z-schema 12.0.1 → 12.0.3

package/cjs/index.js

@@ -364,6 +364,7 @@ const get = (obj, path) => {
 const jsonSymbol = Symbol.for('z-schema/json');
 const schemaSymbol = Symbol.for('z-schema/schema');
 
+const ASYNC_TIMEOUT_POLL_MS = 10;
 class Report {
     asyncTasks = [];
     commonErrorMessage;
@@ -438,6 +439,7 @@ class Report {
     }
     processAsyncTasks(timeout, callback) {
         const validationTimeout = Math.min(Math.max(timeout || 2000, 0), MAX_ASYNC_TIMEOUT);
+        const timeoutAt = Date.now() + validationTimeout;
         let tasksCount = this.asyncTasks.length;
         let timedOut = false;
         const finish = () => {
@@ -466,13 +468,19 @@ class Report {
             const respondCallback = respond(processFn);
             fn(...fnArgs, respondCallback);
         }
-        setTimeout(() => {
-            if (tasksCount > 0) {
+        const checkTimeout = () => {
+            if (timedOut || tasksCount <= 0) {
+                return;
+            }
+            if (Date.now() >= timeoutAt) {
                 timedOut = true;
                 this.addError('ASYNC_TIMEOUT', [tasksCount, validationTimeout]);
                 callback(getValidateError({ details: this.errors }), false);
+                return;
             }
-        }, validationTimeout);
+            setTimeout(checkTimeout, ASYNC_TIMEOUT_POLL_MS);
+        };
+        setTimeout(checkTimeout, ASYNC_TIMEOUT_POLL_MS);
     }
     getPath(returnPathAsString) {
         let path = [];
@@ -720,6 +728,17 @@ const normalizeOptions = (options) => {
     return normalized;
 };
 
