Zod-OpenAPI not performing strict validation on response schemas #913

Open
Rick-Phoenix opened this issue Dec 27, 2024 · 1 comment
@Rick-Phoenix

Which middleware has the bug?

@hono/zod-openapi

What version of the middleware?

0.18.3

What version of Hono are you using?

4.6.14

What runtime/platform is your app running on? (with version if possible)

Node 20.17.0

What steps can reproduce the bug?

  1. Create a select schema with drizzle-zod. Add a .omit() option to omit some fields and add .strict() to make sure that extra fields are not accepted.
  2. Assign the schema to a response with the createRoute API.

What is the expected behavior?

  • When passing an object that has fields that are not included in the schema to c.json(), the response should be seen as invalid and throw a type error.

What do you see instead?

  • No error is shown, and the response is seen as valid.

Additional information

I have tested the schema and I can clearly see from the OpenAPI specs that "additionalProperties" is set to false.
Also, I can see from the autocomplete on c.json() that the schema does indeed exclude the extra properties that I am passing.

However, I can still pass extra fields and I get no error.
I only get an error if I am manually parsing the response with zod.

@yusukebe
Member

Hi @Rick-Phoenix

Thank you for the issue. It is a known issue that the Zod OpenAPI can't validate the value of the response: #181
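
The workaround mentioned in the report, parsing the response manually before it is sent, shown as an added example that is not part of the thread or of the Hono project's code. It uses a dependency-free stand-in for a strict schema rather than zod; `safeParseStrict`, `strictJson` and the sample row are hypothetical names and constructed data.

```typescript
// Stand-in for a strict object schema (hypothetical helper, not zod): like
// .strict(), any key the schema does not declare is reported as an issue.
type FieldType = "string" | "number" | "boolean";
type StrictShape = Record<string, FieldType>;
type ParseResult = { ok: boolean; data: Record<string, unknown>; issues: string[] };

function safeParseStrict(shape: StrictShape, value: unknown): ParseResult {
  const issues: string[] = [];
  const data: Record<string, unknown> = {};
  if (typeof value !== "object" || value === null || Array.isArray(value)) {
    return { ok: false, data, issues: ["expected an object"] };
  }
  const input = value as Record<string, unknown>;
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(shape, key)) {
      issues.push(`unrecognized key: ${key}`);
    }
  }
  for (const key of Object.keys(shape)) {
    if (typeof input[key] === shape[key]) data[key] = input[key];
    else issues.push(`${key}: expected ${shape[key]}`);
  }
  return { ok: issues.length === 0, data, issues };
}

// Fail closed: a body that violates the declared response schema is replaced
// by a generic 500 instead of being serialized to the client.
function strictJson(shape: StrictShape, body: unknown): { status: number; json: string } {
  const result = safeParseStrict(shape, body);
  if (!result.ok) {
    return { status: 500, json: JSON.stringify({ error: "response schema violation" }) };
  }
  return { status: 200, json: JSON.stringify(result.data) };
}

// Constructed sample: a row carrying a column the response schema omits.
type PublicUser = { id: number; name: string };
const publicUserShape: StrictShape = { id: "number", name: "string" };
const row = { id: 1, name: "alice", passwordHash: "constructed-value" };

// Compiles: a variable with extra fields is assignable to the narrower type,
// so the static type neither rejects nor strips them.
const typedOnly: PublicUser = row;
const leaked = JSON.stringify(typedOnly); // still contains passwordHash
const guarded = strictJson(publicUserShape, row); // status 500, no row data
```

The parse issues are best logged server-side only; the client sees the generic error, so the omitted field never reaches the wire.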
