chore(deps): update dependency tufin/oasdiff to v1.20.1 #168

Open

Workleap IT (Infra-Workleap) wants to merge 1 commit into main from renovate/tufin-oasdiff-1.x

Conversation

@Infra-Workleap Workleap IT (Infra-Workleap), Contributor, commented May 23, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package        Update  Change
Tufin/oasdiff  minor   1.12.4 -> 1.20.1

Release Notes

Tufin/oasdiff (Tufin/oasdiff)

v1.20.1

Compare Source

What's changed

Security diff
  • Phantom security-scope diff fixed (#​1043, thanks to @​siem-moneybird for
    the report and a working reference fix): an OR of scopes written by repeating
    a scheme (- petstore_auth: [read] / - petstore_auth: [write]) no longer
    reports a spurious scope add/remove, even diffing a spec against itself.
  • Security diff output restructured (#​1044): in -f json / -f yaml,
    securityRequirements.added / deleted are now objects with index and
    schemes (were strings), and modified is now a list (was a map), so a
    changed alternative is unambiguous when several share a scheme.
    Heads-up: this changes the machine-readable diff shape for security and
    the exported Go type diff.SecurityRequirementsDiff (a breaking change if you
    import the library). The human-readable text report is unchanged in meaning.
Checker
  • Fewer false positives (#​1022, #​702): a oneOf-wrapped request property is
    no longer reported as removed.
Formatters
  • Valid empty output (#​1045, #​1046): validate and the diff formatters emit
    a valid empty document for a clean spec / no changes, in every format.
Internal
  • CI: github-actions Dependabot ecosystem (#​1039) + actions group bump (#​1040);
    checker rule-symmetry test guard (#​1035).

v1.20.0

Compare Source

oasdiff v1.20.0 sharpens breaking-change detection (fewer false positives across type, format, and nullability changes) and adds a --stability-level flag to opt into draft and alpha stability levels.

CLI changes

Stability levels

  • New --stability-level flag (#​845, thanks @​ankita-gd). Set the minimum stability level to include (for example draft or alpha) so changes to lower-stability resources are reported. These levels are excluded by default, so including them is opt-in.

Fewer false-positive breaking changes

  • Type-set widening on requests and narrowing on responses are no longer breaking (#​1016). Broadening what a request accepts, or narrowing what a response returns, is backward compatible and is no longer flagged.
  • Nullable detection via type arrays is now symmetric (#​1015). Adding or removing null from a type array is detected consistently, and the untyped case is ignored rather than misreported.
  • Duplicate "parameter type changed" reports are suppressed for list-of-types (#​1020), and the suppression holds when multiple checks run together (#​1021), so one change no longer produces repeated findings.

Misc

  • --open can upload an authenticated review (#​1025), used by the oasdiff Pro GitHub Action. The default --open (free anonymous side-by-side review) is unchanged.

Go package changes
  • Breaking: the exported stability-level constants in checker were renamed from SCREAMING_SNAKE_CASE to MixedCaps (#​1032), following Go naming conventions. Library callers referencing these constants must update the identifiers; behavior is unchanged.

v1.19.1

Compare Source

Cleaner --open review output and a config-file fix

This release hardens the --open side-by-side review flow: piped --format json/yaml output now stays valid, a failed upload no longer changes your exit code, and composed mode is rejected up front with a clear message. It also fixes a config-file regression where setting match-inline-refs made the whole file fail to load.

CLI changes

--open review flow

  • --open no longer corrupts piped JSON/YAML output (#​1011). oasdiff changelog --format json --open > out.json used to append the human-facing Opening <url> (expires ...) line (and any "could not open browser" notice) to stdout, right after the rendered changelog, producing invalid JSON/YAML. The success-path URL and guidance now go to stderr, so stdout carries only the rendered output. (The earlier non-fatal work already routed --open errors to stderr; this does the same for the success path.)
  • --open failures are now non-fatal (#​1009). The changelog/breaking output is printed before the upload runs, so an upload error, unreachable host, or unsupported spec source used to return exit code 130 and pre-empt --fail-on, changing the command's result. A review that could not be uploaded should never alter the check's outcome: such failures are now warned to stderr and the command continues to its normal --fail-on exit.
  • --open with composed mode (-c) is rejected up front (#​1009). Composed mode diffs a glob of many files, which the two-spec review cannot represent. This static, user-fixable combination now fails at argument validation with exit 100 and a clear message (--open cannot be used with composed mode (-c): the side-by-side review compares exactly two specs), before any diff runs. diff and summary (which share argument parsing but have no --open flag) are unaffected.

Config files

  • match-inline-refs is now accepted in config files (#​1010). The config file is validated with UnmarshalExact, so a flag missing from the internal Config struct did not just go unread, it made any config file that set it fail to load entirely (exit 107). match-inline-refs (a visible, default-on diff flag) was missing, so match-inline-refs: false in .oasdiff.yaml was rejected. It is now a recognized key. A new drift-guard test walks every persistent flag on the config-loading commands and asserts each is either a Config field or deliberately excluded, so a future flag cannot silently break users' configs the same way. CONFIG-FILES.md is corrected to note that --open (an interactive one-shot action) is the deliberate exception and stays command-line only.

Misc

  • --open help text notes client-side encryption (#​1006). The changelog/breaking --open help read "upload the comparison to oasdiff.com", which to a privacy-conscious reader looked like specs being sent in clear. It now reads "encrypt the comparison and upload it to oasdiff.com, then open the side-by-side review in a browser", signaling that encryption happens on the client before upload.
  • --open comments generalized to "the server" (#​1009). --open uploads to the URL from OASDIFF_URL (defaulting to oasdiff.com), so the internal comments that hardcoded "oasdiff.com" as the destination were reworded to stay accurate for a local dev server or self-hosted target.

v1.19.0

Compare Source

End-to-end encrypted --open reviews, sharper request body detection

oasdiff changelog --open and oasdiff breaking --open now encrypt your specs on your machine before upload, so the side-by-side review you share is readable only by someone holding the link, never by the host. Plus a detection fix that stops flagging request body type removals that widen what the API accepts.

CLI changes

Encrypted --open review

  • --open is now end-to-end encrypted (#​1001). The CLI bundles the two specs, their filenames, and the computed changelog, AES-256-GCM-encrypts the bundle with a fresh random key, and uploads only the ciphertext. The decryption key travels in the review URL's #fragment (oasdiff.com/review/e/<id>#k=<key>), which browsers never send to a server, so the host stores a blob it cannot read and your spec content never leaves your machine in cleartext. The link is shareable for 7 days; treat it like a secret, since anyone with the full link (key included) can read the review. A side effect of carrying nothing attributable to an account: the previous browser sign-in step is gone, so --open now works with no account. The upload target defaults to oasdiff.com and is overridable with the OASDIFF_URL environment variable to point at your own deployment.
  • --open help text now signals client-side encryption (#​1006). The flag description on changelog/breaking --help changed from "upload the comparison to oasdiff.com" to "encrypt the comparison and upload it to oasdiff.com, then open the side-by-side review in a browser", so a privacy-conscious reader can tell encryption happens before the upload.
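The end-to-end pattern the notes describe, as an added worked example in Go that is not oasdiff's implementation: AES-256-GCM under a fresh random key, the ciphertext as the only thing uploaded, the key carried in the URL fragment, and a check with net/url that the fragment is not part of what an HTTP client sends. The bundle's fields, the base64url encoding of the key, the "example-id" placeholder and all function names are assumptions of this example; the URL shape oasdiff.com/review/e/<id>#k=<key> is the one the notes give.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// reviewBundle is what gets encrypted: both specs, their names and the changelog.
// The field set is constructed for this example; the notes do not show oasdiff's real layout.
type reviewBundle struct {
	BaseName, RevisionName, Base, Revision, Changelog string
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptBundle seals the bundle under a fresh random AES-256 key with GCM. It returns the key,
// which only ever travels in the URL fragment, and the upload blob: nonce || ciphertext || tag.
func encryptBundle(b reviewBundle) (key, blob []byte, err error) {
	plain, err := json.Marshal(b)
	if err != nil {
		return nil, nil, err
	}
	key = make([]byte, 32) // a 32-byte key selects AES-256
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per upload; the key is fresh too, so no reuse
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plain, nil), nil
}

// decryptBundle is the viewer side: any change to the blob fails GCM's tag check and is rejected.
func decryptBundle(key, blob []byte) (reviewBundle, error) {
	var b reviewBundle
	gcm, err := newGCM(key)
	if err != nil {
		return b, err
	}
	if len(blob) < gcm.NonceSize() {
		return b, errors.New("blob too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return b, fmt.Errorf("decrypt: %w", err)
	}
	return b, json.Unmarshal(plain, &b)
}

// reviewURL builds the link in the shape the notes give: <host>/review/e/<id>#k=<key>.
// Unpadded base64url for the key is this example's choice, not something the notes state.
func reviewURL(host, id string, key []byte) string {
	return fmt.Sprintf("%s/review/e/%s#k=%s", host, id, base64.RawURLEncoding.EncodeToString(key))
}

// keyFromURL reads the key back out of the fragment, as the browser-side viewer would.
func keyFromURL(link string) ([]byte, error) {
	u, err := url.Parse(link)
	if err != nil {
		return nil, err
	}
	vals, err := url.ParseQuery(u.Fragment)
	if err != nil {
		return nil, err
	}
	return base64.RawURLEncoding.DecodeString(vals.Get("k"))
}

// wireRequestURI is the only part of the link an HTTP client sends in its request line:
// path and query. The fragment, and with it the key, never leaves the browser.
func wireRequestURI(link string) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	return u.RequestURI(), nil
}

func main() {
	key, blob, _ := encryptBundle(reviewBundle{BaseName: "base.yaml", RevisionName: "rev.yaml"})
	link := reviewURL("https://oasdiff.com", "example-id", key) // "example-id" is a placeholder id
	uri, _ := wireRequestURI(link)
	fmt.Printf("upload %d bytes of ciphertext; the host sees only %q\n", len(blob), uri)
}
```

The property worth checking is the one the notes rely on: the request line the host receives is `/review/e/<id>` with no key in it, while anyone holding the full link can decrypt, which is why the link has to be handled as a secret.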

Detection rules

  • Request body type removal is treated as a non-breaking generalization (#​1002, thanks @​pjsny). Removing a type constraint from a request body widens what the API accepts (the endpoint now takes more payloads, not fewer), so it is no longer reported as a breaking change.

Go package changes

Misc

  • Breaking: load.WithIdentity is removed (#​1000). The exported WithIdentity() was a no-op Option that returned specs unchanged; it is now inlined as an implementation detail inside GetOption. External callers that referenced it should use load.GetOption(opt, false) instead. GetOption(option, enable) is unchanged and remains the way to apply an option conditionally.

v1.18.6

Compare Source

A small release: the main user-visible change is dropping a redundant field from the machine-readable output, plus Go library additions for working with in-memory specs.

CLI changes
  • Removed the redundant source field from JSON and YAML output. Each change carried a top-level source that duplicated the origin already reported in baseSource / revisionSource. Consumers parsing oasdiff breaking / changelog JSON or YAML should read baseSource / revisionSource instead. (#​995)

Go package changes
  • Added load.NewSpecInfoFromData: build a SpecInfo from OpenAPI bytes already in memory, labeling its source with a name you provide, so source-location reporting uses that name rather than a temp path. (#​996)
  • Breaking: removed the Source field from formatters.Change. Use BaseSource / RevisionSource. (#​995)
  • Breaking: removed load.WithIdentity. It was a no-op option; use load.GetOption(opt, false) for the disabled-option case. (#​1000)

Full Changelog: oasdiff/oasdiff@v1.18.5...v1.18.6

v1.18.5

Compare Source

This release fixes a crash in breaking-change detection, widens not sub-schema coverage, and adds a flag to fetch missing git revisions automatically.

CLI changes
  • No more crash on one-sided sub-schema changes (#​998). Comparing two specs where a property drops a single-valued sub-schema on one side (for example an array property that removes its items, or a removed not / if / then / else / contentSchema) previously aborted with a nil pointer panic. oasdiff breaking, changelog, and diff now handle these diffs cleanly.
  • not sub-schema is now traversed for property changes (#​994). Property changes nested inside a not schema (a removed property, a tightened constraint, a newly required field) are now detected by breaking and changelog instead of being silently skipped. Closes #​916.
  • New --fetch flag (#​993). When a <rev>:<path> source points at a commit that is not in your local clone, --fetch tells oasdiff to fetch it from origin before comparing, instead of failing with a missing-object error. Without the flag oasdiff stays read-only and only prints the git fetch command to run.

Full Changelog: oasdiff/oasdiff@v1.18.4...v1.18.5

v1.18.4

Compare Source

What's changed

  • load: actionable hint when a git revision's commit isn't in the local clone (#​990). When a <sha>:<path> source references a commit that isn't present locally (a reviewer who hasn't fetched the PR branch, or a shallow clone lacking the base), oasdiff now prints the exact command to run:

    git fetch origin <sha>
    

    instead of a terse git error. oasdiff stays read-only: it never fetches or mutates your repository on its own. A missing path within an existing commit, and a "git not installed" failure, are reported unchanged.

Full Changelog: oasdiff/oasdiff@v1.18.3...v1.18.4

v1.18.3

Compare Source

Breaking changes

This release reorganizes the oasdiff checks categorization to align with the OpenAPI specification's object model.

  • The checks json/yaml output renames the location field to area and adds a new kind field. area is the OpenAPI object a rule concerns (schema, parameters, requestBody, responses, paths, headers, security, tags, components); kind is the aspect of the contract that changed (existence, requiredness, mutability, type, constraints, values, structure, lifecycle).
  • --tags accepts the new area and kind values; the old body and properties tags are removed.
  • Go library: checker.Location and its Location* constants are renamed to checker.Area / Area*, a new checker.Kind / Kind* is added, and BackwardCompatibilityRule.Location becomes .Area plus .Kind.

Why

The previous location taxonomy mixed OpenAPI object names with ad-hoc buckets and left about three quarters of all rules in two catch-alls (body, properties). Splitting "which OpenAPI object" (area) from "what kind of change" (kind) makes every rule classifiable along two clean, independent axes and uses terminology straight from the OpenAPI spec. All rules are explicitly assigned both fields.

See docs/CHECKS.md for the full list of areas, kinds, and tags.

Full Changelog: oasdiff/oasdiff@v1.18.2...v1.18.3

v1.18.2

Compare Source

oasdiff v1.18.2 completes and polishes the rule catalog that powers oasdiff breaking and oasdiff changelog, across all supported languages.

CLI changes

Complete, accurate rule catalog

  • oasdiff checks now resolves a real description for every one of the 474 rules. 29 rules previously rendered their internal localization key instead of a description; all are now filled in (#​985).
  • Polished the rule mitigation texts for clarity, and fixed an inaccurate description (an anyOf addition was described as a removal) plus a typo (#​985).
  • Completed the descriptions, mitigations, and the 3.1 / JSON Schema 2020-12 message families in Spanish, Brazilian Portuguese, and Russian (#​985, #​978).

Upgraded the OpenAPI parser to kin-openapi 0.140.0 (#​984).

Misc

  • Homebrew: the project tap now publishes a cask instead of the deprecated goreleaser formula (#​979). This affects only the oasdiff/homebrew-oasdiff tap; brew install oasdiff via homebrew-core is unchanged.
  • CI hardening: goreleaser-action pinned to the v2 major, and govulncheck toolchain resolution (#​986, #​983).

Full Changelog: oasdiff/oasdiff@v1.18.1...v1.18.2

v1.18.1

Compare Source

What's changed

Patch release focused on --allow-external-refs handling.

  • --allow-external-refs=false is now honored on the git-revision input path (#​974). Previously the setting was enforced when loading specs from files and URLs, but a spec loaded via the rev:path git form could still resolve external $refs. The behavior is now consistent across all input forms; intra-repository relative $refs continue to resolve via git show and are unaffected.
  • Dedicated exit code for a refused external $ref (#​975). When --allow-external-refs=false blocks an external reference, oasdiff now exits with code 123 (distinct from the generic load-failure code 102), so tooling can detect this specific case by exit code rather than by parsing the error message.

Security

This release fixes GHSA-2jcc-mxv7-p3f9. Before v1.18.1, --allow-external-refs=false was not enforced on the git-revision input path (rev:path), so external $refs could still be resolved there when processing untrusted specs (SSRF / local file read). See the advisory for impact, affected versions, and workarounds.

No changes to diff/breaking/changelog output. The --allow-external-refs default is unchanged (true).
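As an added illustration of the risk the advisory describes (this is not oasdiff's code), here is a pre-screen a defender can run over an untrusted spec before handing it to any tool that resolves $refs: it walks a JSON OpenAPI document and lists every $ref that leaves the file, classified as a remote URL (a network fetch, the SSRF case) or a filesystem path (a local file read). The sample spec, the type names and the function names are this example's own; it reads JSON only, so a YAML spec would have to be converted first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"os"
	"sort"
	"strings"
)

// RefKind classifies where a $ref points.
type RefKind string

const (
	RefLocal  RefKind = "local"  // "#/..." pointer inside the same document
	RefRemote RefKind = "remote" // absolute URL with a scheme: resolving it means a network fetch
	RefFile   RefKind = "file"   // relative or absolute path: resolving it means a local file read
)

// RefFinding is one $ref in the document, located by its JSON pointer (RFC 6901).
type RefFinding struct {
	Pointer string
	Target  string
	Kind    RefKind
}

// classifyRef decides whether a $ref value stays inside the document.
func classifyRef(target string) RefKind {
	if strings.HasPrefix(target, "#") {
		return RefLocal
	}
	if u, err := url.Parse(target); err == nil && u.Scheme != "" {
		return RefRemote
	}
	return RefFile
}

// escapeToken applies RFC 6901 escaping so the key "/pets" becomes "~1pets" inside a pointer.
func escapeToken(token string) string {
	return strings.ReplaceAll(strings.ReplaceAll(token, "~", "~0"), "/", "~1")
}

// walk recurses over the decoded JSON tree and records every $ref string it meets.
func walk(node interface{}, pointer string, out *[]RefFinding) {
	switch v := node.(type) {
	case map[string]interface{}:
		if ref, ok := v["$ref"].(string); ok {
			*out = append(*out, RefFinding{Pointer: pointer + "/$ref", Target: ref, Kind: classifyRef(ref)})
		}
		for key, child := range v {
			walk(child, pointer+"/"+escapeToken(key), out)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s/%d", pointer, i), out)
		}
	}
}

// ExternalRefs parses a JSON OpenAPI document and returns every $ref that leaves it,
// sorted by pointer so the result is stable (Go map iteration order is random).
func ExternalRefs(specJSON []byte) ([]RefFinding, error) {
	var doc interface{}
	if err := json.Unmarshal(specJSON, &doc); err != nil {
		return nil, fmt.Errorf("parse spec: %w", err)
	}
	var all []RefFinding
	walk(doc, "", &all)
	var external []RefFinding
	for _, f := range all {
		if f.Kind != RefLocal {
			external = append(external, f)
		}
	}
	sort.Slice(external, func(i, j int) bool { return external[i].Pointer < external[j].Pointer })
	return external, nil
}

// sampleSpec is a constructed spec with one local, one remote and one file $ref.
const sampleSpec = `{
  "openapi": "3.0.3",
  "paths": {"/pets": {"get": {"responses": {
    "200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}},
    "default": {"$ref": "https://example.com/shared.yaml#/components/responses/Error"}
  }}}},
  "components": {"schemas": {
    "Pet": {"type": "object", "properties": {"owner": {"$ref": "../internal/owners.yaml#/Owner"}}}
  }}
}`

func main() {
	refs, err := ExternalRefs([]byte(sampleSpec))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range refs {
		fmt.Printf("%-6s %s -> %s\n", r.Kind, r.Pointer, r.Target)
	}
	if len(refs) > 0 {
		fmt.Println("external $refs present: diff this spec only with --allow-external-refs=false")
	}
}
```

A spec from an untrusted source that lists anything here should be compared with `--allow-external-refs=false`; with v1.18.1 the refusal is then visible as exit code 123 on every input form, including the rev:path one the advisory covers.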

Full Changelog: oasdiff/oasdiff@v1.18.0...v1.18.1

v1.18.0

Compare Source

Annotation-only allOf false-positive fixed, --open mode-aware filtering, and the media-type walker migration completes

The user-visible headline is in breaking: adding an allOf subschema whose body is only annotation keywords no longer flags as a breaking change. Under the hood, the media-type walker migration that started in PRs #940 to #952 finishes in this release; every checker that operates on request- or response-body schemas now runs through one uniform shape.

CLI changes

Detection rules

  • Annotation-only allOf additions are no longer reported as breaking (#​964). Adding an allOf subschema whose body is only annotation keywords (title, description, examples, default, externalDocs, $comment) does not reject any previously-valid instance, so it is not a wire-contract change. Per the "Diff is Schema-Shape, Breaking is Wire-Contract" split, oasdiff diff continues to surface the structural addition unchanged, while oasdiff breaking no longer fails CI gates with --fail-on WARN on what is purely a documentation edit. oasdiff changelog still records the change at INFO under eight new check IDs covering the request × response × body × property × add × remove matrix (e.g. request-body-all-of-added-annotation-only), so audit-trail consumers see the document-level change instead of it silently disappearing. Constraint-bearing allOf additions, and mixed sets that contain at least one constraint-bearing subschema, still fire at their original severities. Motivated by OAS discussion #​3793 (handrews).

--open flag

  • oasdiff breaking --open now filters the rendered page to breaking-only (#​958). The web view previously showed every change including INFO regardless of which subcommand opened it, which did not match the visitor's terminal output. The CLI now forwards mode=breaking or mode=changelog as a form field on the upload, and the rendered page filters severity to match. Backward compatible in both directions: older CLI against a newer service is treated as changelog (today's behavior), and a newer CLI against an older service has the field silently ignored. Other filtering flags (--fail-on, --level, --include-checks) are still treated as interactive concerns of the web UI and remain ignored by --open.

Localization

  • Spanish, Portuguese, and Russian translations for exclusiveMinimum / exclusiveMaximum (#​969). 162 message strings (54 per locale across the exclusive-min and exclusive-max families and their -description and -comment siblings) translated by extending the already-merged min / max patterns. The OpenAPI keywords exclusiveMinimum / exclusiveMaximum stay in their canonical English casing inside the translated sentence, matching the JSON Schema specification terminology and the existing convention for allOf, oneOf, anyOf, $ref. Cuts the English-identical entries per non-English locale from 302 to 248.

Docs

  • docs/GIT-DIFF-DRIVER heading typo fix (#​959). One section title said "GET" (autocorrect from "cat"), with no referent in the body. Now reads correctly. The git-diff-driver subcommand itself shipped in v1.17.0.

Internal cleanup: media-type walker migration completes

The migration introduced by #​940 moved per-checker path → operation → requestBody|response → content → mediaType → schema traversal boilerplate into a single helper. This release lands the final seven batches and removes the last in-scope checkers from the queue:

  • #960: enum families (request × add/remove, response × add/remove)
  • #961: numeric constraints (min / max value, min / max length, set / decreased / increased)
  • #962: became_required / became_optional response pair
  • #963: deprecation pair (request + response)
  • #970: write-only / read-only triplet (request property + response optional + response required)
  • #971: contains pair
  • #972: generic property-updated pair

Roughly 1300 lines net removed across the full series. Per-checker function shape is now uniform; new checks added in the future drop into the same shape. No behaviour change for users — checks emit the same change IDs at the same severities. The remaining unmigrated checkers all operate on parameters / headers and would need a separate parameter walker; that work is tracked separately and is not in this release.


Auto-changelog below.

v1.17.0

Compare Source

Two new CLI surfaces (git-diff-driver, --open), header-default flip, walker foundation

This release adds two ways to see OpenAPI changes outside the terminal. oasdiff git-diff-driver turns git log --patch and git diff into a human-readable changelog, and a new --open flag on changelog and breaking uploads the comparison to oasdiff.com and opens a side-by-side review in your browser. Both work against any spec in any git repo, public or private. Also: a default flip for header comparison, plus a foundation refactor (media-type walker) that shipped behind the scenes.

CLI changes

New subcommands and flags

  • New git-diff-driver subcommand (#​954, inspired by Jamie Tanna's post). Wire oasdiff into git as an external diff driver, and git log --patch --ext-diff renders a human-readable OpenAPI changelog inline instead of a raw YAML text diff. Two config lines:
    git config diff.oasdiff.command "oasdiff git-diff-driver"
    echo "openapi.yaml diff=oasdiff" >> .gitattributes
    
    Added (root commit) and removed cases are handled inline; source labels use the short blob hash plus path (e.g. abc1234:openapi.yaml) instead of git's tempfile paths. Full setup in docs/GIT-DIFF-DRIVER.md.
  • New --open flag on changelog and breaking (#​955, #​956). After printing the changelog, uploads the comparison to oasdiff.com and opens the rendered side-by-side review in your browser. First run signs in with GitHub (minimal scopes, no repo access) and stores a token locally; subsequent runs skip. The resulting URL is shareable for 7 days, so reviewers can open it without installing the CLI themselves. Filtering and presentation flags (--fail-on, --format, etc.) apply only to terminal output; semantic flags (--flatten-params, --match-inline-refs, etc.) are forwarded to the web review so it matches what you saw locally.

Detection rules

  • --case-insensitive-headers now defaults to true (#​939). HTTP header names are case-insensitive per RFC 7230; oasdiff has supported the case-insensitive comparison via flag since v1.x, but the default until now was case-sensitive, so a change between Content-Type and content-type was still flagged as breaking. The default flips to case-insensitive in this release. Pass --case-insensitive-headers=false to opt back into the previous behavior.
  • Inline-equivalent and $ref-equivalent subschemas now match (#​938, plus an earlier round in #​930, thanks @​kesha1225). Refactoring an inline schema to a $ref of an equivalent component, or vice versa, no longer produces false "removed subschema" / "added subschema" findings on anyOf / oneOf. The matcher recognizes structurally-equivalent variants regardless of which form they're written in.
  • Nullable source-attachment fixed for response-property pairs (#​945). The response-property-became-nullable / -not-nullable changes had asymmetric source-location attachment between matched-pair directions; both sides now attach to the property location consistently.

changelog / breaking output

  • Empty-changelog output suggests oasdiff diff (#​946). When oasdiff changelog or breaking finds no significant differences but the underlying diff has document-level changes (info.contact edits, etc.), the CLI hints to try oasdiff diff for the full document-level view. JSON / YAML output also surfaces this via a top-level diff_empty field.

Misc

  • ERRORS.md is linked from the validate command's help and error output (#​934).
  • Docs reference oasdiff-action v0.0.48 in workflow examples (#​935).

Go package changes

Public validate package

  • New github.com/oasdiff/oasdiff/validate package (#​944). The spec-validation logic the validate subcommand uses is now an independent package; library callers can import it directly without going through the CLI. validate.Validate(spec, sourcePath) returns a Findings list (each with a stable rule ID, severity, message, and origin when the loader provides line / column info).

Media-type walker foundation

  • New media-type walker reusable across checkers (#​940, with batched checker migrations in #​941, #​942, #​943, #​945, #​947, #​948, #​949, #​951, #​952). Replaces the prior per-checker traversal idioms with a single shared walker over OpenAPI media types and properties. No user-visible behavior change in the common case; the refactor exposed and fixed a handful of latent asymmetries (e.g. the nullable-source attachment in #​945). Callers extending oasdiff with their own checks can now reuse the same walker shape.

Loader: blob-hash git refs

  • <ref>:<path> syntax now accepts blob SHAs in addition to commit / tag refs (#​954). Required by git-diff-driver because git's external-diff protocol passes blob hashes, not commit refs. Existing commit / tag / branch ref behavior is unchanged.

v1.16.0

Compare Source

Two new subcommands (validate, upgrade), cross-version auto-upgrade, and sharper detection

oasdiff validate checks a single spec against the OpenAPI and JSON Schema rules, oasdiff upgrade canonicalises a 3.0 spec to the latest 3.x, --auto-upgrade lets you diff across 3.0 and 3.1 specs directly, and dropping a string format constraint is no longer mis-flagged as breaking.

CLI changes

New validate subcommand

  • oasdiff validate <spec> flags per-RFC OpenAPI / JSON Schema violations in a single spec (#​894). It fills the gap between the parser (which only catches load and parse errors) and style linters: invalid types, missing required fields, bad regex, unresolved $refs, version-mismatched fields, and more, each with a stable kebab-case rule ID and a file:line:column location. Findings are severity-classified (error, warning, info); -o, --fail-on {ERR|WARN|INFO} (default ERR) controls the exit code, so warnings and info are reported without failing CI unless you lower the threshold. Output is -f text (default), yaml, json, or githubactions (inline pull-request annotations plus per-severity step outputs). A load failure exits 102.

New upgrade subcommand

  • oasdiff upgrade <spec> canonicalises an OpenAPI 3.0 spec to the latest 3.x (#​922). It rewrites schema-level constructs in place (nullable to a type array, boolean exclusiveMinimum / exclusiveMaximum to numeric, example to examples, and similar) and bumps the version string. The transforms are idempotent: an already-canonical spec is unchanged aside from a possible version bump.

Cross-version comparison

  • --auto-upgrade on diff / breaking / changelog / summary (#​923). Canonicalises both specs to the latest 3.x before comparing, so a 3.0-vs-3.1 comparison just works instead of reporting spurious dialect-shape differences.

Detection rules

  • Removing a string format constraint is a generalization, not breaking (#​928, thanks @​igavila). Dropping format from a string schema widens what is accepted, so it is no longer reported as a breaking change.

Flags

  • Enum flag values are accepted case-insensitively (#​932). --fail-on warn, --level info, -f YAML, --severity error, and similar now work in any case and normalize to the canonical value. Applies to every enum flag across the commands.

Misc

  • Git refs documented as a spec input (#​931). The help text for the spec arguments now mentions the ref:path form (for example main:openapi.yaml).
  • ERRORS.md distinguishes load failures from spec violations (#​934) and points to oasdiff validate for a strict per-spec check.

Go package changes

Breaking: formatters.Formatter interface

  • Breaking: formatters.Formatter gained a RenderValidate(findings Findings, opts RenderOpts) ([]byte, error) method (#​894). Types that embed notImplementedFormatter are unaffected (they inherit a default), but a type that implements the interface directly must add the method.

Misc

  • New formatters validate API (#​894): the Finding, Findings, and Source types, the OutputValidate output kind, and ComputeFingerprint (now exported, shared by changelog and validate so a downstream tool can match findings across spec versions).
  • checker.IsColorEnabled is exported (#​894), letting packages outside checker gate color on the same auto-detect plus override convention the commands use.

v1.15.3

Compare Source

Sharper breaking-change detection, hardened flatten, configurable config files

Crash fixes in the allOf flattener, an additionalProperties traversal fix that finally catches a long-missed class of breaking changes, scalar-to-array query-parameter generalization that is no longer flagged as breaking, and a richer config-file story (.oasdiff.*, --config, OASDIFF_CONFIG).

CLI changes

Detection rules

  • additionalProperties is now walked when properties are added or deleted (#​895, thanks @​prostomarkeloff). Removing or adding a required property inside a dict[str, X]-style response (additionalProperties: $ref, the default shape FastAPI / Pydantic emit for typed maps) was silently invisible to oasdiff breaking. The Modified processor already recursed; Added and Deleted now do too, so response-required-property-removed / -added and request-required-property-added fire on this shape as they always should have. Strictly additive: specs that did not exercise this path see no change.
  • Scalar to form/explode array on a query parameter is no longer breaking (#​915). Changing a query parameter's schema from a scalar X to an array of X is the OpenAPI 3 default-serialization (style: form, explode: true) generalization: ?color=red keeps working as a one-element array. The change is now reported as request-parameter-type-generalized at INFO level. Reverse direction (array to scalar), items-type mismatch, and path / header parameters (default simple, not form) remain breaking.

Config files

  • .oasdiff.*, --config, and OASDIFF_CONFIG (#​899). The preferred default config name is now .oasdiff.{json,yaml,yml,toml,hcl} (legacy oasdiff.* still works as a fallback). A new persistent --config <path> flag and OASDIFF_CONFIG env var let you point at an explicit file, with --config winning over the env var. When either override is set the file must exist; the cwd lookup keeps its silent-skip semantics.
  • Path-valued config keys resolve relative to the config file (#​901). err-ignore, warn-ignore, severity-levels, and template inside a config file now resolve relative to the config file's directory rather than the process's cwd, so --config examples/.oasdiff.yaml from the repo root finds sibling files as you'd expect. Absolute paths and CLI-supplied values are left alone.
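Both config-file behaviours described here and in the v1.19.1 notes, as an added Go example that is not oasdiff's code: strict decoding that rejects a key the struct does not declare (the fail-closed behaviour that made an unrecognized `match-inline-refs` reject the whole file), and path-valued keys resolved against the config file's directory rather than the process cwd, with absolute values left alone. It uses encoding/json's DisallowUnknownFields as a stand-in for the UnmarshalExact the notes mention, accepts JSON only, and declares just a few of the real Config keys; the two config strings are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"path/filepath"
)

// config carries a few of the keys the release notes name. The field set is illustrative;
// oasdiff's real Config struct has many more keys, and this example accepts JSON only.
type config struct {
	ErrIgnore       string `json:"err-ignore"`
	WarnIgnore      string `json:"warn-ignore"`
	SeverityLevels  string `json:"severity-levels"`
	Template        string `json:"template"`
	MatchInlineRefs *bool  `json:"match-inline-refs"` // pointer so "unset" differs from "false"
}

// loadConfig decodes strictly: a key with no matching field is an error, the fail-closed behaviour
// the notes describe (the whole file is rejected). encoding/json's DisallowUnknownFields stands in
// for the UnmarshalExact the notes mention. Path-valued keys are then resolved against the config
// file's own directory, not the process cwd, with absolute paths left untouched.
func loadConfig(configPath string, data []byte) (config, error) {
	var c config
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&c); err != nil {
		return config{}, fmt.Errorf("config %s: %w", configPath, err)
	}
	dir := filepath.Dir(configPath)
	for _, p := range []*string{&c.ErrIgnore, &c.WarnIgnore, &c.SeverityLevels, &c.Template} {
		*p = resolveRelative(dir, *p)
	}
	return c, nil
}

// resolveRelative anchors a relative path at dir; empty and absolute values pass through.
func resolveRelative(dir, p string) string {
	if p == "" || filepath.IsAbs(p) {
		return p
	}
	return filepath.Join(dir, p)
}

// Constructed inputs: one file with known keys, one with a key the struct does not declare
// ("open" is the flag the notes say deliberately stays command-line only).
const (
	goodConfig = `{"err-ignore": "err-ignore.txt", "template": "/etc/oasdiff/report.tmpl", "match-inline-refs": false}`
	badConfig  = `{"err-ignore": "err-ignore.txt", "open": true}`
)

func main() {
	c, err := loadConfig("examples/.oasdiff.json", []byte(goodConfig))
	fmt.Printf("good: err-ignore=%s template=%s err=%v\n", c.ErrIgnore, c.Template, err)
	_, err = loadConfig("examples/.oasdiff.json", []byte(badConfig))
	fmt.Printf("bad: err=%v\n", err)
}
```

The drift guard the notes describe is the other half of this design: strict decoding only stays safe if every flag that may appear in a file is either a field here or deliberately excluded, which is exactly what a test walking the command's flags can assert.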

Flatten allOf hardening

  • Cyclic schemas no longer crash flatten allOf (#​909). Self-referential schemas under allOf (a node whose property points back to itself, appearing twice in the merge) used to overflow the stack. The recursion sites in mergeProps, resolveItems, resolveContains, and resolvePropertyNames are now guarded with pointer-dedup plus an in-flight cycle map, so the cyclic link is preserved in the merged output.
  • multipleOf: 0 no longer panics (#​891). Two allOf siblings with multipleOf: 0 (invalid per spec, but seen in the wild) used to divide by zero in lcm(0, 0); non-positive values are now skipped.

OpenAPI 3.1 keywords in flatten/allOf

  • contains is merged across allOf siblings (#​888). contains: X + contains: Y flattens to contains: Merge(X, Y). Note: contains is existential (at least one item matches), so the merged form requires one item to satisfy both X and Y rather than allowing two distinct items, an over-constraint documented in docs/ALLOF.md. The flattened spec never accepts an array the original rejects.
  • propertyNames is merged across allOf siblings (#​902). propertyNames: X + propertyNames: Y flattens to propertyNames: Merge(X, Y). Unlike contains, propertyNames is universal (every name matches), so the merge is semantically faithful with no over-constraint caveat.

flatten command

  • Flatten failures are no longer mis-wrapped as load failures (#​908). oasdiff flatten /tmp/spec.yaml previously printed Error: failed to load original spec from "/tmp/spec.yaml": failed to flatten allOf in "/tmp/spec.yaml": ... (file path twice, wrong outer message). The CLI now distinguishes the two via a typed *load.FlattenError, prints the cleaner Error: failed to flatten allOf in "/tmp/spec.yaml": ..., and exits with code 122 instead of the load-failure code.

Misc

  • Friendlier flag-parse errors (#​919). pflag's raw strconv.ParseBool: parsing "x": invalid syntax style messages are rewritten to the flag's actual type: must be true or false for bool, must be an integer for int, must be a non-negative integer for uint, must be a number for float, must be a duration like 30s or 5m for duration. Wired once on the root command, so it propagates to every subcommand. Unrelated flag types fall through unchanged.

Go package changes

Breaking: functional options on Config types

  • Breaking: checker.Config migrates to functional options (#​911). The fluent WithOptionalCheck / WithOptionalChecks / WithSeverityLevels / WithDeprecation / WithSingleCheck / WithChecks / WithAttributes chain is removed; checker.NewConfig now takes ...Option arguments. Migration is mechanical (NewConfig(...).WithX(v) becomes NewConfig(..., WithX(v))), but every caller of the package needs the rewrite. Options are now first-class values: storable, composable, and passable independently of a receiver.
  • Breaking: diff.Config migrates to functional options (#​912). Same shape as checker.Config: WithExcludeElements and WithExcludeExtensions are now Option values passed to diff.NewConfig, and the chained methods are removed. Both packages now use the same idiom, so contributors don't have to remember which one uses which style.

Misc

  • checker.CheckBackwardCompatibilityUntilLevel no longer mutates the caller's *diff.Diff (#​913). The pipeline used to truncate PathsDiff.Deleted / per-path OperationsDiff.Deleted, delete keys from OperationsDiff.Modified for draft / alpha operations, and insert WebhooksDiff.Modified entries into PathsDiff.Modified under "webhook:..." keys, all in-place on the input. The function now clones PathsDiff and the nested fields the pipeline writes to before running checks. Callers that read the diff after running checks now see their original input intact.
  • New typed *load.FlattenError (#​908). Exposes Url and Err fields plus Unwrap(), reachable via errors.As. Lets library callers distinguish a flatten-stage failure from a load-stage failure when both can come out of load.NewSpecInfo.
  • Change.Fingerprint is stable across copy edits and locale changes (#​892). The 12-char fingerprint is now computed from the structured args rather than the rendered message text, so editing a message template or switching locales no longer invalidates every previously-stored fingerprint. One-way migration: fingerprints stored under the old algorithm will not match recomputed values.

v1.15.2

Compare Source

A patch release with one downstream-impacting behavior change to Change.Fingerprint, several OpenAPI 3.1 improvements to the allOf flattener, and a small refactor.

Highlights
  • Change.Fingerprint is now stable across copy edits and locale switches (#​892). The fingerprint that downstream tools use to identify the same logical change across spec versions was being computed from the rendered text of the message, which made it sensitive to anything that altered rendering: a message-template tweak, a locale switch, or the '%s' to `%s` rendering change in #​836. It now hashes the structured rule arguments instead of the rendered text, giving the same disambiguation power without the fragility.

    This is a one-way migration. Any external system that has stored fingerprints from a previous oasdiff version will see them no longer match recomputed values and should plan a one-shot cleanup of those records. Future copy edits will not have the same effect.

  • allOf flattener handles more OpenAPI 3.1 keywords (#​879, #​880, #​881, #​882). The flattener now merges const, minContains / maxContains, contentMediaType / contentEncoding, and dependentRequired from allOf subschemas into the parent schema, instead of silently dropping them. Subsequent diff and breaking-change checks see the full intent of the schema.

  • allOf flattener no longer silently drops fields documented as "not merged" (#​884). Several keywords that the documentation describes as intentionally not merged were nevertheless being dropped from the parent schema's existing values when an allOf subschema was processed. They are now preserved. The PR also removes a duplicate Type copy that was producing identical work twice.

  • allOf flattener handles 3.1 numeric exclusive bounds correctly (#​873). In OpenAPI 3.1 exclusiveMinimum / exclusiveMaximum are numeric (not booleans paired with minimum / maximum). The flattener now merges them with the right semantics.

Documentation
  • $defs is intentionally dropped during allOf flatten (#​883). The doc now states this explicitly so readers don't try to track down the omission as a bug.
Refactors
  • refactor(flatten/allof): rename findMaxValue to findMaxValueScalar for clarity (#​887).
How to use it
  • CLI: go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
  • Docker: docker pull tufin/oasdiff:v1.15.2
  • GitHub Action: pin to oasdiff/oasdiff-action/<command>@v0.0.46 (the action release that ships oasdiff v1.15.2)

If your workflow YAML pins a fixed action version (e.g. @v0.0.44), bump the pin to @v0.0.46 so the new fingerprint algorithm runs in CI. Workflows pinned to @main or moving tags pick up the change automatically on their next run.


Changelog

  • a543522 Merge pull request #​892 from oasdiff/fix/fingerprint-stable-args
  • b8c4fe0 fix(formatters): make Change.Fingerprint stable across copy edits
  • 0b722c4 Merge pull request #​887 from oasdiff/fix/issue-885-find-max-value-scalar
  • 9b87905 refactor(flatten/allof): rename findMaxValue -> findMaxValueScalar (#​885)
  • 8f37521 Merge pull request #​882 from oasdiff/feat/flatten-allof-dependent-required
  • 8ef9da0 feat(flatten/allof): handle OpenAPI 3.1 dependentRequired
  • 6d31e06 Merge pull request #​881 from oasdiff/feat/flatten-allof-content-keywords
  • 35701ef feat(flatten/allof): handle OpenAPI 3.1 contentMediaType / contentEncoding
  • 10261e0 Merge pull request #​880 from oasdiff/feat/flatten-allof-min-max-contains
  • 9466ea3 feat(flatten/allof): handle OpenAPI 3.1 minContains / maxContains
  • 3af44a2 Merge pull request #​879 from oasdiff/feat/flatten-allof-const
  • 794bb5d Merge pull request #​884 from oasdiff/fix/flatten-allof-silent-drops
  • 1d33e58 Merge pull request #​883 from oasdiff/docs/allof-defs-dropped
  • 7854349 fix(flatten/allof): preserve fields documented as "not merged"; drop dup Type copy
  • b999656 docs(allof): document that $defs is intentionally dropped during flatten
  • bd362bd feat(flatten/allof): handle OpenAPI 3.1 const keyword
  • a63539b Merge pull request #​873 from oasdiff/fix/issue-868-allof-31-exclusive-bounds
  • b1f8552 docs: drop the now-fixed flatten/allOf 3.1 exclusive-bounds caveat
  • 84cf3bb test: pin "no source-location after flatten-allof" behavior
  • 6b32761 test: clarify allOf bound-merge comments
  • 7f47de5 fix: gofmt alignment in const block
  • 168b6dc fix(flatten/allof): handle OpenAPI 3.1 numeric exclusive bounds
  • a35f0c1 Merge pull request #​877 from oasdiff/bump/oasdiff-action-v0.0.45
  • 7d3689e bump: oasdiff-action v0.0.45

v1.15.1

Compare Source

A patch release with one user-facing behavior change, one new check, a privacy-friendly cleanup of the HTML report, and a substantial documentation overhaul.

Highlights
  • oasdiff breaking now distinguishes "no breaking changes" from "no changes" (#​875). When oasdiff breaking finds no breaking changes but the specs do differ in non-breaking ways, the message is now "No breaking changes to report, but the specs are different" instead of the misleading "No changes to report" used in earlier versions. The changelog command's wording is unchanged.
  • Detect enum value changes in deepObject parameter properties (#​862, thanks @​ampeco). Properties of deepObject-style query parameters now go through the standard enum-change checks.
  • Changelog HTML report no longer pulls Google Fonts (#​876). Removes a @import of fonts.googleapis.com/css?family=Nunito from the report's <style> block. Every viewer of every report previously sent their IP to Google; the report now uses the existing system-font fallbacks (Helvetica / Arial). Useful for sites that embed the report under a strict CSP, and a privacy improvement everywhere.
Documentation
  • README index reorganized by reader intent (#​874). The flat 25+ bullet feature list is replaced with a grouped Documentation section: Commands → Inputs → Comparison → Normalization → API lifecycle → Filtering changes → Output → How to run → Reference. Adds a 30-second Docker quickstart, surfaces previously-unlinked docs, and adds the missing summary subcommand.
  • DIFF.md and BREAKING-CHANGES.md cross-referenced. summary, breaking, and changelog are built on the diff engine; the docs now say so. Duplicate "Additional Options" lists removed in favor of the README index.
  • HEADER-DIFF.md now explains the OpenAPI / HTTP-standards tension behind oasdiff's case-sensitive header default.
  • Many small content fixes: corrected diff format list, fixed a wrong Docker image name, removed dead --max-circular-dep advice, fixed an invalid -filter flag reference in usage examples, made the Go embed snippet runnable, clarified STABILITY.md, dropped a misleading "Documentation" stub from CUSTOMIZING-CHECKS.md, and more.
Dependencies
  • github.com/getkin/kin-openapi bumped from v0.136.0 to v0.137.0 (#​872).
How to use it
  • CLI: go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
  • Docker: docker pull tufin/oasdiff:v1.15.1
  • GitHub Action: pin to oasdiff/oasdiff-action/<command>@v0.0.45

Changelog

  • [876a7bb

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
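The cyclic-schema fix described under "Flatten allOf hardening" (#909) rests on one pattern: register the output node before recursing, and reuse it whenever the same input pointer shows up again. The following Go program is an added example, not oasdiff's code; `Schema`, `FlattenAllOf` and the two-map `flattener` are assumptions made for illustration, and the input is a constructed node whose two allOf branches both point `next` back at the node, the shape that used to overflow the stack.

```go
package main

import "fmt"

// Schema is a deliberately small stand-in for an OpenAPI schema node, not
// oasdiff's own type: just enough to show properties and allOf.
type Schema struct {
	Type       string
	Properties map[string]*Schema
	AllOf      []*Schema
}

// flattener tracks every node that has been flattened or is currently being
// flattened (pointer dedup plus in-flight map), so a schema that refers back
// to itself maps to the same output node instead of recursing forever.
type flattener struct {
	done   map[*Schema]*Schema    // original node -> flattened node
	merged map[[2]*Schema]*Schema // pair of property schemas -> merged result
}

// FlattenAllOf returns a copy of s with every allOf merged into the parent.
// The input is left untouched.
func FlattenAllOf(s *Schema) *Schema {
	f := &flattener{done: map[*Schema]*Schema{}, merged: map[[2]*Schema]*Schema{}}
	return f.flatten(s)
}

func (f *flattener) flatten(s *Schema) *Schema {
	if s == nil {
		return nil
	}
	if out, ok := f.done[s]; ok {
		// Already flattened, or in flight further up the stack: reuse the
		// output node, which is what preserves the cyclic link.
		return out
	}
	out := &Schema{Type: s.Type, Properties: map[string]*Schema{}}
	f.done[s] = out // register BEFORE recursing into children
	for name, p := range s.Properties {
		out.Properties[name] = f.flatten(p)
	}
	for _, sub := range s.AllOf {
		fs := f.flatten(sub)
		if out.Type == "" {
			out.Type = fs.Type
		}
		for name, p := range fs.Properties {
			out.Properties[name] = f.mergeProps(out.Properties[name], p)
		}
	}
	return out
}

// mergeProps merges two already-flattened property schemas. The pair map
// guards this second recursion site against distinct-but-cyclic schemas.
func (f *flattener) mergeProps(a, b *Schema) *Schema {
	if a == nil || a == b {
		return b
	}
	if b == nil {
		return a
	}
	key := [2]*Schema{a, b}
	if out, ok := f.merged[key]; ok {
		return out
	}
	out := &Schema{Type: a.Type, Properties: map[string]*Schema{}}
	f.merged[key] = out
	if out.Type == "" {
		out.Type = b.Type
	}
	for name, p := range a.Properties {
		out.Properties[name] = p
	}
	for name, p := range b.Properties {
		out.Properties[name] = f.mergeProps(out.Properties[name], p)
	}
	return out
}

func main() {
	// Constructed input: both allOf branches point "next" back at the node.
	node := &Schema{Type: "object"}
	node.AllOf = []*Schema{
		{Properties: map[string]*Schema{"next": node}},
		{Properties: map[string]*Schema{"next": node}},
	}
	out := FlattenAllOf(node)
	fmt.Println("cycle preserved:", out.Properties["next"] == out)
}
```

The security-relevant property is the absence of a depth limit: a spec fed to a diff step in CI should not be able to crash the tool by referencing itself, and the guard costs one map lookup per node rather than a recursion budget that a larger cycle could still exceed.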
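The "OpenAPI 3.1 keywords in flatten/allOf" notes (#888, #902) make a claim worth checking rather than taking on faith: merging `contains` across allOf siblings over-constrains, merging `propertyNames` does not, and in neither case does the flattened spec accept something the original rejects. The Go program below is an added example, not part of oasdiff, that models each subschema as a plain predicate (an assumption; real subschemas carry more structure) and evaluates both the original and the flattened form over constructed inputs. `ContainsOverconstrained` collects inputs the original accepts but the flattened form rejects; `ContainsUnsound` collects the reverse and should always be empty.

```go
package main

import "fmt"

// Pred is a minimal stand-in for a JSON Schema subschema, reduced to a
// predicate on one value. Assumption made for the example only.
type Pred[T any] func(T) bool

// Merge models the allOf merge of two subschemas: a value must satisfy both.
func Merge[T any](x, y Pred[T]) Pred[T] {
	return func(v T) bool { return x(v) && y(v) }
}

func anyMatch[T any](vals []T, p Pred[T]) bool {
	for _, v := range vals {
		if p(v) {
			return true
		}
	}
	return false
}

func allMatch[T any](vals []T, p Pred[T]) bool {
	for _, v := range vals {
		if !p(v) {
			return false
		}
	}
	return true
}

// ContainsOriginal evaluates allOf: [{contains: X}, {contains: Y}].
// Each contains is existential on its own, so X and Y may be satisfied by
// different items of the array.
func ContainsOriginal[T any](arr []T, subs ...Pred[T]) bool {
	for _, p := range subs {
		if !anyMatch(arr, p) {
			return false
		}
	}
	return true
}

// ContainsFlattened evaluates contains: Merge(X, Y), which demands a single
// item satisfying both X and Y.
func ContainsFlattened[T any](arr []T, x, y Pred[T]) bool {
	return anyMatch(arr, Merge(x, y))
}

// PropertyNamesOriginal evaluates allOf: [{propertyNames: X}, {propertyNames: Y}]:
// every key must satisfy each subschema.
func PropertyNamesOriginal[T any](keys []T, subs ...Pred[T]) bool {
	for _, p := range subs {
		if !allMatch(keys, p) {
			return false
		}
	}
	return true
}

// PropertyNamesFlattened evaluates propertyNames: Merge(X, Y).
func PropertyNamesFlattened[T any](keys []T, x, y Pred[T]) bool {
	return allMatch(keys, Merge(x, y))
}

// ContainsOverconstrained returns inputs the original accepts but the
// flattened form rejects: the documented over-constraint.
func ContainsOverconstrained[T any](inputs [][]T, x, y Pred[T]) [][]T {
	var out [][]T
	for _, in := range inputs {
		if ContainsOriginal(in, x, y) && !ContainsFlattened(in, x, y) {
			out = append(out, in)
		}
	}
	return out
}

// ContainsUnsound returns inputs the flattened form accepts but the original
// rejects. For a correct merge this is always empty.
func ContainsUnsound[T any](inputs [][]T, x, y Pred[T]) [][]T {
	var out [][]T
	for _, in := range inputs {
		if ContainsFlattened(in, x, y) && !ContainsOriginal(in, x, y) {
			out = append(out, in)
		}
	}
	return out
}

// PropertyNamesFaithful reports whether original and flattened agree on every input.
func PropertyNamesFaithful[T any](inputs [][]T, x, y Pred[T]) bool {
	for _, in := range inputs {
		if PropertyNamesOriginal(in, x, y) != PropertyNamesFlattened(in, x, y) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed subschemas: X = "even", Y = "> 10".
	var even Pred[int] = func(v int) bool { return v%2 == 0 }
	var big Pred[int] = func(v int) bool { return v > 10 }
	arrays := [][]int{{4, 11}, {12}, {3, 5}, {}}
	fmt.Println("over-constrained:", ContainsOverconstrained(arrays, even, big)) // [[4 11]]
	fmt.Println("unsound:", ContainsUnsound(arrays, even, big))                   // []
}
```

For breaking-change detection the direction of the error matters: a flattened schema that is stricter than the original can at worst report a spurious breaking change, while one that is looser could hide a real one.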
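Both the v1.16 notes and the v1.15.2 highlights describe the Change.Fingerprint change (#892): hashing the structured rule arguments instead of the rendered message so that a template edit or locale switch does not invalidate stored fingerprints. The following Go program is an added example, not oasdiff's implementation; the `Change` type, the `Render` helper, the JSON canonical encoding and the three message templates are assumptions constructed to show the difference between the fragile and the stable scheme. Only the 12-character length comes from the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Change is an illustrative stand-in for one checker finding: the rule id and
// the structured values the message is rendered from. Not oasdiff's own type.
type Change struct {
	ID     string   `json:"id"`
	Method string   `json:"method"`
	Path   string   `json:"path"`
	Args   []string `json:"args"` // values substituted into the template, in order
}

// Render fills a message template with the change's values: Args first, then
// method and path. Templates are constructed for the example.
func Render(tmpl string, c Change) string {
	vals := make([]any, 0, len(c.Args)+2)
	for _, a := range c.Args {
		vals = append(vals, a)
	}
	vals = append(vals, c.Method, c.Path)
	return fmt.Sprintf(tmpl, vals...)
}

// short truncates a SHA-256 digest to 12 hex characters.
func short(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])[:12]
}

// FingerprintFromText is the fragile scheme: any copy edit or locale switch
// changes the rendered text and therefore the fingerprint.
func FingerprintFromText(tmpl string, c Change) string {
	return short([]byte(Render(tmpl, c)))
}

// FingerprintFromArgs hashes a canonical encoding of the structured fields
// only. encoding/json emits struct fields in declaration order, so the bytes
// are stable for a given Change regardless of which template renders it.
func FingerprintFromArgs(c Change) string {
	enc, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for plain string fields
	}
	return short(enc)
}

func main() {
	c := Change{ID: "request-property-removed", Method: "POST", Path: "/pets", Args: []string{"name"}}
	en := "removed the request property '%s' from %s %s"
	enEdited := "removed the request property `%s` from %s %s" // quote style changed, as in #836
	fr := "propriété de requête `%s` supprimée de %s %s"     // locale switch
	for _, t := range []string{en, enEdited, fr} {
		fmt.Printf("text=%s args=%s  %s\n", FingerprintFromText(t, c), FingerprintFromArgs(c), Render(t, c))
	}
}
```

If a downstream system uses stored fingerprints to acknowledge or suppress known breaking changes, the fragile scheme fails open as well as closed: a copy edit re-flags acknowledged changes, and a suppression list keyed on old values silently stops matching. That is why the page calls the switch a one-way migration that needs a one-shot cleanup of stored records.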

@Infra-Workleap Workleap IT (Infra-Workleap) requested a review from a team as a code owner May 23, 2026 06:51
Copilot AI review requested due to automatic review settings May 23, 2026 06:51
@Infra-Workleap

Contributor Author

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

Copilot AI left a comment


Pull request overview

This PR bumps the bundled OasDiff CLI version used by the MSBuild task to keep OpenAPI diffing behavior up to date.

Changes:

  • Update the pinned Tufin/oasdiff version from 1.12.4 to 1.15.3 for the downloaded CLI binary.

@@ -7,7 +7,7 @@ internal sealed class OasdiffManager : IOasdiffManager
{
// If the line below changes, make sure to update the corresponding regex on the renovate.json file
// Do not upgrade to v2.x as it is an older version with breaking changes
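Review bot: the hunk as shown ends at the "Do not upgrade to v2.x" comment and contains only context lines, so the edited version line itself is not visible here; confirm that the new value matches the PR title (v1.20.1) rather than the 1.15.3 the overview text still mentions, and that the regex in renovate.json referred to by the first comment still matches the line after the change. Since this value selects which CLI binary is downloaded, consider carrying an expected checksum next to the version so a bump cannot silently swap in a different artifact.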
@Infra-Workleap Workleap IT (Infra-Workleap) changed the title chore(deps): update dependency tufin/oasdiff to v1.15.3 chore(deps): update dependency tufin/oasdiff to v1.17.0 Jun 6, 2026
@Infra-Workleap Workleap IT (Infra-Workleap) changed the title chore(deps): update dependency tufin/oasdiff to v1.17.0 chore(deps): update dependency tufin/oasdiff to v1.18.1 Jun 7, 2026
@Infra-Workleap Workleap IT (Infra-Workleap) changed the title chore(deps): update dependency tufin/oasdiff to v1.18.1 chore(deps): update dependency tufin/oasdiff to v1.18.4 Jun 13, 2026
@Infra-Workleap Workleap IT (Infra-Workleap) changed the title chore(deps): update dependency tufin/oasdiff to v1.18.4 chore(deps): update dependency tufin/oasdiff to v1.19.0 Jun 20, 2026
@Infra-Workleap Workleap IT (Infra-Workleap) changed the title chore(deps): update dependency tufin/oasdiff to v1.19.0 chore(deps): update dependency tufin/oasdiff to v1.19.1 Jun 27, 2026
@Infra-Workleap Workleap IT (Infra-Workleap) changed the title chore(deps): update dependency tufin/oasdiff to v1.19.1 chore(deps): update dependency tufin/oasdiff to v1.20.1 Jul 4, 2026
2 participants