build(deps): bump @vinejs/vine from 3.0.1 to 4.0.0

[dependabot]

Bumps @vinejs/vine from 3.0.1 to 4.0.0.

Release notes

Sourced from @​vinejs/vine's releases.

Bug fixes, support for standard schema, file validation, optional and nullable unions

Breaking changes

Removed BaseModifiers class

This release refactors parts of VineJS internals and removes the BaseModifiers class. In most cases, this change will not affect your application. However, if you were extending or directly using BaseModifiers for a custom use case, you may need to adjust your implementation. If you run into any issues, please open an issue on GitHub.

---

Report confirmed rule errors on the confirmation field

The confirmed rule is commonly used for fields like password to ensure a matching field (for example, password_confirmation) has the same value. Previously, when the values didn’t match, the validation error was reported on the original field (e.g. password).

This created a poor user experience — you would see an error message like

“The values of password and password_confirmation must be the same” next to the password field, even though the issue was with the confirmation field.

This behavior has now been corrected. Errors from the confirmed rule are now reported on the confirmation field (e.g. password_confirmation). Since this changes the location of validation errors, it is considered a breaking change.

---

Introducing dataTypeValidator

We identified a bug in how Vine handled validations when bail(false) was used. When bail mode is disabled, all validations on a field should run — even if earlier ones fail.

For example:

const schema = vine.object({
  email: vine.string().email().minLength(5).bail(false)
})
const data = { email: 'virk' }

In this case, both email() and minLength() validations should report errors. However, Vine stopped after the first failure because of an internal field.isValid check. We removed this check to ensure all validations run as expected.

This change, however, introduced redundant type checks — for instance, if a field wasn’t a string, each subsequent rule (email(), minLength(), etc.) had to recheck the type manually.

To solve this, we introduced dataTypeValidator.

... (truncated)

Commits

• 70d5d8c chore(release): 4.0.0
• a1624b2 ci: remove pre-release flag from the release script
• 3eca133 docs: update benchmarks
• ab60e9e chore(release): 4.0.0-next.1
• 2e74503 fix: Update logic of converting string values to DayJS instances
• f4278c3 style: update docblock
• bbd01bf feat: add nonNegative and nonPositive number rules
• 2e8f311 refactor: format code as per new eslint rules
• 9136e4f fix: fail positive and negative validations when value is a neutral number
• 910a951 chore: add api docs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @abtion-internal-projects.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[abtion-internal-projects]

@dependabot merge

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

[dependabot]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

[dependabot]

Superseded by #424.