+// Normalize a URI into a cache key, rejecting keys that could pollute Object.prototype.
+function getSafeRemotePath(uri) {
+    const remotePath = getRemotePath(uri);
+    if (!remotePath) {
+        return undefined;
+    }
+    if (remotePath === '__proto__' || remotePath === 'constructor' || remotePath === 'prototype') {
+        return undefined;
+    }
+    return remotePath;
+}
 const getEffectiveId = (schema) => {
     let id = getId(schema);
     if ((!id || !isAbsoluteUri(id)) && typeof schema.id === 'string' && isAbsoluteUri(schema.id)) {
@@ -750,31 +769,31 @@ function prepareRemoteSchema(schema, uri, validationOptions, maxCloneDepth) {
 }
 class SchemaCache {
     validator;
-    static global_cache = {};
-    cache = {};
+    static global_cache = Object.create(null);
+    cache = Object.create(null);
     constructor(validator) {
         this.validator = validator;
     }
     static cacheSchemaByUri(uri, schema) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         if (remotePath) {
             this.global_cache[remotePath] = schema;
         }
     }
     cacheSchemaByUri(uri, schema) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         if (remotePath) {
             this.cache[remotePath] = schema;
         }
     }
     removeFromCacheByUri(uri) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         if (remotePath) {
             delete this.cache[remotePath];
         }
     }
     checkCacheForUri(uri) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         return remotePath ? this.cache[remotePath] != null : false;
     }
     getSchema(report, refOrSchema) {
@@ -789,6 +808,9 @@ class SchemaCache {
         return deepClone(refOrSchema, this.validator.options.maxRecursionDepth);
     }
     fromCache(path) {
+        if (path === '__proto__' || path === 'constructor' || path === 'prototype') {
+            return undefined;
+        }
         let found = this.cache[path];
         if (found) {
             return found;
@@ -820,7 +842,7 @@ class SchemaCache {
                 }
             }
         }
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         const queryPath = getQueryPath(uri);
         let result;
         let resolvedFromAncestor = false;
@@ -4275,7 +4297,9 @@ const durationValidator = (input) => {
     }
     const datePart = parts[0];
     const timePart = parts.length === 2 ? parts[1] : undefined;
-    if (!/^(?:\d+Y)?(?:\d+M)?(?:\d+D)?$/.test(datePart)) {
+    // RFC 3339 Appendix A ABNF: dur-year = 1*DIGIT "Y" [dur-month], dur-month = 1*DIGIT "M" [dur-day]
+    // Y can only be followed by M (not D directly), so P1Y2D is invalid
+    if (datePart.length > 0 && !/^(?:\d+Y(?:\d+M(?:\d+D)?)?|\d+M(?:\d+D)?|\d+D)$/.test(datePart)) {
         return false;
     }
     const hasDateComponent = /\d+[YMD]/.test(datePart);
@@ -4284,7 +4308,9 @@ const durationValidator = (input) => {
         if (timePart.length === 0) {
             return false;
         }
-        if (!/^(?:\d+H)?(?:\d+M)?(?:\d+S)?$/.test(timePart)) {
+        // RFC 3339 Appendix A ABNF: dur-hour = 1*DIGIT "H" [dur-minute], dur-minute = 1*DIGIT "M" [dur-second]
+        // H can only be followed by M (not S directly), so PT1H2S is invalid
+        if (!/^(?:\d+H(?:\d+M(?:\d+S)?)?|\d+M(?:\d+S)?|\d+S)$/.test(timePart)) {
             return false;
         }
         hasTimeComponent = /\d+[HMS]/.test(timePart);
@@ -4301,13 +4327,25 @@ const uuidValidator = (input) => {
     return /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/.test(input);
 };
 const strictUriValidator = (uri) => typeof uri !== 'string' || isURLModule.default(uri);
+const hasValidPercentEncoding = (str) => {
+    for (let i = 0; i < str.length; i++) {
+        if (str[i] === '%') {
+            if (i + 2 >= str.length || !/[0-9a-fA-F]/.test(str[i + 1]) || !/[0-9a-fA-F]/.test(str[i + 2])) {
+                return false;
+            }
+        }
+    }
+    return true;
+};
 const uriValidator = function (uri) {
     if (typeof uri !== 'string')
         return true;
     // eslint-disable-next-line no-control-regex
     if (/[^\x00-\x7F]/.test(uri))
         return false;
-    const match = uri.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/]*)/);
+    if (!hasValidPercentEncoding(uri))
+        return false;
+    const match = uri.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)/);
     if (match) {
         const authority = match[2];
         const atIndex = authority.indexOf('@');
@@ -4317,6 +4355,21 @@ const uriValidator = function (uri) {
                 return false;
             }
         }
+        // Validate port: must be numeric
+        let hostPort = atIndex >= 0 ? authority.substring(atIndex + 1) : authority;
+        if (hostPort.startsWith('[')) {
+            const bracketEnd = hostPort.indexOf(']');
+            if (bracketEnd >= 0) {
+                hostPort = hostPort.substring(bracketEnd + 1);
+            }
+        }
+        const colonIndex = hostPort.lastIndexOf(':');
+        if (colonIndex >= 0) {
+            const port = hostPort.substring(colonIndex + 1);
+            if (port.length > 0 && !/^\d+$/.test(port)) {
+                return false;
+            }
+        }
     }
     return /^[a-zA-Z][a-zA-Z0-9+.-]*:[^"\\<>^{}^`| ]*$/.test(uri);
 };
@@ -4523,6 +4576,7 @@ function compileSchemaRegex(pattern) {
     if (needsUnicode) {
         // Try compiling with 'u' flag only
         try {
+            // lgtm[js/regex-injection] JSON Schema `pattern` is intentionally regex syntax and constrained by MAX_SCHEMA_REGEX_LENGTH.
             const re = new RegExp(pattern, 'u');
             return { ok: true, value: re };
         }
@@ -4538,6 +4592,7 @@ function compileSchemaRegex(pattern) {
     }
     else {
         try {
+            // lgtm[js/regex-injection] JSON Schema `pattern` is intentionally regex syntax and constrained by MAX_SCHEMA_REGEX_LENGTH.
             const re = new RegExp(pattern);
             return { ok: true, value: re };
         }
@@ -5520,21 +5575,13 @@ function formatValidator(report, schema, json) {
             const result = formatValidatorFn.call(this, json);
             if (result instanceof Promise) {
                 // Promise-based async
-                const timeoutMs = Math.min(Math.max(this.options.asyncTimeout || 2000, 0), MAX_ASYNC_TIMEOUT);
                 const promiseResult = result;
                 report.addAsyncTaskWithPath(async (callback) => {
                     try {
-                        const timeoutPromise = new Promise((_, reject) => {
-                            setTimeout(() => reject(new Error('Async timeout')), timeoutMs);
-                        });
-                        const resolved = await Promise.race([promiseResult, timeoutPromise]);
+                        const resolved = await promiseResult;
                         callback(resolved);
                     }
-                    catch (error) {
-                        if (error.message === 'Async timeout') {
-                            // Don't call callback, let global timeout handle it
-                            return;
-                        }
+                    catch (_error) {
                         callback(false);
                     }
                 }, [], function (resolvedResult) {
@@ -6384,6 +6431,14 @@ function setSchemaReader(schemaReader) {
 
