Update all non-major dependencies

[cnap-tech-renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
@modelcontextprotocol/sdk (source)	devDependencies	minor	1.27.1 → 1.29.0
hono (source)	devDependencies	patch	4.12.5 → 4.12.16
isolated-vm	devDependencies	minor	6.0.2 → 6.1.2
oxlint (source)	devDependencies	minor	1.51.0 → 1.62.0
zod (source)	devDependencies	minor	4.3.6 → 4.4.1

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.29.0

Compare Source

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #​1577) by @​felixweinberger in #​1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in #​1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in #​1575
• Add typings exports by @​tdraier in #​1623
• v1.x npm audit fix by @​KKonstantinov in #​1780
• v1.x #​1623 follow up -add missing types to package.json by @​KKonstantinov in #​1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in #​1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in #​1640
• chore: bump version to 1.29.0 by @​felixweinberger in #​1820

New Contributors

• @​tdraier made their first contribution in #​1623
• @​jnMetaCode made their first contribution in #​1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

Compare Source

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #​580) by @​antogyn in #​757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in #​1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in #​1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in #​1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in #​1738
• chore: bump version to 1.28.0 by @​felixweinberger in #​1746

New Contributors

• @​antogyn made their first contribution in #​757
• @​tiluckdave made their first contribution in #​1596
• @​poteat made their first contribution in #​1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

honojs/hono (hono)

v4.12.16

Compare Source

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

Compare Source

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in #​4889

New Contributors

• @​hiendv made their first contribution in #​4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Compare Source

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#​4883) fa2c74f

v4.12.13

Compare Source

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in #​4865
• feat(trailing-slash): add skip option by @​yusukebe in #​4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in #​4876

New Contributors

• @​T4ko0522 made their first contribution in #​4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Compare Source

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

v4.12.11

Compare Source

What's Changed

• feat(css): add classNameSlug option to createCssContext by @​flow-pie in #​4834

New Contributors

• @​flow-pie made their first contribution in #​4834

Full Changelog: honojs/hono@v4.12.10...v4.12.11

v4.12.10

Compare Source

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in #​4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in #​4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in #​4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in #​4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in #​4851

New Contributors

• @​Abhi3975 made their first contribution in #​4843
• @​VISHNU7KASIREDDY made their first contribution in #​4851

Full Changelog: honojs/hono@v4.12.9...v4.12.10

v4.12.9

Compare Source

What's Changed

• fix(request): remove parseBody from bodyCache to prevent TypeError by @​yusukebe in #​4807
• feat(client): add PickResponseByStatusCode type by @​yusukebe in #​4791
• fix(ssg): pass SSG_CONTEXT to forGetInfoURLRequest by @​yuintei in #​4810
• fix(service-worker): make fire() fallback behavior consistent with handle() by @​yusukebe in #​4821
• fix(cors): reflect request origin when credentials is true with wildcard by @​ctonneslan in #​4813

New Contributors

• @​yuintei made their first contribution in #​4810
• @​ctonneslan made their first contribution in #​4813

Full Changelog: honojs/hono@v4.12.8...v4.12.9

v4.12.8

Compare Source

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in #​4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in #​4750

New Contributors

• @​TheEssem made their first contribution in #​4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

v4.12.7

Compare Source

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

Compare Source

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in #​4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in #​4792
• chore(builld): tsconfig project references by @​BarryThePenguin in #​4797
• chore: add tsconfig.spec.json by @​yusukebe in #​4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in #​4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in #​4782

New Contributors

• @​t0waxx made their first contribution in #​4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

laverdet/isolated-vm (isolated-vm)

v6.1.2

Compare Source

v6.1.1

Compare Source

v6.1.0

Compare Source

oxc-project/oxc (oxlint)

v1.62.0

Compare Source

🚀 Features

• 348f46c linter: Add respectEslintDisableDirectives option (#​21384) (Christian Vuerings)

