Gathering detailed insights and metrics for zod
Gathering detailed insights and metrics for zod
TypeScript-first schema validation with static type inference
Installations
npm install zodDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Node Version
20.19.2
NPM Version
10.8.2
Score
99.8
Supply Chain
100
Quality
95.4
Maintenance
100
Vulnerability
100
License
Releases
157
Languages
4
TypeScript
MDX
JavaScript
CSS
TypeScript (86.13%)
MDX (13.26%)
JavaScript (0.43%)
CSS (0.18%)
Developer
Download Statistics
Total Downloads
1,255,915,537
Last Day
1,907,874
Last Week
29,145,892
Last Month
127,326,835
Last Year
823,912,671
GitHub Statistics
MIT License
38,837 Stars
2,453 Commits
1,518 Forks
70 Watchers
72 Branches
432 Contributors
Updated on Jul 03, 2025
Bundle Size
65.71 kB
Minified
14.19 kB
Minified + Gzipped
Sponsor this package
Maintainers
1
Package Meta Information
Latest Version
3.25.70
Package Id
zod@3.25.70
Unpacked Size
1.78 MB
Size
286.99 kB
File Count
351
NPM Version
10.8.2
Node Version
20.19.2
Published on
Jul 03, 2025
Total Downloads
Cumulative downloads
Total Downloads
1,255,915,537
Last Day
-5.9%
1,907,874
Compared to previous day
Last Week
-6.5%
29,145,892
Compared to previous week
Last Month
14%
127,326,835
Compared to previous month
Last Year
150.3%
823,912,671
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
Zod
TypeScript-first schema validation with static type inference
by @colinhacks
Featured sponsor: Jazz
Read the docs →
What is Zod?
Zod is a TypeScript-first validation library. Define a schema and parse some data with it. You'll get back a strongly typed, validated result.
1import * as z from "zod/v4"; 2 3const User = z.object({ 4 name: z.string(), 5}); 6 7// some untrusted data... 8const input = { 9 /* stuff */ 10}; 11 12// the parsed result is validated and type safe! 13const data = User.parse(input); 14 15// so you can use it with confidence :) 16console.log(data.name);
Features
- Zero external dependencies
- Works in Node.js and all modern browsers
- Tiny:
2kbcore bundle (gzipped) - Immutable API: methods return a new instance
- Concise interface
- Works with TypeScript and plain JS
- Built-in JSON Schema conversion
- Extensive ecosystem
Installation
1npm install zod
Basic usage
Before you can do anything else, you need to define a schema. For the purposes of this guide, we'll use a simple object schema.
1import * as z from "zod/v4"; 2 3const Player = z.object({ 4 username: z.string(), 5 xp: z.number(), 6});
Parsing data
Given any Zod schema, use .parse to validate an input. If it's valid, Zod returns a strongly-typed deep clone of the input.
1Player.parse({ username: "billie", xp: 100 }); 2// => returns { username: "billie", xp: 100 }
Note — If your schema uses certain asynchronous APIs like async refinements or transforms, you'll need to use the .parseAsync() method instead.
1const schema = z.string().refine(async (val) => val.length <= 8); 2 3await schema.parseAsync("hello"); 4// => "hello"
Handling errors
When validation fails, the .parse() method will throw a ZodError instance with granular information about the validation issues.
1try { 2 Player.parse({ username: 42, xp: "100" }); 3} catch (err) { 4 if (err instanceof z.ZodError) { 5 err.issues; 6 /* [ 7 { 8 expected: 'string', 9 code: 'invalid_type', 10 path: [ 'username' ], 11 message: 'Invalid input: expected string' 12 }, 13 { 14 expected: 'number', 15 code: 'invalid_type', 16 path: [ 'xp' ], 17 message: 'Invalid input: expected number' 18 } 19 ] */ 20 } 21}
To avoid a try/catch block, you can use the .safeParse() method to get back a plain result object containing either the successfully parsed data or a ZodError. The result type is a discriminated union, so you can handle both cases conveniently.
1const result = Player.safeParse({ username: 42, xp: "100" }); 2if (!result.success) { 3 result.error; // ZodError instance 4} else { 5 result.data; // { username: string; xp: number } 6}
Note — If your schema uses certain asynchronous APIs like async refinements or transforms, you'll need to use the .safeParseAsync() method instead.
1const schema = z.string().refine(async (val) => val.length <= 8); 2 3await schema.safeParseAsync("hello"); 4// => { success: true; data: "hello" }
Inferring types
Zod infers a static type from your schema definitions. You can extract this type with the z.infer<> utility and use it however you like.
1const Player = z.object({ 2 username: z.string(), 3 xp: z.number(), 4}); 5 6// extract the inferred type 7type Player = z.infer<typeof Player>; 8 9// use it in your code 10const player: Player = { username: "billie", xp: 100 };
In some cases, the input & output types of a schema can diverge. For instance, the .transform() API can convert the input from one type to another. In these cases, you can extract the input and output types independently:
1const mySchema = z.string().transform((val) => val.length); 2 3type MySchemaIn = z.input<typeof mySchema>; 4// => string 5 6type MySchemaOut = z.output<typeof mySchema>; // equivalent to z.infer<typeof mySchema> 7// number
Moderate
5.3/10
Summary
Zod denial of service vulnerability
Affected Versions
<= 3.22.2
Patched Versions
3.22.3
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
6 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-f7f6-9jq7-3rqj
- Warn: Project is vulnerable to: GHSA-m5qc-5hw7-8vg7
- Warn: Project is vulnerable to: GHSA-f82v-jwr5-mffw
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
Reason
Found 9/30 approved changesets -- score normalized to 3
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:17
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/release.yml:18
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/colinhacks/zod/test.yml/main?enable=pin
- Info: 0 out of 7 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 6 third-party GitHubAction dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 10 are checked with a SAST tool
Score
4.5
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More