Description
There is a compatibility issue between @lambdacurry/medusa-product-reviews and Medusa 2.14.x.
Medusa 2.14.2 changed internally from Zod v3 to Zod v4. However, @lambdacurry/medusa-product-reviews versions 1.3.1 and 1.4.0 still use Zod v3.
As a result, the application crashes when Medusa evaluates the plugin middlewares.
This is not a configuration issue. It is a compatibility bug between the plugin and Medusa 2.14.x.
Affected versions
- Medusa:
2.14.2
- Plugin:
@lambdacurry/medusa-product-reviews
- Zod:
- Medusa uses Zod v4
- The plugin uses Zod v3
Root cause
The crash happens when the plugin evaluates middleware validation schemas using code similar to:
createFindParams({ ... }).merge(z.object({ ... }))In this expression:
createFindParams({ ... })returns a Zod v4 schema from Medusa, while:
creates a Zod v3 schema from the plugin dependency.
The problem is that .merge() is being executed on a Zod v4 schema, but the schema passed into .merge() is a Zod v3 object.
Zod v4 expects the merged schema to expose the internal structure:
However, Zod v3 schemas use:
instead of:
Therefore, b._zod is undefined, which leads to a crash when Zod v4 tries to access:
This results in an undefined.def / undefined access error during middleware evaluation.
Why it works in older Medusa versions
The same plugin works correctly with Medusa 2.13.5.
For example, in our environment:
fp51 is running Medusa 2.13.5- Medusa
2.13.5 still uses Zod v3 internally
- The plugin also uses Zod v3
- Therefore, there is no Zod v3/v4 schema conflict
The issue only appears after upgrading to Medusa 2.14.x, where Medusa internally uses Zod v4.
Expected behavior
The plugin should work correctly with Medusa 2.14.x.
Middleware validation schemas should not crash when evaluated.
The plugin should either:
- use the same Zod major version as Medusa,
- avoid mixing Zod schemas from different major versions,
- or update its validation logic to be compatible with Medusa
2.14.x.
Actual behavior
The application crashes during middleware evaluation because a Zod v4 schema returned by Medusa attempts to merge with a Zod v3 schema created by the plugin.
The crash is caused by the internal incompatibility between Zod v3 and Zod v4 schema objects.
Current workaround
We worked around the issue by replacing the affected plugin routes with our own API routes:
/store/product-reviews
/store/product-review-stats
These custom routes use:
and do not perform any Zod .merge() operation.
Because of that, they avoid the Zod v3/v4 incompatibility entirely.
The database tables already exist from a previous migration, so the issue appears to be isolated to the plugin middleware validation layer.
With this workaround in place, we can proceed using:
Steps to reproduce
- Install Medusa
2.14.2.
- Install
@lambdacurry/medusa-product-reviews version 1.3.1 or 1.4.0.
- Configure the plugin normally.
- Start the Medusa application.
- Medusa crashes while evaluating the plugin middlewares.
Suggested fix
The plugin should be updated to be compatible with Medusa 2.14.x.
Possible fixes:
- Upgrade the plugin to use Zod v4.
- Ensure that schemas passed into Medusa helpers such as
createFindParams() are created using the same Zod version as Medusa.
- Avoid merging plugin-created Zod schemas with Medusa-generated schemas when the Zod major versions may differ.
- Replace
.merge() usage with a Medusa/Zod-version-safe validation approach.
Additional context
This bug was confirmed by comparing two environments:
Working environment
- Medusa:
2.13.5
- Plugin:
@lambdacurry/medusa-product-reviews
- Result: works correctly
Failing environment
- Medusa:
2.14.2
- Plugin:
@lambdacurry/medusa-product-reviews 1.3.1 / 1.4.0
- Result: crashes during middleware evaluation
The difference is that Medusa 2.13.5 still uses Zod v3, while Medusa 2.14.2 uses Zod v4 internally.
Description
There is a compatibility issue between
@lambdacurry/medusa-product-reviewsand Medusa2.14.x.Medusa
2.14.2changed internally from Zod v3 to Zod v4. However,@lambdacurry/medusa-product-reviewsversions1.3.1and1.4.0still use Zod v3.As a result, the application crashes when Medusa evaluates the plugin middlewares.
This is not a configuration issue. It is a compatibility bug between the plugin and Medusa
2.14.x.Affected versions
2.14.2@lambdacurry/medusa-product-reviews1.3.11.4.0Root cause
The crash happens when the plugin evaluates middleware validation schemas using code similar to:
In this expression:
returns a Zod v4 schema from Medusa, while:
creates a Zod v3 schema from the plugin dependency.
The problem is that
.merge()is being executed on a Zod v4 schema, but the schema passed into.merge()is a Zod v3 object.Zod v4 expects the merged schema to expose the internal structure:
However, Zod v3 schemas use:
_definstead of:
_zodTherefore,
b._zodisundefined, which leads to a crash when Zod v4 tries to access:This results in an
undefined.def/undefinedaccess error during middleware evaluation.Why it works in older Medusa versions
The same plugin works correctly with Medusa
2.13.5.For example, in our environment:
fp51is running Medusa2.13.52.13.5still uses Zod v3 internallyThe issue only appears after upgrading to Medusa
2.14.x, where Medusa internally uses Zod v4.Expected behavior
The plugin should work correctly with Medusa
2.14.x.Middleware validation schemas should not crash when evaluated.
The plugin should either:
2.14.x.Actual behavior
The application crashes during middleware evaluation because a Zod v4 schema returned by Medusa attempts to merge with a Zod v3 schema created by the plugin.
The crash is caused by the internal incompatibility between Zod v3 and Zod v4 schema objects.
Current workaround
We worked around the issue by replacing the affected plugin routes with our own API routes:
These custom routes use:
and do not perform any Zod
.merge()operation.Because of that, they avoid the Zod v3/v4 incompatibility entirely.
The database tables already exist from a previous migration, so the issue appears to be isolated to the plugin middleware validation layer.
With this workaround in place, we can proceed using:
Steps to reproduce
2.14.2.@lambdacurry/medusa-product-reviewsversion1.3.1or1.4.0.Suggested fix
The plugin should be updated to be compatible with Medusa
2.14.x.Possible fixes:
createFindParams()are created using the same Zod version as Medusa..merge()usage with a Medusa/Zod-version-safe validation approach.Additional context
This bug was confirmed by comparing two environments:
Working environment
2.13.5@lambdacurry/medusa-product-reviewsFailing environment
2.14.2@lambdacurry/medusa-product-reviews1.3.1/1.4.0The difference is that Medusa
2.13.5still uses Zod v3, while Medusa2.14.2uses Zod v4 internally.