 /** Safely assign a property on `obj`, refusing prototype-polluting keys. */
 function safeSetProperty(obj, key, value) {
+    const unsafeTargets = [
+        Object.prototype,
+        Function.prototype,
+        Array.prototype,
+    ];
+    if (unsafeTargets.includes(obj)) {
+        return;
+    }
     /** Reject property names that could pollute Object.prototype (CWE-1321). */
     if (key !== '__proto__' && key !== 'constructor' && key !== 'prototype') {
         obj[key] = value;
@@ -6626,8 +6681,14 @@ class SchemaCompiler {
                 this.collectAndCacheIds(schema);
             }
         }
+        const canMutateSchemaObject = schema !== Object.prototype &&
+            schema !== Function.prototype &&
+            schema !== Array.prototype;
         // if we have an id than it should be cached already (if this instance has compiled it)
-        if (schema.__$compiled && schema.id && this.validator.scache.checkCacheForUri(schema.id) === false) {
+        if (canMutateSchemaObject &&
+            schema.__$compiled &&
+            schema.id &&
+            this.validator.scache.checkCacheForUri(schema.id) === false) {
             schema.__$compiled = undefined;
         }
         // do not re-compile schemas
@@ -6635,7 +6696,7 @@ class SchemaCompiler {
             return true;
         }
         // v8 - if $schema is not present, set $schema to default
-        if (!schema.$schema && this.validator.options.version !== 'none') {
+        if (canMutateSchemaObject && !schema.$schema && this.validator.options.version !== 'none') {
             schema.$schema = this.validator.getDefaultSchemaId();
         }
         if (schema.id && typeof schema.id === 'string' && !options?.noCache) {
@@ -6650,7 +6711,9 @@ class SchemaCompiler {
         }
         // delete all __$missingReferences from previous compilation attempts
         const isValidExceptReferences = report.isValid();
-        delete schema.__$missingReferences;
+        if (canMutateSchemaObject) {
+            delete schema.__$missingReferences;
+        }
         // collect all references that need to be resolved - $ref and $schema
         const useRefObjectScope = this.validator.options.version === 'draft2019-09' || this.validator.options.version === 'draft2020-12';
         const refs = collectReferences(schema, undefined, undefined, undefined, { useRefObjectScope }, this.validator.options.maxRecursionDepth);
@@ -6698,7 +6761,7 @@ class SchemaCompiler {
                     report.addError('UNRESOLVABLE_REFERENCE', [refObj.ref]);
                     report.path = report.path.slice(0, -refObj.path.length);
                     // pusblish unresolved references out
-                    if (isValidExceptReferences) {
+                    if (isValidExceptReferences && canMutateSchemaObject) {
                         schema.__$missingReferences = schema.__$missingReferences || [];
                         schema.__$missingReferences.push(refObj);
                     }
@@ -6708,7 +6771,7 @@ class SchemaCompiler {
             safeSetProperty(refObj.obj, `__${refObj.key}Resolved`, response);
         }
         const isValid = report.isValid();
-        if (isValid) {
+        if (isValid && canMutateSchemaObject) {
             schema.__$compiled = true;
         }
         // else {

package/dist/format-validators.js

@@ -132,7 +132,9 @@ const durationValidator = (input) => {
     }
     const datePart = parts[0];
     const timePart = parts.length === 2 ? parts[1] : undefined;
-    if (!/^(?:\d+Y)?(?:\d+M)?(?:\d+D)?$/.test(datePart)) {
+    // RFC 3339 Appendix A ABNF: dur-year = 1*DIGIT "Y" [dur-month], dur-month = 1*DIGIT "M" [dur-day]
+    // Y can only be followed by M (not D directly), so P1Y2D is invalid
+    if (datePart.length > 0 && !/^(?:\d+Y(?:\d+M(?:\d+D)?)?|\d+M(?:\d+D)?|\d+D)$/.test(datePart)) {
         return false;
     }
     const hasDateComponent = /\d+[YMD]/.test(datePart);
@@ -141,7 +143,9 @@ const durationValidator = (input) => {
         if (timePart.length === 0) {
             return false;
         }
-        if (!/^(?:\d+H)?(?:\d+M)?(?:\d+S)?$/.test(timePart)) {
+        // RFC 3339 Appendix A ABNF: dur-hour = 1*DIGIT "H" [dur-minute], dur-minute = 1*DIGIT "M" [dur-second]
+        // H can only be followed by M (not S directly), so PT1H2S is invalid
+        if (!/^(?:\d+H(?:\d+M(?:\d+S)?)?|\d+M(?:\d+S)?|\d+S)$/.test(timePart)) {
             return false;
         }
         hasTimeComponent = /\d+[HMS]/.test(timePart);
@@ -158,13 +162,25 @@ const uuidValidator = (input) => {
     return /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/.test(input);
 };
 const strictUriValidator = (uri) => typeof uri !== 'string' || isURLModule.default(uri);
+const hasValidPercentEncoding = (str) => {
+    for (let i = 0; i < str.length; i++) {
+        if (str[i] === '%') {
+            if (i + 2 >= str.length || !/[0-9a-fA-F]/.test(str[i + 1]) || !/[0-9a-fA-F]/.test(str[i + 2])) {
+                return false;
+            }
+        }
+    }
+    return true;
+};
 const uriValidator = function (uri) {
     if (typeof uri !== 'string')
         return true;
     // eslint-disable-next-line no-control-regex
     if (/[^\x00-\x7F]/.test(uri))
         return false;
-    const match = uri.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/]*)/);
+    if (!hasValidPercentEncoding(uri))
+        return false;
+    const match = uri.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^/?#]*)/);
     if (match) {
         const authority = match[2];
         const atIndex = authority.indexOf('@');
@@ -174,6 +190,21 @@ const uriValidator = function (uri) {
                 return false;
             }
         }
+        // Validate port: must be numeric
+        let hostPort = atIndex >= 0 ? authority.substring(atIndex + 1) : authority;
+        if (hostPort.startsWith('[')) {
+            const bracketEnd = hostPort.indexOf(']');
+            if (bracketEnd >= 0) {
+                hostPort = hostPort.substring(bracketEnd + 1);
+            }
+        }
+        const colonIndex = hostPort.lastIndexOf(':');
+        if (colonIndex >= 0) {
+            const port = hostPort.substring(colonIndex + 1);
+            if (port.length > 0 && !/^\d+$/.test(port)) {
+                return false;
+            }
+        }
     }
     return /^[a-zA-Z][a-zA-Z0-9+.-]*:[^"\\<>^{}^`| ]*$/.test(uri);
 };

package/dist/report.js

@@ -5,6 +5,7 @@ import { get } from './utils/json.js';
 import { jsonSymbol, schemaSymbol } from './utils/symbols.js';
 import { isAbsoluteUri } from './utils/uri.js';
 import { isObject } from './utils/what-is.js';
+const ASYNC_TIMEOUT_POLL_MS = 10;
 export class Report {
     asyncTasks = [];
     commonErrorMessage;
@@ -79,6 +80,7 @@ export class Report {
     }
     processAsyncTasks(timeout, callback) {
         const validationTimeout = Math.min(Math.max(timeout || 2000, 0), MAX_ASYNC_TIMEOUT);
+        const timeoutAt = Date.now() + validationTimeout;
         let tasksCount = this.asyncTasks.length;
         let timedOut = false;
         const finish = () => {
@@ -107,13 +109,19 @@ export class Report {
             const respondCallback = respond(processFn);
             fn(...fnArgs, respondCallback);
         }
-        setTimeout(() => {
-            if (tasksCount > 0) {
+        const checkTimeout = () => {
+            if (timedOut || tasksCount <= 0) {
+                return;
+            }
+            if (Date.now() >= timeoutAt) {
                 timedOut = true;
                 this.addError('ASYNC_TIMEOUT', [tasksCount, validationTimeout]);
                 callback(getValidateError({ details: this.errors }), false);
+                return;
             }
-        }, validationTimeout);
+            setTimeout(checkTimeout, ASYNC_TIMEOUT_POLL_MS);
+        };
+        setTimeout(checkTimeout, ASYNC_TIMEOUT_POLL_MS);
     }
     getPath(returnPathAsString) {
         let path = [];

