@dependabot dependabot bot commented on behalf of github Jan 6, 2026

Bumps the production-dependencies group with 3 updates: zod, @typescript-eslint/typescript-estree and esbuild.

Updates zod from 4.2.1 to 4.3.5

Release notes

Sourced from zod's releases.

v4.3.5

Commits:

  • 21afffdb42ccab554036312e33fed0ea3cb8f982 [Docs] Update migration guide docs for deprecation of message (#5595)
  • e36743e513aadb307b29949a80d6eb0dcc8fc278 Improve mini treeshaking
  • 0cdc0b8597999fd9ca99767b912c1e82c1ff2d6c 4.3.5

v4.3.4

Commits:

  • 1a8bea3b474eada6f219c163d0d3ad09fadabe72 Add integration tests
  • e01cd02b2f23d7e9078d3813830b146f8a2258b4 Support patternProperties for looserecord (#5592)
  • 089e5fbb0f58ce96d2c4fb34cd91724c78df4af5 Improve looseRecord docs
  • decef9c418d9a598c3f1bada06891ba5d922c5cd Fix lint
  • 9443aab00d44d5d5f4a7eada65fc0fc851781042 Drop iso time in fromJSONSchema
  • 66bda7491a1b9eab83bdeec0c12f4efc7290bd48 Remove .refine() from ZodMiniType
  • b4ab94ca608cd5b581bfc12b20dd8d95b35b3009 4.3.4

v4.3.3

Commits:

  • f3b2151959d215d405f54dff3c7ab3bf1fd887ca v4.3.3

v4.3.2

Commits:

  • bf96635d243118de6e4f260077aa137453790bf6 Loosen strictObject inside intersection (#5587)
  • f71dc0182ab0f0f9a6be6295b07faca269e10179 Remove Juno (#5590)
  • 0f41e5a12a43e6913c9dcb501b2b5136ea86500d 4.3.2

v4.3.1

Commits:

  • 0fe88407a4149c907929b757dc6618d8afe998fc allow non-overwriting extends with refinements. 4.3.1

v4.3.0

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

z.fromJSONSchema()

Convert JSON Schema to Zod (#5534, #5586)

You can now convert JSON Schema definitions directly into Zod schemas. This function supports JSON Schema "draft-2020-12", "draft-7", "draft-4", and OpenAPI 3.0.

import * as z from "zod";
const schema = z.fromJSONSchema({
type: "object",
properties: {

... (truncated)

Commits

Updates @typescript-eslint/typescript-estree from 8.50.1 to 8.52.0

Release notes

Sourced from @​typescript-eslint/typescript-estree's releases.

v8.52.0

8.52.0 (2026-01-05)

🚀 Features

  • eslint-plugin-internal: [no-multiple-lines-of-errors] add rule (#11899)
  • typescript-estree: add tseslint.com redirects for CLI outputs (#11895)

🩹 Fixes

  • eslint-plugin: [no-useless-default-assignment] handle conditional initializer (#11908)
  • eslint-plugin: [no-base-to-string] detect @@​toPrimitive and valueOf (#11901)

❤️ Thank You

  • Josh Goldberg ✨
  • Ulrich Stark

You can read about our versioning strategy and releases on our website.

v8.51.0

8.51.0 (2025-12-29)

🚀 Features

  • eslint-plugin: expose rule name via RuleModule interface (#11719)
  • eslint-plugin: [no-useless-default-assignment] fix some cases to optional syntax (#11871)
  • eslint-plugin: add namespace to plugin meta (#11885)
  • tsconfig-utils: more informative error on parsing failures (#11888)

🩹 Fixes

  • eslint-plugin: fix crash and false positives in no-useless-default-assignment (#11845)
  • eslint-plugin: remove fixable from no-dynamic-delete rule (#11876)
  • eslint-plugin: bump ts-api-utils to 2.2.0 (#11881)
  • eslint-plugin: [prefer-optional-chain] handle MemberExpression in final chain position (#11835)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/typescript-estree's changelog.

8.52.0 (2026-01-05)

🚀 Features

  • typescript-estree: add tseslint.com redirects for CLI outputs (#11895)

❤️ Thank You

  • Josh Goldberg ✨

You can read about our versioning strategy and releases on our website.

8.51.0 (2025-12-29)

🩹 Fixes

  • eslint-plugin: [prefer-optional-chain] handle MemberExpression in final chain position (#11835)
  • eslint-plugin: bump ts-api-utils to 2.2.0 (#11881)

❤️ Thank You

  • Josh Goldberg ✨
  • mdm317

You can read about our versioning strategy and releases on our website.

Commits
  • 9ddd571 chore(release): publish 8.52.0
  • 94c5058 chore(typescript-estree): simplify `Convert#convertTypeArgumentsToTypeParamet...
  • 3cb911d chore: extract syntax check (part 3) (#11923)
  • 8ba5333 chore: extract syntax check (part 2) (#11905)
  • c036392 feat(typescript-estree): add tseslint.com redirects for CLI outputs (#11895)
  • 95c7c73 chore: update deps to latest minor/patch (#11921)
  • 45a7d2b chore(typescript-estree): use iterateComments() from ts-api-utils v2.3 (#11...
  • 6a05a1a chore: extract AST check from convert.ts to ast-checks.ts (#11748)
  • e4c57f5 chore(release): publish 8.51.0
  • 7379004 fix(eslint-plugin): [prefer-optional-chain] handle MemberExpression in final ...
  • Additional commits viewable in compare view

Updates esbuild from 0.25.12 to 0.27.2

Release notes

Sourced from esbuild's releases.

v0.27.2

  • Allow import path specifiers starting with #/ (#4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#4357, #4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
    main {
      mask: url(x.png) center/5rem no-repeat
    }
    /* Old output (with --target=chrome110) */
    main {
      mask: url(x.png) center/5rem no-repeat;
    }
    /* New output (with --target=chrome110) */
    main {
      -webkit-mask: url(x.png) center/5rem no-repeat;
      mask: url(x.png) center/5rem no-repeat;
    }

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#4176, #4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
    switch (x) {
      case 0:
        foo()
        break
      case 1:
      default:
        bar()
    }
    // Old output (with --minify)
    switch(x){case 0:foo();break;case 1:default:bar()}
    // New output (with --minify)

... (truncated)


Commits
  • cd83297 publish 0.27.2 to npm
  • 2759721 additional tests for switch with break
  • fd2b4b3 update release notes
  • c8d93a7 fix #4357: -webkit- prefix for mask shorthand (#4358)
  • 92ff12c compat table: update @types/node
  • a35eceb compat table: fix a type error with the new types
  • f598984 fix make compat-table to install dependencies
  • f7f6df0 release notes for #4361
  • 6f8ec15 fix: allow subpath imports that start with #/ (#4361)
  • f7ae61f minify some switch statements to if-else statement
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.




dependabot bot commented on behalf of github Jan 6, 2026

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
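
The "Maintainer changes" notice in the Dependabot description above reports a releaser not seen before for esbuild. The check can be reproduced from npm registry metadata; this is an added example (not Dependabot's code), run over a constructed packument with hypothetical package and account names, that lists versions in the update window published by an account with no releases up to the current version and shows whether each carries a provenance attestation.

```javascript
// Added example. The data below is constructed, not real registry output.
// Field names (_npmUser, time, dist.attestations) follow the npm registry
// packument format; package and account names are hypothetical.
const samplePackument = {
  name: "example-bundler",
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-12-20T00:00:00.000Z",
    "1.0.0": "2025-01-01T00:00:00.000Z",
    "1.1.0": "2025-06-01T00:00:00.000Z",
    "1.2.0": "2025-11-01T00:00:00.000Z",
    "1.3.0": "2025-12-20T00:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" }, dist: {} },
    "1.1.0": { _npmUser: { name: "alice" }, dist: {} },
    "1.2.0": {
      _npmUser: { name: "release-bot" },
      dist: {
        attestations: {
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
    "1.3.0": { _npmUser: { name: "bob" }, dist: {} },
  },
};

// For every version published after `current` and up to `target`, report the
// releaser if that account published nothing at or before `current`.
function releaserChanges(packument, current, target) {
  if (!packument.versions[current] || !packument.versions[target]) {
    throw new Error("unknown version");
  }
  const published = (v) => Date.parse(packument.time[v]);
  const ordered = Object.keys(packument.versions)
    .filter((v) => !Number.isNaN(published(v)))
    .sort((a, b) => published(a) - published(b));

  const known = new Set(); // releasers seen up to the current version
  const findings = [];
  for (const v of ordered) {
    const meta = packument.versions[v];
    const who = meta._npmUser?.name ?? "(unknown)";
    if (published(v) <= published(current)) {
      known.add(who);
      continue;
    }
    if (published(v) > published(target)) break;
    if (!known.has(who)) {
      // A provenance attestation ties the tarball to a CI build; its absence
      // on a release from a new account is the case to look at first.
      const provenance =
        meta.dist?.attestations?.provenance?.predicateType ?? null;
      findings.push({ version: v, releaser: who, provenance });
    }
  }
  return findings;
}
```

Against the real registry, the packument is the JSON document served at `https://registry.npmjs.org/<package>`.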


coderabbitai bot commented Jan 6, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@gabrypavanello gabrypavanello force-pushed the dependabot/npm_and_yarn/production-dependencies-70b92449ff branch from e1e0777 to 0b30860 Compare January 7, 2026 13:23

claude bot commented Jan 7, 2026

Pull Request Review - Dependency Updates

Overview

This is a Dependabot-generated PR that updates three production dependencies:

  • zod: 4.2.1 → 4.3.5 (minor version bump)
  • @typescript-eslint/typescript-estree: 8.50.1 → 8.52.0 (patch version bump)
  • esbuild: 0.25.12 → 0.27.2 (minor version bump)

Code Quality Assessment ✅

Strengths:

  1. Automated dependency management - Dependabot is properly configured and working
  2. Grouped updates - Related dependencies are updated together in the production-dependencies group
  3. Clean lockfile updates - The pnpm-lock.yaml changes show proper dependency resolution
  4. Consistent version constraints - Package.json files maintain proper semver ranges (e.g., ^4.3.5)

Dependency Analysis

1. Zod (4.2.1 → 4.3.5) ✅

Impact: Low risk, backward compatible

  • Changes: Multiple patch releases with bug fixes and new features
  • Notable additions:
    • z.fromJSONSchema() - Convert JSON Schema to Zod (major new feature in 4.3.0)
    • Support for patternProperties in looseRecord
    • Improved tree-shaking
    • Migration guide updates for deprecated message parameter
  • Compatibility: Fully backward compatible with v4.0.0+ API
  • Project usage: Core dependency used in @mcp-apps-kit/core, examples, and as peer dependency

2. @typescript-eslint/typescript-estree (8.50.1 → 8.52.0) ✅

Impact: Low risk, tooling dependency

  • Changes: 2 minor versions
  • Notable improvements:
    • Better error messages with tseslint.com redirects for CLI outputs
    • Internal refactoring for AST checks
    • Dependency updates (ts-api-utils 2.1.0 → 2.4.0)
  • Project usage: Only in ui-react-builder package for TypeScript AST parsing
  • Risk assessment: Low - tooling dependency, not runtime code

3. esbuild (0.25.12 → 0.27.2) ⚠️

Impact: Medium - minor version jump with new features

  • Changes: 2 minor versions (0.25 → 0.26 → 0.27)
  • Notable changes:
    • Allow import path specifiers starting with #/ (spec compliance)
    • Automatic -webkit-mask CSS prefix
    • Additional minification patterns for switch statements
  • Project usage: Used in ui-react-builder for bundling
  • Compatibility: Should be backward compatible, but bundler changes can occasionally affect output

Potential Concerns

  1. Test Coverage ⚠️

    • No visible test changes in the diff
    • Recommendation: Ensure CI passes with full test suite, especially for ui-react-builder package which uses both updated tools
  2. Bundle Size Impact ℹ️

    • esbuild minification improvements may affect output bundle sizes
    • Recommendation: Compare bundle sizes before/after (likely positive impact)
  3. Breaking Changes Risk ⚠️

    • esbuild minor version jumps occasionally introduce subtle bundling changes
    • Recommendation: Test example applications (minimal, restaurant-finder) to ensure UIs still build and run correctly
  4. ts-api-utils Transitive Update ℹ️

    • ts-api-utils upgraded from 2.1.0 → 2.4.0 as transitive dependency
    • This is used internally by typescript-estree for TypeScript API interactions
    • Should be transparent but worth noting

Security Assessment ✅

  • All three packages are well-maintained, popular open-source projects
  • No known security vulnerabilities in the updated versions
  • Zod and esbuild have active communities and regular releases
  • typescript-eslint is the official TypeScript ESLint tooling

Performance Considerations ℹ️

  • Zod 4.3.x: Includes tree-shaking improvements (positive)
  • esbuild 0.27.x: Additional minification patterns (positive)
  • Overall performance impact should be neutral to slightly positive

Recommendations

Before Merge:

  1. Run full test suite: pnpm test
  2. Run type checking: pnpm typecheck
  3. Run linting: pnpm lint
  4. Build all packages: pnpm build
  5. ⚠️ Manual testing: Test example applications
    pnpm -C examples/minimal dev
    pnpm -C examples/restaurant-finder dev
  6. ℹ️ Optional: Compare bundle sizes for UI packages

Post-Merge:

  1. Monitor for any bundling-related issues in UI builds
  2. Watch for community reports of issues with esbuild 0.27.x

Compliance with CLAUDE.md Guidelines ✅

  • ✅ Uses pnpm workspace protocol correctly
  • ✅ Maintains peer dependency compatibility
  • ✅ Follows semver constraints properly
  • ✅ No manual code changes (pure dependency update)

Final Verdict: APPROVE with CI Verification

This is a straightforward dependency update with low risk. The changes are backward compatible and include useful improvements. Approve and merge once CI passes.

Priority: Normal
Risk Level: Low
Blocking Issues: None (assuming CI passes)


Review conducted following repository guidelines in CLAUDE.md

Bumps the production-dependencies group with 3 updates: [zod](https://github.com/colinhacks/zod), [@typescript-eslint/typescript-estree](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-estree) and [esbuild](https://github.com/evanw/esbuild).


Updates `zod` from 4.2.1 to 4.3.5
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.2.1...v4.3.5)

Updates `@typescript-eslint/typescript-estree` from 8.50.1 to 8.52.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-estree/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.52.0/packages/typescript-estree)

Updates `esbuild` from 0.25.12 to 0.27.2
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.25.12...v0.27.2)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.3.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@typescript-eslint/typescript-estree"
  dependency-version: 8.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: esbuild
  dependency-version: 0.27.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
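
The trailer in the commit message above labels all three updates `semver-minor`, but for a 0.x package a minor bump leaves the caret range of the old version, which is where semver permits breaking changes. This added example (not part of the PR or of Dependabot) reads an abridged copy of that commit message and checks each bump against npm's caret rule for the old version; the function names are hypothetical.

```javascript
// Abridged copy of the commit message shown on this page.
const commitMessage = `
Updates \`zod\` from 4.2.1 to 4.3.5
Updates \`@typescript-eslint/typescript-estree\` from 8.50.1 to 8.52.0
Updates \`esbuild\` from 0.25.12 to 0.27.2

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.3.5
  update-type: version-update:semver-minor
- dependency-name: "@typescript-eslint/typescript-estree"
  dependency-version: 8.52.0
  update-type: version-update:semver-minor
- dependency-name: esbuild
  dependency-version: 0.27.2
  update-type: version-update:semver-minor
...
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `to` satisfies ^from under npm's caret rule: the leftmost
// non-zero component must not change, and `to` must not be older than `from`.
function withinCaret(from, to) {
  const a = parseVersion(from);
  const b = parseVersion(to);
  const pivot = a[0] !== 0 ? 0 : a[1] !== 0 ? 1 : 2;
  for (let i = 0; i <= pivot; i++) if (a[i] !== b[i]) return false;
  for (let i = pivot + 1; i < 3; i++) {
    if (b[i] !== a[i]) return b[i] > a[i];
  }
  return true;
}

// Map dependency name -> update-type label from the YAML-style trailer.
function parseTrailer(message) {
  const labels = new Map();
  let name = null;
  for (const line of message.split("\n")) {
    const dep = /^- dependency-name:\s*"?([^"\s]+)"?\s*$/.exec(line);
    if (dep) { name = dep[1]; continue; }
    const type = /^\s+update-type:\s*version-update:(\S+)\s*$/.exec(line);
    if (type && name) labels.set(name, type[1]);
  }
  return labels;
}

// Pair each "Updates `x` from A to B" line with its trailer label and
// record whether B still satisfies ^A.
function classifyUpdates(message) {
  const labels = parseTrailer(message);
  const out = [];
  const re = /^Updates `([^`]+)` from (\S+) to (\S+)$/gm;
  for (const [, name, from, to] of message.matchAll(re)) {
    out.push({
      name, from, to,
      label: labels.get(name) ?? null,
      withinCaret: withinCaret(from, to),
    });
  }
  return out;
}
```

Entries with `withinCaret: false` are the ones to review as potentially breaking regardless of the label.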
@gabrypavanello gabrypavanello force-pushed the dependabot/npm_and_yarn/production-dependencies-70b92449ff branch from 0b30860 to 402cb20 Compare January 7, 2026 22:37

claude bot commented Jan 7, 2026

Pull Request Review: Dependency Updates

Overview

This PR updates three production dependencies in the production-dependencies group:

  • zod: 4.2.1 → 4.3.5
  • @typescript-eslint/typescript-estree: 8.50.1 → 8.52.0
  • esbuild: 0.25.12 → 0.27.2

✅ Code Quality & Best Practices

Positive:

  • ✅ All updates are minor/patch versions (semver-compliant), reducing risk of breaking changes
  • ✅ Changes are limited to dependency version bumps in package.json and pnpm-lock.yaml
  • ✅ No source code changes required
  • ✅ Follows project's dependency management conventions using pnpm workspace

Recommendations:

  • ⚠️ Update CLAUDE.md: The project documentation (CLAUDE.md:45) lists zod ^4.0.0 as a key dependency. Consider updating this to ^4.3.5 to reflect the new minimum version after this PR is merged.
  • ⚠️ Update Compatibility Section: CLAUDE.md:183 states "Zod: ^4.0.0 required" - this should be updated to match the new version.

🐛 Potential Issues & Bugs

Zod 4.2.1 → 4.3.5:

  • Low risk - Mostly bug fixes and new features:
    • Added z.fromJSONSchema() for JSON Schema conversion (4.3.0)
    • Improved tree-shaking (4.3.5)
    • Better looseRecord support with patternProperties (4.3.4)
    • Fixed intersection behavior (4.3.2)
  • ⚠️ Deprecation: The message parameter was deprecated in favor of other error handling patterns - verify no usage in codebase
  • Compatibility: Fully backward compatible with existing code

@typescript-eslint/typescript-estree 8.50.1 → 8.52.0:

  • Low risk - Two minor version bumps with mainly fixes:
    • Improved error messages with tseslint.com redirects
    • Bug fixes for no-useless-default-assignment, no-base-to-string, prefer-optional-chain
    • Bumped ts-api-utils to 2.2.0 (now 2.4.0 in lock file)
  • TypeScript compatibility: Still supports TypeScript 4.8.4 - 6.0.0 (project uses 5.9.3)

esbuild 0.25.12 → 0.27.2:

  • ⚠️ Medium risk - Two minor versions jumped (0.25 → 0.27):
    • New feature: Import path specifiers starting with #/ now allowed (Node.js spec change)
    • CSS change: Auto-adds -webkit-mask prefix for mask property
    • Minification improvement: Better switch statement optimization
  • ⚠️ Action required: Verify build outputs, especially if using:
    • CSS mask properties (may see new prefixed output)
    • Package.json subpath imports with #/ patterns
    • Minified code (output may differ slightly)

🚀 Performance Considerations

Positive improvements:

  • Zod: Improved tree-shaking in 4.3.5 → smaller bundle sizes
  • esbuild: Enhanced minification → potentially smaller production bundles
  • TypeScript ESLint: Internal optimizations for parsing performance

No regressions expected - all changes are optimizations or additions.


🔒 Security Concerns

  • No known security vulnerabilities in the updated versions
  • ✅ All dependencies come from trusted sources (official repositories)
  • ✅ Dependabot automated update reduces human error
  • ℹ️ Recommendation: Run pnpm audit to verify no other vulnerabilities exist

🧪 Test Coverage

Required before merge:

  1. ✅ Verify CI passes (build, test, lint, typecheck)
  2. ⚠️ Recommended: Run full test suite locally: pnpm install && pnpm build && pnpm test && pnpm lint && pnpm typecheck
  3. ⚠️ Recommended: Test example applications (minimal and restaurant-finder)
  4. ⚠️ Critical for esbuild: Inspect built artifacts to ensure CSS and bundling changes are acceptable

📋 Summary & Recommendations

Overall Assessment: ✅ APPROVE with minor recommendations

This is a well-structured dependency update that follows best practices. The changes are low-risk with backward compatibility maintained.

Action Items:

  1. Before merge:

    • ✅ Ensure all CI checks pass
    • ⚠️ Verify build outputs (especially from esbuild changes)
    • ⚠️ Test examples to confirm no runtime regressions
  2. After merge:

    • 📝 Update CLAUDE.md to reflect new Zod version (lines 45, 183)
    • 📝 Consider adding a CHANGELOG entry for visibility
    • 📝 Update any internal documentation referencing these dependency versions

Risk Level: 🟢 LOW

All updates are minor/patch versions with good backward compatibility. The primary risk is in esbuild's CSS prefixing and minification changes, which should be validated through testing.


Recommendation: Merge after CI passes and build outputs are verified.
