chore: change zod to peer dependency

[ymc9]

No description provided.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[claude]

Claude finished @ymc9's task —— View job

---

PR Review: Change zod to peer dependency

Todo List:

• Read the package.json changes
• Analyze dependency management implications
• Review for potential breaking changes
• Check version constraints and compatibility
• Provide comprehensive feedback

Summary of Changes

This PR moves zod from dependencies to peerDependencies in packages/runtime/package.json. The version constraint remains "catalog:" (resolving to ^4.0.0), and zod is marked as a required peer dependency (not optional).

Review Feedback

✅ Positive Aspects

1. Logical Dependency Choice: Moving zod to peer dependencies makes sense since:

   • Most applications using ZenStack likely already have zod as a dependency for their own validation needs
   • Prevents version conflicts when consumers use different zod versions
   • Reduces bundle duplication in consumer applications

2. Consistent Version Management: The change maintains the "catalog:" constraint, ensuring version consistency across the monorepo.

3. Proper Implementation: The peer dependency is correctly marked as required (no entry in peerDependenciesMeta), which matches zod's critical role in runtime validation.

⚠️ Concerns & Considerations

1. Breaking Change: This is a significant breaking change that requires careful documentation:

   • Existing projects using @zenstackhq/runtime will need to install zod manually after upgrading
   • Applications without zod will fail at runtime when using any CRUD operations
   • Missing peer dependency warnings will appear during installation

2. Critical Runtime Dependency: Based on packages/runtime/src/client/crud/validator.ts:5, zod is extensively used for:

   • Input validation for all CRUD operations (create, update, delete, find, etc.)
   • Schema generation for complex nested objects and relations
   • Runtime type safety for the entire ORM layer

   Without zod, the runtime package would be completely non-functional.

3. Version Compatibility: The ^4.0.0 constraint is quite new - ensure this doesn't create compatibility issues for projects using older zod versions.

📋 Recommendations

1. Documentation: Update README/migration guide to explicitly mention:

   • Required peer dependency installation: npm install zod@^4.0.0
   • Breaking change nature of this update
   • Version compatibility requirements

2. Consider Gradual Migration: For a major dependency like this, consider:

   • Bumping to a new major version (4.0.0) to signal breaking change
   • Providing clear upgrade instructions
   • Adding installation warnings/errors with helpful messages

3. Testing: Ensure comprehensive testing of:

   • Scenarios where zod is missing (should fail gracefully with clear error messages)
   • Different zod versions within the ^4.0.0 range
   • Integration with existing projects that have zod installed

🔍 Code Quality

The implementation itself is clean and follows best practices for peer dependency management. The change is minimal and focused, which reduces risk of introducing bugs.

🔒 Security & Performance

• Security: No security concerns - peer dependencies actually improve security by ensuring consumers control their own zod versions
• Performance: Positive impact - eliminates potential bundle duplication and version conflicts

Verdict

This is a well-reasoned architectural improvement that aligns with modern Node.js dependency management best practices. However, it's a major breaking change that requires careful rollout and clear communication to users.

Recommendation: ✅ Approve with strong emphasis on proper documentation and version bumping to indicate breaking changes.

---

[Copilot]

Pull Request Overview

This PR moves the zod library from a regular dependency to a peer dependency in the runtime package. This change allows consuming applications to control the exact version of zod used while still declaring it as a required dependency.

• Moved zod from dependencies to peerDependencies section
• Maintained the same version constraint (catalog:) for zod