
chore(deps): update dependency zod-validation-error to v5 #1973

Open
simonknittel wants to merge 1 commit into develop from renovate-self-hosted/zod-validation-error-5.x

Conversation

@simonknittel
Owner

This PR contains the following updates:

Package               Change          Age   Confidence
zod-validation-error  4.0.2 → 5.0.0   age   confidence

Release Notes

causaly/zod-validation-error (zod-validation-error)

v5.0.0


Note: This is a major release due to the change in the error messages. Otherwise, it is 100% compatible with the previous version. If you don't really care about the exact wording of the error messages, you can safely upgrade to v5.0.0 without any code changes.

Major Changes
  • 2c5a3c4: Change error messages to consistently follow the expected <expectation>, received <realization> format (breaking change).
Minor Changes
  • 2c5a3c4: Conditionally report value in error message based on reportInput option.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

This PR has been generated by Renovate Bot.

@vercel

vercel Bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project  Deployment  Actions  Updated (UTC)
sam      Ignored     Preview  Apr 10, 2026 6:41am

Copilot AI review requested due to automatic review settings April 10, 2026 06:41
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn Critical
Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL)

Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4

Patched version: 4.5.4

From: ? → npm/@aws-sdk/client-dynamodb@3.758.0 → npm/fast-xml-parser@4.4.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 4.0.4

From: bun-packages/packages/email-function/package.json → npm/form-data@4.0.2


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ? → npm/@react-email/render@1.0.5 → npm/entities@4.5.0


Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@sonarqubecloud

Contributor

Copilot AI left a comment


Pull request overview

Updates the app’s zod-validation-error dependency to the new major version (v5), aligning both the declared dev dependency and the npm override, and regenerating the lockfile accordingly.

Changes:

  • Bump zod-validation-error from 4.0.2 to 5.0.0 in devDependencies.
  • Update npm overrides to force zod-validation-error@5.0.0.
  • Refresh package-lock.json to reflect the upgraded resolved package and integrity.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File                   Description
app/package.json       Updates zod-validation-error version in devDependencies and overrides.
app/package-lock.json  Updates the resolved zod-validation-error package metadata to v5.0.0.
Files not reviewed (1)
  • app/package-lock.json: Language not supported


Comment thread app/package.json
Comment on lines 133 to +136
"overrides": {
"@types/react-dom": "19.2.3",
"@types/react": "19.2.14",
"zod-validation-error": "4.0.2"
"zod-validation-error": "5.0.0"
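Review bot: the `overrides` entry on lines 133 to +136 pins an exact version, so this hunk forces every transitive consumer of zod-validation-error onto 5.0.0 regardless of the range each one declares, and nothing in the change records that those ranges admit v5. Since the release note above describes v5 as a breaking change to error-message wording, any dependent that asserts on message text can fail at runtime even though installation succeeds. Suggest verifying with `npm ls zod-validation-error` in app/ that every dependent listed in package-lock.json declares a range compatible with 5.0.0 before merging, and noting in the PR why the override is kept (dedup versus a required fix); if deduping is not needed, dropping the `"zod-validation-error": "5.0.0"` override and leaving only the devDependencies bump avoids the forced resolution.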

Copilot AI Apr 10, 2026


zod-validation-error is being forced to 5.0.0 via overrides, but some transitive deps in package-lock.json declare ranges that do not include v5 (e.g. eslint-plugin-react-hooks depends on ^3.5.0 || ^4.0.0 and eslint-plugin-react-compiler depends on ^3.0.3). This can lead to npm install warnings and potential runtime incompatibilities in those tools. Consider either (a) keeping zod-validation-error on v4 until upstream ranges include v5, or (b) removing the override and letting those packages resolve a compatible version if deduping isn't required.

3 participants