chore(deps): update dependency tufin/oasdiff to v1.20.1 #168
Open
Workleap IT (Infra-Workleap) wants to merge 1 commit into
Branch automerge failure
This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
|
| @@ -7,7 +7,7 @@ internal sealed class OasdiffManager : IOasdiffManager | |||
| { | |||
| // If the line below changes, make sure to update the corresponding regex on the renovate.json file | |||
| // Do not upgrade to v2.x as it is an older version with breaking changes | |||
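Review bot: The two comments at the top of this hunk are the only guard shown for the version pin: one depends on a regex in renovate.json staying in sync with the line below it, the other forbids v2.x, and neither is enforced by code visible here. The changed line itself falls outside the lines shown, so confirm the new value is still matched by that regex, and consider restricting the allowed range to 1.x in renovate.json (for example with an allowedVersions rule) so the v2.x exclusion does not rest on a comment.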
This PR contains the following updates:
1.12.4 → 1.20.1
Release Notes
Tufin/oasdiff (Tufin/oasdiff)
v1.20.1
What's changed
Security diff
the report and a working reference fix): an OR of scopes written by repeating a scheme (- petstore_auth: [read] / - petstore_auth: [write]) no longer reports a spurious scope add/remove, even diffing a spec against itself.
-f json / -f yaml, securityRequirements.added/deleted are now objects with index and schemes (were strings), and modified is now a list (was a map), so a changed alternative is unambiguous when several share a scheme.
Heads-up: this changes the machine-readable diff shape for security and the exported Go type diff.SecurityRequirementsDiff (a breaking change if you import the library). The human-readable text report is unchanged in meaning.
Checker
no longer reported as removed.
Formatters
validate and the diff formatters emit a valid empty document for a clean spec / no changes, in every format.
Internal
github-actions Dependabot ecosystem (#1039) + actions group bump (#1040); checker rule-symmetry test guard (#1035).
v1.20.0
oasdiff v1.20.0 sharpens breaking-change detection (fewer false positives across type, format, and nullability changes) and adds a --stability-level flag to opt into draft and alpha stability levels.
CLI changes
Stability levels
--stability-level flag (#845, thanks @ankita-gd). Set the minimum stability level to include (for example draft or alpha) so changes to lower-stability resources are reported. These levels are excluded by default, so including them is opt-in.
Fewer false-positive breaking changes
type arrays is now symmetric (#1015). Adding or removing null from a type array is detected consistently, and the untyped case is ignored rather than misreported.
Misc
--open can upload an authenticated review (#1025), used by the oasdiff Pro GitHub Action. The default --open (free anonymous side-by-side review) is unchanged.
Go package changes
checker were renamed from SCREAMING_SNAKE_CASE to MixedCaps (#1032), following Go naming conventions. Library callers referencing these constants must update the identifiers; behavior is unchanged.
v1.19.1
Cleaner --open review output and a config-file fix
This release hardens the --open side-by-side review flow: piped --format json/yaml output now stays valid, a failed upload no longer changes your exit code, and composed mode is rejected up front with a clear message. It also fixes a config-file regression where setting match-inline-refs made the whole file fail to load.
CLI changes
--open review flow
--open no longer corrupts piped JSON/YAML output (#1011). oasdiff changelog --format json --open > out.json used to append the human-facing Opening <url> (expires ...) line (and any "could not open browser" notice) to stdout, right after the rendered changelog, producing invalid JSON/YAML. The success-path URL and guidance now go to stderr, so stdout carries only the rendered output. (The earlier non-fatal work already routed --open errors to stderr; this does the same for the success path.)
--open failures are now non-fatal (#1009). The changelog/breaking output is printed before the upload runs, so an upload error, unreachable host, or unsupported spec source used to return exit code 130 and pre-empt --fail-on, changing the command's result. A review that could not be uploaded should never alter the check's outcome: such failures are now warned to stderr and the command continues to its normal --fail-on exit.
--open with composed mode (-c) is rejected up front (#1009). Composed mode diffs a glob of many files, which the two-spec review cannot represent. This static, user-fixable combination now fails at argument validation with exit 100 and a clear message (--open cannot be used with composed mode (-c): the side-by-side review compares exactly two specs), before any diff runs. diff and summary (which share argument parsing but have no --open flag) are unaffected.
Config files
match-inline-refs is now accepted in config files (#1010). The config file is validated with UnmarshalExact, so a flag missing from the internal Config struct did not just go unread, it made any config file that set it fail to load entirely (exit 107). match-inline-refs (a visible, default-on diff flag) was missing, so match-inline-refs: false in .oasdiff.yaml was rejected. It is now a recognized key. A new drift-guard test walks every persistent flag on the config-loading commands and asserts each is either a Config field or deliberately excluded, so a future flag cannot silently break users' configs the same way.
CONFIG-FILES.md is corrected to note that --open (an interactive one-shot action) is the deliberate exception and stays command-line only.
Misc
--open help text notes client-side encryption (#1006). The changelog/breaking --open help read "upload the comparison to oasdiff.com", which to a privacy-conscious reader looked like specs being sent in clear. It now reads "encrypt the comparison and upload it to oasdiff.com, then open the side-by-side review in a browser", signaling that encryption happens on the client before upload.
--open comments generalized to "the server" (#1009). --open uploads to the URL from OASDIFF_URL (defaulting to oasdiff.com), so the internal comments that hardcoded "oasdiff.com" as the destination were reworded to stay accurate for a local dev server or self-hosted target.
v1.19.0
End-to-end encrypted --open reviews, sharper request body detection
oasdiff changelog --open and oasdiff breaking --open now encrypt your specs on your machine before upload, so the side-by-side review you share is readable only by someone holding the link, never by the host. Plus a detection fix that stops flagging request body type removals that widen what the API accepts.
CLI changes
Encrypted --open review
--open is now end-to-end encrypted (#1001). The CLI bundles the two specs, their filenames, and the computed changelog, AES-256-GCM-encrypts the bundle with a fresh random key, and uploads only the ciphertext. The decryption key travels in the review URL's #fragment (oasdiff.com/review/e/<id>#k=<key>), which browsers never send to a server, so the host stores a blob it cannot read and your spec content never leaves your machine in cleartext. The link is shareable for 7 days; treat it like a secret, since anyone with the full link (key included) can read the review. A side effect of carrying nothing attributable to an account: the previous browser sign-in step is gone, so --open now works with no account. The upload target defaults to oasdiff.com and is overridable with the OASDIFF_URL environment variable to point at your own deployment.
--open help text now signals client-side encryption (#1006). The flag description on changelog/breaking --help changed from "upload the comparison to oasdiff.com" to "encrypt the comparison and upload it to oasdiff.com, then open the side-by-side review in a browser", so a privacy-conscious reader can tell encryption happens before the upload.
Detection rules
type constraint from a request body widens what the API accepts (the endpoint now takes more payloads, not fewer), so it is no longer reported as a breaking change.
Go package changes
Misc
load.WithIdentity is removed (#1000). The exported WithIdentity() was a no-op Option that returned specs unchanged; it is now inlined as an implementation detail inside GetOption. External callers that referenced it should use load.GetOption(opt, false) instead. GetOption(option, enable) is unchanged and remains the way to apply an option conditionally.
v1.18.6
A small release: the main user-visible change is dropping a redundant field from the machine-readable output, plus Go library additions for working with in-memory specs.
CLI changes
source field from JSON and YAML output. Each change carried a top-level source that duplicated the origin already reported in baseSource/revisionSource. Consumers parsing oasdiff breaking/changelog JSON or YAML should read baseSource/revisionSource instead. (#995)
Go package changes
load.NewSpecInfoFromData: build a SpecInfo from OpenAPI bytes already in memory, labeling its source with a name you provide, so source-location reporting uses that name rather than a temp path. (#996)
Source field from formatters.Change. Use BaseSource/RevisionSource. (#995)
load.WithIdentity. It was a no-op option; use load.GetOption(opt, false) for the disabled-option case. (#1000)
Full Changelog: oasdiff/oasdiff@v1.18.5...v1.18.6
v1.18.5
This release fixes a crash in breaking-change detection, widens not sub-schema coverage, and adds a flag to fetch missing git revisions automatically.
CLI changes
items, or a removed not/if/then/else/contentSchema) previously aborted with a nil pointer panic. oasdiff breaking, changelog, and diff now handle these diffs cleanly.
not sub-schema is now traversed for property changes (#994). Property changes nested inside a not schema (a removed property, a tightened constraint, a newly required field) are now detected by breaking and changelog instead of being silently skipped. Closes #916.
--fetch flag (#993). When a <rev>:<path> source points at a commit that is not in your local clone, --fetch tells oasdiff to fetch it from origin before comparing, instead of failing with a missing-object error. Without the flag oasdiff stays read-only and only prints the git fetch command to run.
Full Changelog: oasdiff/oasdiff@v1.18.4...v1.18.5
v1.18.4
What's changed
load: actionable hint when a git revision's commit isn't in the local clone (#990). When a <sha>:<path> source references a commit that isn't present locally (a reviewer who hasn't fetched the PR branch, or a shallow clone lacking the base), oasdiff now prints the exact command to run:
instead of a terse git error. oasdiff stays read-only: it never fetches or mutates your repository on its own. A missing path within an existing commit, and a "git not installed" failure, are reported unchanged.
Full Changelog: oasdiff/oasdiff@v1.18.3...v1.18.4
v1.18.3
Breaking changes
This release reorganizes the oasdiff checks categorization to align with the OpenAPI specification's object model.
checks json/yaml output renames the location field to area and adds a new kind field. area is the OpenAPI object a rule concerns (schema, parameters, requestBody, responses, paths, headers, security, tags, components); kind is the aspect of the contract that changed (existence, requiredness, mutability, type, constraints, values, structure, lifecycle).
--tags accepts the new area and kind values; the old body and properties tags are removed.
checker.Location and its Location* constants are renamed to checker.Area/Area*, a new checker.Kind/Kind* is added, and BackwardCompatibilityRule.Location becomes .Area plus .Kind.
Why
The previous location taxonomy mixed OpenAPI object names with ad-hoc buckets and left about three quarters of all rules in two catch-alls (body, properties). Splitting "which OpenAPI object" (area) from "what kind of change" (kind) makes every rule classifiable along two clean, independent axes and uses terminology straight from the OpenAPI spec. All rules are explicitly assigned both fields.
See docs/CHECKS.md for the full list of areas, kinds, and tags.
Full Changelog: oasdiff/oasdiff@v1.18.2...v1.18.3
v1.18.2
oasdiff v1.18.2 completes and polishes the rule catalog that powers oasdiff breaking and oasdiff changelog, across all supported languages.
CLI changes
Complete, accurate rule catalog
oasdiff checks now resolves a real description for every one of the 474 rules. 29 rules previously rendered their internal localization key instead of a description; all are now filled in (#985).
anyOf addition was described as a removal) plus a typo (#985).
Upgraded the OpenAPI parser to kin-openapi 0.140.0 (#984).
Misc
oasdiff/homebrew-oasdiff tap; brew install oasdiff via homebrew-core is unchanged.
Full Changelog: oasdiff/oasdiff@v1.18.1...v1.18.2
v1.18.1
What's changed
Patch release focused on --allow-external-refs handling.
--allow-external-refs=false is now honored on the git-revision input path (#974). Previously the setting was enforced when loading specs from files and URLs, but a spec loaded via the rev:path git form could still resolve external $refs. The behavior is now consistent across all input forms; intra-repository relative $refs continue to resolve via git show and are unaffected.
$ref (#975). When --allow-external-refs=false blocks an external reference, oasdiff now exits with code 123 (distinct from the generic load-failure code 102), so tooling can detect this specific case by exit code rather than by parsing the error message.
Security
This release fixes GHSA-2jcc-mxv7-p3f9. Before v1.18.1, --allow-external-refs=false was not enforced on the git-revision input path (rev:path), so external $refs could still be resolved there when processing untrusted specs (SSRF / local file read). See the advisory for impact, affected versions, and workarounds.
No changes to diff/breaking/changelog output. The --allow-external-refs default is unchanged (true).
Full Changelog: oasdiff/oasdiff@v1.18.0...v1.18.1
v1.18.0
Annotation-only allOf false-positive fixed, --open mode-aware filtering, and the media-type walker migration completes
The user-visible headline is in breaking: adding an allOf subschema whose body is only annotation keywords no longer flags as a breaking change. Under the hood, the media-type walker migration that started in PRs #940–#952 finishes in this release; every checker that operates on request- or response-body schemas now runs through one uniform shape.
CLI changes
Detection rules
allOf additions are no longer reported as breaking (#964). Adding an allOf subschema whose body is only annotation keywords (title, description, examples, default, externalDocs, $comment) does not reject any previously-valid instance, so it is not a wire-contract change. Per the "Diff is Schema-Shape, Breaking is Wire-Contract" split, oasdiff diff continues to surface the structural addition unchanged, while oasdiff breaking no longer fails CI gates with --fail-on WARN on what is purely a documentation edit. oasdiff changelog still records the change at INFO under eight new check IDs covering the request × response × body × property × add × remove matrix (e.g. request-body-all-of-added-annotation-only), so audit-trail consumers see the document-level change instead of it silently disappearing. Constraint-bearing allOf additions, and mixed sets that contain at least one constraint-bearing subschema, still fire at their original severities. Motivated by OAS discussion #3793 (handrews).
--open flag
oasdiff breaking --open now filters the rendered page to breaking-only (#958). The web view previously showed every change including INFO regardless of which subcommand opened it, which did not match the visitor's terminal output. The CLI now forwards mode=breaking or mode=changelog as a form field on the upload, and the rendered page filters severity to match. Backward compatible in both directions: older CLI against a newer service is treated as changelog (today's behavior), and a newer CLI against an older service has the field silently ignored. Other filtering flags (--fail-on, --level, --include-checks) are still treated as interactive concerns of the web UI and remain ignored by --open.
Localization
exclusiveMinimum/exclusiveMaximum (#969). 162 message strings (54 per locale across the exclusive-min and exclusive-max families and their -description and -comment siblings) translated by extending the already-merged min/max patterns. The OpenAPI keywords exclusiveMinimum/exclusiveMaximum stay in their canonical English casing inside the translated sentence, matching the JSON Schema specification terminology and the existing convention for allOf, oneOf, anyOf, $ref. Cuts the English-identical entries per non-English locale from 302 to 248.
Docs
docs/GIT-DIFF-DRIVER heading typo fix (#959). One section title said "GET" (autocorrect from "cat"), with no referent in the body. Now reads correctly. The git-diff-driver subcommand itself shipped in v1.17.0.
Internal cleanup: media-type walker migration completes
The migration introduced by #940 moved per-checker path → operation → requestBody|response → content → mediaType → schema traversal boilerplate into a single helper. This release lands the final seven batches and removes the last in-scope checkers from the queue:
became_required/became_optional response pair
write-only/read-only triplet (request property + response optional + response required)
contains pair
Roughly 1300 lines net removed across the full series. Per-checker function shape is now uniform; new checks added in the future drop into the same shape. No behaviour change for users — checks emit the same change IDs at the same severities. The remaining unmigrated checkers all operate on parameters / headers and would need a separate parameter walker; that work is tracked separately and is not in this release.
Auto-changelog below.
v1.17.0
Two new CLI surfaces (git-diff-driver, --open), header-default flip, walker foundation
This release adds two ways to see OpenAPI changes outside the terminal. oasdiff git-diff-driver turns git log --patch and git diff into a human-readable changelog, and a new --open flag on changelog and breaking uploads the comparison to oasdiff.com and opens a side-by-side review in your browser. Both work against any spec in any git repo, public or private. Also: a default flip for header comparison, plus a foundation refactor (media-type walker) that shipped behind the scenes.
CLI changes
New subcommands and flags
git-diff-driver subcommand (#954, inspired by Jamie Tanna's post). Wire oasdiff into git as an external diff driver, and git log --patch --ext-diff renders a human-readable OpenAPI changelog inline instead of a raw YAML text diff. Two config lines:
abc1234:openapi.yaml) instead of git's tempfile paths. Full setup in docs/GIT-DIFF-DRIVER.md.
--open flag on changelog and breaking (#955, #956). After printing the changelog, uploads the comparison to oasdiff.com and opens the rendered side-by-side review in your browser. First run signs in with GitHub (minimal scopes, no repo access) and stores a token locally; subsequent runs skip. The resulting URL is shareable for 7 days, so reviewers can open it without installing the CLI themselves. Filtering and presentation flags (--fail-on, --format, etc.) apply only to terminal output; semantic flags (--flatten-params, --match-inline-refs, etc.) are forwarded to the web review so it matches what you saw locally.
Detection rules
--case-insensitive-headers now defaults to true (#939). HTTP header names are case-insensitive per RFC 7230; oasdiff has supported the case-insensitive comparison via flag since v1.x, but the default until now was case-sensitive, so a change between Content-Type and content-type was still flagged as breaking. The default flips to case-insensitive in this release. Pass --case-insensitive-headers=false to opt back into the previous behavior.
$ref-equivalent subschemas now match (#938, plus an earlier round in #930, thanks @kesha1225). Refactoring an inline schema to a $ref of an equivalent component, or vice versa, no longer produces false "removed subschema" / "added subschema" findings on anyOf/oneOf. The matcher recognizes structurally-equivalent variants regardless of which form they're written in.
response-property-became-nullable/-not-nullable changes had asymmetric source-location attachment between matched-pair directions; both sides now attach to the property location consistently.
changelog/breaking output
oasdiff diff (#946). When oasdiff changelog or breaking finds no significant differences but the underlying diff has document-level changes (info.contact edits, etc.), the CLI hints to try oasdiff diff for the full document-level view. JSON / YAML output also surfaces this via a top-level diff_empty field.
Misc
ERRORS.md is linked from the validate command's help and error output (#934).
Go package changes
Public validate package
github.com/oasdiff/oasdiff/validate package (#944). The spec-validation logic the validate subcommand uses is now an independent package; library callers can import it directly without going through the CLI. validate.Validate(spec, sourcePath) returns a Findings list (each with a stable rule ID, severity, message, and origin when the loader provides line / column info).
Media-type walker foundation
Loader: blob-hash git refs
<ref>:<path> syntax now accepts blob SHAs in addition to commit / tag refs (#954). Required by git-diff-driver because git's external-diff protocol passes blob hashes, not commit refs. Existing commit / tag / branch ref behavior is unchanged.
v1.16.0
Two new subcommands (validate, upgrade), cross-version auto-upgrade, and sharper detection
oasdiff validate checks a single spec against the OpenAPI and JSON Schema rules, oasdiff upgrade canonicalises a 3.0 spec to the latest 3.x, --auto-upgrade lets you diff across 3.0 and 3.1 specs directly, and dropping a string format constraint is no longer mis-flagged as breaking.
CLI changes
New validate subcommand
oasdiff validate <spec> flags per-RFC OpenAPI / JSON Schema violations in a single spec (#894). It fills the gap between the parser (which only catches load and parse errors) and style linters: invalid types, missing required fields, bad regex, unresolved $refs, version-mismatched fields, and more, each with a stable kebab-case rule ID and a file:line:column location. Findings are severity-classified (error, warning, info); -o, --fail-on {ERR|WARN|INFO} (default ERR) controls the exit code, so warnings and info are reported without failing CI unless you lower the threshold. Output is -f text (default), yaml, json, or githubactions (inline pull-request annotations plus per-severity step outputs). A load failure exits 102.
New upgrade subcommand
oasdiff upgrade <spec> canonicalises an OpenAPI 3.0 spec to the latest 3.x (#922). It rewrites schema-level constructs in place (nullable to a type array, boolean exclusiveMinimum/exclusiveMaximum to numeric, example to examples, and similar) and bumps the version string. The transforms are idempotent: an already-canonical spec is unchanged aside from a possible version bump.
Cross-version comparison
--auto-upgrade on diff/breaking/changelog/summary (#923). Canonicalises both specs to the latest 3.x before comparing, so a 3.0-vs-3.1 comparison just works instead of reporting spurious dialect-shape differences.
Detection rules
format constraint is a generalization, not breaking (#928, thanks @igavila). Dropping format from a string schema widens what is accepted, so it is no longer reported as a breaking change.
Flags
--fail-on warn, --level info, -f YAML, --severity error, and similar now work in any case and normalize to the canonical value. Applies to every enum flag across the commands.
Misc
ref:path form (for example main:openapi.yaml).
ERRORS.md distinguishes load failures from spec violations (#934) and points to oasdiff validate for a strict per-spec check.
Go package changes
Breaking: formatters.Formatter interface
formatters.Formatter gained a RenderValidate(findings Findings, opts RenderOpts) ([]byte, error) method (#894). Types that embed notImplementedFormatter are unaffected (they inherit a default), but a type that implements the interface directly must add the method.
Misc
formatters validate API (#894): the Finding, Findings, and Source types, the OutputValidate output kind, and ComputeFingerprint (now exported, shared by changelog and validate so a downstream tool can match findings across spec versions).
checker.IsColorEnabled is exported (#894), letting packages outside checker gate color on the same auto-detect plus override convention the commands use.
v1.15.3
Sharper breaking-change detection, hardened flatten, configurable config files
Crash fixes in the allOf flattener, an additionalProperties traversal fix that finally catches a long-missed class of breaking changes, scalar-to-array query-parameter generalization that is no longer flagged as breaking, and a richer config-file story (.oasdiff.*, --config, OASDIFF_CONFIG).
CLI changes
Detection rules
additionalProperties is now walked when properties are added or deleted (#895, thanks @prostomarkeloff). Removing or adding a required property inside a dict[str, X]-style response (additionalProperties: $ref, the default shape FastAPI / Pydantic emit for typed maps) was silently invisible to oasdiff breaking. The Modified processor already recursed; Added and Deleted now do too, so response-required-property-removed/-added and request-required-property-added fire on this shape as they always should have. Strictly additive: specs that did not exercise this path see no change.
X to an array of X is the OpenAPI 3 default-serialization (style: form, explode: true) generalization: ?color=red keeps working as a one-element array. The change is now reported as request-parameter-type-generalized at INFO level. Reverse direction (array to scalar), items-type mismatch, and path / header parameters (default simple, not form) remain breaking.
Config files
.oasdiff.*, --config, and OASDIFF_CONFIG (#899). The preferred default config name is now .oasdiff.{json,yaml,yml,toml,hcl} (legacy oasdiff.* still works as a fallback). A new persistent --config <path> flag and OASDIFF_CONFIG env var let you point at an explicit file, with --config winning over the env var. When either override is set the file must exist; the cwd lookup keeps its silent-skip semantics.
err-ignore, warn-ignore, severity-levels, and template inside a config file now resolve relative to the config file's directory rather than the process's cwd, so --config examples/.oasdiff.yaml from the repo root finds sibling files as you'd expect. Absolute paths and CLI-supplied values are left alone.
Flatten allOf hardening
flatten allOf (#909). Self-referential schemas under allOf (a node whose property points back to itself, appearing twice in the merge) used to overflow the stack. The recursion sites in mergeProps, resolveItems, resolveContains, and resolvePropertyNames are now guarded with pointer-dedup plus an in-flight cycle map, so the cyclic link is preserved in the merged output.
multipleOf: 0 no longer panics (#891). Two allOf siblings with multipleOf: 0 (invalid per spec, but seen in the wild) used to divide by zero in lcm(0, 0); non-positive values are now skipped.
OpenAPI 3.1 keywords in flatten/allOf
contains is merged across allOf siblings (#888). contains: X + contains: Y flattens to contains: Merge(X, Y). Note: contains is existential (at least one item matches), so the merged form requires one item to satisfy both X and Y rather than allowing two distinct items, an over-constraint documented in docs/ALLOF.md. The flattened spec never accepts an array the original rejects.
propertyNames is merged across allOf siblings (#902). propertyNames: X + propertyNames: Y flattens to propertyNames: Merge(X, Y). Unlike contains, propertyNames is universal (every name matches), so the merge is semantically faithful with no over-constraint caveat.
flatten command
oasdiff flatten /tmp/spec.yaml previously printed Error: failed to load original spec from "/tmp/spec.yaml": failed to flatten allOf in "/tmp/spec.yaml": ... (file path twice, wrong outer message). The CLI now distinguishes the two via a typed *load.FlattenError, prints the cleaner Error: failed to flatten allOf in "/tmp/spec.yaml": ..., and exits with code 122 instead of the load-failure code.
Misc
strconv.ParseBool: parsing "x": invalid syntax style messages are rewritten to the flag's actual type: must be true or false for bool, must be an integer for int, must be a non-negative integer for uint, must be a number for float, must be a duration like 30s or 5m for duration. Wired once on the root command, so it propagates to every subcommand. Unrelated flag types fall through unchanged.
Go package changes
Breaking: functional options on Config types
checker.Config migrates to functional options (#911). The fluent WithOptionalCheck/WithOptionalChecks/WithSeverityLevels/WithDeprecation/WithSingleCheck/WithChecks/WithAttributes chain is removed; checker.NewConfig now takes ...Option arguments. Migration is mechanical (NewConfig(...).WithX(v) becomes NewConfig(..., WithX(v))), but every caller of the package needs the rewrite. Options are now first-class values: storable, composable, and passable independently of a receiver.
diff.Config migrates to functional options (#912). Same shape as checker.Config: WithExcludeElements and WithExcludeExtensions are now Option values passed to diff.NewConfig, and the chained methods are removed. Both packages now use the same idiom, so contributors don't have to remember which one uses which style.
Misc
checker.CheckBackwardCompatibilityUntilLevel no longer mutates the caller's *diff.Diff (#913). The pipeline used to truncate PathsDiff.Deleted / per-path OperationsDiff.Deleted, delete keys from OperationsDiff.Modified for draft / alpha operations, and insert WebhooksDiff.Modified entries into PathsDiff.Modified under "webhook:..." keys, all in-place on the input. The function now clones PathsDiff and the nested fields the pipeline writes to before running checks. Callers that read the diff after running checks now see their original input intact.
*load.FlattenError (#908). Exposes Url and Err fields plus Unwrap(), reachable via errors.As. Lets library callers distinguish a flatten-stage failure from a load-stage failure when both can come out of load.NewSpecInfo.
Change.Fingerprint is stable across copy edits and locale changes (#892). The 12-char fingerprint is now computed from the structured args rather than the rendered message text, so editing a message template or switching locales no longer invalidates every previously-stored fingerprint. One-way migration: fingerprints stored under the old algorithm will not match recomputed values.
v1.15.2
A patch release with one downstream-impacting behavior change to
Change.Fingerprint, several OpenAPI 3.1 improvements to the allOf flattener, and a small refactor.Highlights
Change.Fingerprintis now stable across copy edits and locale switches (#892). The fingerprint that downstream tools use to identify the same logical change across spec versions was being computed from the rendered text of the message, which made it sensitive to anything that altered rendering: a message-template tweak, a locale switch, or the'%s'to`%s`rendering change in #836. It now hashes the structured rule arguments instead of the rendered text, giving the same disambiguation power without the fragility.This is a one-way migration. Any external system that has stored fingerprints from a previous oasdiff version will see them no longer match recomputed values and should plan a one-shot cleanup of those records. Future copy edits will not have the same effect.
allOf flattener handles more OpenAPI 3.1 keywords (#879, #880, #881, #882). The flattener now merges const, minContains / maxContains, contentMediaType / contentEncoding, and dependentRequired from allOf subschemas into the parent schema, instead of silently dropping them. Subsequent diff and breaking-change checks see the full intent of the schema.
allOf flattener no longer silently drops fields documented as "not merged" (#884). Several keywords that the documentation describes as intentionally not merged were nevertheless being dropped from the parent schema's existing values when an allOf subschema was processed. They are now preserved. The PR also removes a duplicate Type copy that was producing identical work twice.
allOf flattener handles 3.1 numeric exclusive bounds correctly (#873). In OpenAPI 3.1 exclusiveMinimum / exclusiveMaximum are numeric (not booleans paired with minimum / maximum). The flattener now merges them with the right semantics.
Documentation
$defs is intentionally dropped during allOf flatten (#883). The doc now states this explicitly so readers don't try to track down the omission as a bug.
Refactors
refactor(flatten/allof): rename findMaxValue to findMaxValueScalar for clarity (#887).
How to use it
go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
docker pull tufin/oasdiff:v1.15.2
oasdiff/oasdiff-action/<command>@v0.0.46 (the action release that ships oasdiff v1.15.2)
If your workflow YAML pins a fixed action version (e.g. @v0.0.44), bump the pin to @v0.0.46 so the new fingerprint algorithm runs in CI. Workflows pinned to @main or moving tags pick up the change automatically on their next run.
Changelog
a543522 Merge pull request #892 from oasdiff/fix/fingerprint-stable-args
b8c4fe0 fix(formatters): make Change.Fingerprint stable across copy edits
0b722c4 Merge pull request #887 from oasdiff/fix/issue-885-find-max-value-scalar
9b87905 refactor(flatten/allof): rename findMaxValue -> findMaxValueScalar (#885)
8f37521 Merge pull request #882 from oasdiff/feat/flatten-allof-dependent-required
8ef9da0 feat(flatten/allof): handle OpenAPI 3.1 dependentRequired
6d31e06 Merge pull request #881 from oasdiff/feat/flatten-allof-content-keywords
35701ef feat(flatten/allof): handle OpenAPI 3.1 contentMediaType / contentEncoding
10261e0 Merge pull request #880 from oasdiff/feat/flatten-allof-min-max-contains
9466ea3 feat(flatten/allof): handle OpenAPI 3.1 minContains / maxContains
3af44a2 Merge pull request #879 from oasdiff/feat/flatten-allof-const
794bb5d Merge pull request #884 from oasdiff/fix/flatten-allof-silent-drops
1d33e58 Merge pull request #883 from oasdiff/docs/allof-defs-dropped
7854349 fix(flatten/allof): preserve fields documented as "not merged"; drop dup Type copy
b999656 docs(allof): document that $defs is intentionally dropped during flatten
bd362bd feat(flatten/allof): handle OpenAPI 3.1 const keyword
a63539b Merge pull request #873 from oasdiff/fix/issue-868-allof-31-exclusive-bounds
b1f8552 docs: drop the now-fixed flatten/allOf 3.1 exclusive-bounds caveat
84cf3bb test: pin "no source-location after flatten-allof" behavior
6b32761 test: clarify allOf bound-merge comments
7f47de5 fix: gofmt alignment in const block
168b6dc fix(flatten/allof): handle OpenAPI 3.1 numeric exclusive bounds
a35f0c1 Merge pull request #877 from oasdiff/bump/oasdiff-action-v0.0.45
7d3689e bump: oasdiff-action v0.0.45
v1.15.1
Compare Source
A patch release with one user-facing behavior change, one new check, a privacy-friendly cleanup of the HTML report, and a substantial documentation overhaul.
Highlights
oasdiff breaking now distinguishes "no breaking changes" from "no changes" (#875). When oasdiff breaking finds no breaking changes but the specs do differ in non-breaking ways, the message is now "No breaking changes to report, but the specs are different" instead of the misleading "No changes to report" used in earlier versions. The changelog command's wording is unchanged.
deepObject parameter properties (#862, thanks @ampeco). Properties of deepObject-style query parameters now go through the standard enum-change checks.
@import of fonts.googleapis.com/css?family=Nunito from the report's <style> block. Every viewer of every report previously sent their IP to Google; the report now uses the existing system-font fallbacks (Helvetica / Arial). Useful for sites that embed the report under a strict CSP, and a privacy improvement everywhere.
Documentation
summary subcommand.
DIFF.md and BREAKING-CHANGES.md cross-referenced. summary, breaking, and changelog are built on the diff engine; the docs now say so. Duplicate "Additional Options" lists removed in favor of the README index.
HEADER-DIFF.md now explains the OpenAPI / HTTP-standards tension behind oasdiff's case-sensitive header default.
--max-circular-dep advice, fixed an invalid -filter flag reference in usage examples, made the Go embed snippet runnable, clarified STABILITY.md, dropped a misleading "Documentation" stub from CUSTOMIZING-CHECKS.md, and more.
Dependencies
github.com/getkin/kin-openapi bumped from v0.136.0 to v0.137.0 (#872).
How to use it
go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
docker pull tufin/oasdiff:v1.15.1
oasdiff/oasdiff-action/<command>@v0.0.45
Changelog
876a7bb
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
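The fingerprint change (#892) described in the release notes above, as an added Go example that is not oasdiff's code or its actual algorithm: the Change struct, both function names, the use of SHA-256 and the JSON encoding are assumptions chosen for illustration. It shows why a 12-character hash over rendered text breaks when a message template is edited, while a hash over the structured arguments does not.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Change is a hypothetical stand-in for a changelog entry; not oasdiff's type.
type Change struct {
	RuleID    string
	Operation string
	Path      string
	Args      []string
}

// short returns the first 12 hex characters of SHA-256(data).
func short(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])[:12]
}

// TextFingerprint hashes the rendered message, so its value depends on the
// message template (and therefore on copy edits and locale).
func TextFingerprint(c Change, template string) string {
	args := make([]any, len(c.Args))
	for i, a := range c.Args {
		args[i] = a
	}
	return short([]byte(c.RuleID + c.Operation + c.Path + fmt.Sprintf(template, args...)))
}

// ArgsFingerprint hashes only the structured fields. JSON encoding keeps the
// field boundaries unambiguous, so ("ab","c") never collides with ("a","bc").
func ArgsFingerprint(c Change) string {
	data, _ := json.Marshal([]any{c.RuleID, c.Operation, c.Path, c.Args}) // strings only: cannot fail
	return short(data)
}

func main() {
	// Constructed sample change, not taken from a real spec.
	c := Change{"request-property-removed", "POST", "/pets", []string{"name"}}
	fmt.Println(TextFingerprint(c, "removed the request property '%s'"))
	fmt.Println(TextFingerprint(c, "removed the request property `%s`"))
	fmt.Println(ArgsFingerprint(c))
}
```

Any store keyed on the text-based value has to be rebuilt once after switching schemes, which is the one-way migration the notes describe.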