
chore: bump github.com/oasdiff/oasdiff from 1.16.0 to 1.18.1 in /tools/cli#1296

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/tools/cli/github.com/oasdiff/oasdiff-1.18.1

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026


Bumps github.com/oasdiff/oasdiff from 1.16.0 to 1.18.1.

Release notes

Sourced from github.com/oasdiff/oasdiff's releases.

v1.18.1

What's changed

Patch release focused on --allow-external-refs handling.

  • --allow-external-refs=false is now honored on the git-revision input path (#974). Previously the setting was enforced when loading specs from files and URLs, but a spec loaded via the rev:path git form could still resolve external $refs. The behavior is now consistent across all input forms; intra-repository relative $refs continue to resolve via git show and are unaffected.
  • Dedicated exit code for a refused external $ref (#975). When --allow-external-refs=false blocks an external reference, oasdiff now exits with code 123 (distinct from the generic load-failure code 102), so tooling can detect this specific case by exit code rather than by parsing the error message.

Security

This release fixes GHSA-2jcc-mxv7-p3f9. Before v1.18.1, --allow-external-refs=false was not enforced on the git-revision input path (rev:path), so external $refs could still be resolved there when processing untrusted specs (SSRF / local file read). See the advisory for impact, affected versions, and workarounds.

No changes to diff/breaking/changelog output. The --allow-external-refs default is unchanged (true).

Full Changelog: oasdiff/oasdiff@v1.18.0...v1.18.1

v1.18.0

Annotation-only allOf false-positive fixed, --open mode-aware filtering, and the media-type walker migration completes

The user-visible headline is in breaking: adding an allOf subschema whose body is only annotation keywords no longer flags as a breaking change. Under the hood, the media-type walker migration that started in PRs #940–#952 finishes in this release; every checker that operates on request- or response-body schemas now runs through one uniform shape.

CLI changes

Detection rules

  • Annotation-only allOf additions are no longer reported as breaking (#964). Adding an allOf subschema whose body is only annotation keywords (title, description, examples, default, externalDocs, $comment) does not reject any previously-valid instance, so it is not a wire-contract change. Per the "Diff is Schema-Shape, Breaking is Wire-Contract" split, oasdiff diff continues to surface the structural addition unchanged, while oasdiff breaking no longer fails CI gates with --fail-on WARN on what is purely a documentation edit. oasdiff changelog still records the change at INFO under eight new check IDs covering the request × response × body × property × add × remove matrix (e.g. request-body-all-of-added-annotation-only), so audit-trail consumers see the document-level change instead of it silently disappearing. Constraint-bearing allOf additions, and mixed sets that contain at least one constraint-bearing subschema, still fire at their original severities. Motivated by OAS discussion #3793 (handrews).

--open flag

  • oasdiff breaking --open now filters the rendered page to breaking-only (#958). The web view previously showed every change including INFO regardless of which subcommand opened it, which did not match the visitor's terminal output. The CLI now forwards mode=breaking or mode=changelog as a form field on the upload, and the rendered page filters severity to match. Backward compatible in both directions: older CLI against a newer service is treated as changelog (today's behavior), and a newer CLI against an older service has the field silently ignored. Other filtering flags (--fail-on, --level, --include-checks) are still treated as interactive concerns of the web UI and remain ignored by --open.

Localization

  • Spanish, Portuguese, and Russian translations for exclusiveMinimum / exclusiveMaximum (#969). 162 message strings (54 per locale across the exclusive-min and exclusive-max families and their -description and -comment siblings) translated by extending the already-merged min / max patterns. The OpenAPI keywords exclusiveMinimum / exclusiveMaximum stay in their canonical English casing inside the translated sentence, matching the JSON Schema specification terminology and the existing convention for allOf, oneOf, anyOf, $ref. Cuts the English-identical entries per non-English locale from 302 to 248.

Docs

  • docs/GIT-DIFF-DRIVER heading typo fix (#959). One section title said "GET" (autocorrect from "cat"), with no referent in the body. Now reads correctly. The git-diff-driver subcommand itself shipped in v1.17.0.

Internal cleanup: media-type walker migration completes

The migration introduced by #940 moved per-checker path → operation → requestBody|response → content → mediaType → schema traversal boilerplate into a single helper. This release lands the final seven batches and removes the last in-scope checkers from the queue:

  • #960 — enum families (request × add/remove, response × add/remove)
  • #961 — numeric constraints (min / max value, min / max length, set / decreased / increased)
  • #962 — became_required / became_optional response pair
  • #963 — deprecation pair (request + response)
  • #970 — write-only / read-only triplet (request property + response optional + response required)
  • #971 — contains pair
  • #972 — generic property-updated pair

... (truncated)

Commits
  • e84c5ad load: typed ExternalRefError + dedicated exit code 123 (#975)
  • c01d48d fix: honor --allow-external-refs on the git-revision load path (#974)
  • 6eb6614 Merge pull request #973 from oasdiff/docs/bump-action-v0.0.50
  • 18229aa docs: bump oasdiff-action references to v0.0.50
  • 4717d44 Merge pull request #972 from oasdiff/checker/walker-migration-property-update...
  • 30dce29 checker: migrate property-updated pair to the media-type walker (PR-16 of #936)
  • 1ffdcf9 Merge pull request #971 from oasdiff/checker/walker-migration-contains-pair
  • 21a803f Merge pull request #970 from oasdiff/checker/walker-migration-readonly-writeonly
  • 16e711c checker: migrate contains pair to the media-type walker (PR-15 of #936)
  • 94a405d checker: migrate write-only / read-only triplet to the media-type walker (PR-...
  • Additional commits viewable in compare view
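The --allow-external-refs policy the release notes describe, as an added Python example (not oasdiff's own code, which is Go): walk a parsed OpenAPI document, classify every $ref as local, file or URL, refuse the external ones when the policy is off, and map a refusal to the dedicated exit code 123 the notes give. The function names, the ExternalRefError class (named after the description of commit e84c5ad) and the sample spec are assumptions constructed for this example; the point is that the same check has to run on every input form, including rev:path, which is the gap #974 closed.

```python
from urllib.parse import urlsplit

EXIT_EXTERNAL_REF_REFUSED = 123  # exit code stated in the v1.18.1 release notes


class ExternalRefError(Exception):
    """A $ref that would leave the document (remote URL or file path)."""


def classify_ref(ref: str) -> str:
    """'local' for '#/...' fragments, 'url' for scheme://host/..., else 'file'."""
    if ref.startswith("#"):
        return "local"
    parts = urlsplit(ref)
    return "url" if parts.scheme and parts.netloc else "file"


def iter_refs(node, path=""):
    """Yield (location, target) for every $ref in the parsed spec (assumed helper)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield f"{path}/{key}", value
            else:
                yield from iter_refs(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_refs(item, f"{path}/{i}")


def check_spec(doc, allow_external_refs: bool) -> list:
    """Return the external refs found; raise when the policy forbids them."""
    external = [(p, r) for p, r in iter_refs(doc) if classify_ref(r) != "local"]
    if external and not allow_external_refs:
        pointer, target = external[0]
        raise ExternalRefError(f"refused external $ref at {pointer}: {target}")
    return external


def load_exit_code(doc, allow_external_refs: bool) -> int:
    """Exit code a CI wrapper can key on instead of parsing the error text."""
    try:
        check_spec(doc, allow_external_refs)
    except ExternalRefError:
        return EXIT_EXTERNAL_REF_REFUSED
    return 0


# Constructed untrusted spec: one local ref, one relative file ref, one remote URL ref.
SAMPLE = {
    "paths": {"/pets": {"get": {"responses": {"200": {"content": {
        "application/json": {"schema": {"$ref": "#/components/schemas/Pet"}}}}}}}},
    "components": {"schemas": {"Pet": {"allOf": [{"$ref": "common.yaml#/Base"},
                                                  {"$ref": "https://example.com/schemas/extra.json"}]}}},
}
```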

@dependabot dependabot Bot added the dependencies and go labels Jun 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 4, 2026 00:49
@dependabot dependabot Bot requested a review from wtrocki June 4, 2026 00:49
@dependabot dependabot Bot added the dependencies label Jun 4, 2026
@dependabot dependabot Bot added the go label Jun 4, 2026
Bumps [github.com/oasdiff/oasdiff](https://github.com/oasdiff/oasdiff) from 1.16.0 to 1.18.1.
- [Release notes](https://github.com/oasdiff/oasdiff/releases)
- [Changelog](https://github.com/oasdiff/oasdiff/blob/main/docs/CHANGELOG-TEMPLATE.md)
- [Commits](oasdiff/oasdiff@v1.16.0...v1.18.1)

---
updated-dependencies:
- dependency-name: github.com/oasdiff/oasdiff
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/tools/cli/github.com/oasdiff/oasdiff-1.18.1 branch from 7fe7a46 to a9872f7 June 4, 2026 08:57

dependabot Bot commented on behalf of github Jun 9, 2026


Superseded by #1303.

@dependabot dependabot Bot closed this Jun 9, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/tools/cli/github.com/oasdiff/oasdiff-1.18.1 branch June 9, 2026 21:53