🐛 Bug Fixes

• 8c425db linter: Allow string for jest version in config schema (#​21649) (camc314)

v1.61.1

Compare Source

v1.61.0

Compare Source

🚀 Features

• 38d8090 linter/jest: Implemented jest version settings in config file. (#​21522) (Said Atrahouch)

v1.60.0

Compare Source

📚 Documentation

• cfd8a4f linter: Don't rely on old eslint doc for available globals (#​21334) (Nicolas Le Cam)

v1.59.0

Compare Source

🐛 Bug Fixes

• dd2df87 npm: Export package.json for oxlint and oxfmt (#​20784) (kazuya kawaguchi)

v1.58.0

Compare Source

🚀 Features

• 16516de linter: Enhance types for DummyRule (#​20751) (camc314)

📚 Documentation

• be3dcc1 linter: Add note about node version + custom TS plugin (#​19381) (camc314)

v1.57.0

Compare Source

v1.56.0

Compare Source

v1.55.0

Compare Source

🐛 Bug Fixes

• bc20217 oxlint,oxfmt: Omit useless | null for Option<T> field from schema (#​20273) (leaysgur)

📚 Documentation

• f339f10 linter/plugins: Promote JS plugins to alpha status (#​20281) (overlookmotel)

v1.54.0

Compare Source

📚 Documentation

• 0c7da4f linter: Fix extra closing brace in example config. (#​20253) (connorshea)

v1.53.0

Compare Source

v1.52.0

Compare Source

🚀 Features

• 61bf388 linter: Add options.reportUnusedDisableDirectives to config file (#​19799) (Peter Wagenet)
• 2919313 linter: Introduce denyWarnings config options (#​19926) (camc314)
• a607119 linter: Introduce maxWarnings config option (#​19777) (camc314)

📚 Documentation

• 6c0e0b5 linter: Add oxlint.config.ts to the config docs. (#​19941) (connorshea)
• 160e423 linter: Add a note that the typeAware and typeCheck options require oxlint-tsgolint (#​19940) (connorshea)

colinhacks/zod (zod)

v4.4.1

Compare Source

Commits:

• 481f7be ci: gate release publishing on full test workflow
• 95ccab4 test(v3): restore optional undefined expectations
• cede2c6 fix(v4): reject tuple holes before required defaults (#​5900)
• edd0bf0 release: 4.4.1
• 180d83d docs: remove Jazz featured sponsor

v4.4.0

Compare Source

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

Tuple defaults now materialize output values correctly

Fixed in #​5661. Tuple parsing now more accurately reflects defaults, optional tails, explicit undefined, and under-filled inputs. The headline behavior is that defaults in tuple positions now properly appear in parsed output.

const schema = z.tuple([
  z.string(),
  z.string().default("fallback"),
]);

schema.parse(["a"]);
// ["a", "fallback"]

Trailing optional elements that are absent still stay absent; they are not filled with undefined.

const schema = z.tuple([
  z.string(),
  z.string().optional(),
]);

schema.parse(["a"]);
// ["a"]

But explicit undefined values supplied by the caller are preserved.

schema.parse(["a", undefined]);
// ["a", undefined]

When optional elements appear before later defaults, the parsed tuple is now dense so array operations behave predictably.

const schema = z.tuple([
  z.string(),
  z.string().optional(),
  z.string().default("fallback"),
]);

schema.parse(["a"]);
// ["a", undefined, "fallback"]

Tuple length errors are also more consistent now. Since z.function() arguments are tuple-shaped, function input errors may look different.

Required object properties with z.undefined()

Fixed in #​5661, with follow-up coverage in 57d80a82. A property whose schema is z.undefined() is now treated as required. The key must be present, but its value may be undefined.

const schema = z.object({
  value: z.undefined(),
});

schema.safeParse({}).success;
// false

schema.safeParse({ value: undefined }).success;
// true

Use .optional() when the key itself may be absent.

const schema = z.object({
  value: z.undefined().optional(),
});

schema.safeParse({}).success;
// true

This also affects related .catch(), .partial(), .default(), and .prefault() combinations that previously relied on missing z.undefined() keys being treated as optional.

Safer .merge() behavior with refinements

Fixed in #​5856. The .merge() method now throws when the receiver has refinements, rather than silently producing ambiguous refinement behavior. Refinements from the second schema are preserved.

const a = z.object({ a: z.string() }).refine((val) => val.a.length > 0);
const b = z.object({ b: z.string() });

a.merge(b);
// throws

Prefer .extend() or .safeExtend() for object composition. The .merge() method is still supported for compatibility, but it is discouraged for new code because its semantics around overlapping keys and refinements are easier to misread.

JSON Schema $defs entries no longer include redundant id

Fixed in #​5759. JSON Schema conversion through z.toJSONSchema() now strips redundant id fields from $defs entries. This is required for correctness in older JSON Schema dialects from before $id was introduced: in those dialects, id changes the resolution scope, so leaving it inside an extracted definition can make references resolve incorrectly. The removed value was redundant because the schema had already been extracted into $defs, so the definition key itself is the identifier. This may affect consumers that were reading those internal id fields directly.

Other JSON Schema fixes in this release:

• Draft-04/OpenAPI 3.0 min/max intersections: #​5700
• Recursive lazy schemas with .describe(): #​5797
• Falsy prefault values emitted as defaults: #​5893
• CUID pattern output tightened: #​5880

String validators are stricter

Base64 validation now rejects whitespace instead of allowing atob()-style whitespace stripping. Fixed in #​5888.

z.base64().safeParse("Zm9v").success;
// true

z.base64().safeParse("Zm 9v").success;
// false

Other string validator changes:

• CUID validation through z.cuid() has been tightened, and CUID v1 is now deprecated. Fixed in #​5880.
• HTTP URL validation through z.httpUrl() now rejects malformed HTTP(S) URLs with a missing slash after the protocol. The underlying URL constructor normalizes inputs like https:/example.com, but Zod now rejects them instead of accepting the repaired URL. Fixed in #​5672, related to #​5284.

z.httpUrl().safeParse("https://example.com").success;
// true

z.httpUrl().safeParse("https:/example.com").success;
// false

z.httpUrl().safeParse("http:/www.apple.com").success;
// false

Union paths are fixed in formatted errors

Two union-related error fixes landed:

• Nested union paths are now preserved correctly in the output of z.treeifyError() and z.formatError(). Fixed in #​5708 and 60ff3987.
• Invalid discriminated union errors now include discriminator options and improved messages. Fixed in #​5723. This may affect users snapshotting ZodError output.

Other fixes

Record key transforms now run

Fixed in #​5891. Record schemas now run transforms on record keys.

const schema = z.record(
  z.string().transform((key) => key.toUpperCase()),
  z.number()
);

schema.parse({ foo: 1 });
// { FOO: 1 }

Related record fixes:

• Key refinement failures now surface as structured invalid_key issues. Fixed in #​5719.
• Non-enumerable properties are skipped more consistently. Fixed in #​5719.
• The v3-style single-argument z.record(valueType) form works again. Fixed in 0e960108.

Metadata and input handling in fromJSONSchema()

Schema generation from JSON Schema now applies metadata more consistently across enum, const, not, anyOf, and multi-type schemas. Fixed in #​5758. It also rejects or normalizes more non-JSON-like inputs, including cyclic objects and BigInt. Fixed in 87cf0f93.

Codecs

Codec changes:

• Encoding through z.discriminatedUnion().encode() now works when the discriminator uses a codec. Fixed in #​5769.
• Codec inversion was added in #​5770.

const stringToNumber = z.codec(
  z.string(),
  z.number(),
  {
    decode: Number,
    encode: String,
  }
);

const numberToString = stringToNumber.invert();

Transform context

Transform callbacks now support ctx.addIssue(). Fixed in #​5699.

Conditional .superRefine() with when

The when option was added for .superRefine(). Added in #​5741, with related abort behavior fixed in #​5681.

Defaults for Map and Set

Defaults for Map and Set are now cloned instead of shared across parses. Fixed in #​5855.

const schema = z.map(z.string(), z.number()).default(new Map());

const a = schema.parse(undefined);
const b = schema.parse(undefined);

a === b;
// false

Empty unions

Empty z.union([]), z.xor([]), and discriminated unions no longer crash at construction time. They construct and fail at parse time. Fixed in #​5869.

Floating-point multiples

Number multipleOf() / step() validation is more accurate for decimal and exponent edge cases. Fixed in #​5687 and #​5793.

Global config and jitless

Configuration fixes:

• Global configuration is now shared through globalThis, improving behavior across mixed CJS/ESM module instances. Fixed in #​5889.
• Jitless mode now avoids eval probing when set before first access. Fixed in #​5864.

Prototype pollution hardening

Object catchall paths now skip __proto__ keys. Fixed in #​5898.

