chore: use Zod's safeParse

[tomiir]

Description

• Replace schema.parse with `schema.safeParse'

Type of change

• Chore (non-breaking change that addresses non-functional tasks, maintenance, or code quality improvements)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Associated Issues

Closes APKT-3192

Checklist

• Code in this PR is covered by automated tests (Unit tests, E2E tests)
• My changes generate no new warnings
• I have reviewed my own code
• I have filled out all required sections
• I have tested my changes on the preview link
• Approver of this PR confirms that the changes are tested on the preview link

[linear]

APKT-3159 [COE Action Item] Testing: Add Backwards Compatibility E2E to secure site

[changeset-bot]

⚠️ No Changeset found

Latest commit: 63009d0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
appkit-basic-html	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 10, 2025 1:37pm
appkit-demo	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 10, 2025 1:37pm
appkit-laboratory	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 10, 2025 1:37pm

10 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
appkit-basic-example	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
appkit-basic-sign-client-example	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
appkit-basic-up-example	⬜️ Ignored (Inspect)	Visit Preview		Jul 10, 2025 1:37pm
appkit-ethers5-bera	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
appkit-nansen-demo	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
appkit-vue-solana	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
appkit-wagmi-cdn-example	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
ethereum-provider-wagmi-example	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
next-wagmi-solana-bitcoin-example	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm
vue-wagmi-example	⬜️ Ignored (Inspect)			Jul 10, 2025 1:37pm

[github-actions]

	Warnings
⚠️	🔑 Potential High‑entropy string detected in packages/wallet/src/W3mFrame.ts (line 149): 5eykt4UsFv8P8NJdTREp...
⚠️	🔑 Potential High‑entropy string detected in packages/wallet/src/W3mFrame.ts (line 150): 4uhcVJyU9pJkvQyS88uR...
⚠️	🔑 Potential High‑entropy string detected in packages/wallet/src/W3mFrame.ts (line 151): EtWTRABZaYq6iMfeYKou...

Generated by 🚫 dangerJS against 63009d0

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	77.57%	30777 / 39672
🔵	Statements	77.57%	30777 / 39672
🔵	Functions	68.8%	2530 / 3677
🔵	Branches	84.19%	6417 / 7622

File Coverage

File	Stmts	Branches	Functions	Lines	Uncovered Lines
Changed Files
packages/wallet/src/W3mFrame.ts	98.93%	85.18%	76.47%	98.93%	102-103

Generated in workflow #13309 for commit 63009d0 by the Vitest Coverage Report Action

[linear]

APKT-3192 [COE Action] Remove Zod check from secure site

[cursor]

Bug: Event Handling Bypasses Validation

The onAppEvent method calls its callback with raw, unvalidated data, even when safeParse fails. Despite logging a warning, it casts and passes the original data to the callback, which expects a valid W3mFrameTypes.AppEvent. This bypasses type safety and can cause runtime errors, unlike other event handlers that correctly use parsed data or skip callbacks on validation failure.

Furthermore, validation was entirely removed from postAppEvent and postFrameEvent methods. They now post events without any schema validation, potentially sending malformed data.

packages/wallet/src/W3mFrame.ts#L216-L235

appkit/packages/wallet/src/W3mFrame.ts

Lines 216 to 235 in 63009d0

	}
	const appEvent = W3mFrameSchema.appEvent.safeParse(data)
	// Frame side, if the event is invalid, we allow it to go through anyways
	if (!appEvent.success) {
	console.warn('W3mFrame: invalid app event', appEvent.error.message)
	}
	callback(data as W3mFrameTypes.AppEvent)
	})
	}
	},
	postAppEvent: (event: W3mFrameTypes.AppEvent) => {
	if (W3mFrameHelpers.isClient) {
	if (!this.iframe?.contentWindow) {
	throw new Error('W3mFrame: iframe is not set')
	}
	this.iframe.contentWindow.postMessage(event, '*')
	}
	},

Fix in Cursor • Fix in Web

---

Bug: Frame Event Validation Bypass

The postFrameEvent function no longer validates outgoing frame events. The W3mFrameSchema.frameEvent.parse(event) call was removed instead of being replaced with safeParse, allowing invalid or malformed events to be posted and potentially breaking the receiving side.

packages/wallet/src/W3mFrame.ts#L236-L244

appkit/packages/wallet/src/W3mFrame.ts

Lines 236 to 244 in 63009d0

	postFrameEvent: (event: W3mFrameTypes.FrameEvent) => {
	if (W3mFrameHelpers.isClient) {
	if (!parent) {
	throw new Error('W3mFrame: parent is not set')
	}
	parent.postMessage(event, '*')
	}
	}

Fix in Cursor • Fix in Web

---

Was this report helpful? Give feedback by reacting with 👍 or 👎