fix(deps): update the pnpm group

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.3.10 → 2.3.11
fumadocs-core (source)	16.4.2 → 16.4.4
fumadocs-twoslash (source)	3.1.11 → 3.1.12
fumadocs-ui (source)	16.4.2 → 16.4.4
npm (source)	11.6.4 → 11.7.0
posthog-js (source)	1.310.2 → 1.313.0
turbo (source)	2.7.2 → 2.7.3
zod (source)	4.2.1 → 4.3.4

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.3.11

Compare Source

Patch Changes

• #​8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidTemplateRoot.

  This rule validates only root-level <template> elements in Vue single-file components. If the <template> has a src attribute, it must be empty. Otherwise, it must contain content.

  Invalid examples:

  <template src="./foo.html">content</template>

  <template></template>

  Valid examples:

  <template>content</template>

  <template src="./foo.html"></template>

• #​8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVBindStyle. Enforces consistent v-bind style (:prop shorthand vs v-bind:prop longhand). Default prefers shorthand; configurable via rule options.

• #​8587 9a8c98d Thanks @​dyc3! - Added the rule useVueVForKey, which enforces that any element using v-for also specifies a key.

  Invalid

  <li v-for="item in items">{{ item }}</li>

  Valid

  <li v-for="item in items" :key="item.id">{{ item }}</li>

• #​8586 df8fe06 Thanks @​dyc3! - Added a new nursery rule useVueConsistentVOnStyle. Enforces consistent v-on style (@event shorthand vs v-on:event longhand). Default prefers shorthand; configurable via rule options.

• #​8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidVOnce. Enforces that usages of the v-once directive in Vue.js SFC are valid.

  <!-- Valid -->
  <div v-once />
  
  <!-- Invalid -->
  <div v-once:aaa />
  <div v-once.bbb />
  <div v-once="ccc" />

• #​8498 d80fa41 Thanks @​tt-a1i! - Fixed #​8494. Extended noUndeclaredEnvVars to support bracket notation (process.env["VAR"], import.meta.env["VAR"]), Bun runtime (Bun.env.VAR, Bun.env["VAR"]), and Deno runtime (Deno.env.get("VAR")).

• #​8509 574a909 Thanks @​ematipico! - Added support for parsing and formatting the Svelte {#await} syntax, when html.experimentalFullSupportEnabled is set to true.

  -{#await promise  then name }
  +{#await promise then name}
  
  -{:catch    name}
  +{:catch name}
  
  {/await}

• #​8316 d64e92d Thanks @​washbin! - Added the new nursery rule noMultiAssign. This rule helps to prevent multiple chained assignments.

  For example, the following code triggers because there are two assignment expressions in the same statement.

  const a = (b = 0);

• #​8592 a5f59cd Thanks @​Netail! - Added the nursery rule useUniqueInputFieldNames. Require fields within an input object to be unique.

  Invalid:

  query A($x: Int, $x: Int) {
    field
  }

• #​8524 17a6156 Thanks @​JacquesLeupin! - Fixed #​8488: Relative plugin paths are now resolved from the configuration file directory, including when configurations are merged (e.g. extends: "//").

• #​8655 3260ec9 Thanks @​JacquesLeupin! - Fixed #​8636: Biome's CSS formatter now breaks comma-separated declaration values at top-level commas when wrapping.

• #​8537 cc3e851 Thanks @​dibashthapa! - Fixed #​8491: Resolved false positive errors for safe boolean expressions. There are still pending fixes. Head to #​8491 (comment) for more details

  This new change will check for safe boolean expressions in variable declarations.

  For example,

  Valid:

  let isOne = 1;
  let isPositiveNumber = number > 0;
  
  return (
    <div>
      {" "}
      {isOne && "One"} {isPositiveNumber && "Is positive"}
    </div>
  );

  Invalid:

  let emptyStr = "";
  let isZero = 0;
  
  return (
    <div>
      {emptyStr && "Empty String"} {isZero && "Number is zero"}{" "}
    </div>
  );

• #​8511 16a9036 Thanks @​ematipico! - Improved the diagnostics of the rules useSortedClasses and noUnnecessaryConditions. The diagnostics now state that these rules are a work in progress and link to the relevant GitHub issue.