Performance improvements

Reduced memory usage from lazy-bound methods

Fixed in #​5897. Classic builder methods are now lazy-bound through a shared internal prototype instead of eagerly attached per schema instance. This significantly reduces per-schema method allocation overhead, especially in codebases that construct many schemas. Detached methods continue to work:

const schema = z.string();
const optional = schema.optional;

optional.call(schema);
// still works

Improved tree-shaking

Implemented in 195e8696 and #​5689. Top-level factory calls are annotated as pure, and generated stub package manifests now include sideEffects: false. This gives bundlers more room to remove unused Zod code.

This is intended as the conclusive fix for a long-standing class of tree-shaking and bundle-size issues, especially in Next.js and Turbopack projects. The most visible symptom was that unused validators and locales could survive bundling even when importing from zod/mini or from a narrow subpath.

Related reports include:

• Next.js and Turbopack tree-shaking reports: #​4433, #​5641, #​5095, #​4810
• Locale and zod/mini bundle-size reports: #​5561, #​5665, #​4369, #​4572
• Broader v4 bundle-size reports: #​2596, #​4637, #​4798, #​5206

{
  "sideEffects": false
}

Locales

Added or updated locale support:

• Croatian: #​5610
• Greek: #​5840
• Romanian: #​5657
• Uzbek map support: #​5599
• Georgian translation fix: #​5655
• French issue origin translations: #​5845
• Italian validation message updates: #​5852

Locale message text changed in some cases, which may affect snapshots.

Closed issues

The following issues were closed by PRs included in this release:

• Closed #​5466 via #​5632: preserve context immutability in parse functions.
• Closed #​5617 via #​5655: correct Georgian translation for string.
• Closed #​5619 via #​5657: add Romanian locale.
• Closed #​5229 via #​5661: align object and tuple optionality handling.
• Closed #​5680 via #​5681: respect abort: true in .refine() checks with when.
• Closed #​5678 via #​5699: add missing addIssue to transform context.
• Closed #​5717 via #​5718: avoid delete in finalizeIssue.
• Closed #​5714 via #​5719: skip non-enumerable properties in record validation.
• Closed #​5670 via #​5723: add discriminator options to invalid discriminator errors.
• Closed #​5743 via #​5744: increase timeout for the datetime ReDoS checker test.
• Closed #​5732 via #​5758: apply description and default metadata in fromJSONSchema().
• Closed #​5731 via #​5759: strip redundant id from $defs entries in JSON Schema output.
• Closed #​5605 via #​5763: update z.custom() docs for v4 compatibility.
• Closed #​5593 via #​5769: support discriminatedUnion().encode() with codec discriminators.
• Closed #​5625 via #​5770: add codec inversion.
• Closed #​5778 via #​5779: add custom docs 404 page.
• Closed #​5792 via #​5793: correct floating-point multipleOf() validation.
• Closed #​5777 via #​5797: resolve recursive lazy JSON Schema stack overflow.
• Closed #​5805 via #​5812: fix self-referencing schema docs.
• Closed #​5826 via #​5855: clone Map and Set defaults.
• Closed #​5842 via #​5856: align .merge() refinement semantics with .extend().
• Closed #​4461 and #​5414 via #​5864: honor jitless config in the eval probe.
• Closed #​5868 via #​5869: handle empty z.union([]) and z.xor([]).
• Closed #​5296 via #​5891: apply key schema transforms in z.record().
• Closed #​5824 via #​5893: emit falsy prefault values in JSON Schema output.

