for error message patterns ==="
rg -n "message:|required_error:|invalid_type_error:" src/lib/zod/schema.ts

echo "=== Checking for object methods ==="
rg -n "\.nonstrict\(\)|\.passthrough\(\)|\.strict\(\)" src/lib/zod/schema.ts

echo "=== Checking for .or() or .and() usage ==="
rg -n "\.or\(|\.and\(" src/lib/zod/schema.ts

Length of output: 4731

---

🏁 Script executed:

#!/bin/bash
# Check if there are any runtime issues by looking at test files
echo "=== Checking test imports and usage ==="
cat src/test/lib/zod/auth_schema.test.ts | head -50

# Check package.json for sveltekit-superforms version
echo "=== Current sveltekit-superforms version ==="
cat package.json | grep -A 1 -B 1 "sveltekit-superforms"

# Look for any error handling or ZodError usage
echo "=== Checking for ZodError usage ==="
rg -n "ZodError|zodError" --type-add 'svelte:*.svelte' --type-add 'ts:*.ts' -t svelte -t ts -C 2

# Check if there are any uses of ZodSchema type
echo "=== Checking ZodSchema type usage ==="
rg -n "ZodSchema" --type-add 'ts:*.ts' -t ts -C 2

Length of output: 4714

---

🌐 Web query:

sveltekit-superforms zod v4 compatibility 2.27

💡 Result:

Short answer: Yes — sveltekit-superforms added explicit Zod v4 support (zod4 and zod4Client adapters) in the v2.26+ series, and v2.27.x contains Zod 4 fixes (including tests, date handling and bigint). Use the zod4 adapter when working with Zod v4. (github.com)

Citations:

• 1: https://github.com/ciscoheat/sveltekit-superforms/releases?utm_source=openai

---

@KATO-Hiro

コードベースを調査しました。以下、zod v3.25.76からv4.3.4への破壊的な変更と影響についてまとめます。

🔴 主な破壊的な変更

1. 文字列フォーマットバリデータがトップレベルに移動

   • z.string().email() → z.email()
   • z.string().uuid() → z.uuid()
   • z.string().url() → z.url()
   • z.string().ip() → z.ipv4() / z.ipv6()

2. エラーAPIの統合

   • message/required_error/invalid_type_error → 単一の error オプション
   • ZodErrorの構造が変更

3. オブジェクト動作の変更

   • .nonstrict()のセマンティクスが変更
   • .passthrough()/.strict()を明示的に使用

4. sveltekit-superformsのアダプター変更（重要）

   • zod アダプター → zod4 アダプターへの変更が必要

✅ 本プロジェクトへの影響

コードベースを調査した結果、ほとんど影響がありません：

影響なし

• ✅ 文字列フォーマットバリデータ（.email(), .url() など）は使用していません
• ✅ エラーメッセージは既にv4互換の { message: ... } 構文を使用しています
• ✅ .nonstrict(), .passthrough(), .strict() は使用していません
• ✅ .or(), .and() のチェーンは使用していません
• ✅ .refine() は引き続きサポートされています

変更が必要な箇所

sveltekit-superformsのアダプター変更が必要です：

以下のファイルで変更が必要：

• src/routes/workbooks/create/+page.server.ts
• src/routes/workbooks/edit/[slug]/+page.server.ts
• src/routes/(admin)/account_transfer/+page.server.ts
• src/lib/utils/auth_forms.ts
• src/test/lib/utils/auth_forms.test.ts

// 変更前
import { zod } from 'sveltekit-superforms/adapters';

// 変更後
import { zod4 } from 'sveltekit-superforms/adapters';

// 使用箇所も変更
const form = await superValidate(request, zod4(workBookSchema));

🆕 本プロジェクトに有用な新機能

1. z.fromJSONSchema() - JSON SchemaをZodスキーマに変換

   import { z } from 'zod';
   
   const schema = z.fromJSONSchema({
     type: "object",
     properties: {
       name: { type: "string", minLength: 1 },
       age: { type: "integer", minimum: 0 }
     },
     required: ["name"]
   });

   • OpenAPI仕様などと統合する場合に便利

2. トップレベルのバリデータ

   // より簡潔に記述可能
   const emailSchema = z.email();  // 代わりに z.string().email()
   const urlSchema = z.url();      // 代わりに z.string().url()

3. z.looseRecord() - パターンプロパティのサポート改善

   • 動的なオブジェクトキーの検証がより柔軟に

4. 改善されたエラー処理

   import { z } from 'zod';
   
   const result = schema.safeParse(data);
   if (!result.success) {
     const treeifiedErrors = z.treeifyError(result.error);
   }

📝 推奨される対応

1. sveltekit-superformsのアダプターを zod から zod4 に変更（必須）
2. テストを実行して動作確認
3. 将来的に新機能（特にz.email()、z.url()などのトップレベルバリデータ）の採用を検討

現在のスキーマ実装は既にv4互換なので、アダプター変更以外は大きな修正は不要です！

[dependabot]

Superseded by #3027.