• #​8521 a704be9 Thanks @​ToBinio! - Added the nursery rule useVueConsistentDefinePropsDeclaration, which enforces consistent defineProps declaration style.

Invalid

<script setup lang="ts">
const props = defineProps({
  kind: { type: String },
});
</script>

Valid

<script setup lang="ts">
const props = defineProps<{
  kind: string;
}>();
</script>

• #​8595 7c85bf0 Thanks @​dyc3! - Fixed #​8584: The HTML formatter will preserve whitespace after some elements and embedded expressions, which more closely aligns with Prettier's behavior.

  - <h1>Hello, {framework}and Svelte!</h1>
  + <h1>Hello, {framework} and Svelte!</h1>

• #​8598 5e85d43 Thanks @​Netail! - Added the nursery rule useUniqueFieldDefinitionNames. Require all fields of a type to be unique.

  Invalid:

  type SomeObject {
    foo: String
    foo: String
  }

• #​8495 b573d14 Thanks @​taga3s! - Fixed #​8405: noMisusedPromises now emits warnings/errors when a function returns union types such as T | Promise<T> which is used in conditionals.

  const a = (): boolean | Promise<boolean> => Promise.resolve(true);
  if (a()) {
  } // Now correctly flagged

• #​8632 0be7d12 Thanks @​Bertie690! - The documentation & rule sources for lint/complexity/noBannedTypes have been updated to fix a few oversights.

  In addition to some general typo fixes:

  • The rule now recommends Record<keyof any, never> instead of Record<string, never> (the latter of which incorrectly allows symbol-keyed properties).

  • The rule mentions an alternate method to enforce object emptiness involving unique symbol-based guards used by type-fest and many other packages:

    declare const mySym: unique symbol;
    
    // Since this type's only property is an unexported `unique symbol`, nothing that imports it can specify any properties directly
    // (as far as excess property checks go)
    export type EmptyObject = { [mySym]?: never };
    export type IsEmptyObject<T> = T extends EmptyObject ? true : false;

  The rule's listed sources have been updated as well to reflect the original source rule (ban-types) having been split into 3 separate rules circa April 2024.

• #​8580 a3a1ad2 Thanks @​taga3s! - Added the nursery rule noBeforeInteractiveScriptOutsideDocument to the Next.js domain.
  This rule prevents usage of next/script's beforeInteractive strategy outside of pages/_document.js.

• #​8493 5fc24f4 Thanks @​ematipico! - Added support for parsing and formatting the Svelte {#each} syntax, when html.experimentalFullSupportEnabled is set to true.

  - {#each items   as item  }
  + {#each items as item}
  
  {/each}

• #​8546 0196c0e Thanks @​Zaczero! - Hardened union static-member type flattening in edge cases (e.g. unions containing unknown or inferred expression types). This keeps inference conservative and avoids unstable type growth in node = node.parent-style loops.

• #​8569 1022c76 Thanks @​ematipico! - Fixed an issue where the Biome HTML parser would emit a parse error when certain keywords are inside the text of HTML tags.

• #​8606 f50723b Thanks @​dyc3! - Fixed #​8563: fixed a bounds check on bogus regex literals that caused panics when doing type inference

• #​7410 ab9af9a Thanks @​sgarcialaguna! - Added the new nursery rule noJsxPropsBind. This rule disallows .bind(), arrow functions, or function expressions in JSX props.

  Invalid:

  <Foo onClick={() => console.log("Hello!")}></Foo>

• #​8523 5f22f1c Thanks @​ematipico! - Improved the diagnostics of nursery rules. Added a message to diagnostics emitted by nursery rules, so that users are aware of nature of nursery rules.

