Security vulnerability in zod@3.22.2

[syukronarie]

Hi maintainers,

I am reporting a security vulnerability in zod.
Vulnerability type: Regular Expression Denial of Service (ReDoS) [High Severity]
Additional information: https://security.snyk.io/vuln/SNYK-JS-ZOD-5925617

Best regards,
Arie

[matjaeck]

This is -- there is no other way to say it -- just another snyk bullshit report.

It's not even involving any code from this package.

Pure bullshit.

[BluDood]

This is -- there is no other way to say it -- just another snyk bullshit report.

It's not even involving any code from this package.

Pure bullshit.

@matjaeck Explain? Looking at the report and the included video shows that it does take significantly longer to process - I'll verify if this is the case tomorrow

[tylerd-canva]

probably a duplicate of #2787

[Phoenix-Alpha]

GHSA-m95q-7qp3-xv42

[BluDood]

I decided to make some tests in StackBlitz - and in my testing, only 3.22.0+ are vulnerable.
3.22.0+: https://stackblitz.com/edit/stackblitz-starters-hmvyja?file=index.js
3.21.4: https://stackblitz.com/edit/stackblitz-starters-d7stxv?file=index.js
Same results as #2787.
Also there are like 5 different issues talking about this now, should we merge them into one?

[colinhacks]

Fixed by #2824

Landed in Zod v3.22.3