Skip to content

build(deps): bump github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.7.1 in /dev-tools#7401

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/dev-tools/github.com/oapi-codegen/oapi-codegen/v2-2.7.1
Open

build(deps): bump github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.7.1 in /dev-tools#7401
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/dev-tools/github.com/oapi-codegen/oapi-codegen/v2-2.7.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.7.1.

Release notes

Sourced from github.com/oapi-codegen/oapi-codegen/v2's releases.

Security fix for Go code injection

This is a security fix for a code injection vulnerability in v2.7.0, please see:

GHSA-rjwr-m7qx-3fjr

[!NOTE] A vulnerability like this requires that it is missed in code review and that you then call the malicious method.

Using an init() function could be enough to not require a direct call to the code, and instead rely on you importing the package, but either way, code review should be performed before any oapi-codegen generated code is executed.

We strongly recommend all users to be reviewing changes to their generated code before they execute anything within it, to protect against supply chain attacks or malicious injected code.

This is also why we recommend oapi-codegen generated code is committed to source control.

We're more strict about escaping strings passed into the OpenAPI specification, so that people can't inject Go code into generated code.

The problem was that it was possible to craft a description for server URL's which would emit arbitrary Go code, so if an attacker controlled your specification, they could inject Go code into your generated code which could do something malicious.

v2.7.0: Squashing bugs, many bugs (and adding some features)

Many improvements and even more bug fixes

This v2.7.0 release of oapi-codegen contains quite a bit of internal refactoring, focused on our most historically fragile code paths, which relate to the aggregate types (allOf/anyOf/oneOf), $ref to external specs, enums, and the spec traversal logic missing quite a few leaf nodes where models should have been generated, but were skipped.

The biggest changes are explicitly described in the sections below, and the full list of commits is at the bottom.

Thank you to all contributors, we've been going through all past PR's and updating them and merging where we can, and thanks to all our users for reporting issues that you hit.

I've (@​mromaszewicz) used a lot of LLM help here to scrub through old issues and do some deep internal refactoring to address common problem areas. I intend to continue doing this, since the conditional generation logic is getting quite complicated. When I originally released oapi-codegen, the use case was much simpler, all the models were under #/components/schemas, and all the references to them were in the requests, responses, etc. I never imagine how many things would be external references or unions, and how many complex OpenAPI specifications people would be generating code for. The initial design was never flexible enough to handle that, so ongoing bug fixes are getting increasingly complex due to edge cases. This version has a lot of internal changes you won't see as a user, but the way we handle type generation internally is unifying lots of copy/paste re-implementations into reusable code for consistency. Most of these changes can be done transparently, but some can't, so, onto the changes:

Code generation changes which might require some changes on your end

This release contains three changes, all very narrow in scope, which will require some manual adjustment of your own code. We've decided that these are small enough and uncommon enough not to require opt-in, which causes internal complexity. It's always a judgment call with these. If we got it wrong, we're happy to revisit it in a maintenance release.

Strict-server external response refs require strict-server generation in both packages (#2357)

If your strict-server spec uses an external $ref to a components/responses/... defined in another spec, that other spec must also be generated with strict-server: true. Add it to the source spec's config and regenerate:

# config for the spec being $ref'd
generate:
  models: true
  strict-server: true   # now required when imported by a strict-server spec

This restores the v2.0.0 behavior that lets you cast response models across package boundaries — the standard pattern for sharing error models (e.g. a common 400) across services. PR #1387 had silently changed the embedded type from N400JSONResponse to the bare externalRef0.N400, so the local and external response structs no longer had matching types and casts stopped compiling.

Many more anonymous inner schemas are now hoisted into top level schemas

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/oapi-codegen/oapi-codegen/v2](https://github.com/oapi-codegen/oapi-codegen) from 2.5.0 to 2.7.1.
- [Release notes](https://github.com/oapi-codegen/oapi-codegen/releases)
- [Commits](oapi-codegen/oapi-codegen@v2.5.0...v2.7.1)

---
updated-dependencies:
- dependency-name: github.com/oapi-codegen/oapi-codegen/v2
  dependency-version: 2.7.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 17, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner July 17, 2026 18:52
@dependabot
dependabot Bot requested review from lorienhu and ycombinator July 17, 2026 18:52
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 17, 2026
@mergify

mergify Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This pull request does not have a backport label. Could you fix it @dependabot[bot]? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

check-ci is failing because upgrading oapi-codegen changes committed generated API files, but this PR updates only dev-tools/go.mod and dev-tools/go.sum. This is a deterministic generated-code drift failure, not an infrastructure or flaky-test failure.

Remediation

  • Run go generate ./... with the updated dev-tools/go.mod, review the generated changes, and commit the resulting updates to internal/pkg/api/openapi.gen.go, pkg/api/client.gen.go, and pkg/api/types.gen.go.
  • Re-run .buildkite/scripts/check_ci.sh (or the equivalent mage check:ci) and confirm the generated diff is clean.
Investigation details

Root Cause

The generation directives in main.go:6-8 explicitly run oapi-codegen from dev-tools/go.mod. mage check:ci runs generation (magefile.go:452-460) and then enforces a clean worktree (magefile.go:596-617). With v2.7.1, generation adds enum Valid() methods and security context key types; those changes are not included in the PR.

Evidence

  • Build: https://buildkite.com/elastic/fleet-server/builds/15540
  • Job/step: Run check-ci / .buildkite/scripts/check_ci.sh
  • Key log excerpt:
    internal/pkg/api/openapi.gen.go: needs update
    pkg/api/client.gen.go: needs update
    pkg/api/types.gen.go: needs update
    Error: git update-index failure: running "git update-index --refresh" failed with exit code 1
    
  • The PR diff contains only dev-tools/go.mod and dev-tools/go.sum; it does not contain the three generated files reported by the job.

Verification

  • Not run locally; this diagnosis is based on the failed Buildkite log and PR diff.

Follow-up

  • No open flaky-test issue matched this check-ci failure.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants