Skip to content

Releases: acacode/swagger-typescript-api

v13.12.6

Choose a tag to compare

@github-actions github-actions released this 17 Jul 23:25
Immutable release. Only release title and notes can be modified.
0a511c7

Patch Changes

v13.12.5

Choose a tag to compare

@github-actions github-actions released this 14 Jul 07:08
Immutable release. Only release title and notes can be modified.
b00c1a3

Patch Changes

v13.12.4

Choose a tag to compare

@github-actions github-actions released this 02 Jul 15:11
Immutable release. Only release title and notes can be modified.
b06fb32

Patch Changes

v13.12.3

Choose a tag to compare

@github-actions github-actions released this 24 Jun 21:36
Immutable release. Only release title and notes can be modified.
6108f02

Patch Changes

v13.12.2

Choose a tag to compare

@github-actions github-actions released this 08 Jun 13:00
Immutable release. Only release title and notes can be modified.
cc3e4d1

Patch Changes

  • #1779 306d59a Thanks @js2me! - Fix code injection via unescaped enum string values in generated TypeScript enums

    Malicious OpenAPI specs could embed arbitrary JavaScript in components.schemas.*.enum string values. Ts.StringValue wrapped values in double quotes without escaping, allowing attackers to break out of generated enum declarations and inject code that executes at module load when consumers import the generated client. Enum string values are now properly escaped.

    Reported by @thegr1ffyn: GHSA-5f94-x226-ccpm.

  • #1779 306d59a Thanks @js2me! - Fix code injection via unescaped servers[0].url in generated axios and fetch HTTP clients

    Malicious OpenAPI specs could embed arbitrary JavaScript in servers[0].url. The value was interpolated raw into string literals in generated client constructors, allowing computed-property-key injection and arbitrary code execution when consumers instantiated HttpClient or Api (axios) or imported the generated module (fetch). apiConfig.baseUrl is now escaped once at the source before template rendering.

    Reported by @thegr1ffyn: GHSA-38c3-wv3c-v3xj (axios), GHSA-hqj5-cw9f-rx67 (fetch).

  • #1779 306d59a Thanks @js2me! - Fix code injection via unescaped OpenAPI path strings in generated method bodies

    Malicious OpenAPI specs could embed arbitrary JavaScript in path keys. Values were interpolated raw into template literals in generated API methods, so ${…} expressions ran with full process privileges on every call to the affected method. Route paths are now escaped for template-literal insertion while preserving deliberate ${paramName} interpolations for declared path parameters.

    Reported by @thegr1ffyn: GHSA-w284-33mx-6g9v.

  • #1779 306d59a Thanks @js2me! - Fix authorization-token exfiltration and SSRF via spec $ref during remote schema resolution

    When generating from a remote OpenAPI spec, the generator walked every external $ref and fetched any http(s):// URL without validating the target. A malicious spec could force HTTP requests to loopback, RFC-1918, link-local (including cloud metadata at 169.254.169.254), or internal hostnames reachable from the generator process. Redirect chains were also followed without re-validation.

    Remote schema fetches now enforce a defense-in-depth policy:

    • Block private, link-local, and loopback addresses (IPv4 and IPv6), including localhost
    • Allow cross-origin fetches only to public hosts; same-origin $ref targets remain allowed
    • Allow the explicit --url spec source even on loopback (local development)
    • Follow redirects manually (max 5) and re-validate each hop
    • Forward authorizationToken only to same-origin remote URLs, not cross-origin $ref targets

    Reported by @thegr1ffyn: GHSA-h754-fxp7-88wx, GHSA-x36r-4347-pm5x.

v13.12.1

Choose a tag to compare

@github-actions github-actions released this 04 Jun 19:19
Immutable release. Only release title and notes can be modified.
ee5034b

Patch Changes

  • caa2874 Thanks @js2me! - update all deps to latest (patch + minor deps, no major updates)

v13.12.0

Choose a tag to compare

@github-actions github-actions released this 28 May 18:46
Immutable release. Only release title and notes can be modified.
ddf2943

Minor Changes

  • 691559a Thanks @js2me! - Add enumStyle: "const-enum" to generate TypeScript const enum declarations for schema enums and the built-in ContentType.

v13.11.2

Choose a tag to compare

@github-actions github-actions released this 28 May 14:52
Immutable release. Only release title and notes can be modified.
febb2d8

Patch Changes

  • 691d07d Thanks @js2me! - Fix schema type name resolution when preferExistingSchemaNamesForExternalRefs is false

    When preferExistingSchemaNamesForExternalRefs is disabled, schema components with external refs were not re-parsed with the correct type name formatter, leading to incorrect type names in generated output. Now the formatter is precommitted with existing component names and affected schemas are re-parsed.

v13.11.1

Choose a tag to compare

@github-actions github-actions released this 28 May 09:04
Immutable release. Only release title and notes can be modified.
929b09c

Patch Changes

  • bfad977 Thanks @js2me! - fixed preferExistingSchemaNamesForExternalRefs parameter

v13.11.0

Choose a tag to compare

@github-actions github-actions released this 28 May 07:14
Immutable release. Only release title and notes can be modified.
03e439a

Minor Changes

  • f5cb2da Thanks @js2me! - Fix external file $ref resolution and add cleaner schema naming for split OpenAPI specs.

    Bug fixes

    • Resolve external schema file refs (e.g. ./SidecarConfig.yaml, ./models/sidecar-config.yaml) without producing ghost types such as SidecarConfigYaml that were referenced in generated output but never exported.
    • Treat path segments like models, definitions, and . as schema components instead of misclassifying them as OpenAPI component sections.
    • Normalize type names derived from external filenames by stripping .yaml, .yml, and .json extensions.
    • Unwrap file-only refs to external documents that contain a single entry under components.schemas.
    • Deduplicate externally resolved components that share the same disambiguated type name, preventing repeated export interface declarations (e.g. multiple NovaEntityNovaEntity) and TypeScript merge conflicts.
    • Recognize OpenAPI 3.1 pathItems as a valid components section when resolving JSON pointer segments.

    New option

    • Add preferExistingSchemaNamesForExternalRefs (CLI: --prefer-existing-schema-names-for-external-refs).
      When enabled, if an external schema file name matches an existing local component name (e.g. ./Specification.yamlSpecification), the generator reuses the local schema name instead of emitting redundant names like SpecificationSpecification or NovaEntityNovaEntity.
      Local $ref-only components are eagerly resolved before parsing.

    Tests

    • Add paths-2 regression tests for remote OpenAPI specs with relative cross-file refs (CICD Spec Manager fixture).
    • Add paths-2-prefer-existing-schema-names tests for the new naming option, including strict TypeScript checks of generated snapshot output via tsc.

Patch Changes

  • #1762 6d00192 Thanks @Upgrade220! - Fix ContentType in http-client not respecting enumStyle: "union". It now generates a plain type alias instead of an enum, and all call sites emit string literals instead of ContentType.Json etc.