Commits

• Commit 44f6a03e fix(locales): correct Georgian translation for 'string' to 'ველი' (#​5655) by @​tushargr0ver
• Commit 7b43bc64 docs(ecosystem): add Hono Takibi (#​5651) by @​nakita628
• Commit 119376b9 feat: add map support to Uzbek locale (#​5599) by @​uchkunr
• Commit 8fbf701e test: add edge case tests for boundary values (#​5601) by @​uchkunr
• Commit f1f93c2b Fix order of brand method examples in api.mdx (#​5604) by @​onurtemiz
• Commit 10105ee4 docs: Fix typos in json-schema documentation (#​5608) by @​SaKaNa-Y
• Commit 2d367139 feat: add hr translation (#​5610) by @​vuki656
• Commit 54902cb7 chore: update pullfrog.yml workflow
• Commit 89ba70f2 chore: add sideEffects false to stub package.json for tree-shaking (#​5689) by @​jesse-holden
• Commit eaa3c2c3 Update positive checks to use alias .gt(0) in the docs (#​5671) by @​Fredkiss3
• Commit 65f1f404 fix typo (#​5676) by @​Nikita0x
• Commit 5b574501 fix: respect abort: true in .refine() for checks with when function (#​5681)
• Commit 539de140 docs: fix README links for async refinements/transforms (#​5682) by @​pavan-sh
• Commit 46cd10e7 docs: fix README anchor links for async APIs (#​5683) by @​pavan-sh
• Commit 55747b3c Remove deprecated downlevelIteration option (#​5684) by @​RyanCavanaugh
• Commit 3a818de1 fix(v4): handle multi-digit exponents in floatSafeRemainder (#​5687) by @​shakecodeslikecray
• Commit 3cd45ebc fix(v4): add strict validation to httpUrl() (#​5672) by @​LuckySilver0021
• Commit 7d98c909 add Sanity as silver sponsor and Mintlify as bronze sponsor
• Commit c7805073 move Sanity and Mintlify to top of sponsor lists
• Commit bee2dc8d docs: move z.iso.time() from format to pattern section (#​5696)
• Commit 2f8414bc fix: add missing addIssue to transform context (#​5699) by @​F-A-N-D-E
• Commit d3c0ec87 docs: add note about removed .errors alias in v4 changelog (#​5705) by @​togami2864
• Commit fa338a3b fix(v4): JSON schema min/max intersection for draft-04 and openapi-3.0 (#​5700) by @​ebroder
• Commit 3473b288 chore: bump zshy to ^0.7.1
• Commit cc8f9b7c docs: improve README wording and fix typos (#​5736) by @​vedanshshetti
• Commit f5336717 feat: add json-up to ecosystem (#​5740) by @​mrspence
• Commit 60ff3987 fix(v4): preserve parent path when treeifying nested union/key/element issues
• Commit 08b14b51 perf: avoid delete in finalizeIssue to keep V8 fast mode (#​5718)
• Commit 9cf868d2 fix(v4): treeify error nested union bug (#​5708) by @​dstashevskyi
• Commit 28f39a6d Add JSONType export (#​5709) by @​RobinVdBroeck
• Commit 65fab33e feat: allow when parameter in .superRefine() (#​5741) by @​vilvai
• Commit 7f87df1e refactor(v4): remove unnecessary type assertions (#​5720) by @​chisaki66
• Commit 518f15dd Preprocess is not deprecated (#​5721) by @​mxdvl
• Commit 2e5b23dc fix: add options to invalid discriminator errors (#​5723) by @​Danielchinasa
• Commit 7f789def fix: skip non-enumerable properties in record validation (#​5719) by @​veeceey
• Commit ee15fa19 docs: add AGENTS notes for JSDoc, PR comments, and PR worktree workflow
• Commit f52b4d28 Revert "docs: improve README wording and fix typos (#​5736)"
• Commit ddb41391 test: increase timeout for redos checker in datetime.test.ts (#​5744) by @​rishadaufa
• Commit bc07e459 docs: fix doc (#​5745) by @​xgaia
• Commit e06af5de Update Hey API description (#​5748) by @​mrlubos
• Commit 28c156e2 fix: apply description and default metadata to enum, const, and not schemas in fromJSONSchema (#​5758) by @​mibragimov
• Commit f457edf1 Fix grammar in CONTRIBUTING.md (#​5765) by @​siekmang
• Commit 411f6c64 fix(v4): resolve stack overflow in toJSONSchema for recursive lazy with describe (#​5797) by @​Hassad674
• Commit 45dd421e docs: add tone guidelines for issue and PR comments to AGENTS.md
• Commit ddd20a30 test: align optional property assertions with actual inferred types
• Commit a1cf8a93 docs: update z.custom example for v4 compatibility (#​5763) by @​andrewdamelio
• Commit b6a3b336 fix: strip redundant id from $defs entries in toJSONSchema (#​5759) by [@​mibragimov](https://redirect.github.com/mibragimov

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.