Releases: acacode/swagger-typescript-api
Release list
v13.12.6
Patch Changes
- #1813
9ac801bThanks @freddie-volant! - Add support for generating tuple types from prefixItems array schemas
v13.12.5
Patch Changes
- #1811
b87b255Thanks @morgan-coded! - Handle boolean JSON schemas without crashing.
v13.12.4
Patch Changes
-
5a327e9Thanks @js2me! - Security: Potential SSRF via URL input in Request.download() -
#1803
7bd2b17Thanks @morgan-coded! - Handle object-shaped not schemas without crashing
v13.12.3
v13.12.2
Patch Changes
-
#1779
306d59aThanks @js2me! - Fix code injection via unescaped enum string values in generated TypeScript enumsMalicious OpenAPI specs could embed arbitrary JavaScript in
components.schemas.*.enumstring values.Ts.StringValuewrapped values in double quotes without escaping, allowing attackers to break out of generated enum declarations and inject code that executes at module load when consumers import the generated client. Enum string values are now properly escaped.Reported by @thegr1ffyn: GHSA-5f94-x226-ccpm.
-
#1779
306d59aThanks @js2me! - Fix code injection via unescapedservers[0].urlin generated axios and fetch HTTP clientsMalicious OpenAPI specs could embed arbitrary JavaScript in
servers[0].url. The value was interpolated raw into string literals in generated client constructors, allowing computed-property-key injection and arbitrary code execution when consumers instantiatedHttpClientorApi(axios) or imported the generated module (fetch).apiConfig.baseUrlis now escaped once at the source before template rendering.Reported by @thegr1ffyn: GHSA-38c3-wv3c-v3xj (axios), GHSA-hqj5-cw9f-rx67 (fetch).
-
#1779
306d59aThanks @js2me! - Fix code injection via unescaped OpenAPI path strings in generated method bodiesMalicious OpenAPI specs could embed arbitrary JavaScript in path keys. Values were interpolated raw into template literals in generated API methods, so
${…}expressions ran with full process privileges on every call to the affected method. Route paths are now escaped for template-literal insertion while preserving deliberate${paramName}interpolations for declared path parameters.Reported by @thegr1ffyn: GHSA-w284-33mx-6g9v.
-
#1779
306d59aThanks @js2me! - Fix authorization-token exfiltration and SSRF via spec$refduring remote schema resolutionWhen generating from a remote OpenAPI spec, the generator walked every external
$refand fetched anyhttp(s)://URL without validating the target. A malicious spec could force HTTP requests to loopback, RFC-1918, link-local (including cloud metadata at 169.254.169.254), or internal hostnames reachable from the generator process. Redirect chains were also followed without re-validation.Remote schema fetches now enforce a defense-in-depth policy:
- Block private, link-local, and loopback addresses (IPv4 and IPv6), including
localhost - Allow cross-origin fetches only to public hosts; same-origin
$reftargets remain allowed - Allow the explicit
--urlspec source even on loopback (local development) - Follow redirects manually (max 5) and re-validate each hop
- Forward
authorizationTokenonly to same-origin remote URLs, not cross-origin$reftargets
Reported by @thegr1ffyn: GHSA-h754-fxp7-88wx, GHSA-x36r-4347-pm5x.
- Block private, link-local, and loopback addresses (IPv4 and IPv6), including
v13.12.1
v13.12.0
v13.11.2
Patch Changes
-
691d07dThanks @js2me! - Fix schema type name resolution when preferExistingSchemaNamesForExternalRefs is falseWhen
preferExistingSchemaNamesForExternalRefsis disabled, schema components with external refs were not re-parsed with the correct type name formatter, leading to incorrect type names in generated output. Now the formatter is precommitted with existing component names and affected schemas are re-parsed.
v13.11.1
v13.11.0
Minor Changes
-
f5cb2daThanks @js2me! - Fix external file$refresolution and add cleaner schema naming for split OpenAPI specs.Bug fixes
- Resolve external schema file refs (e.g.
./SidecarConfig.yaml,./models/sidecar-config.yaml) without producing ghost types such asSidecarConfigYamlthat were referenced in generated output but never exported. - Treat path segments like
models,definitions, and.as schema components instead of misclassifying them as OpenAPI component sections. - Normalize type names derived from external filenames by stripping
.yaml,.yml, and.jsonextensions. - Unwrap file-only refs to external documents that contain a single entry under
components.schemas. - Deduplicate externally resolved components that share the same disambiguated type name, preventing repeated
export interfacedeclarations (e.g. multipleNovaEntityNovaEntity) and TypeScript merge conflicts. - Recognize OpenAPI 3.1
pathItemsas a validcomponentssection when resolving JSON pointer segments.
New option
- Add
preferExistingSchemaNamesForExternalRefs(CLI:--prefer-existing-schema-names-for-external-refs).
When enabled, if an external schema file name matches an existing local component name (e.g../Specification.yaml→Specification), the generator reuses the local schema name instead of emitting redundant names likeSpecificationSpecificationorNovaEntityNovaEntity.
Local$ref-only components are eagerly resolved before parsing.
Tests
- Add
paths-2regression tests for remote OpenAPI specs with relative cross-file refs (CICD Spec Manager fixture). - Add
paths-2-prefer-existing-schema-namestests for the new naming option, including strict TypeScript checks of generated snapshot output viatsc.
- Resolve external schema file refs (e.g.
Patch Changes
- #1762
6d00192Thanks @Upgrade220! - FixContentTypein http-client not respectingenumStyle: "union". It now generates a plain type alias instead of an enum, and all call sites emit string literals instead ofContentType.Jsonetc.