Deps/zod update

[tk-o]

Lite PR

Tip: Review docs on the ENSNode PR process

Summary

• Updated Zod dependency to the latest version available.
• Aligned code style of Zod dependency imports.
• Applied required security patches.

---

Why

• Improve team's capabilities while working with Zod schemas.
• Fixes OpenAPI spec issue where z.discriminatedUnion Zod schema were mapped into anyOf instead of oneOf.

---

Testing

• I executed:
  • Testing suite with CI=1 pnpm test
  • Typechecks with CI=1 pnpm typecheck
  • I ran ENSApi service locally and went sent requests to all of its HTTP APIs.
  • I ran ENSIndexer service locally and went sent requests to all of its HTTP APIs.

---

Notes for Reviewer (Optional)

• Please review commit-by-commit.
• Even though the previously used zod version was 3.25.7, it already implemented Zod's v4 spec. All Zod dependency imports across ENSNode codebase were linked to zod/v4 which lets us assume that no breaking changes are to be expected.

---

Pre-Review Checklist (Blocking)

• This PR does not introduce significant changes and is low-risk to review quickly.
• Relevant changesets are included (or are not required)

[changeset-bot]

⚠️ No Changeset found

Latest commit: a6340ac

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
admin.ensnode.io	Ready	Preview, Comment	Jan 26, 2026 0:03am

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
ensnode.io	Skipped		Jan 26, 2026 0:03am
ensrainbow.io	Skipped		Jan 26, 2026 0:03am

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR upgrades Zod from v3 to v4, removes the @hono/zod-validator dependency, updates pnpm overrides for security patches (tar, lodash), and standardizes all default zod imports to named imports across the codebase for consistency.

Changes

Cohort / File(s)	Summary
Dependency removals apps/ensapi/package.json	Removed @hono/zod-validator v0.7.2 dependency
Zod version upgrade & pnpm overrides pnpm-workspace.yaml, package.json	Updated Zod from ^3.25.7 to ^4.3.6 in catalog; widened tar constraint to <=7.5.3; added lodash/lodash-es overrides to >=4.17.23
Zod import standardization (handlers) apps/ensapi/src/handlers/amirealtime-api.ts, apps/ensapi/src/handlers/name-tokens-api.ts, apps/ensapi/src/handlers/registrar-actions-api.ts	Converted default imports to named imports: import z from "zod/v4" → import { z } from "zod/v4"
Zod import standardization (ensindexer) apps/ensindexer/src/lib/indexing-status/ponder-metadata/zod-schemas.ts, apps/ensindexer/src/lib/ponder-helpers.ts	Converted default imports to named imports
Zod import standardization (referrals) packages/ens-referrals/src/api/zod-schemas.ts	Converted default import to named import
Zod import standardization (ensnode-sdk) packages/ensnode-sdk/src/api/indexing-status/zod-schemas.ts, packages/ensnode-sdk/src/api/name-tokens/zod-schemas.ts, packages/ensnode-sdk/src/api/registrar-actions/zod-schemas.ts, packages/ensnode-sdk/src/api/resolution/zod-schemas.ts, packages/ensnode-sdk/src/api/shared/errors/response.ts, packages/ensnode-sdk/src/api/shared/errors/zod-schemas.ts, packages/ensnode-sdk/src/api/shared/pagination/zod-schemas.ts, packages/ensnode-sdk/src/tokenscope/zod-schemas.ts	Converted default imports to named imports across all schema files

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix(deps): update version overrides #1546: Modifies pnpm overrides in package.json with similar dependency version constraint updates
• Flip dependency relationship between the ens-referrals and ensnode-sdk packages #1542: Updates zod-related imports and dependency entries across overlapping packages

Suggested labels

ensnode-sdk

Poem

🐰 From defaults to names, the imports now align,
Zod v4 ascends in a structured design,
Dependencies patched, the overrides gleam,
A hop through the code—now consistent, supreme!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Deps/zod update' directly summarizes the main change—updating the Zod dependency to a newer version.
Description check	✅ Passed	The PR description comprehensively covers all required template sections: Summary, Why, Testing, Notes for Reviewer, and Pre-Review Checklist with thorough explanations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tk-o]

@greptile review

[tk-o]

Self-review completed.

[tk-o]

This was an unused dependency.

[tk-o]

Addressing security audit issues.

[Copilot]

Pull request overview

Updates Zod to a newer major version and normalizes Zod import style across the repo, alongside applying dependency security overrides.

Changes:

• Bumped zod workspace catalog version to ^4.3.6.
• Standardized Zod imports to import { z } from "zod/v4" across multiple packages/apps.
• Added security-focused overrides for tar, lodash, and lodash-es; removed @hono/zod-validator from ensapi.

Reviewed changes

Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pnpm-workspace.yaml	Bumps workspace-catalog Zod version.
packages/ensnode-sdk/src/tokenscope/zod-schemas.ts	Switches Zod import to named z export.
packages/ensnode-sdk/src/api/shared/pagination/zod-schemas.ts	Switches Zod import to named z export.
packages/ensnode-sdk/src/api/shared/errors/zod-schemas.ts	Switches Zod import to named z export.
packages/ensnode-sdk/src/api/shared/errors/response.ts	Updates type-only Zod import form.
packages/ensnode-sdk/src/api/resolution/zod-schemas.ts	Switches Zod import to named z export.
packages/ensnode-sdk/src/api/registrar-actions/zod-schemas.ts	Switches Zod import to named z export.
packages/ensnode-sdk/src/api/name-tokens/zod-schemas.ts	Switches Zod import to named z export.
packages/ensnode-sdk/src/api/indexing-status/zod-schemas.ts	Switches Zod import to named z export.
packages/ens-referrals/src/api/zod-schemas.ts	Switches Zod import to named z export.
package.json	Expands security overrides to include lodash/lodash-es and bumps tar constraint.
apps/ensindexer/src/lib/ponder-helpers.ts	Switches Zod import from namespace to named z export.
apps/ensindexer/src/lib/indexing-status/ponder-metadata/zod-schemas.ts	Switches Zod import to named z export.
apps/ensapi/src/handlers/registrar-actions-api.ts	Switches Zod import to named z export.
apps/ensapi/src/handlers/name-tokens-api.ts	Switches Zod import to named z export.
apps/ensapi/src/handlers/amirealtime-api.ts	Switches Zod import to named z export.
apps/ensapi/package.json	Removes @hono/zod-validator dependency.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[greptile-apps]

Greptile Overview

Greptile Summary

Updated Zod dependency from v3.25.7 to v4.3.6 across the monorepo, standardized import styles, removed unused dependencies, and applied security patches.

Key Changes

• Zod Version Upgrade: Updated from ^3.25.7 to ^4.3.6 in the pnpm catalog, which propagates to all workspace packages using the catalog
• Import Style Standardization: Aligned 14 files to use consistent import { z } from "zod/v4" syntax instead of mixed import z from, import * as z from, and import type z from styles
• Dependency Cleanup: Removed unused @hono/zod-validator@^0.7.2 from ensapi package
• Security Patches: Added pnpm overrides for tar@<=7.5.3, lodash-es@>=4.0.0 <=4.17.22, and lodash@>=4.0.0 <=4.17.22 to enforce minimum secure versions

Mixed Version State

The lockfile currently contains both zod@4.3.6 (used by most packages) and zod@3.25.76 (used by docs packages with @namehash/namekit-react and some ponder dependencies). This is expected and should not cause issues since:

• All code imports use zod/v4 path, which was already compatible with the previous v3.25.7
• The PR description notes that v3.25.7 already implemented Zod's v4 spec

Testing Coverage

Author tested with full test suite, typechecks, and manual API testing on both ENSApi and ENSIndexer services.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it contains dependency updates with proper testing and no logic changes
• Score reflects that all changes are low-risk: (1) Zod upgrade from v3 to v4 where v3 already implemented v4 spec, (2) purely cosmetic import style standardization with no logic changes, (3) removal of genuinely unused dependency verified by lockfile check, (4) application of security patches via pnpm overrides, and (5) comprehensive testing including test suite, typechecks, and manual API verification on both services
• No files require special attention - all changes are straightforward and well-tested

Important Files Changed

Filename	Overview
pnpm-workspace.yaml	Updated zod catalog version from ^3.25.7 to ^4.3.6
package.json	Added security overrides for tar, lodash-es, and lodash packages
apps/ensapi/package.json	Removed unused @hono/zod-validator dependency
pnpm-lock.yaml	Updated lockfile with zod 4.3.6 and security patches

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Catalog as pnpm catalog (workspace)
    participant Lock as pnpm-lock.yaml
    participant Packages as App/Package Files
    participant Security as Security Overrides

    Dev->>Catalog: Update zod from ^3.25.7 to ^4.3.6
    Catalog->>Lock: Resolve zod@4.3.6 dependencies
    Lock->>Lock: Update viem, @ensdomains/ensjs, @ponder/utils to use zod@4.3.6
    Lock->>Lock: Keep zod@3.25.76 for docs packages (@namehash/namekit-react, ponder)
    
    Dev->>Security: Add tar, lodash, lodash-es security overrides
    Security->>Lock: Apply security patches to dependencies
    
    Dev->>Packages: Remove unused @hono/zod-validator from ensapi
    Packages->>Lock: Remove @hono/zod-validator dependency chain
    
    Dev->>Packages: Align import style across 14 files
    Note over Packages: Changed "import z from" to "import { z } from"
    Note over Packages: Changed "import * as z from" to "import { z } from"
    
    Lock-->>Dev: Final lockfile with zod 4.3.6 + security patches

Loading

[greptile-apps]

_{No files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/ens-referrals/src/api/zod-schemas.ts (1)

180-186: Consider using z.discriminatedUnion() for tagged response schemas.

Both makeReferrerLeaderboardPageResponseSchema and makeReferrerDetailResponseSchema use z.union() for schemas with a clear discriminator field (responseCode). Using z.discriminatedUnion("responseCode", [...]) would provide better performance and clearer error messages, as noted in the PR objectives about fixing OpenAPI mapping (discriminated unions now map to oneOf).

♻️ Suggested refactor

 export const makeReferrerLeaderboardPageResponseSchema = (
   valueLabel: string = "ReferrerLeaderboardPageResponse",
 ) =>
-  z.union([
+  z.discriminatedUnion("responseCode", [
     makeReferrerLeaderboardPageResponseOkSchema(valueLabel),
     makeReferrerLeaderboardPageResponseErrorSchema(valueLabel),
   ]);

Apply similarly to makeReferrerDetailResponseSchema at lines 240-244.

[greptile-apps]

_{No files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[lightwalker-eth]

@tk-o Looks nice, thanks!