v0.3.2

Security & correctness patch

Recommended upgrade for all users.

What's new

• Fixed: Python codegen bugs

  • Schemas with control characters (\n, \t, \r, etc.) no longer generate invalid Python syntax.
  • Top-level z.union() and z.discriminatedUnion() now emit valid Pydantic output (previously generated references to undefined classes).

• Hardened: schema loading

  • loadZodSchema() and scanFolderForSchemas() now require trustedInput: true since they execute module code via dynamic import().
  • The CLI handles this automatically — no change needed for CLI users.

• Slimmed down: npm install

  • Removed vitepress-plugin-group-icons and zod from production dependencies. zod is now peer-only.
  • Install size is significantly smaller and the core package has zero audit vulnerabilities.

• Hardened: docs playground

  • The /api/convert endpoint now uses AST-based input validation, rate limiting, timeouts, and a production opt-in guard.

Upgrading

• CLI users: No changes needed.
• Library users: Add trustedInput: true to any loadZodSchema() or scanFolderForSchemas() calls:

// Before
const { schema } = await loadZodSchema({ file, exportName });

// After
const { schema } = await loadZodSchema({ file, exportName, trustedInput: true });