• #​8571 03666fd Thanks @​dyc3! - Improved the performance of noRedeclare by eliminating string allocations

• #​8591 9dd9ca7 Thanks @​Netail! - Added the nursery rule useUniqueArgumentNames. Enforce unique arguments for GraphQL fields & directives.

  Invalid:

  query {
    field(arg1: "value", arg1: "value")
  }

• #​8521 a704be9 Thanks @​ToBinio! - Update useVueDefineMacrosOrder to only run on <script setup> blocks.

• #​8344 7b982ba Thanks @​ematipico! - Reduced the system calls when running the CLI. The performances might be noticeable in big projects that have multiple libraries and enable project rules.

• #​8588 958e24b Thanks @​Netail! - Added the nursery rule useUniqueVariableNames. Enforce unique variable names for GraphQL operations.

  Invalid:

  query ($x: Int, $x: Int) {
    field
  }

• #​8529 8794883 Thanks @​mdevils! - Fixed #​8499: useExhaustiveDependencies properly handles aliased destructured object keys when using stableResult configuration.

• #​8557 4df2f4d Thanks @​dyc3! - Fixed an issue with the HTML formatter where it wouldn't add a space before the /> in self closing elements. This brings the HTML formatter more in line with Prettier.

  -<Component/>
  +<Component />

• #​8509 574a909 Thanks @​ematipico! - Added support for parsing and formatting the Svelte {#snippet} syntax, when html.experimentalFullSupportEnabled is set to true.

  -{#snippet    foo() }
  +{#snippet foo()}
  
  {/snippe}

• #​8248 1231a5c Thanks @​emilyinure! - Added new nursery rule noReturnAssign, which disallows assignments inside return statements.

  Invalid:

  function f(a) {
    return (a = 1);
  }

• #​8531 6b09620 Thanks @​taga3s! - Fixed #​8472: The CSS parser can now accept multiple comma separated parameters in :active-view-transition-type.

• #​8615 b9da66d Thanks @​taga3s! - Remove next/script component name check from noBeforeInteractiveScriptOutsideDocument since it is a default export.

• #​8536 efbfbe2 Thanks @​dyc3! - Fixed #​8527: Improved type inference where analyzing code with repeated object property access and assignments (e.g. node = node.parent, a pattern common when traversing trees in a while loop) could hit an internal type limit. Biome now handles these cases without exceeding the type limit.

• #​8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidVCloak. Enforces that usages of the v-cloak directive in Vue.js SFC are valid.

  <!-- Valid -->
  <div v-cloak />
  
  <!-- Invalid -->
  <div v-cloak:aaa />
  <div v-cloak.bbb />
  <div v-cloak="ccc" />

• #​8583 83be210 Thanks @​dyc3! - Added the new nursery rule useVueValidVPre. Enforces that usages of the v-pre directive in Vue.js SFC are valid.

  <!-- Valid -->
  <div v-pre />
  
  <!-- Invalid -->
  <div v-pre:aaa />
  <div v-pre.bbb />
  <div v-pre="ccc" />

• #​8644 a3a27a7 Thanks @​JacquesLeupin! - Added the nursery rule useVueVapor to enforce <script setup vapor> in Vue SFCs. For example <script setup> is invalid.

• #​8508 b86842c Thanks @​tt-a1i! - Fixed #​6783: now, when a path is provided via --stdin-file-path, Biome checks whether the file exists on disk. If the path doesn't exist (virtual path), ignore checks (files.includes and VCS ignore rules) are skipped.

fuma-nama/fumadocs (fumadocs-core)

v16.4.4

Compare Source

Patch Changes

• c804ac6: expose useAutoScroll()
• Updated dependencies [cdc97e0]
  • fumadocs-core@​16.4.4
  • @​fumadocs/ui@​16.4.4

v16.4.3

Compare Source

Patch Changes

• 84ce624: Keep default prefetch behaviours in sidebar
• Updated dependencies [f5dcb7c]
• Updated dependencies [7e08b2f]
  • fumadocs-core@​16.4.3
  • @​fumadocs/ui@​16.4.3

npm/cli (npm)

v11.7.0

Compare Source

Features

• b380d15 #​8697 add deduping to notices unless in verbose+ mode (@​owlstronaut)

Bug Fixes

• 4ebb831 #​8839 updates hints to use cli paradigm (@​owlstronaut)
• 7896e51 #​8838 update the token list text (@​owlstronaut)
• 8ab8668 #​8836 query: support package-lock-only in workspaces (@​watilde)
• 35e8d38 #​8322 properly handle newlines with input when using the spinner (#​8322) (@​mbtools)
• 0c0faae #​8780 adduser: improve email prompt (#​8780) (@​mbtools)

Documentation

• 7f2ab9d #​8810 scripts: replace deprecated prepublish and install examples with prepare (Max Black)
• 91ebab7 #​8847 remove note about token create being disabled (@​owlstronaut)
• 2030250 #​8822 scripts: clarify prepare script runs with --production (Max Black)
• 33a50d7 #​8821 scripts: update npm_package_* environment variables documentation (Max Black)
• 50508f9 #​8793 package-json: add documentation for type field (#​8793) (@​MaxBlack-dev, Max Black)
• aa1dd7e #​8823 scripts: document that prepare scripts run concurrently in workspaces (Max Black)
• 3f48487 #​8820 package-spec: fix alias syntax in examples (Max Black)
• dd104da #​8812 version: add note about git version requirements (Max Black)
• 58afdcc #​8792 install: clarify prerelease version range behavior (Max Black)
• 9f818e8 #​8795 npm-view: clarify object property access syntax and provide examples (Max Black)
• 39c2f2e #​8791 add examples for command line flags including --prefix (Max Black)
• 1298530 #​8790 clarify version field can be omitted in package-lock (Max Black)
• 090b6ca #​8794 npx: clarify that arguments are passed to executed command (Max Black)
• a864f80 #​8787 document gypfile field in package.json (Max Black)
• 2fc689d #​8788 add field access patterns to npm view (Max Black)
• 4850639 #​8796 package-json: add examples for replacing dependencies with forks in overrides (Max Black)
• 4864dd4 #​8798 npm-install: document engines field priority when installing packages (Max Black)
• 95d25cd #​8799 package-json: clarify repository field normalization during publish (Max Black)
• a367f9b #​8800 package-lock-json: clarify that version field may be omitted for certain dependencies (Max Black)
• ffc9b71 #​8801 npm-install: clarify --tag does not override package.json (#​8801) (@​MaxBlack-dev, Max Black)
• 73688ca #​8735 clarify npm version behavior with prerelease versions (#​8735) (@​yashwantbezawada)
• 4a32606 #​8785 updates the token create documentation (#​8785) (@​owlstronaut, @​wraithgar)

Chores

• 54929ce #​8836 update baseline-browser-mapping (@​watilde)

Dependencies

• workspace: @npmcli/arborist@9.1.9
• workspace: @npmcli/config@10.4.5
• workspace: libnpmdiff@8.0.12
• workspace: libnpmexec@10.1.11
• workspace: libnpmfund@7.0.12
• workspace: libnpmpack@9.0.12

PostHog/posthog-js (posthog-js)

v1.313.0

Compare Source

1.313.0

Minor Changes

• #​2832 f050f6c Thanks @​rafaeelaudibert! - Introduce custom cookie properties for localStorage+cookie persistence using the new cookie_persisted_properties property. This allows people to opt-in to store properties in cookies even in localstorage+cookies mode
  (2026-01-01)

v1.312.0

Compare Source

1.312.0

Minor Changes

• #​2834 548b466 Thanks @​ordehi! - fix: Clear PageViewManager state on session rotation to prevent cross-session duration pollution

  When a browser tab is backgrounded and the session rotates (30 min idle or 24 hour max), PageViewManager now clears its state. This prevents $prev_pageview_duration from spanning session boundaries, which was causing impossibly large values (94+ hours observed) in web analytics "Average Time on Page" metrics.

  Users who implemented workarounds for inflated $prev_pageview_duration values (e.g., capping at 30 minutes) may want to review those after upgrading, as the root cause is now fixed. (2025-12-31)

v1.311.0

Compare Source

1.311.0

Minor Changes

• #​2813 4b7443c Thanks @​ordehi! - feat(flags): add updateFlags() method for injecting flags without network request

  Adds posthog.updateFlags(flags, payloads?, options?) to inject feature flag values from an external source (e.g., server-side evaluation, edge middleware) without making a network request. Supports { merge: true } option to merge with existing flags instead of replacing. (2025-12-29)

vercel/turborepo (turbo)

v2.7.3: Turborepo v2.7.3

Compare Source

What's Changed

Examples

• examples: Remove skipLibCheck from nestjs.json in nestJS example by @​leos in #​11323

Changelog

• fix(bun): Add GitHub/git packages by @​Palid in #​11268
• chore: Extract turborepo-boundaries crate from turborepo-lib by @​anthonyshew in #​11312
• chore: Extract turborepo-engine crate from turborepo-lib by @​anthonyshew in #​11315
• chore: Extract turborepo-gitignore crate from turborepo-lib by @​anthonyshew in #​11317
• chore: Extract turborepo-json-rewrite crate from turborepo-lib by @​anthonyshew in #​11318
• chore: Extract turborepo-hash and turborepo-types crates from turborepo-lib by @​anthonyshew in #​11319
• chore: Extract turborepo-shim crate from turborepo-lib by @​anthonyshew in #​11320
• chore: Extract types to turborepo-types and create turborepo-daemon crate by @​anthonyshew in #​11321
• chore: Extract turborepo-daemon crate from turborepo-lib by @​anthonyshew in #​11322
• chore: Extract turborepo-scope crate from turborepo-lib by @​anthonyshew in #​11324
• chore: Extract turborepo-diagnostics crate from turborepo-lib by @​anthonyshew in #​11332
• feat: Extract turborepo-task-hash crate from turborepo-lib by @​anthonyshew in #​11334
• chore: Move TaskDefinition from turborepo-lib to turborepo-types by @​anthonyshew in #​11335
• chore: Move DryRunMode, UIMode, and LogOrder to turborepo-types by @​anthonyshew in #​11337
• chore: Fix loop in build script in package.json by @​anthonyshew in #​11336
• chore: Move ContinueMode and LogPrefix to turborepo-types by @​anthonyshew in #​11338
• chore: Extract run/summary to turborepo-run-summary crate by @​anthonyshew in #​11342
• chore: Extract turbo_json module to turborepo-turbo-json crate by @​anthonyshew in #​11344
• chore: Extract config and engine builder modules from turborepo-lib by @​anthonyshew in #​11346
• chore: Remove duplicate task_inheritance.rs from turborepo-lib by @​anthonyshew in #​11347
• chore: Extract run/cache.rs to turborepo-run-cache crate by @​anthonyshew in #​11348
• chore: remove extra file by @​anthonyshew in #​11351
• chore: Move resolved opts types to turborepo-types by @​anthonyshew in #​11349
• chore: Extract some small items from turborepo-lib by @​anthonyshew in #​11350
• chore: Move engine builder tests from turborepo-lib to turborepo-engine by @​anthonyshew in #​11353
• chore: Move global_hash.rs from turborepo-lib to turborepo-task-hash by @​anthonyshew in #​11355
• chore: Move more shared types to turborepo-types by @​anthonyshew in #​11356
• chore: Add turborepo-task-executor crate by @​anthonyshew in #​11357
• chore: Add generic CommandProvider trait to turborepo-task-executor by @​anthonyshew in #​11358
• chore: Implement MfeConfigProvider and TaskAccessProvider traits by @​anthonyshew in #​11359
• chore: Add From<&RunOpts> for ExecutorConfig conversion by @​anthonyshew in #​11360
• chore: Move TurboJsonReader to turborepo-turbo-json crate by @​anthonyshew in #​11361
• chore: Move TaskExecutor to turborepo-task-executor crate by @​anthonyshew in #​11364
• chore: Move TurboJsonLoader to turborepo-turbo-json crate by @​anthonyshew in #​11365
• chore: Consolidate TurboJson tests into turborepo-turbo-json crate by @​anthonyshew in #​11371
• chore: Extract task executor components to turborepo-task-executor by @​anthonyshew in #​11378
• chore: Move MicroFrontendProxyProvider to turborepo-task-executor by @​anthonyshew in #​11379
• chore: Clean up turborepo-lib wrapper modules and dead code by @​anthonyshew in #​11380
• fix: Show TUI when using --output-logs=errors-only|none by @​anthonyshew in #​11382