package/dist/schema-cache.js

@@ -4,6 +4,17 @@ import { deepClone } from './utils/clone.js';
 import { decodeJSONPointer } from './utils/json.js';
 import { getQueryPath, getRemotePath, isAbsoluteUri } from './utils/uri.js';
 import { normalizeOptions } from './z-schema-options.js';
+// Normalize a URI into a cache key, rejecting keys that could pollute Object.prototype.
+function getSafeRemotePath(uri) {
+    const remotePath = getRemotePath(uri);
+    if (!remotePath) {
+        return undefined;
+    }
+    if (remotePath === '__proto__' || remotePath === 'constructor' || remotePath === 'prototype') {
+        return undefined;
+    }
+    return remotePath;
+}
 const getEffectiveId = (schema) => {
     let id = getId(schema);
     if ((!id || !isAbsoluteUri(id)) && typeof schema.id === 'string' && isAbsoluteUri(schema.id)) {
@@ -34,31 +45,31 @@ export function prepareRemoteSchema(schema, uri, validationOptions, maxCloneDept
 }
 export class SchemaCache {
     validator;
-    static global_cache = {};
-    cache = {};
+    static global_cache = Object.create(null);
+    cache = Object.create(null);
     constructor(validator) {
         this.validator = validator;
     }
     static cacheSchemaByUri(uri, schema) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         if (remotePath) {
             this.global_cache[remotePath] = schema;
         }
     }
     cacheSchemaByUri(uri, schema) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         if (remotePath) {
             this.cache[remotePath] = schema;
         }
     }
     removeFromCacheByUri(uri) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         if (remotePath) {
             delete this.cache[remotePath];
         }
     }
     checkCacheForUri(uri) {
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         return remotePath ? this.cache[remotePath] != null : false;
     }
     getSchema(report, refOrSchema) {
@@ -73,6 +84,9 @@ export class SchemaCache {
         return deepClone(refOrSchema, this.validator.options.maxRecursionDepth);
     }
     fromCache(path) {
+        if (path === '__proto__' || path === 'constructor' || path === 'prototype') {
+            return undefined;
+        }
         let found = this.cache[path];
         if (found) {
             return found;
@@ -104,7 +118,7 @@ export class SchemaCache {
                 }
             }
         }
-        const remotePath = getRemotePath(uri);
+        const remotePath = getSafeRemotePath(uri);
         const queryPath = getQueryPath(uri);
         let result;
         let resolvedFromAncestor = false;

package/dist/schema-compiler.js

@@ -5,6 +5,14 @@ import { getRemotePath, isAbsoluteUri } from './utils/uri.js';
 import { getSchemaReader } from './z-schema-reader.js';
 /** Safely assign a property on `obj`, refusing prototype-polluting keys. */
 function safeSetProperty(obj, key, value) {
+    const unsafeTargets = [
+        Object.prototype,
+        Function.prototype,
+        Array.prototype,
+    ];
+    if (unsafeTargets.includes(obj)) {
+        return;
+    }
     /** Reject property names that could pollute Object.prototype (CWE-1321). */
     if (key !== '__proto__' && key !== 'constructor' && key !== 'prototype') {
         obj[key] = value;
@@ -247,8 +255,14 @@ export class SchemaCompiler {
                 this.collectAndCacheIds(schema);
             }
         }
+        const canMutateSchemaObject = schema !== Object.prototype &&
+            schema !== Function.prototype &&
+            schema !== Array.prototype;
         // if we have an id than it should be cached already (if this instance has compiled it)
-        if (schema.__$compiled && schema.id && this.validator.scache.checkCacheForUri(schema.id) === false) {
+        if (canMutateSchemaObject &&
+            schema.__$compiled &&
+            schema.id &&
+            this.validator.scache.checkCacheForUri(schema.id) === false) {
             schema.__$compiled = undefined;
         }
         // do not re-compile schemas
@@ -256,7 +270,7 @@ export class SchemaCompiler {
             return true;
         }
         // v8 - if $schema is not present, set $schema to default
-        if (!schema.$schema && this.validator.options.version !== 'none') {
+        if (canMutateSchemaObject && !schema.$schema && this.validator.options.version !== 'none') {
             schema.$schema = this.validator.getDefaultSchemaId();
         }
         if (schema.id && typeof schema.id === 'string' && !options?.noCache) {
@@ -271,7 +285,9 @@ export class SchemaCompiler {
         }
         // delete all __$missingReferences from previous compilation attempts
         const isValidExceptReferences = report.isValid();
-        delete schema.__$missingReferences;
+        if (canMutateSchemaObject) {
+            delete schema.__$missingReferences;
+        }
         // collect all references that need to be resolved - $ref and $schema
         const useRefObjectScope = this.validator.options.version === 'draft2019-09' || this.validator.options.version === 'draft2020-12';
         const refs = collectReferences(schema, undefined, undefined, undefined, { useRefObjectScope }, this.validator.options.maxRecursionDepth);
@@ -325,7 +341,7 @@ export class SchemaCompiler {
                     report.addError('UNRESOLVABLE_REFERENCE', [refObj.ref]);
                     report.path = report.path.slice(0, -refObj.path.length);
                     // pusblish unresolved references out
-                    if (isValidExceptReferences) {
+                    if (isValidExceptReferences && canMutateSchemaObject) {
                         schema.__$missingReferences = schema.__$missingReferences || [];
                         schema.__$missingReferences.push(refObj);
                     }
@@ -335,7 +351,7 @@ export class SchemaCompiler {
             safeSetProperty(refObj.obj, `__${refObj.key}Resolved`, response);
         }
         const isValid = report.isValid();
-        if (isValid) {
+        if (isValid && canMutateSchemaObject) {
             schema.__$compiled = true;
         }
         // else {

