Contributor

@dependabot dependabot bot commented on behalf of github Jul 10, 2025

Bumps zod from 3.25.76 to 4.0.5.

Release notes

Sourced from zod's releases.

v4.0.5

Commits:

  • f91a73ec23f9ec28d908af2caa643a54088516c5 Support pipes in discriminated unions. Closes #4856 (#4861)
  • 45afab0f846dffd591362b6f770017507eb185b5 4.0.5

v4.0.4

Commits:

  • 9335f0543d6359f9236e3e33b78cc5b2788dbe0f Adds ZodFirstPartyTypeKind stub to fix module resolution failure inside zod-to-json-schema

v4.0.3

Commits:

  • 5905a8d810eff6f4677e6aa9e557f92a676805cf Improve check-versions script
  • f3e749b1b057a2cf0a0bce7e07abec4e0520e0f8 Remove global File interface
  • 44a936cb77961e57a0988d8a3c63d9c71fce69ac 4.0.2
  • 74006edd49e3fe8d74010090462859593c2bd1e2 Fix JSR provenance
  • ff4af5e889d4ad7136a9cde7202b16261db5c83c 4.0.3
  • ce573e8799f86e2f68307eba95c2d40fc92617b7 Update test badge
  • 9a7161a976d6349f738c00cb6d6528c0407a65e8 Fix versions

v4.0.0

With this release, [email protected] has been published to npm. There were no code changes between 3.25.76 and 4.0.0!

Zod 4 has been stable for the past 6 weeks, but it was published inside [email protected] on npm. This transitionary window gave the ecosystem time to incrementally add support for Zod 4 (without dropping support for Zod 3). As there is now near-universal support for Zod 4 in the ecosystem, the time feels right to finally put a bow on things 🎀

To upgrade to Zod 4:

npm upgrade zod@^4.0.0

If you’ve already migrated to Zod 4 using the subpaths, there are no changes required. However, you can optionally simplify your imports (recommended):

// after upgrading to [email protected]:
import * as z from "zod"; // Zod 4 (regular)
import * as z from "zod/mini"; // Zod 4 Mini
// these still work, but are no longer needed
import * as z from "zod/v4";
import * as z from "zod/v4-mini";
// if you still need Zod 3
import * as z from "zod/v3"; // Zod 3

... (truncated)


Bumps [zod](https://github.com/colinhacks/zod) from 3.25.76 to 4.0.5.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v3.25.76...v4.0.5)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 10, 2025
@ZhongpinWang
Contributor

I have to downgrade zod to v3 wherever ts-to-zod is used. No clear plan when it will support zod v4. fabien0102/ts-to-zod#307

"uuid": "^11.1.0",
"@langchain/core": "0.3.62",
"zod": "^3.25.76"
"zod": "^4.0.5"
Contributor

@deekshas8 deekshas8 Jul 15, 2025

[q] I am confused, so we now use a mix of v4 and v3?

Contributor

@ZhongpinWang ZhongpinWang Jul 15, 2025

We kind of have to. Let me explain this complex story:

In #837, zod-to-json-schema failed the pipeline with minor updates from zod v3. We could either stop updating zod and wait for zod-to-json-schema, or adopt zod/v4 (by importing from zod/v4 in zod v3) as it has native support for zod to json. But since zod v4 has native support for this zod to json feature, I don't think zod-to-json-schema will be actively continued anymore.

Thus, the decision was to use zod/v4 (in zod v3).

Recently, zod officially released v4 (we can import directly from zod instead of zod/v4 from v3), so we have this dependabot PR. But ts-to-zod again doesn't work with zod v4. At this point, we can either mix zod versions as they are used independently for different purposes in our overall project, or remove ts-to-zod in favour of supporting zod v4 fully, but I am not sure if we can find a good alternative for ts-to-zod.

What do you think? I would hope eventually ts-to-zod will support zod v4, but there is no clear evidence that this will actually happen. In a worst-case scenario, we eventually need to drop ts-to-zod.

Contributor

A potential good replacement could be https://orval.dev/guides/zod

Contributor

So even with the latest version we still have access to zod/v3 and updating imports like below works.
import { z } from 'zod/v3';
In the end, I don't have a strong opinion on if we use zod/v3 or the old dependency. However if we're pinning major versions for certain packages, then we'll probably need to ignore the updates in dependabot?

Contributor

Good to know that we can use zod/v3! Maybe I go with this option for now and in the BLI we look for alternatives.

Contributor

@deekshas8 deekshas8 left a comment

Might be worth looking into an alternative to ts-to-zod or just testing the schema differently maybe. It's annoying the level of complexity it has added.

@ZhongpinWang
Contributor

> Might be worth looking into an alternative to ts-to-zod or just testing the schema differently maybe. It's annoying the level of complexity it has added.

I agree, I will create a BLI to track this and leave this open for now.

@ZhongpinWang
Contributor

For now, LangChain still uses Zod v4 from v3 package. https://github.com/langchain-ai/langchainjs/blob/6e349ee960fe15b8a726e305164a1244d070616f/langchain-core/package.json#L46

We cannot update to the REAL Zod v4 as LangChain's toJSONSchema() will then not work correctly. In Zod v4, describe() is not recommended, instead we should use meta(). https://zod.dev/json-schema?id=metadata

But only the REAL Zod v4's z.toJsonSchema() can preserve description etc. LangChain's toJSONSchema() which uses Zod v3's v4 z.toJsonSchema() cannot handle those properties.

Anyway, we wait for LangChain to update to the REAL Zod v4 version.

🙃🙃🙃🙃🙃🙃🙃🙃
REAL Zod v4 means Zod package version v4, e.g., v4.0.5
Otherwise, it means import * as z from 'zod/v4' from the Zod package version v3, e.g., v3.25.76.
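
Added example, not part of the PR thread or the project's code: one way to see whether a bump like this leaves two zod majors installed is to read the lockfile's `packages` map and compare each dependent's declared zod range with the root manifest's. The lockfile below is constructed, and every package name other than zod is hypothetical.

```javascript
// Constructed sample in the npm lockfile v2/v3 "packages" layout.
// Every package name except zod is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { zod: "^4.0.5", "example-schema-gen": "^1.0.0" } },
    "node_modules/zod": { version: "4.0.5" },
    "node_modules/example-schema-gen": {
      version: "1.2.0",
      peerDependencies: { zod: "^3.25.0" },
    },
    "node_modules/example-llm-core": {
      version: "0.3.0",
      dependencies: { zod: "^3.25.32" },
    },
    "node_modules/example-llm-core/node_modules/zod": { version: "3.25.76" },
  },
};

// Major of a simple range ("^3.25.76", "~4.0.0", "4.0.5").
// Compound ranges such as "^3 || ^4" return null and get flagged for review.
function rangeMajor(range) {
  const m = /^[\^~]?(\d+)\.\d+\.\d+$/.exec(range.trim());
  return m ? Number(m[1]) : null;
}

// Group installed copies of `name` by major and list dependents whose
// declared range does not name the same major as the root manifest.
function auditPackage(lock, name) {
  const suffix = `node_modules/${name}`;
  const copies = {}; // major -> install paths
  const declared = []; // { dependent, range, major }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      const major = Number(entry.version.split(".")[0]);
      (copies[major] ||= []).push(path);
    }
    for (const field of ["dependencies", "peerDependencies"]) {
      const range = entry[field]?.[name];
      if (range) declared.push({ dependent: path || "(root)", range, major: rangeMajor(range) });
    }
  }
  const rootMajor = declared.find((d) => d.dependent === "(root)")?.major ?? null;
  const conflicts = declared.filter((d) => d.dependent !== "(root)" && d.major !== rootMajor);
  return { copies, rootMajor, conflicts };
}

console.log(JSON.stringify(auditPackage(sampleLock, "zod"), null, 2));
```

On the constructed input this reports a hoisted 4.x copy, a nested 3.x copy, and two dependents whose declared range still names major 3.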

@ZhongpinWang ZhongpinWang changed the title chore(deps): Bump zod from 3.25.76 to 4.0.5 chore(deps): [DO NOT MERGE] Bump zod from 3.25.76 to 4.0.5 Jul 23, 2025
Contributor Author

dependabot bot commented on behalf of github Jul 23, 2025

A newer version of zod exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@dependabot dependabot bot changed the base branch from main to v1-main July 28, 2025 12:15

Labels

dependencies Pull requests that update a dependency file don't merge javascript Pull requests that update Javascript code
