Skip to main content

What’s changed in v18.5.0

Released: 2026-04-16 This release adds line item support to the zapier-platform invoke command and bumps lodash across all packages to address a security vulnerability. Line items are fields with a children property that represent structured, repeating data — like rows in a spreadsheet or items in an order. The invoke command now supports them in both interactive and non-interactive modes: 
**Non-interactive: pass line items as JSON**
zapier-platform invoke create order --non-interactive \
  -i '{"name": "My Order", "line_items": [{"product_name": "Pens", "quantity": "12", "price": "1.50"}]}'

**Interactive: use the line item editing UI**
zapier-platform invoke create order -i '{"name": "My Order"}'
In interactive mode, a sub-menu lets you add, edit, and delete items with per-field editing and required field validation. cli
  • 🎉 Add line item support to invoke command with interactive editing UI (#1272)
  • 🎉 Add line-items project template for zapier-platform init (#1272)
  • 🐛 Fix invoke bugs: auto-detect auth ID for no-auth apps in remote mode, falsy value handling (0, false) causing infinite dropdown re-prompting, and more (#1272)
  • 🔨 Bump lodash from 4.17.23 to 4.18.1 (#1274)
core
  • 🔨 Bump lodash from 4.17.23 to 4.18.1 (#1274)
schema
  • 🔨 Bump lodash from 4.17.23 to 4.18.1 (#1274)

What’s changed in v18.4.0

Released: 2026-04-06 This release introduces the new json input field type, improved zapier versions output, and a schema validation fix. You can now accept structured JSON input from users with the new json field type. Optionally provide a schema to validate and describe the expected shape: 
{
  key: 'product',
  type: 'json',
  label: 'Product',
  helpText: 'Enter a JSON object',
  schema: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      price: { type: 'integer' },
    },
    required: ['name'],
  },
}
We also fixed a bug where pushing code with function-based dynamic dropdowns caused an unexpected validation error on the server. If you want to use function-based dynamic dropdowns, upgrade to 18.4.0 or later: 
{
  key: 'project_id',
  label: 'Project',
  type: 'string',
  required: true,
  choices: {
    perform: async (z, bundle) => {
      const response = await z.request('https://api.example.com/projects');
      return {
        results: response.data.map((project) => ({
          id: project.id,
          label: project.name,
        })),
        paging_token: null,
      };
    },
  },
}
cli
  • 💅 Clarify zapier-platform versions timestamps with separate “Created at” and “Updated at” columns (#1275)
core
  • 🎉 Add JSON field type handling with schema-aware TypeScript inference (#1273)
schema
  • 🎉 Add JSON input field type with optional schema property for structured data (#1265)
  • 🎉 Validate schema property on JSON fields against JSON Schema meta-schema (#1267)
  • 🐛 Fix oneOf ambiguity in FieldChoicesSchema that caused server-side validation errors for function-based dynamic dropdowns (#1268)
  • 📜 Update skipThrowForStatus documentation to note 401 errors are not subject to the flag (#1270)
misc
  • 🔨 Improve publish workflow with path filters and boilerplate build fixes (#1264, #1266)

What’s changed in v18.3.0

Released: 2026-03-12 Add support for function-based dynamic dropdowns cli
  • 🎉 Add support for function-based dynamic dropdown to the invoke command (#1206)
core None! schema
  • 🎉 Add FieldDynamicChoicesSchema for function-based dynamic dropdowns (#1206)

What’s changed in v18.2.3

Released: 2026-03-04 Bug fixes for the CLI build command and pnpm compatibility. cli
  • 🐛 Surface package manager errors in build command (#1254)
core
  • 🐛 Declare zapier-platform-legacy-scripting-runner as an optional peer dep to fix pnpm strict module resolution (#1255)
schema None!

What’s changed in v18.2.2

Released: 2026-02-26 Improved error handling when loading the legacy-scripting-runner module in core. The runtime now logs a warning with the actual error message when the module is installed but fails to load, making it easier to diagnose issues like missing transitive dependencies. cli None! core
  • 🐛 Log a warning when zapier-platform-legacy-scripting-runner is installed but fails to load, instead of silently returning null (#1247)
schema None! misc
  • 🔨 Fix publishing workflow to run on pushes to main (#1243)
  • 🔨 Add non-interactive mode to bump script (#1249)

User migrations must stay within the same major version

Effective: 2026-02-26 Same-major-version migrations only

What’s changed in v18.2.1

Released: 2026-02-23 Resolved a bug in the CLI that caused the build command to fail when using a symlink-based package manager (like pnpm). cli
  • 🐛 zapier-platform build no longer raises EEXIST when using a symlink-based package manager (#1244)
core None! schema None!

Pushing unlabelled semantic versions must be sequential

Effective: 2026-02-23 What changed These rules apply to unlabelled semantic versions only (for example 1.2.3). Labelled versions (such as 1.2.3-beta or 0.0.0-my-feature) are not part of these checks. When you push a new unlabelled version, the platform validates two things in addition to existing format checks. 1. You cannot skip a required predecessor The API must see the right previous unlabelled release before it accepts the new one:
  • Patch bump (1.2.3): the exact unlabelled 1.2.2 must already exist.
  • Minor bump (1.3.0): at least one unlabelled 1.2.x must exist.
  • Major bump (2.0.0 when coming from 1.x): at least one unlabelled 1.x.x must exist.
1.0.0 is unchanged: there is no prior semver to require. If the predecessor is missing, push fails with 403 and guidance like: Version X requires Y to exist. Push version Y, then try again. 2. You cannot insert an “intermediate” version behind a newer line You also cannot push a version if a newer unlabelled version already exists in the segment that would make yours a backward insert:
  • 1.2.3: blocked if any unlabelled 1.2.4 or higher on the same 1.2.* line already exists. Pushing 1.3.0 is still allowed when only 1.3.x or 2.x.x exists—those are not on the 1.2.* patch line.
  • 1.3.0: blocked if any unlabelled 1.4.x or higher on the same major (1.*) already exists. 2.0.0 is still allowed when only 2.x.x exists.
  • 2.0.0: blocked if any unlabelled 3.x.x or higher already exists.
If that applies, push fails with 403 and a message that an existing version would make this an intermediate release, which is not allowed. What this means for you
  • Plan patch → patch → minor → major (or the minimal chain your history needs) using unlabelled semver when you are ready to record real releases; use labelled snapshots while iterating.
  • If you are stuck because old versions were removed, you may still use deprecation and, when appropriate, delete a deprecated version so your remaining unlabelled history matches what you want to push next.

What’s changed in v18.2.0

Released: 2026-02-18 The main change in this release is to support function-based choices in the invoke command, which will allow developers to test perform-based dynamic dropdowns. cli
  • 🎉 zapier-platform invoke now supports function-based choices (#1237)
core
  • 🐛 If we attempt to stash a large response but it’s bigger than the max limit, throw a descriptive error with the actual size and the limit (#1238)
  • 🔨 Add an environment variable to allow suppressing cleaning up env vars (#1242)
schema None! misc
  • 🔨 CI: Use environment to publish (#1239)
  • 🔨 CI: Automate the boilerplate upload (#1240)

What’s changed in v18.1.1

Released: 2026-01-29 Main change introduced here is fixing missing HTTP error logs that were prematurely lost during a Lambda invocation. cli None! core
  • 🐛 Restore missing HTTP error logs (#1227)
schema None! misc

What’s changed in v18.1.0

Released: 2026-01-19 The zapier-platform invoke command now supports a remote mode. By adding a --remote (-r for short) flag to the invoke command, such as: 
zapier-platform invoke -r
… all invocations, including trigger/action invocation itself, input field definitions, and dynamic dropdown choices, will be executed remotely by the Zapier production environment. This means:
  • The integration version you want to test has to be deployed first.
  • The invocation results and the bundle payload passed to your integration code will match what you see in live production, which is great for testing.
  • Remote mode is slower than local mode (without the -r flag).
Read more about the three different modes in the zapier-platform invoke --help documentation. We also fixed an issue where the build and test commands were not correctly detecting package managers (like npm, yarn, pnpm, or bun) when your integration was part of a monorepo. Now, the CLI doesn’t just look in the current directory for package manager indicators (like package-lock.json for npm), but also checks parent directories up to four levels up. cli
  • 🎉 Add --remote flag to invoke command (#1220)
  • 🐛 Fix package manager detection in build and test commands to include parent directories (#1225)
core None! schema None! misc
  • 📜 Improve internal development docs (#1221)

What’s changed in v18.0.7

Released: 2026-01-07 In response to the previous Shai-Hulud incident, we’re changing our package publishing process to improve security. This release also includes a schema extension that allows outputFields to have a sample field. Lastly, we’ve refactored the invoke command to make upcoming enhancements easier. cli
  • 🔨 Refactor invoke command (#1217)
core None! schema
  • 🎉 Allow a sample field to be provided for dynamic outputFields (#1211)
misc

What’s changed in v18.0.6

Released: 2025-12-24 The zapier build command was harcoded to use npm install. As alternate package managers gain adoption, the zapier build command will respect your app’s package manager of choice. It does this by checking the packageManager on the package.json file. If it is not defined, it will look for any relevant lock files. If still, none is defined, then will fallback to npm. If you are familiar with using zapier build with the flag --skip-npm-install, this flag has been renamed to --skip-dep-install, but will continue to still work as an alias. In the future, we will remove the --skip-npm-install flag. cli
  • 💅 CLI build respects the integration’s package manager (#1216)
core None! schema None! misc
  • 🔨 Bump tmp from 0.2.4 to 0.2.5 (#1207)
  • 🔨 Bump form-data from 4.0.4 to 4.0.5 (#1208)

What’s changed in v18.0.5

Released: 2025-12-10
We’re releasing v18.0.5, skipping comprimised versions v18.0.2, v18.0.3, and v18.0.4, due to the prior security incident.
This release fixes a potential security vulnerability in the build command related to zip file decompression. cli
  • 🐛 Remove problematic decompress-tar dependency (#1202)
core None! schema None! misc
  • 🔨 Switch to pnpm as package manager and task runner (#1204)

Incident: Unauthorized Access to Zapier NPM Packages

Released: 2025-11-24 Unauthorized Access to Zapier npm Packages Note: No action is needed from Zapier users, only from Zapier developers using one of the NPM package versions listed on this page. See that link for detailed mitigation recommendations. All Zapier products are operating as expected and there is no indication of data loss or leak. Please see this link for the most up-to-date information.

What’s changed in v18.0.1

Released: 2025-11-05 This release addresses an npx resolution issue introduced in v18.0.0 and fixes TypeScript typing for nested input fields when working with line items. cli
  • 🐛 Fix npx resolution issue with dual binary entries (#1191)
core
  • 🐛 Fix children input types when line items are present (#1188)
schema None! misc None!

What’s changed in v18.0.0

Released: 2025-10-30 Version 18.0.0 is a BREAKING CHANGE release that contains several important upgrades and changes. Here is a brief breakdown of the main changes (❗ denotes a breaking change): ❗ Node.js 22 Support Zapier Platform v18 runs on Node.js 22 runtime. This is a breaking change as it may affect compatibility with older Node.js versions and dependencies. ❗ Schema Changes The skipCleanArrayInputData experimental flag has been replaced with cleanInputData. This provides more consistent data cleaning behavior across the platform. This change is breaking only if you’re using skipCleanArrayInputData. See cleanInputData flag documentation for more details on how to configure this behavior. ❗ New Throttling Middleware A new throwForThrottling middleware has been added to prevent afterResponse middleware from suppressing 429 (throttling) responses. This ensures proper handling of rate limiting scenarios. This change is breaking if you want to handle 429 responses in your afterResponse. See v18.x and above: the built-in throwForThrottling middleware for how to handle 429s yourself. New Executable Name zapier-platform The CLI now includes a new executable name zapier-platform while deprecating the old zapier command. Both will work for now, but zapier-platform is the recommended command going forward.
Apart from these major changes, here are the detailed release notes for this release (note that ❗ denotes a breaking change): cli
  • 🎉 Add executable name zapier-platform and deprecate zapier (#1181)
  • 🔨 Update outdated dependencies with security vulnerabilities (#1111)
  • 🔨 Apply prettier formatting to generated auth files since gen.fs.write bypasses transform streams
  • 🔨 Add ESM wrapper improvements for better module support
core
  • ❗ Add Node.js 22 support (#1078)
  • 🎉 Add throwForThrottling middleware with backward-compatible default behavior (#1151)
  • 🐛 Add better error message for 413 responses (#1110)
schema
  • ❗ Replace skipCleanArrayInputData with cleanInputData (#1183)
  • 🔨 Add global cleanInputData flag for consistent data cleaning behavior
misc
  • ❗ Major dependency updates across all packages (#1079)
  • 🔨 Update CI configuration for Node.js 22 support
  • 🔨 Pin exact xmldom version for security

What’s changed in v17.9.1

Released: 2025-10-28 This release addresses a bug in the zapier push command and includes dependency updates. cli
  • 🐛 Fix issue where zapier push fail if the app wasn’t built already (may have affected ESM builds) (#1187)
core None! schema None! misc
  • 🔨 Bump vite from 6.3.6 to 6.4.1 (#1185)

Self-serve static IP for private integrations

Released: 2025-10-21 Self-serve static IP for private integrations
  • 🎉 Static IP can now be enabled by team members for private integrations:
    • Platform UI toggle: Navigate to the Settings tab on the Advanced page to enable static IP addresses for your private integration without contacting support.
    • Published integrations: Continue to contact Zapier Support to enable static IP for published integrations.

Labeled Versions now available in CLI and Platform UI

Released: 2025-10-21 Labeled Versions
  • 🎉 Labeled Versions are now publicly available!
    • Versions like 2.0.0-beta can be used for testing and avoiding version collisions during parallel development
    • More flexible “snapshot” versions like 0.0.0-my-feature can be used to push integration updates without committing to a semantic version number
Looking for older news? 2026, 2025, and old changelogs prior to v17