chore(deps): bump zod to 4.1 #925

Merged
merged 1 commit into from
Aug 24, 2025

unnoq (Owner) commented Aug 24, 2025

Summary by CodeRabbit

  • New Features
    • None; no user-facing changes.
  • Chores
    • Upgraded development dependency “zod” to ^4.1.1 across packages and example apps for improved tooling compatibility. No runtime impact expected.
  • Tests
    • Expanded coverage for hash string validation, including MD5 hex and base64-encoded SHA-256 cases.
  • Refactor
    • Improved type safety in schema conversion logic without altering behavior.

This release is primarily maintenance-oriented and should be invisible to end users.

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Aug 24, 2025

vercel bot commented Aug 24, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
orpc Ready Ready Preview Comment Aug 24, 2025 9:31am

coderabbitai bot commented Aug 24, 2025

Walkthrough

This PR bumps devDependency zod from ^4.0.17 to ^4.1.1 across multiple packages and playgrounds, updates internal TypeScript unions in Zod v4 converter/coercer to include "function" as unsupported, and adds two converter string tests for z.hash patterns. No runtime or public API changes are indicated.

Changes

Cohort / File(s) Change summary
DevDependency bump: zod to ^4.1.1
apps/content/package.json, packages/client/package.json, packages/contract/package.json, packages/json-schema/package.json, packages/nest/package.json, packages/openapi/package.json, packages/react-query/package.json, packages/react/package.json, packages/shared/package.json, packages/solid-query/package.json, packages/svelte-query/package.json, packages/tanstack-query/package.json, packages/trpc/package.json, packages/zod/package.json, playgrounds/astro/package.json, playgrounds/browser-extension/package.json, playgrounds/bun-websocket-otel/package.json, playgrounds/cloudflare-worker/package.json, playgrounds/contract-first/package.json, playgrounds/electron/package.json, playgrounds/nest/package.json, playgrounds/next/package.json, playgrounds/nuxt/package.json, playgrounds/solid-start/package.json, playgrounds/svelte-kit/package.json, playgrounds/tanstack-start/package.json
Update devDependencies.zod from ^4.0.17 to ^4.1.1; no other edits.
Zod v4 converter/coercer typing
packages/zod/src/zod4/converter.ts, packages/zod/src/zod4/coercer.ts
Expand local _unsupported union to include 'function'; behavior remains unchanged.
Zod converter tests
packages/zod/src/zod4/converter.string.test.ts
Add tests for z.hash("md5") (hex) and z.hash("sha256", { enc: "base64" }) patterns.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

size:XXL

Poem

Thump-thump goes my tiny heart—update time!
I nibbled zod to four-point-one-dot-one, sublime.
Function? Not today, says the schema warren;
Tests hop in line, hashes neatly sworn in.
Carrot-shaped commits, cozy and clean—
Another burrow patched, swift and serene. 🥕🐇

gemini-code-assist bot (Contributor) left a comment

Summary of Changes

Hello @unnoq, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the zod dependency across various packages and playgrounds within the monorepo from version 4.0.17 to 4.1.1. This update also includes internal adjustments to the zod package's schema conversion logic, specifically enhancing its handling of function types and adding new test cases for hash schema validation.

Highlights

  • Dependency Update: The zod dependency has been bumped from ^4.0.17 to ^4.1.1 in all relevant package.json files across applications, packages, and playgrounds.
  • Lockfile Synchronization: The pnpm-lock.yaml file has been updated to reflect the new zod version and ensure consistency across the project's dependencies.
  • Zod Schema Coercion Enhancement: The experimental_ZodSmartCoercionPlugin in packages/zod/src/zod4/coercer.ts now explicitly includes 'function' as a recognized type for schema coercion.
  • JSON Schema Converter Update: The ZodToJsonSchemaConverter in packages/zod/src/zod4/converter.ts has been updated to acknowledge 'function' as an unsupported type for direct JSON schema conversion.
  • New Zod Hash Schema Tests: New test cases have been added in packages/zod/src/zod4/converter.string.test.ts to validate z.hash schemas for MD5 and SHA256 with Base64 encoding.

codecov bot commented Aug 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request updates the zod dependency to version 4.1.1 across the monorepo. The changes include updating multiple package.json files, the pnpm-lock.yaml file, and making minor code adjustments to handle new types and features from the updated dependency. The code changes appear safe and correct. My main feedback is on improving dependency management within the monorepo to simplify future updates.

@@ -49,6 +49,6 @@
"vitepress-plugin-mermaid": "^2.0.17",
"vitepress-plugin-shiki-twoslash": "^0.0.6",
"vue": "^3.5.18",
"zod": "^4.0.17"
"zod": "^4.1.1"
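
Review bot: On the last line, `^4.1.1` is a caret range, so any later 4.x release satisfies it and the version actually installed is whatever pnpm-lock.yaml records. Review the lockfile entry for zod alongside this manifest change, and have CI install with `pnpm install --frozen-lockfile` so that a manifest and lockfile that disagree fail the build instead of resolving silently.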

medium

I noticed that the zod dependency version is explicitly defined and updated in multiple package.json files across this monorepo. To improve maintainability and ensure all packages use a consistent version, you could define the zod version in the root package.json and reference it using the workspace:* protocol in the individual package manifests.

This approach centralizes version management, which simplifies future updates as you would only need to change the version number in one place.

For example:

Root package.json:

{
  "devDependencies": {
    "zod": "^4.1.1"
  }
}

This package's package.json:

{
  "devDependencies": {
    "zod": "workspace:*"
  }
}

@@ -70,6 +70,6 @@
"@orpc/standard-server-peer": "workspace:*"
},
"devDependencies": {
"zod": "^4.0.17"
"zod": "^4.1.1"
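
Review bot: The first line of this hunk shows `workspace:*` on `@orpc/standard-server-peer`, an internal package, while zod on the last line is an external registry package and needs a real version range. pnpm resolves the `workspace:` protocol only against packages inside the workspace, so keeping the zod version in one place calls for a root `pnpm.overrides` entry or a `catalog:` reference rather than `workspace:*`.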

medium

I see that the zod dependency version is explicitly managed in many package.json files. For better maintainability in a monorepo, consider defining the version in the root package.json and using workspace:* in the individual packages. This ensures version consistency and simplifies future updates.

Example:

Root package.json:

{
  "devDependencies": {
    "zod": "^4.1.1"
  }
}

This package's package.json:

{
  "devDependencies": {
    "zod": "workspace:*"
  }
}

@@ -42,6 +42,6 @@
"devDependencies": {
"arktype": "2.1.20",
"valibot": "^1.1.0",
"zod": "^4.0.17"
"zod": "^4.1.1"
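
Review bot: The three devDependencies in this hunk follow two pinning styles: `arktype` is fixed at exactly `2.1.20`, while `valibot` and the updated `zod` line use caret ranges. If the exact pin is deliberate, record the reason in the PR description; otherwise pick one policy for the validation libraries so that a fresh lockfile resolution cannot move some of them and not others.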

medium

I've noticed that the zod dependency is versioned individually in multiple packages. To improve maintainability and ensure consistency across the monorepo, you could define the version in the root package.json and reference it with workspace:* in the packages. This will make future updates easier to manage.

Example:

Root package.json:

{
  "devDependencies": {
    "zod": "^4.1.1"
  }
}

This package's package.json:

{
  "devDependencies": {
    "zod": "workspace:*"
  }
}

pkg-pr-new bot commented Aug 24, 2025

More templates

@orpc/arktype

npm i https://pkg.pr.new/@orpc/arktype@925

@orpc/client

npm i https://pkg.pr.new/@orpc/client@925

@orpc/contract

npm i https://pkg.pr.new/@orpc/contract@925

@orpc/experimental-durable-event-iterator

npm i https://pkg.pr.new/@orpc/experimental-durable-event-iterator@925

@orpc/hey-api

npm i https://pkg.pr.new/@orpc/hey-api@925

@orpc/interop

npm i https://pkg.pr.new/@orpc/interop@925

@orpc/json-schema

npm i https://pkg.pr.new/@orpc/json-schema@925

@orpc/nest

npm i https://pkg.pr.new/@orpc/nest@925

@orpc/openapi

npm i https://pkg.pr.new/@orpc/openapi@925

@orpc/openapi-client

npm i https://pkg.pr.new/@orpc/openapi-client@925

@orpc/otel

npm i https://pkg.pr.new/@orpc/otel@925

@orpc/react

npm i https://pkg.pr.new/@orpc/react@925

@orpc/react-query

npm i https://pkg.pr.new/@orpc/react-query@925

@orpc/experimental-react-swr

npm i https://pkg.pr.new/@orpc/experimental-react-swr@925

@orpc/server

npm i https://pkg.pr.new/@orpc/server@925

@orpc/shared

npm i https://pkg.pr.new/@orpc/shared@925

@orpc/solid-query

npm i https://pkg.pr.new/@orpc/solid-query@925

@orpc/standard-server

npm i https://pkg.pr.new/@orpc/standard-server@925

@orpc/standard-server-aws-lambda

npm i https://pkg.pr.new/@orpc/standard-server-aws-lambda@925

@orpc/standard-server-fetch

npm i https://pkg.pr.new/@orpc/standard-server-fetch@925

@orpc/standard-server-node

npm i https://pkg.pr.new/@orpc/standard-server-node@925

@orpc/standard-server-peer

npm i https://pkg.pr.new/@orpc/standard-server-peer@925

@orpc/svelte-query

npm i https://pkg.pr.new/@orpc/svelte-query@925

@orpc/tanstack-query

npm i https://pkg.pr.new/@orpc/tanstack-query@925

@orpc/trpc

npm i https://pkg.pr.new/@orpc/trpc@925

@orpc/valibot

npm i https://pkg.pr.new/@orpc/valibot@925

@orpc/vue-colada

npm i https://pkg.pr.new/@orpc/vue-colada@925

@orpc/vue-query

npm i https://pkg.pr.new/@orpc/vue-query@925

@orpc/zod

npm i https://pkg.pr.new/@orpc/zod@925

commit: bcbe583

coderabbitai bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (3)
playgrounds/contract-first/package.json (1)

23-23: LGTM; playground aligned to zod ^4.1.1.

No concerns; this keeps the playground in sync with the repo-wide bump.

See the verification script in playgrounds/next/package.json for workspace-wide auditing.

playgrounds/nuxt/package.json (1)

23-23: LGTM; nuxt playground on zod ^4.1.1.

No issues spotted. Keeping playgrounds updated helps catch adapter issues early.

Refer to the verification script posted in playgrounds/next/package.json to ensure all workspaces resolved to 4.1.x in the lockfile.

packages/svelte-query/package.json (1)

50-50: Looks good; same caveat about runtime imports.

If any code in packages/svelte-query/src imports zod at runtime, promote it to dependency/peerDependency. Otherwise, devDependency is appropriate.

🧹 Nitpick comments (4)
packages/openapi/package.json (1)

77-77: LGTM; consider pinning via a workspace override to keep all packages in lockstep.

Optional: add a root-level pnpm override to enforce zod ^4.1.1 across the monorepo and prevent future drift.

Example (root package.json):

{
  "pnpm": {
    "overrides": {
      "zod": "^4.1.1"
    }
  }
}

This complements Renovate/updates and guards transitive pulls.

packages/nest/package.json (1)

74-74: Confirm no published code imports zod; otherwise move it out of devDependencies.

This package is published. If any code in packages/nest/src imports zod (even for runtime validation), list zod as a peerDependency (preferred for libraries) or a dependency. If it’s used only in tests/type-only contexts, devDependency is correct.

Consider adding a lightweight safeguard in CI to fail when a package imports a module that isn’t declared in dependencies/peerDependencies.

apps/content/package.json (1)

52-52: LGTM; optional centralization via pnpm overrides.

Change is straightforward. Optionally, pin zod across the monorepo via a root-level pnpm.overrides to keep all consumers on a single 4.1.x line without touching each package.json.

packages/zod/src/zod4/coercer.ts (1)

341-361: Avoid potential noUnusedLocals warning for _unsupported.

If noUnusedLocals is enabled, this pattern can warn since _unsupported isn’t read. You can mark it as used inline.

Apply this minimal change:

         const _unsupported:
           | 'null'
           | 'nan'
           | 'transform'
           | 'void'
           | 'never'
           | 'any'
           | 'unknown'
           | 'file'
           | 'undefined'
           | 'string'
           | 'template_literal'
           | 'int'
           | 'symbol'
           | 'promise'
           | 'function'
           | 'custom'
           = schema._zod.def.type
+        void _unsupported
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7f288fb and bcbe583.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (29)
  • apps/content/package.json (1 hunks)
  • packages/client/package.json (1 hunks)
  • packages/contract/package.json (1 hunks)
  • packages/json-schema/package.json (1 hunks)
  • packages/nest/package.json (1 hunks)
  • packages/openapi/package.json (1 hunks)
  • packages/react-query/package.json (1 hunks)
  • packages/react/package.json (1 hunks)
  • packages/shared/package.json (1 hunks)
  • packages/solid-query/package.json (1 hunks)
  • packages/svelte-query/package.json (1 hunks)
  • packages/tanstack-query/package.json (1 hunks)
  • packages/trpc/package.json (1 hunks)
  • packages/zod/package.json (1 hunks)
  • packages/zod/src/zod4/coercer.ts (1 hunks)
  • packages/zod/src/zod4/converter.string.test.ts (1 hunks)
  • packages/zod/src/zod4/converter.ts (1 hunks)
  • playgrounds/astro/package.json (1 hunks)
  • playgrounds/browser-extension/package.json (1 hunks)
  • playgrounds/bun-websocket-otel/package.json (1 hunks)
  • playgrounds/cloudflare-worker/package.json (1 hunks)
  • playgrounds/contract-first/package.json (1 hunks)
  • playgrounds/electron/package.json (1 hunks)
  • playgrounds/nest/package.json (1 hunks)
  • playgrounds/next/package.json (1 hunks)
  • playgrounds/nuxt/package.json (1 hunks)
  • playgrounds/solid-start/package.json (1 hunks)
  • playgrounds/svelte-kit/package.json (1 hunks)
  • playgrounds/tanstack-start/package.json (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
packages/zod/src/zod4/converter.ts (1)
packages/zod/src/zod4/coercer.ts (1)
  • schema (47-364)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: publish-commit
  • GitHub Check: lint
🔇 Additional comments (20)
packages/contract/package.json (1)

45-45: No zod exposure in production; keep as devDependency

I verified that all zod imports (in schema.test-d.ts, schema-utils.test.ts, and event-iterator.test.ts) live solely in test or declaration files and do not surface in the package’s exported API. There are no direct zod imports or Zod… types in any non-test code under packages/contract/src/. Keeping zod as a devDependency is therefore appropriate.

packages/react/package.json (1)

56-56: Confirmed no runtime Zod usage in React package

I scanned packages/react/src/**/*.{ts,tsx} and found Zod imports only in test files (*.test.ts/*.test-d.ts), with no references in the published source. Keeping Zod in devDependencies is appropriate, and no peerDependency is needed.

playgrounds/nest/package.json (1)

37-37: All zod versions are aligned and the lockfile is clean

I’ve verified:

  • Every package.json (including playgrounds/nest) specifies zod as ^4.1.1 or a range that includes v4 (packages/zod uses >=3.25.0, which covers 4.1.1).
  • No zod@4.0.* entries remain in pnpm-lock.yaml; only zod@4.1.1 is pinned for v4, and the v3.x entries are from downstream packages that still depend on zod 3.x (expected).

No further action needed here—lockfile and dependency ranges are consistent.

playgrounds/svelte-kit/package.json (1)

29-29: Version bump acknowledged.

Dev-only use in playground is appropriate; no peer range needed here.

packages/client/package.json (1)

73-73: DevDependency usage of zod is correct

zod is only imported in packages/client/tests/helpers.ts (a test file), and no production-exported types reference it. Keeping zod as a devDependency is appropriate—no peerDependency needed.

packages/json-schema/package.json (1)

44-44: Consistent zod ^4.1.1 — good.

No other changes; safe as a dev bump. Keep an eye on any generator/output tests that rely on zod internals.

packages/trpc/package.json (1)

47-47: Looks good and consistent with the monorepo.

No peer constraint on zod here, which is fine if not exposed/required at runtime.

playgrounds/tanstack-start/package.json (1)

33-33: LGTM: zod devDependency bumped to ^4.1.1.

Change is scoped to devDependencies; no runtime impact expected.

playgrounds/cloudflare-worker/package.json (1)

33-33: LGTM: zod devDependency bump looks good.

Consistent with the repo-wide upgrade; no other changes in this file.

packages/tanstack-query/package.json (1)

53-53: LGTM: align devDependency zod to ^4.1.1.

No peer/runtime use here; safe as a dev-only bump.

packages/shared/package.json (1)

52-52: LGTM: zod devDependency upgraded to ^4.1.1.

Matches the rest of the workspace; no additional actions needed.

playgrounds/bun-websocket-otel/package.json (1)

34-34: LGTM — playground aligned to zod ^4.1.1.

No runtime/public API impact from this change in a playground context.

packages/react-query/package.json (1)

51-51: LGTM — version bump only.

Dev-only upgrade; no peer/runtime dependency changes. Covered by the workspace verification script above.

playgrounds/browser-extension/package.json (1)

32-32: LGTM — browser-extension playground updated to ^4.1.1.

Consistent with the repo-wide bump.

playgrounds/electron/package.json (1)

36-36: LGTM: dev-only version bump.

Electron playground using zod solely in devDependencies is fine.

playgrounds/solid-start/package.json (1)

23-23: Monorepo-wide Zod version & imports are consistent

All package.json files that list zod pin it at ^4.1.1, and there are no remaining bare imports of "zod" in the code (all references resolve to zod/v4). Closing this verification.

packages/zod/src/zod4/coercer.ts (1)

341-359: Add 'function' to unsupported union — LGTM.

Matches zod v4.1’s possible def.type values and keeps runtime unchanged in the default branch.

packages/zod/src/zod4/converter.ts (1)

558-561: Default-branch typing updated to include 'function' — looks correct.

Keeps type-narrowing aligned with zod v4.1 while returning unsupportedJsonSchema at runtime. No behavioral change.

packages/zod/src/zod4/converter.string.test.ts (2)

151-155: Good coverage: md5 hex pattern matches 32 nybbles.

^[0-9a-fA-F]{32}$ is correct for MD5. Test reads clearly.


156-160: Good coverage: sha256 base64 length/padding.

^[A-Za-z0-9+/]{43}=$ enforces 44 chars with required single = padding for 32-byte output. Solid addition.
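
Added example, not part of the review above and not code from the oRPC or Zod projects: it derives the two patterns quoted in the review from the digest size, and shows that the base64 pattern checks shape only, so it also accepts a non-canonical encoding. The names DIGEST_BYTES, hashPattern, isCanonicalBase64 and checkDigestString are hypothetical, and the sample strings are constructed byte fills of digest length, not real digests.

```javascript
// Digest sizes in bytes for common hash algorithms.
const DIGEST_BYTES = new Map([
  ["md5", 16],
  ["sha1", 20],
  ["sha256", 32],
  ["sha384", 48],
  ["sha512", 64],
]);

// Build the anchored pattern for a digest of `alg` in encoding `enc`.
// hex:    two characters per byte.
// base64: ceil(4n/3) data characters, then 0, 1 or 2 "=" so the total
//         length is a multiple of 4.
function hashPattern(alg, enc = "hex") {
  const n = DIGEST_BYTES.get(alg);
  if (n === undefined) throw new RangeError(`unknown algorithm: ${alg}`);
  if (enc === "hex") return `^[0-9a-fA-F]{${2 * n}}$`;
  if (enc === "base64") {
    const dataChars = Math.ceil((4 * n) / 3);
    const pad = (3 - (n % 3)) % 3;
    return `^[A-Za-z0-9+/]{${dataChars}}${"=".repeat(pad)}$`;
  }
  throw new RangeError(`unknown encoding: ${enc}`);
}

// The pattern cannot see that the last data character of a padded group
// carries unused low bits. Decoding and re-encoding exposes strings that
// match the pattern but are not the canonical encoding of any byte string.
function isCanonicalBase64(value) {
  return Buffer.from(value, "base64").toString("base64") === value;
}

// Shape check first, canonical-form check second (base64 only).
function checkDigestString(value, alg, enc = "hex") {
  if (typeof value !== "string") return "bad-shape";
  if (!new RegExp(hashPattern(alg, enc)).test(value)) return "bad-shape";
  if (enc === "base64" && !isCanonicalBase64(value)) return "non-canonical";
  return "ok";
}

// Constructed samples: fixed byte fills with the right length.
const SAMPLE_SHA256_B64 = Buffer.alloc(32, 0xab).toString("base64");
const SAMPLE_MD5_HEX = Buffer.alloc(16, 0x5c).toString("hex");
// 43 alphabet characters plus "=", but the final "B" sets bits that a
// 32-byte value cannot carry; it decodes to the same bytes as 43 "A"s.
const NON_CANONICAL_B64 = "A".repeat(42) + "B=";
// Same bytes as the first sample with the required padding removed.
const UNPADDED_B64 = SAMPLE_SHA256_B64.slice(0, -1);

function demo() {
  return {
    md5Hex: hashPattern("md5", "hex"),
    sha256Base64: hashPattern("sha256", "base64"),
    canonical: checkDigestString(SAMPLE_SHA256_B64, "sha256", "base64"),
    nonCanonical: checkDigestString(NON_CANONICAL_B64, "sha256", "base64"),
    unpadded: checkDigestString(UNPADDED_B64, "sha256", "base64"),
  };
}

console.log(demo());
```

Where two encodings of the same digest must compare equal as strings (cache keys, allow-lists, deduplication), the canonical-form check matters as much as the length check.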

@@ -47,6 +47,6 @@
},
"devDependencies": {
"@tanstack/solid-query": "^5.85.5",
"zod": "^4.0.17"
"zod": "^4.1.1"

💡 Verification agent

🧩 Analysis chain

Zod bump to ^4.1.1 looks good; run a quick workspace-wide sanity check.

Change is scoped to devDependencies, which is low risk. To avoid drift and catch any packages that still import zod at runtime without declaring it as a dep/peer, run the script below.


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "1) Report any non-^4.1.1 zod versions across the repo"
fd -a -t f package.json | while read -r pkg; do
  dev=$(jq -r '(.devDependencies.zod // empty)' "$pkg")
  dep=$(jq -r '(.dependencies.zod // empty)' "$pkg")
  peer=$(jq -r '(.peerDependencies.zod // empty)' "$pkg")
  [[ -n "$dev" && "$dev" != "^4.1.1" ]] && echo "dev zod mismatch: $pkg -> $dev"
  [[ -n "$dep" ]]  && echo "has runtime dependency on zod: $pkg -> $dep"
  [[ -n "$peer" ]] && echo "has peer dependency on zod: $pkg -> $peer"
done

echo
echo "2) Flag packages that import zod at runtime but only list it as a devDependency"
fd -t f package.json | while read -r pkg; do
  dir=$(dirname "$pkg")
  # true if zod is declared as dep or peer
  if jq -e '(.dependencies.zod // empty) or (.peerDependencies.zod // empty)' "$pkg" >/dev/null; then
    continue
  fi
  # find non-type-only imports from 'zod' outside tests
  if rg -nP --glob '!**/test/**' --glob '!**/*.test.*' --glob '!**/__tests__/**' '^\s*import\s+(?!type\b).*from\s*[\'"]zod[\'"]' "$dir" >/dev/null 2>&1; then
    echo "Potential runtime import without dep/peer: $pkg"
    rg -nP --glob '!**/test/**' --glob '!**/*.test.*' --glob '!**/__tests__/**' '^\s*import\s+(?!type\b).*from\s*[\'"]zod[\'"]' "$dir" -n
  fi
done

echo
echo "3) Spot old zod entries in pnpm-lock (if present)"
[[ -f pnpm-lock.yaml ]] && rg -n '^  zod@' pnpm-lock.yaml | sed -n '1,30p' || true

Length of output: 17105


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "== 1) packages/zod/package.json peerDependency on zod =="
jq '.peerDependencies.zod // "none"' packages/zod/package.json || true

echo
echo "== 2) Runtime imports of zod (excluding tests) =="
rg -nP --glob '!**/test/**' --glob '!**/*.test.*' --glob '!**/__tests__/**' \
  '^\s*import\s+(?!type\b).*from\s*[\'"]zod[\'"]' \
  --type-add 'ts:*.ts' --type-add 'tsx:*.tsx' \
  --type-add 'js:*.js' --type-add 'jsx:*.jsx' || echo "No runtime imports found"

echo
echo "== 3) Old zod entries in pnpm-lock.yaml =="
if [[ -f pnpm-lock.yaml ]]; then
  rg -n '^  zod@' pnpm-lock.yaml | head -n 20 || echo "No old zod entries"
else
  echo "pnpm-lock.yaml not present"
fi

Length of output: 453


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "== 1) packages/zod/package.json peerDependency on zod =="
jq '.peerDependencies.zod // "none"' packages/zod/package.json || true

echo
echo "== 2) Runtime imports of zod (excluding tests) =="
rg -nP --glob '!**/test/**' --glob '!**/*.test.*' --glob '!**/__tests__/**' \
  -e "^\s*import\s+(?!type\\b).*from\s*['\"]zod['\"]" -n . || echo "No runtime imports found"

echo
echo "== 3) Old zod entries in pnpm-lock.yaml =="
if [[ -f pnpm-lock.yaml ]]; then
  rg -n '^  zod@' pnpm-lock.yaml | head -n 20 || echo "No old zod entries"
else
  echo "pnpm-lock.yaml not present"
fi

Length of output: 7976


Update packages/zod peerDependency and refresh lockfile

  • packages/zod/package.json still declares
    "peerDependencies": {
      "zod": ">=3.25.0"
    }
    Please bump this to "^4.1.1" to match the rest of the workspace.
  • All other packages’ devDependencies.zod entries are correctly ^4.1.1, and no published package (outside of playgrounds/docs) imports Zod at runtime without declaring it.
  • Your pnpm-lock.yaml still contains legacy Zod versions (3.22.3, 3.24.1, 3.25.76); run a lockfile update (e.g. pnpm install) to consolidate to 4.1.1.
🤖 Prompt for AI Agents
In packages/solid-query/package.json around line 50, the workspace uses Zod v4
but packages/zod/package.json still lists a peerDependency of "zod": ">=3.25.0";
update that peerDependency to "zod": "^4.1.1" to match the workspace, then run
pnpm install (or pnpm update --recursive) to refresh pnpm-lock.yaml so legacy
3.x Zod versions are removed and the lockfile consolidates to 4.1.1.

@@ -52,6 +52,6 @@
"wildcard-match": "^5.1.3"
},
"devDependencies": {
"zod": "^4.0.17"
"zod": "^4.1.1"
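
Review bot: The changed line sits under `devDependencies`, so it moves only the zod version this package is built and tested against; the range offered to consumers is declared elsewhere in the manifest and is untouched by this hunk. If that range still admits releases older than 4.1, add a CI job that runs the tests against the lowest version it allows, or narrow the range to what is tested.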

💡 Verification agent

🧩 Analysis chain

Confirm peer range still supports intended majors (v3 vs v4).

You bumped devDependency to ^4.1.1, while peerDependencies still allow "zod": ">=3.25.0". If @orpc/zod now targets v4 only (especially with zod4-specific code/tests), consider tightening to ">=4 <5" to prevent consumers from accidentally installing zod v3 at runtime. If v3 is still intentionally supported via a separate path, keeping the wide peer range is fine—please confirm.

If v3 is no longer supported, apply:

   "peerDependencies": {
     "@orpc/contract": "workspace:*",
     "@orpc/server": "workspace:*",
-    "zod": ">=3.25.0"
+    "zod": ">=4 <5"
   },

Repo-wide quick check to ensure consistency of zod versions across package.json files:


🏁 Script executed:

#!/bin/bash
# Lists all package.json entries that reference zod and their declared ranges
fd -t f package.json | while read -r f; do
  jq -r --arg f "$f" '
    [
      $f,
      (.dependencies.zod // empty),
      (.devDependencies.zod // empty),
      (.peerDependencies.zod // empty)
    ] | @tsv
  ' "$f"
done | awk -F'\t' '$2$3$4!="" { printf "%-60s  dep:%-12s devDep:%-12s peer:%-12s\n", $1, $2, $3, $4 }' | sort

Length of output: 13692


🏁 Script executed:

#!/bin/bash
# Display the first 200 lines of the zod package manifest for inspection
sed -n '1,200p' packages/zod/package.json

Length of output: 1286


🏁 Script executed:

#!/bin/bash
# List all source files in the zod package to inspect structure
find packages/zod/src -type f

Length of output: 1510


🏁 Script executed:

#!/bin/bash
# Show the contents of the main entry point to verify v3 support
sed -n '1,200p' packages/zod/src/index.ts

Length of output: 584


Confirm Zod v3 support or tighten peer range to v4-only

Our tests and dev setup are using Zod 4 exclusively (devDependency is "zod": "^4.1.1", and there are no root‐level tests against v3), yet the peerDependency still allows "zod": ">=3.25.0". If you no longer intend to maintain full v3 compatibility, you should narrow the peer range to v4 so downstream consumers won’t accidentally install Zod 3 at runtime.

• In packages/zod/package.json, update the peerDependency for Zod to only v4:

  "peerDependencies": {
    "@orpc/contract": "workspace:*",
    "@orpc/server": "workspace:*",
-   "zod": ">=3.25.0"
+   "zod": ">=4 <5"
  },

• Run a repo-wide check to ensure no other package.json still expects Zod 3.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"zod": "^4.1.1"
"peerDependencies": {
"@orpc/contract": "workspace:*",
"@orpc/server": "workspace:*",
"zod": ">=4 <5"
},
🤖 Prompt for AI Agents
In packages/zod/package.json around line 55 the peerDependency for zod is too
permissive (">=3.25.0") while the code and devDependencies use Zod v4; update
the peerDependency to a v4-only range (for example ">=4.0.0 <5") to prevent
consumers from installing Zod 3, then run a repo-wide search (all package.json
files) to ensure no other packages declare or require Zod 3 and update them or
add compatibility notes as needed; after changing the peer range, run tests and
CI to verify nothing breaks.

@@ -26,6 +26,6 @@
"react": "^19.1.1",
"react-dom": "^19.1.1",
"typescript": "^5.9.2",
"zod": "^4.0.17"
"zod": "^4.1.1"
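
Review bot: The two `"zod"` lines only move the declared caret range from ^4.0.17 to ^4.1.1; what actually gets installed is decided by the lockfile. Confirm that pnpm-lock.yaml is updated in the same commit and resolves zod to one 4.1.x version, and that CI installs from the frozen lockfile so the range cannot float to a newer release unreviewed.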

💡 Verification agent

🧩 Analysis chain

Zod bump to ^4.1.1 looks good; verify it’s not used at runtime in this package.

Since zod is listed under devDependencies, ensure no code that ships (or example build output) imports zod at runtime. If any runtime import exists, promote it to dependencies or peerDependencies accordingly.

Run this repo-wide check from the root to confirm no runtime/source imports in the touched workspaces:


🏁 Script executed:

#!/bin/bash
# Find zod imports across updated packages' source trees
rg -nP -C2 --type=ts --type=tsx --type=js --type=jsx \
  "(from\\s+['\"]zod['\"]|require\\(['\"]zod['\"]\\))" \
  playgrounds/astro packages/nest playgrounds/electron apps/content packages/svelte-query

# If any matches appear under published package src (e.g., packages/*/src),
# zod should be a dependency or peerDependency rather than only a devDependency.

Length of output: 228


🏁 Script executed:

#!/bin/bash
# Search for any runtime imports of zod without relying on rg --type flags
rg -n -C2 "import\s+.*from\s+['\"]zod['\"]|require\(['\"]zod['\"]\)" \
  -g '*.js' -g '*.jsx' -g '*.ts' -g '*.tsx' \
  playgrounds/astro packages/nest playgrounds/electron apps/content packages/svelte-query

Length of output: 3505


Move Zod into runtime dependencies
The AST search shows that this package ships code importing Zod at runtime (e.g. in playgrounds/astro/src/router/sse.ts, router/planet.ts, and all schemas under playgrounds/astro/src/schemas/*.ts). Because Zod is only in devDependencies, consumers won’t get it when installing the package.

• Affected files:

  • playgrounds/astro/src/router/sse.ts
  • playgrounds/astro/src/router/planet.ts
  • playgrounds/astro/src/schemas/user.ts
  • playgrounds/astro/src/schemas/planet.ts
  • playgrounds/astro/src/schemas/auth.ts

• Required change: in playgrounds/astro/package.json, remove the Zod entry from devDependencies and add it under dependencies. For example:

--- package.json
@@
-  "devDependencies": {
-    "zod": "^4.1.1"
-    /* …other devDeps… */
-  },
+  "dependencies": {
+    "zod": "^4.1.1"
+    /* …other runtime deps… */
+  },
+  "devDependencies": {
+    /* …other devDeps (without zod)… */
+  },
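
Review bot: Applied literally, this hunk produces invalid JSON: package.json does not allow the `/* … */` placeholders, and the `"zod": "^4.1.1"` line under `"dependencies"` has no trailing comma before the entries that would follow it. The move is also only needed if playgrounds/astro is installed by someone else or deployed with dev dependencies omitted; if the playground is a private workspace app, leaving zod under `"devDependencies"` changes nothing for consumers, so the PR should state which case applies.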

Please update the package.json accordingly to ensure Zod is installed at runtime.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"zod": "^4.1.1"
@@ playgrounds/astro/package.json
- "devDependencies": {
- "zod": "^4.1.1"
- /* …other devDeps… */
"dependencies": {
"zod": "^4.1.1"
/* …other runtime deps… */
},
"devDependencies": {
/* …other devDeps (without zod)… */
},
🤖 Prompt for AI Agents
In playgrounds/astro/package.json around line 29 the "zod" package is currently
listed only in devDependencies but is imported at runtime by files under
playgrounds/astro/src (router/sse.ts, router/planet.ts, and schemas/*), so move
"zod" from devDependencies into dependencies: remove the "zod" entry under
devDependencies and add the same version string under the top-level
"dependencies" object (preserve the version specifier "^4.1.1"), then run a
quick install to verify the package is resolved for consumers.

@@ -26,6 +26,6 @@
"react-dom": "^19.1.1",
"server-only": "^0.0.1",
"typescript": "^5.9.2",
"zod": "^4.0.17"
"zod": "^4.1.1"

💡 Verification agent

🧩 Analysis chain

LGTM on the zod bump; verify workspace-wide consistency and lockfile.

The upgrade to ^4.1.1 looks good for this playground. To avoid drift across the monorepo, please confirm all packages pin zod consistently and that the lockfile resolves to a single 4.1.x.

Run the script to audit all package.json files and the lockfile:

Optionally enforce a single version via a root override (pnpm):

 {
   "name": "orpc-monorepo",
   // ...
+  "pnpm": {
+    "overrides": {
+      "zod": "^4.1.1"
+    }
+  }
 }
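
Review bot: The `"overrides"` entry for `"zod"` applies to the whole dependency graph, not only to workspace packages, so any third-party dependency that still requires zod 3 would be forced onto ^4.1.1 and may fail at runtime. List which packages in the lockfile pull in zod@3 before adding it, and scope the override to the ones known to work with v4. The `// ...` line is a placeholder and must not be copied into package.json.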

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "==> Enumerating zod versions across the repo"
fd -a package.json | while read -r f; do
  for scope in dependencies devDependencies peerDependencies; do
    v=$(jq -r --arg s "$scope" '.[$s].zod // empty' "$f")
    if [ -n "$v" ]; then
      printf "%s\t%s\t%s\n" "$f" "$scope" "$v"
    fi
  done
done | sort | tee /tmp/zod-versions.txt

echo
echo "==> Any non-^4.1.x constraints?"
rg -nP -v '^\S+\t\S+\t\^4\.1\.' /tmp/zod-versions.txt || echo "All zod entries are ^4.1.x"

echo
if [ -f pnpm-lock.yaml ]; then
  echo "==> Lockfile zod entries (first 10 matches)"
  rg -n '(^\s*name:\s*zod$|zod@)' -n pnpm-lock.yaml -C2 | head -n 100 || true
else
  echo "No pnpm-lock.yaml found."
fi

echo
echo "==> Where is zod imported?"
rg -nP --glob '!**/dist/**' --glob '!**/.*/**' --type ts --type tsx --type js --type jsx '\bfrom\s+[\"\']zod[\"\']|\brequire\([\"\']zod[\"\']\)' -C2 || echo "No zod imports found."

Length of output: 28168


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "==> Enumerating zod version constraints across the repo"
fd -a package.json | while IFS= read -r f; do
  for scope in dependencies devDependencies peerDependencies; do
    v=$(jq -r --arg s "$scope" '.[$s].zod // empty' "$f")
    if [[ -n "$v" ]]; then
      printf "%s\t%s\t%s\n" "$f" "$scope" "$v"
    fi
  done
done | sort > /tmp/zod_versions.txt

echo
echo "==> All zod version constraints:"
cat /tmp/zod_versions.txt

echo
echo "==> Non-^4.1.x constraints:"
grep -nP -v '^\S+\t\S+\t\^4\.1\.' /tmp/zod_versions.txt || echo "None"

echo
if [[ -f pnpm-lock.yaml ]]; then
  echo "==> Zod entries in pnpm-lock.yaml (first 20 matches):"
  grep -n 'zod@' pnpm-lock.yaml | head -n20 || true
else
  echo "No pnpm-lock.yaml found."
fi

echo
echo "==> Zod import occurrences in code:"
rg -nP --glob '!**/dist/**' --glob '!**/.*/**' --type ts --type tsx --type js --type jsx '\bfrom\s+[\"\']zod[\"\']|\brequire\([\"\']zod[\"\']\)' -C2 || echo "No zod imports found."

Length of output: 31663


Action Required: Align zod peerDependency & prune lockfile entries

The audit shows that all consumer packages pin zod at ^4.1.1 in their dependencies, except the monorepo’s own packages/zod/package.json still allows any v3.x via its peerDependency, and the lockfile retains legacy v3 entries.

• In packages/zod/package.json, update the peerDependency constraint:

 "peerDependencies": {
-  "zod": ">=3.25.0"
+  "zod": "^4.1.1"
 }
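
Review bot: `"^4.1.1"` on the `+` line is a tighter peer range than the `>=4 <5` proposed earlier in this review: it rejects 4.0.x, which is what this repository itself declared (^4.0.17) until this PR. A peer range should state the oldest version the package works with, not the version it is currently developed against; unless the code relies on something introduced in 4.1, keep the floor at 4.0 and leave the exact version to the lockfile.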

• Regenerate/clean the lockfile so only zod@4.1.x remains (e.g. delete pnpm-lock.yaml and run pnpm install, or pnpm install --lockfile-only).
• (Optional) Enforce workspace-wide consistency via a root override in package.json:

 {
   "name": "orpc-monorepo",
   // …
+  "pnpm": {
+    "overrides": {
+      "zod": "^4.1.1"
+    }
+  }
 }

These changes will ensure a single zod version across the monorepo and remove outdated v3.x entries.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In playgrounds/next/package.json (line 29) and the monorepo, update
packages/zod/package.json peerDependency to pin Zod v4 (e.g. "^4.1.1" or a caret
range that matches consumer deps) so it no longer allows v3.x; then remove the
stale lockfile (pnpm-lock.yaml) and regenerate it with pnpm install or pnpm
install --lockfile-only to prune v3 entries and ensure only zod@4.1.x remains;
optionally add a root-level package.json override/peerDependencyResolution to
enforce workspace-wide zod@4 consistency.
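
The three peer ranges that appear in this thread (`>=3.25.0`, `>=4 <5`, `^4.1.1`) admit different sets of zod versions. The following is an added example, not code from the PR or the project: a minimal matcher (not the npm `semver` package) that handles only the comparator forms used here, run over constructed sample versions; `5.0.0` is hypothetical and included to probe the upper bound.

```javascript
// Added illustration: a minimal range matcher, NOT the npm `semver` package.
// It handles only the comparator forms that appear in this thread:
// ">=X", "<X" and "^X", space-separated (AND). Prerelease tags are not handled.

// Parse "4", "4.1" or "4.1.1" into [major, minor, patch], padding with zeros.
function parseVersion(text) {
  const parts = text.split('.').map(Number);
  if (parts.length > 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version: ${text}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Three-way compare: negative, zero or positive, like a sort comparator.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Does `version` satisfy every comparator in `range`?
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((token) => {
    const m = /^(>=|<|\^)(\d+(?:\.\d+){0,2})$/.exec(token);
    if (!m) throw new Error(`unsupported comparator: ${token}`);
    const bound = parseVersion(m[2]);
    if (m[1] === '>=') return compare(v, bound) >= 0;
    if (m[1] === '<') return compare(v, bound) < 0;
    // Caret with major >= 1: at least the bound, same major version.
    if (bound[0] === 0) throw new Error('caret on 0.x not handled here');
    return compare(v, bound) >= 0 && v[0] === bound[0];
  });
}

// Constructed sample versions; 5.0.0 is hypothetical.
const SAMPLE_VERSIONS = ['3.24.0', '3.25.0', '4.0.17', '4.1.1', '5.0.0'];
// The three peer ranges discussed in this thread.
const PEER_RANGES = ['>=3.25.0', '>=4 <5', '^4.1.1'];

function admitted(range) {
  return SAMPLE_VERSIONS.filter((v) => satisfies(v, range));
}

for (const range of PEER_RANGES) {
  console.log(range.padEnd(10), '->', admitted(range).join(', '));
}
```

The current range has no upper bound, so it would also accept a future major, while the caret form excludes the 4.0.x line that the repository declared before this PR.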

@unnoq unnoq merged commit 347f023 into main Aug 24, 2025
11 checks passed