Bump zod from 4.4.2 to 4.4.3

[dependabot]

Bumps zod from 4.4.2 to 4.4.3.

Release notes

Sourced from zod's releases.

v4.4.3

Commits:

• 4c2fa95ce3f3390fbc522324e406b4e9e89b88f9 docs: use Zernio primary wordmark for gold sponsor logo
• 2aeec83eb135e3a83756e973ef44845fc5a455d2 docs: prune lapsed gold sponsors and rebalance logo sizing
• 7391be88ac1ee5cd02057f5ccc012a1f5df4efd0 docs: prune lapsed silver/bronze sponsors and add active ones
• 2c703322a21b4e2b12f33f49ea8430c451a68b4f docs: normalize bronze sponsor logos to github avatar pattern
• 9195250cab0e7950efe39c3926d6c203b4b0a170 docs: remove Mintlify from bronze sponsors (churned)
• b8dffe9e62f17e6571e6249d05cc5102b54d94e4 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 1cab69383fcdeae2a366d5e2a2fc4d8fc765d168 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
• f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
• 1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md

Commits

• 1fb56a5 docs: document release procedure in AGENTS.md
• f3c9ec0 4.4.3
• c2be4f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent...
• 1cab693 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• b8dffe9 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 9195250 docs: remove Mintlify from bronze sponsors (churned)
• 2c70332 docs: normalize bronze sponsor logos to github avatar pattern
• 7391be8 docs: prune lapsed silver/bronze sponsors and add active ones
• 2aeec83 docs: prune lapsed gold sponsors and rebalance logo sizing
• 4c2fa95 docs: use Zernio primary wordmark for gold sponsor logo
• See full diff in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	zod@​4.4.2 ⏵ 4.4.3	+1		+1	+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: npm zod URLs: z.date, 127.0.0.1, gmail.com, lkajsdf.com, domain.com, firstname.lastname@domain.com, subdomain.domain.com, domain-one.com, domain.name, domain.co.jp, very.common@example.com, disposable.style.email.with+symbol@example.com, other.email-with-hyphen@example.com, example.com, user.name+tag+sorting@example.com, asdf.example.com, strange-example.com, example.org, my-example.com, b.cd, mail.com, test.te-st.com, etu.inp-n7.fr, example.com@example.org, test.com, strange.example.com, 123.123.123.123, email.domain.com, -domain.com, Abc.example.com, but_its_not_allowed_in_this_part.example.com, -start.com, http://google.com, https://google.com/asdf?asdf=ljk3lk4&asdf=234#asdf, lkjsdf.com, 122.122.122.122, 254.164.77.1, 114.71.82.94, 0.0.0.0, 37.85.236.115, 192.168.0.1/24, 192.168.0.0/24, 10.0.0.0/8, 203.0.113.0/24, 192.0.2.0/24, 127.0.0.0/8, 172.16.0.0/12, 192.168.1.0/24, 192.168.1.1/33, 10.0.0.1/-1, 192.168.1.1/24/24, 192.168.1.0/abc, https://example.com/path?query=value, https://test.com/api/v1?foo=bar&baz=qux, https://example.com/path, http://example.com/path, http://api.example.com/v1/users, ftp://example.com, https://stackoverflow.com/a/46181/1550155, https://thekevinscott.com/emojis-in-javascript/#writing-a-regular-expression, https://stackoverflow.com/questions/7860392/determine-if-string-is-in-base64-using-javascript, https://base64.guru/standards/base64url, https://stackoverflow.com/a/3143231, https://stackoverflow.com/questions/3966484/why-does-modulus-operator-return-fractional-number-in-javascript/31711034#31711034, https://json-schema.org/draft/2020-12/schema, http://json-schema.org/draft-07/schema#, http://json-schema.org/draft-04/schema#, user.name, https://example.com/schema#/definitions/User, https://example.com/schemas/user, http://example.org/, https://my.local, https://example.com?key=NUXOmHqWNVTapJkJJHw8BfD155AuqhH_qju_5fNmQ4ZHV7u8, https://example.com?foo=bar, http://example.com?test=123, https://sub.example.com?param=value&other=data, https://example.com/, https://example.com/path/, https://example.com/path?query=param, https://example.com, https://example.com?key=value, https://example.com/?key=value, http://example.com/?test=123, https://example.com/../?key=value, https://example.com/./path?key=value, https://example.com/path?key=value, http://example.com?key=value, https://other.com?key=value, http://example.com, https://example.com:8080, http://example.com:8080, https://sub.example.com, http://sub.example.com, https://example.com/path/to/resource, http://example.com/path/to/resource, http://example.com/path?query=param, https://example.com/path#fragment, http://example.com/path#fragment, shttp://example.com, httpz://example.com, http://-asdf.com, http://asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf.com, http://asdf.c, developer.mozilla.org/en-US/docs/Web/API/URL/password, lckj.com, www.google.com, 94.105.123.75, 192.168.0.1, 255.255.255.255, 1.2.3.4, 0.0.0.0/0, 255.255.255.255/32, 192.168.0.0, 192.168.0.0/33, 192.168.0.0/-1, sub.example.com, a-b-c.example.com, 123.example.com, example-123.com, developer.mozilla.org, hello.world.example.com, 192.168.1.1, xn--d1acj3b.com, xn--d1acj3b.org, example-.com, -example.com, example.com:8080, tp://invalid.com, mple.com, e.co, EXAMPLE.COM, z.coerce.date, z.iso.date, z.map, https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/email, https://stackoverflow.com/questions/106179/regular-expression-to-match-dns-hostname-or-ip-address, https://blog.stevenlevithan.com/archives/validate-phone-number#r4-3, z.lt, z.gt, https://github.com/colinhacks/zod/security/advisories/GHSA-r34p-xfmx-58wv, https://github.com/colinhacks/zod/security/advisories/GHSA-84jv-fqfx-wxhr, 213.174.246.205, https://speedtest.net, https://example.org, https://example.net.il, z.email, https://example.com/path?query=123#fragment, http://example.com/, http://example.com//, http://examples.com, http://example.org, z.int, jsonSchema.id, https://example.com/Post.json, https://example.com/User.json, https://github.com/paralleldrive/cuid. Location: Package overview From: package.json → npm/zod@4.4.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report