New Contributors

• @​Palid made their first contribution in #​11268
• @​leos made their first contribution in #​11323

Full Changelog: vercel/turborepo@v2.7.2...v2.7.3

colinhacks/zod (zod)

v4.3.4

Compare Source

Commits:

• 1a8bea3 Add integration tests
• e01cd02 Support patternProperties for looserecord (#​5592)
• 089e5fb Improve looseRecord docs
• decef9c Fix lint
• 9443aab Drop iso time in fromJSONSchema
• 66bda74 Remove .refine() from ZodMiniType
• b4ab94c 4.3.4

v4.3.3

Compare Source

v4.3.2

Compare Source

v4.3.1

Compare Source

Commits:

• 0fe8840 allow non-overwriting extends with refinements. 4.3.1

v4.3.0

Compare Source

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#​5534, #​5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";

const schema = z.fromJSONSchema({
  type: "object",
  properties: {
    name: { type: "string", minLength: 1 },
    age: { type: "integer", minimum: 0 },
  },
  required: ["name"],
});

schema.parse({ name: "Alice", age: 30 }); // ✅

The API should be considered experimental. There are no guarantees of 1:1 "round-trip soundness": MySchema > z.toJSONSchema() > z.fromJSONSchema(). There are several features of Zod that don't exist in JSON Schema and vice versa, which makes this virtually impossible.

Features supported:

• All primitive types (string, number, integer, boolean, null, object, array)
• String formats (email, uri, uuid, date-time, date, time, ipv4, ipv6, and more)
• Composition (anyOf, oneOf, allOf)
• Object constraints (additionalProperties, patternProperties, propertyNames)
• Array constraints (prefixItems, items, minItems, maxItems)
• $ref for local references and circular schemas
• Custom metadata is preserved

z.xor() — exclusive union (#​5534)

A new exclusive union type that requires exactly one option to match. Unlike z.union() which passes if any option matches, z.xor() fails if zero or more than one option matches.

const schema = z.xor([z.string(), z.number()]);

schema.parse("hello"); // ✅
schema.parse(42);      // ✅
schema.parse(true);    // ❌ zero matches

When converted to JSON Schema, z.xor() produces oneOf instead of anyOf.

z.looseRecord() — partial record validation (#​5534)

A new record variant that only validates keys matching the key schema, passing through non-matching keys unchanged. This is used to represent patternProperties in JSON Schema.

const schema = z.looseRecord(z.string().regex(/^S_/), z.string());

schema.parse({ S_name: "John", other: 123 });
// ✅ { S_name: "John", other: 123 }
// only S_name is validated, "other" passes through

.exactOptional() — strict optional properties (#​5589)

A new wrapper that makes a property key-optional (can be omitted) but does not accept undefined as an explicit value.

const schema = z.object({
  a: z.string().optional(),      // accepts `undefined`
  b: z.string().exactOptional(), // does not accept `undefined`
});

schema.parse({});                  // ✅
schema.parse({ a: undefined });    // ✅
schema.parse({ b: undefined });    // ❌

This makes it possible to accurately represent the full spectrum of optionality expressible using exactOptionalPropertyTypes.

.apply()

A utility method for applying arbitrary transformations to a schema, enabling cleaner schema composition. (#​5463)

const setCommonChecks = <T extends z.ZodNumber>(schema: T) => {
  return schema.min(0).max(100);
};

const schema = z.number().apply(setCommonChecks).nullable();

.brand() cardinality

The .brand() method now accepts a second argument to control whether the brand applies to input, output, or both. Closes #​4764, #​4836.

// output only (default)
z.string().brand<"UserId">();           // output is branded (default)
z.string().brand<"UserId", "out">();    // output is branded
z.string().brand<"UserId", "in">();     // input is branded
z.string().brand<"UserId", "inout">();  // both are branded

Type predicates on .refine() (#​5575)

The .refine() method now supports type predicates to narrow the output type:

const schema = z.string().refine((s): s is "a" => s === "a");

type Input = z.input<typeof schema>;   // string
type Output = z.output<typeof schema>; // "a"

ZodMap methods: min, max, nonempty, size (#​5316)

ZodMap now has parity with ZodSet and ZodArray:

const schema = z.map(z.string(), z.number())
  .min(1)
  .max(10)
  .nonempty();

schema.size; // access the size constraint

.with() alias for .check() (359c0db)

A new .with() method has been added as a more readable alias for .check(). Over time, more APIs have been added that don't qualify as "checks". The new method provides a readable alternative that doesn't muddy semantics.

z.string().with(
  z.minLength(5),
  z.toLowerCase()
);

// equivalent to:
z.string().check(
  z.minLength(5),
  z.trim(),
  z.toLowerCase()
);

z.slugify() transform

Transform strings into URL-friendly slugs. Works great with .with():

// Zod
z.string().slugify().parse("Hello World");           // "hello-world"

// Zod Mini
// using .with() for explicit check composition
z.string().with(z.slugify()).parse("Hello World");   // "hello-world"

z.meta() and z.describe() in Zod Mini (947b4eb)

Zod Mini now exports z.meta() and z.describe() as top-level functions for adding metadata to schemas:

import * as z from "zod/mini";

// add description
const schema = z.string().with(
  z.describe("A user's name"),
);

// add arbitrary metadata
const schema2 = z.number().with(
  z.meta({ deprecated: true })
);

New locales

• Armenian (am) (#​5531)
• Uzbek (uz) (#​5519)

import * as z from "zod";
import { uz } from "zod/locales";

z.config(uz());

---

Bug fixes

All of these changes fix soundness issues in Zod. As with any bug fix there's some chance of breakage if you were intentionally or unintentionally relying on this unsound behavior.

⚠️ .pick() and .omit() disallowed on object schemas containing refinements (#​5317)

Using .pick() or .omit() on object schemas with refinements now throws an error. Previously, this would silently drop the refinements, leading to unexpected behavior.

const schema = z.object({
  password: z.string(),
  confirmPassword: z.string(),
}).refine(data => data.password === data.confirmPassword);

schema.pick({ password: true });
// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ❌

Migration: The easiest way to migrate is to create a new schema using the shape of the old one.

const newSchema = z.object(schema.shape).pick({ ... })

⚠️ .extend() disallowed on refined schemas (#​5317)

Similarly, .extend() now throws on schemas with refinements. Use .safeExtend() if you need to extend refined schemas.

const schema = z.object({ a: z.string() }).refine(/* ... */);

// 4.2: refinement silently dropped ⚠️
// 4.3: throws error ✅
schema.extend({ b:

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on friday" in timezone Asia/Almaty, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/yamcodes/arkenv).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43NC41IiwidXBkYXRlZEluVmVyIjoiNDIuNzQuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

[changeset-bot]

⚠️ No Changeset found

Latest commit: 21565ae

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[arkenv-bot]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (Asia/Almaty)
arkenv	Ready	Preview, Comment	Jan 9 2026, 1:29 AM (Asia/Almaty)

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.