package/dist/utils/schema-regex.js

@@ -19,6 +19,7 @@ export function compileSchemaRegex(pattern) {
     if (needsUnicode) {
         // Try compiling with 'u' flag only
         try {
+            // lgtm[js/regex-injection] JSON Schema `pattern` is intentionally regex syntax and constrained by MAX_SCHEMA_REGEX_LENGTH.
             const re = new RegExp(pattern, 'u');
             return { ok: true, value: re };
         }
@@ -34,6 +35,7 @@ export function compileSchemaRegex(pattern) {
     }
     else {
         try {
+            // lgtm[js/regex-injection] JSON Schema `pattern` is intentionally regex syntax and constrained by MAX_SCHEMA_REGEX_LENGTH.
             const re = new RegExp(pattern);
             return { ok: true, value: re };
         }

package/dist/validation/string.js

@@ -1,6 +1,5 @@
 import { getFormatValidators } from '../format-validators.js';
 import { decodeBase64, isValidBase64 } from '../utils/base64.js';
-import { MAX_ASYNC_TIMEOUT } from '../utils/constants.js';
 import { compileSchemaRegex } from '../utils/schema-regex.js';
 import { unicodeLength } from '../utils/unicode.js';
 import { whatIs } from '../utils/what-is.js';
@@ -94,21 +93,13 @@ export function formatValidator(report, schema, json) {
             const result = formatValidatorFn.call(this, json);
             if (result instanceof Promise) {
                 // Promise-based async
-                const timeoutMs = Math.min(Math.max(this.options.asyncTimeout || 2000, 0), MAX_ASYNC_TIMEOUT);
                 const promiseResult = result;
                 report.addAsyncTaskWithPath(async (callback) => {
                     try {
-                        const timeoutPromise = new Promise((_, reject) => {
-                            setTimeout(() => reject(new Error('Async timeout')), timeoutMs);
-                        });
-                        const resolved = await Promise.race([promiseResult, timeoutPromise]);
+                        const resolved = await promiseResult;
                         callback(resolved);
                     }
-                    catch (error) {
-                        if (error.message === 'Async timeout') {
-                            // Don't call callback, let global timeout handle it
-                            return;
-                        }
+                    catch (_error) {
                         callback(false);
                     }
                 }, [], function (resolvedResult) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "z-schema",
-  "version": "12.0.1",
+  "version": "12.0.3",
   "engines": {
     "node": ">=22.0.0"
   },
@@ -97,7 +97,7 @@
     "@rollup/plugin-commonjs": "^29.0.0",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
-    "@rollup/plugin-terser": "^0.4.4",
+    "@rollup/plugin-terser": "^1.0.0",
     "@rollup/plugin-typescript": "^12.3.0",
     "@types/lodash.isequal": "^4.5.8",
     "@types/node": "^25.2.0",
@@ -115,7 +115,7 @@
     "lodash.isequal": "^4.5.0",
     "prettier": "^3.8.1",
     "rimraf": "^6.1.2",
-    "rollup": "^4.57.1",
+    "rollup": "^4.59.0",
     "rollup-plugin-dts": "^6.3.0",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",