ZenStack Release v2.5.1

Fixed an unintended change that resulted in a "backLink" field change in model metadata for abstract models. Although I haven't observed any adverse behavior related to it, it's good to upgrade if you're already on v2.5.0.

ZenStack Release v2.5.0

New Features

• TRPC v11 support (preview) docs
• Prisma Pulse support (preview) docs
• New zenstack check CLI command for checking ZModel file for errors docs
• The zenstack generate CLI command now allows you to include/exclude specific plugins. You can use it to exclude plugins like tanstack-query hooks generation during CI docs
• Updated Prisma peer dependencies to 5.19.x

Security Fixes

• Fixed the issue that "connect" operation can circumvent "update" policy check for foreign key fields when the operation is initiated from a polymorphic model #1674

  Special thanks to @eqqe for reporting this issue! The background is: when you use the "connect" operator to establish relations between entities, you need to have "update" permission on the entity that gets a foreign key update due to the "connect". However, this permission was not properly checked if the update is initiated from a polymorphic model in previous releases.

Fixes and Improvements

• The @@validate data validation attribute is added with a new "path" parameter to indicate the path of the field that caused the error. Thanks @j0rdanba1n for proposing and implementing this! docs
• Fixed inconsistent filtering/stripping behavior for field-level policies when findMany and count APIs #1644
• Fixed the issue that polymorphic entities returned in a nested read don't contain fields from base #1645
• Fixed the check() attribute function's compatibility with post-update policies #1642
• Fixed post-update policy validation issue with deeply nested field access #1648
• Replaced "decimal.js" dependency with the more lightweight "decimal.js-light" in @zenstackhq/runtime #1571
• Fixed incorrect OpenAPI spec generated for the Meta section #1549
• Fixed the code generation compilation errors when @core/enhance plugin is configured with a custom output directory #1667
• Fixed @zenstackhq/runtime's compatibility issue with CloudFlare Workers. Please make sure you import enhance from @zenstackhq/runtime/edge when using edge runtime #1672.

New Contributors

• Welcome @j0rdanba1n as our new contributor ❤️!

Full Changelog: v2.4.1...v2.5.0

ZenStack Release v2.4.1

Fixes and Improvements

• Prisma 5.18.0 support

ZenStack Release v2.4.0

Security Fixes

• Added more reduction to the generated Prisma queries to workaround a Prisma bug (prisma/prisma#21856) that can potentially breach access control #1627

  The background is ZenStack internally uses { AND: [] } to represent constant true and { OR: [] } for constant false. However, Prisma provides inconsistent query results in certain nesting combinations. The fix introduced more query reduction logic to avoid generating such combinations.

  It's recommended that you upgrade ASAP after thorough testing.

Fixes and Improvements

• RedwoodJS package "@zenstackhq/redwood" now supports Redwood V7 #1553. Special thanks to @ladderschool for identifying the related breaking changes!
• REST-flavor API: support comma-separated multiple filter values #1573
• Fixed false-positive validation errors when using polymorphic models with tRPC #1608
• Fixed Zod schema compilation errors when outputting to a custom directory #1610
• Fixed "@zenstackhq/swr" plugin build issues which can cause typescript typing errors with certain tsconfig settings
• Consistently throw Prisma error types #1596
• Removed createMany from input arg's typing for delegate models to avoid confusion #1577
• Fixed an excessively strict Zod schema causing rejection during update #1563
• Fixed the issue that explicitly providing a "@core/enhancer" plugin in ZModel causes data validation to be muted #1562
• Fixed Prisma schema generation errors when @map is used on a foreign key field #1551
• Fixed Prisma schema generation errors when very long model names are used

Full Changelog: v2.3.3...v2.4.0

Thanks to @irvinzz for helping with this release!

ZenStack Release v2.3.3

What's Changed

• Update Prisma dependencies to 5.17.x

Full Changelog: v2.3.2...v2.3.3

ZenStack Release v2.3.2

What's Changed

• Update superjson dependency

Full Changelog: v2.3.1...v2.3.2

ZenStack Release v2.3.1

What's Changed

• Fixed incorrect prisma query executed when count uses a where filter involving a polymorphic base field #1585
• Fixed over-strict typing generated for auth() access #1589
• Fixed compatibility issue between createManyAndReturn and polymorphism #1576
• Fixed the issue that field-level override rules don't work with non-optional to-one relations #1574

Full Changelog: v2.3.0...v2.3.1

ZenStack Release v2.3.0

New Features

• The new check() policy function that allows you to delegate a models' permission checking to its relations. #276

  model Todo {
      ...
      list List @relation(fields: [listId], references: [id])
  
      // if the parent list is readable, grant full access to this Todo entity
      @@allow('all', check(list, 'read'))
  }

  You can use this feature to remove duplicated policy rules and keep the schema DRY. See a full guide here.

• Prisma 5.16.x is now supported. The new Prisma version introduced a typing breaking change. An adaptation is added in this version of ZenStack.

Documentation

• New guide for integrating with Lucia Auth!

Fixes and Improvements

• Runtime error with disconnecting a self-relation #1530
• Incorrect query result when using Prisma.DbNull to filter JSON fields #1533
• Fixed the issue that using @length on a @password field checks the length of hash password rather than the original value #1502
• Typing conflict with Prisma client extension (with polymorphism or auth() in @default() is used) #1493
• IDE formatting issue when Unsupported type is used #1517
• Runtime error when creating a polymorphic model that inherits from an abstract model #1560
• Set timeout for checking newer versions when running CLI to avoid hangs under unstable network #1529
• Typing issue in generated hooks for vue-query #1564
• Excluded create and upsert for delegate models from generated hooks and trpc routers, as they cannot be directly created.
• When generation @relation for delegate models, user-provided relation name should be used if it exists #1575 by @irvinzz
• SWR is now added as a peer dependency of @zenstackhq/swr plugin.
• The ZenStack monorepo has enabled corepack to enforce a consistent version of pnpm.

New Contributors

Thanks to @jasonmacdonald @benjamintd @irvinzz @mentorkadriu for contributing to this release! ❤️

Full Changelog: v2.2.4...v2.3.0

ZenStack Release v2.2.4

What's Changed

This release contains several fixes related to polymorphic models.

• When a concrete model is created with an explicit id field, make sure the field is pushed down to the base model's payload#1518
• Make sure concrete model's fields are included when its included from a deeply nested context #1522
• Convert polymorphic model's createMany payload into regular create #1520

Full Changelog: v2.2.3...v2.2.4

ZenStack Release v2.2.3

What's Changed

• Fixed an incorrect validation error when checking for cross-model field comprisons.

Full Changelog: v2.2.2...v2.2.3