Skip to content

chore(deps): update dependency oasdiff/oasdiff to v1.22.0#137

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/oasdiff-oasdiff-1.x
Open

chore(deps): update dependency oasdiff/oasdiff to v1.22.0#137
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/oasdiff-oasdiff-1.x

Conversation

@renovate

@renovate renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change Pending
oasdiff/oasdiff minor 1.20.01.22.0 v1.23.0

Release Notes

oasdiff/oasdiff (oasdiff/oasdiff)

v1.22.0

Compare Source

Exact source locations, an OpenAPI 3.1 allOf fix, and a published output schema

Every change reported by breaking and changelog now carries a precise source location, down to the exact field or value that changed. OpenAPI 3.1 multi-type arrays no longer fail --flatten-allof, and a new oasdiff schema command publishes a JSON Schema for the machine-readable output so CI tooling can validate against it.

CLI changes
  • OpenAPI 3.1 multi-type arrays no longer fail --flatten-allof (#​1079). Any multi-type array such as type: [integer, "null"] (the idiomatic 3.1 way to express nullable) inside a schema touched by allOf merging used to fail with unable to resolve Type conflict: all Type values must be identical, even when there was no conflict at all. The merge now keeps each schema's type array intact and intersects across allOf branches: a multi-type array in a single branch passes through unchanged, identical arrays across branches merge, and integer still resolves as a subset of number. A genuinely empty intersection (e.g. [string, "null"] with [integer]) reports the same conflict error as before. Fixes #​1078 (thanks @​katepol for the report) and #​535.
  • New oasdiff schema command (#​1075, thanks @​fuleinist for the request in #​1074). Prints a JSON Schema describing the --format json/yaml output of breaking and changelog, reflected directly from the output type so it cannot drift. Non-Go CI tooling can pin the schema to an oasdiff version to validate or type results. The diff JSON is intentionally not covered yet, since its from/to values are too loosely typed for a useful reflected schema.

Exact source locations

  • Security changes now report a source location (#​1069). Global security, operation-level security, and component OAuth changes (api-global-security-*, api-security-*, api-security-component-oauth-*) previously appeared with no baseSource/revisionSource. They now anchor to the relevant security field or scheme. Known limitation: the two scope-added cases point at their container rather than the exact scope line, pending an upstream parser origin enhancement.
  • Stability and sunset-parse changes now report a source location (#​1070). The api-stability-*, api-invalid-stability-level, and property stability changes anchor to the exact x-stability-level field, and request-parameter-sunset-parse is located consistently from both checks that emit it. With this, every checker emits a location.
  • Sunset and x-extensible-enum changes point at the exact field or value (#​1073). api-sunset-* and request-parameter-sunset-* now point at the x-sunset field instead of the containing operation or parameter, and the x-extensible-enum-value-removed checks point at the exact removed value, matching how the enum checks already behave.
  • Tag changes point at the tag, not the tags: field (#​1076). api-tag-removed / api-tag-added now source the specific tag entry (so removing tag security points at the - security line) and set only the side the tag exists on.

Changelog verdicts

  • A loosely-typed type swap is no longer called "narrowed" or "widened" (#​1076). A body or property type change such as string to object under a loosely typed media type like application/xml is backward compatible only because everything on the wire is a string, not a genuine narrowing, yet it was reported as response-body-type-specialized ("was narrowed from string to object"). Such swaps are now rerouted to four new INFO verdicts, request-body-type-compatible, request-property-type-compatible, response-body-type-compatible, and response-property-type-compatible, worded "changed from X to Y (backward compatible)". Genuine narrowing or widening, and adding or removing the type constraint entirely, keep their existing verdicts.

Misc

  • Type generalize/specialize messages now read "widened" and "narrowed" (#​1067). "The type was specialized from number to integer" becomes "was narrowed from number to integer", matching the phrasing the list-of-types messages already use, in all four locales. Message text only: the rule ids and their descriptions keep the generalize/specialize terms.
  • changelog - - builds both sides from a single stdin read (#​1082). When base and revision are both -, the revision was previously loaded from the already-exhausted stdin and patched afterwards, leaving its spec version internally inconsistent and relying on the parser accepting empty input. Both sides are now constructed from one read; output is unchanged (no changes reported, exit 0).
Go package changes
  • Breaking: five internal-only checker helpers are unexported (#​1072). OperationFieldSources, ParameterFieldSources, SchemaMapItemSource, IsDecreasedValue, and IsIncreasedValue are now package-private. They were source and value-comparison internals with no known external callers; the public entry points (CheckBackwardCompatibility, NewConfig, GetAllRules, and the individual check functions) are unchanged.

v1.21.0

Compare Source

Sharper response-side detection, a crash fix for schema-less media types, and clearer change messages

This release fixes a panic in oasdiff breaking when a media type gains or loses a schema, fills in the response-side mirrors of several breaking-change checks (response type widening/narrowing, added response headers, media-type schema add/remove), refines when a scalar-to-array query parameter counts as breaking, and rewrites the type/format change messages to read in plain English.

CLI changes

Crash fix

  • No more panic when a media type gains or loses a schema (#​1049, thanks @​JosefKuchar for the clean repro and root-cause analysis, and @​SAY-5 for an independent fix that confirmed it). A response declared as content: { application/json: {} } in the base that adds schema: { type: string } in the revision (or the reverse) used to nil-panic deep inside the per-schema checks. The schema walkers now skip a media type whose schema is present on only one side, so none of the ~70 checks built on them can dereference a missing Base/Revision. The add/remove is still reported (see below).

