Conversation

@github-actions github-actions bot commented Nov 19, 2025

SDK update

Versioning

Version Bump Type: [patch] - 🤖 (automated)

Typescript SDK Changes Detected:

  • gustoembedded.timeOffPolicies.get(): response.employees.[].balance Added
  • gustoembedded.timeOffPolicies.update(): response.employees.[].balance Added
  • gustoembedded.timeOffPolicies.getAll(): response.[].employees.[].balance Added
  • gustoembedded.timeOffPolicies.create(): response.employees.[].balance Added
  • gustoembedded.timeOffPolicies.addEmployees(): response.employees.[].balance Added
  • gustoembedded.timeOffPolicies.removeEmployees(): response.employees.[].balance Added
  • gustoembedded.timeOffPolicies.updateBalance(): response.employees.[].balance Added
  • gustoembedded.timeOffPolicies.deactivate(): response.employees.[].balance Added
OpenAPI Change Summary
├─┬Paths
│ └─┬/v1/contractors/{contractor_uuid}/address
│   └─┬PUT
│     ├──[🔀] summary (6582:16)
│     └──[🔀] description (6592:20)
└─┬Components
  └─┬Time-Off-Policy
    └─┬employees
      ├──[🔀] description (21576:24)
      └─┬Schema
        ├──[+] properties (21582:15)
        └─┬uuid
          ├──[+] format (21584:25)❌ 
          └──[+] description (21585:30)
Document Element   Total Changes   Breaking Changes
paths              2               0
components         4               1

TYPESCRIPT CHANGELOG

core: 3.26.9 - 2025-11-20

🐝 New Features

  • forwardCompatibleEnumsByDefault is now configurable via gen.yaml. When true, any enum which is used on a response will be automatically open/forward compatible - i.e. unknown values will be tolerated. Single value enums won't be automatically opened. Individual enums can be controlled with x-speakeasy-unknown-values: allow/disallow. (commit by @mfbx9da4)

core: 3.26.8 - 2025-11-18

🐝 New Features

  • Support for lax mode deserialization. Configurable via gen.yaml laxMode: lax | strict. Missing required fields will not throw zod response validation errors but instead fall back to a zero value, e.g. for a string the zero value is "". Lax mode also introduces non-lossy coercion where possible, e.g. a boolean field will tolerate the string "true". (commit by @mfbx9da4)

core: 3.26.6 - 2025-11-12

🐛 Bug Fixes

  • regression to date/datetime deserialization (commit by @mfbx9da4)
  • handle application/* encoding in multipart forms (commit by @danielkov)

Based on Speakeasy CLI 1.660.0

@github-actions github-actions bot added the patch Patch version bump label Nov 19, 2025
@github-actions github-actions bot force-pushed the speakeasy-sdk-regen-1763511308 branch 2 times, most recently from 229f073 to 49edade Compare November 21, 2025 00:16
dryrunsecurity bot commented Nov 21, 2025

DryRun Security

This pull request introduces or maintains a schema that validates the balance field as z.string().optional(), allowing arbitrary strings for a value that should be a float, which may cause backend errors, logic flaws, or injection risks if not strictly converted or sanitized. The finding recommends tightening validation for the balance field (e.g., use a numeric schema or stricter parsing) to prevent potential issues.

Insufficient Input Validation in gusto_embedded/src/models/components/timeoffpolicy.ts
Vulnerability Insufficient Input Validation
Description The balance field, intended to represent a float (e.g., "40.0"), is validated using z.string().optional() in both the TimeOffPolicyEmployees schema and the API request body for updating time off policy balances. This validation is insufficient as it allows arbitrary strings to be submitted, which could lead to backend errors, logic flaws, or injection vulnerabilities if the value is used in sensitive contexts (e.g., database queries, mathematical calculations) without further strict type conversion or sanitization.

unknown> = z.object({
  uuid: z.string().optional(),
  balance: z.string().optional(),
});
export function timeOffPolicyEmployeesFromJSON(

All finding details can be found in the DryRun Security Dashboard.
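An added example, not code from the gusto_embedded SDK or from Speakeasy, tying the finding above to the lax-mode entry in the generator changelog: a dependency-free TypeScript decoder for one `employees[]` entry that (a) puts the page's `z.string().optional()` check for `balance` beside a strict decimal-literal check that returns a number, and (b) models the changelog's "missing required field falls back to a zero value" behaviour for `uuid` so the downstream cost of that fallback is visible. Only the field names `uuid` and `balance` come from the page; the function names, the regex bounds, the choice to treat `uuid` as required, and the sample payload are assumptions. The zod equivalent of the strict check would be along the lines of `z.string().regex(...).transform(Number).optional()`; the example hand-rolls it so it runs with no packages installed.

```typescript
// Added example: NOT code from gusto_embedded or Speakeasy. Field names `uuid`
// and `balance` follow the page; every other name and rule here is assumed.

export interface TimeOffPolicyEmployee {
  uuid: string;
  balance?: number; // accrued hours; on the wire a decimal string such as "40.0"
}

// Modelled on the changelog's description of gen.yaml `laxMode: lax | strict`;
// this is an illustration of that behaviour, not the generator's implementation.
export type LaxMode = "strict" | "lax";

// Only a plain decimal literal is a valid balance. This rejects "", "NaN",
// "1e309", "40.0 OR 1=1" and anything with surrounding whitespace. The digit
// bounds are an assumption about what a plausible hours balance looks like.
const DECIMAL_LITERAL = /^-?\d{1,9}(\.\d{1,4})?$/;

/** Mirrors `z.string().optional()`: any string passes and nothing is converted. */
export function looseBalance(raw: unknown): string | undefined {
  if (raw === undefined) return undefined;
  if (typeof raw !== "string") throw new TypeError("balance must be a string");
  return raw;
}

/** Tightened check: accepts undefined or a decimal string and returns a number. */
export function strictBalance(raw: unknown): number | undefined {
  if (raw === undefined) return undefined;
  if (typeof raw !== "string" || !DECIMAL_LITERAL.test(raw)) {
    throw new RangeError(`balance is not a decimal literal: ${JSON.stringify(raw)}`);
  }
  return Number(raw);
}

/**
 * Decode one employees[] entry. In "lax" mode a missing `uuid` (treated here
 * as required) falls back to the zero value "" instead of throwing; the
 * balance check stays strict in both modes, because an unparseable balance is
 * never something a payroll caller should tolerate.
 */
export function decodeEmployee(input: unknown, mode: LaxMode): TimeOffPolicyEmployee {
  if (typeof input !== "object" || input === null) {
    throw new TypeError("employee must be an object");
  }
  const rec = input as Record<string, unknown>;
  const rawUuid = rec.uuid;
  let uuid: string;
  if (typeof rawUuid === "string") {
    uuid = rawUuid;
  } else if (mode === "lax" && rawUuid === undefined) {
    uuid = ""; // lax zero value for a missing required string
  } else {
    throw new TypeError("uuid is required and must be a string");
  }
  return { uuid, balance: strictBalance(rec.balance) };
}

export function decodeAll(input: unknown[], mode: LaxMode): TimeOffPolicyEmployee[] {
  return input.map((e) => decodeEmployee(e, mode));
}

/**
 * The cost of the lax fallback: an entry whose uuid collapsed to "" can no
 * longer be attributed to an employee, so a later balance update would target
 * nobody (or whatever "" happens to match in a lookup). Returns how many
 * decoded entries lack a usable identifier.
 */
export function unattributedEntries(employees: TimeOffPolicyEmployee[]): number {
  return employees.filter((e) => e.uuid === "").length;
}

// Constructed sample shaped like the `employees` array of a Time-Off-Policy
// response. It is made up for this example, not captured from the API.
export const SAMPLE_EMPLOYEES: unknown[] = [
  { uuid: "11111111-1111-4111-8111-111111111111", balance: "40.0" },
  { uuid: "22222222-2222-4222-8222-222222222222" }, // balance omitted: allowed
  { balance: "8.5" },                                // uuid missing: strict rejects
];
```

Decoding `SAMPLE_EMPLOYEES` in strict mode rejects the third entry; in lax mode all three decode and `unattributedEntries` reports the one that can no longer be tied to an employee, which is the case a caller has to check for before acting on a balance. The same comparison shows why `looseBalance` is the wrong shape for a numeric field: it hands `"40.0 OR 1=1"` straight through, while `strictBalance` rejects it.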

@github-actions github-actions bot force-pushed the speakeasy-sdk-regen-1763511308 branch 2 times, most recently from 312ab70 to b6cfbc4 Compare November 23, 2025 00:18
@github-actions github-actions bot force-pushed the speakeasy-sdk-regen-1763511308 branch from b6cfbc4 to 59e92c6 Compare November 24, 2025 00:17