Response-side detection (filling in the contravariant mirrors)

  • Response body/property type changes now report widening vs narrowing, not a generic change (#​1065). A response type that narrows (number to integer) produced no finding at all, and a widening was reported with the generic response-*-type-changed. The verdict is now split three ways, the mirror of the request side: a narrowed return type is response-*-type-specialized (INFO), a widened one is response-*-type-generalized (ERR), and a genuinely incompatible change stays response-*-type-changed (ERR).
  • A media type schema added or removed where there was none is now classified (#​1051). Building on the crash fix, this case is reported as the change it is: request-body-media-type-schema-added (ERR, input that accepted anything now requires a shape) and response-body-media-type-schema-removed (WARN, a typed response is no longer guaranteed) are the breaking directions, with request-body-media-type-schema-removed and response-body-media-type-schema-added as their INFO duals.
  • Adding a response header is now reported (#​1057). Only header removal had a rule; the mirror response-header-added now fires at INFO as a non-breaking changelog entry.

Query parameter widening

  • Scalar to form/explode array widening is now correct in the cases #​915 got wrong (#​1024, fixes #​918). A query parameter widening from a scalar to a form/explode array of the same scalar is safe exactly when the array's item still accepts every value the base accepted. Two refinements follow: OpenAPI 3.1 nullable shapes (["string"] to ["array","null"]) and weakly-typed multi-type bases ([string,integer] to array<string>) are now correctly reported as generalizations, while an item that narrows the value contract (string to array<string> with an added pattern that would reject ?token=5) is now correctly reported as breaking. The generalization verdict carries a comment explaining the form/explode reasoning, since a scalar-to-array change reads like a breaking one. Deliberate trade-off: widening to an array while simultaneously loosening the item is genuinely safe but now reported as breaking, the correct side to err on.

oneOf wrapping

  • Wrapping a body in a oneOf now emits a single finding (#​1060, #​1038, follow-up to #​702). Wrapping a concrete object body into a oneOf of alternatives used to produce overlapping findings: *-body-wrapped-in-one-of plus *-body-one-of-added plus a top-level *-body-type-changed/-generalized (the wrapper has no type, so it read as any). On the response side, contravariance made all three ERR, so a single wrapping produced three breaking findings. The redundant one-of-added and body type change are now suppressed when an OneOfWrappingDiff is present, so each wrapped body emits exactly one accurate finding on each side.

Misc

  • Type/format change messages are now readable (#​1056). The old the type/format was generalized from string/`` to array, null/``` is replaced by the type was generalized from string to array<string>, null``: an empty format is folded away, arrays show their item type, an unset type renders as any, and the message names the dimension that actually changed (type, format, or type/format`). Check ids and levels are unchanged; only the human-facing text and its arguments change. The RU translations for these messages were also rewritten for consistency.
  • Type generalize/specialize messages now say "was widened" / "was narrowed" (#​1067). Plainer English than "was specialized from number to integer", matching the wording the list-of-types messages already use, across all four locales. The rule ids keep the generalize/specialize terms.
Go package changes

Breaking: structured security requirement diff

  • Breaking: security requirement diff alternatives are now structured, index-keyed values (#​1044). The diff output schema for security requirements changed: Added/Deleted go from []string to SecurityAlternatives ([]SecurityAlternative, each { Index, Schemes map[string][]string }), and Modified goes from map[string]SecurityScopesDiff to ModifiedSecurityRequirements ([]*ModifiedSecurityRequirement). This models a security: list as the unordered set of OR-alternatives it is, so a removed alternative that shares a scheme with others is now unambiguous in both the structured diff output and the changelog message (the endpoint scheme security petstore_auth: [admin:pets] was removed). Consumers of the structured oasdiff diff output for security requirements need to update.

Misc

  • Breaking: the property-walk primitives are no longer exported (#​1063, closes #​953). checker.CheckModifiedPropertiesDiff / CheckAddedPropertiesDiff / CheckDeletedPropertiesDiff had zero external callers (verified across this repo and oasdiff-service) and were internal primitives consumed by the media-type walker. They are now unexported. No CLI or output impact; a library-only API-surface reduction.

v1.20.1

Compare Source

What's changed

Security diff
  • Phantom security-scope diff fixed (#​1043, thanks to @​siem-moneybird for
    the report and a working reference fix): an OR of scopes written by repeating
    a scheme (- petstore_auth: [read] / - petstore_auth: [write]) no longer
    reports a spurious scope add/remove, even diffing a spec against itself.
  • Security diff output restructured (#​1044): in -f json / -f yaml,
    securityRequirements.added / deleted are now objects with index and
    schemes (were strings), and modified is now a list (was a map), so a
    changed alternative is unambiguous when several share a scheme.
    Heads-up: this changes the machine-readable diff shape for security and
    the exported Go type diff.SecurityRequirementsDiff (a breaking change if you
    import the library). The human-readable text report is unchanged in meaning.
Checker
  • Fewer false positives (#​1022, #​702): a oneOf-wrapped request property is
    no longer reported as removed.
Formatters
  • Valid empty output (#​1045, #​1046): validate and the diff formatters emit
    a valid empty document for a clean spec / no changes, in every format.
Internal
  • CI: github-actions Dependabot ecosystem (#​1039) + actions group bump (#​1040);
    checker rule-symmetry test guard (#​1035).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

09a88e1:

Upstream OpenAPI spec

No API changes detected.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

No breaking changes from 09a88e1

No API changes detected after overlay.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

09a88e1:

No API changes detected after overlay.

@renovate renovate Bot force-pushed the renovate/oasdiff-oasdiff-1.x branch from 1b6733c to 09a88e1 Compare July 8, 2026 20:59
@renovate renovate Bot changed the title chore(deps): update dependency oasdiff/oasdiff to v1.21.0 chore(deps): update dependency oasdiff/oasdiff to v1.22.0 Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants