chore(deps): update dependency oasdiff/oasdiff to v1.18.1 #103

Open
renovate[bot] wants to merge 1 commit into master from renovate/oasdiff-oasdiff-1.x

@renovate renovate Bot commented May 31, 2026

This PR contains the following updates:

Package | Update | Change | Pending
oasdiff/oasdiff | minor | 1.16.0 → 1.18.1 | v1.18.3 (+1)

Release Notes

oasdiff/oasdiff (oasdiff/oasdiff)

v1.18.1

What's changed

Patch release focused on --allow-external-refs handling.

  • --allow-external-refs=false is now honored on the git-revision input path (#​974). Previously the setting was enforced when loading specs from files and URLs, but a spec loaded via the rev:path git form could still resolve external $refs. The behavior is now consistent across all input forms; intra-repository relative $refs continue to resolve via git show and are unaffected.
  • Dedicated exit code for a refused external $ref (#​975). When --allow-external-refs=false blocks an external reference, oasdiff now exits with code 123 (distinct from the generic load-failure code 102), so tooling can detect this specific case by exit code rather than by parsing the error message.

Security

This release fixes GHSA-2jcc-mxv7-p3f9. Before v1.18.1, --allow-external-refs=false was not enforced on the git-revision input path (rev:path), so external $refs could still be resolved there when processing untrusted specs (SSRF / local file read). See the advisory for impact, affected versions, and workarounds.

No changes to diff/breaking/changelog output. The --allow-external-refs default is unchanged (true).

Full Changelog: oasdiff/oasdiff@v1.18.0...v1.18.1

v1.18.0

Annotation-only allOf false-positive fixed, --open mode-aware filtering, and the media-type walker migration completes

The user-visible headline is in breaking: adding an allOf subschema whose body is only annotation keywords no longer flags as a breaking change. Under the hood, the media-type walker migration that started in PRs #940–#952 finishes in this release; every checker that operates on request- or response-body schemas now runs through one uniform shape.

CLI changes

Detection rules

  • Annotation-only allOf additions are no longer reported as breaking (#​964). Adding an allOf subschema whose body is only annotation keywords (title, description, examples, default, externalDocs, $comment) does not reject any previously-valid instance, so it is not a wire-contract change. Per the "Diff is Schema-Shape, Breaking is Wire-Contract" split, oasdiff diff continues to surface the structural addition unchanged, while oasdiff breaking no longer fails CI gates with --fail-on WARN on what is purely a documentation edit. oasdiff changelog still records the change at INFO under eight new check IDs covering the request × response × body × property × add × remove matrix (e.g. request-body-all-of-added-annotation-only), so audit-trail consumers see the document-level change instead of it silently disappearing. Constraint-bearing allOf additions, and mixed sets that contain at least one constraint-bearing subschema, still fire at their original severities. Motivated by OAS discussion #​3793 (handrews).

--open flag

  • oasdiff breaking --open now filters the rendered page to breaking-only (#​958). The web view previously showed every change including INFO regardless of which subcommand opened it, which did not match the visitor's terminal output. The CLI now forwards mode=breaking or mode=changelog as a form field on the upload, and the rendered page filters severity to match. Backward compatible in both directions: older CLI against a newer service is treated as changelog (today's behavior), and a newer CLI against an older service has the field silently ignored. Other filtering flags (--fail-on, --level, --include-checks) are still treated as interactive concerns of the web UI and remain ignored by --open.

Localization

  • Spanish, Portuguese, and Russian translations for exclusiveMinimum / exclusiveMaximum (#​969). 162 message strings (54 per locale across the exclusive-min and exclusive-max families and their -description and -comment siblings) translated by extending the already-merged min / max patterns. The OpenAPI keywords exclusiveMinimum / exclusiveMaximum stay in their canonical English casing inside the translated sentence, matching the JSON Schema specification terminology and the existing convention for allOf, oneOf, anyOf, $ref. Cuts the English-identical entries per non-English locale from 302 to 248.

Docs

  • docs/GIT-DIFF-DRIVER heading typo fix (#​959). One section title said "GET" (autocorrect from "cat"), with no referent in the body. Now reads correctly. The git-diff-driver subcommand itself shipped in v1.17.0.

Internal cleanup: media-type walker migration completes

The migration introduced by #​940 moved per-checker path → operation → requestBody|response → content → mediaType → schema traversal boilerplate into a single helper. This release lands the final seven batches and removes the last in-scope checkers from the queue:

  • #​960 — enum families (request × add/remove, response × add/remove)
  • #​961 — numeric constraints (min / max value, min / max length, set / decreased / increased)
  • #962 — became_required / became_optional response pair
  • #963 — deprecation pair (request + response)
  • #970 — write-only / read-only triplet (request property + response optional + response required)
  • #971 — contains pair
  • #​972 — generic property-updated pair

Roughly 1300 lines net removed across the full series. Per-checker function shape is now uniform; new checks added in the future drop into the same shape. No behaviour change for users — checks emit the same change IDs at the same severities. The remaining unmigrated checkers all operate on parameters / headers and would need a separate parameter walker; that work is tracked separately and is not in this release.


Auto-changelog below.

v1.17.0

Two new CLI surfaces (git-diff-driver, --open), header-default flip, walker foundation

This release adds two ways to see OpenAPI changes outside the terminal. oasdiff git-diff-driver turns git log --patch and git diff into a human-readable changelog, and a new --open flag on changelog and breaking uploads the comparison to oasdiff.com and opens a side-by-side review in your browser. Both work against any spec in any git repo, public or private. Also: a default flip for header comparison, plus a foundation refactor (media-type walker) that shipped behind the scenes.

CLI changes

New subcommands and flags

  • New git-diff-driver subcommand (#​954, inspired by Jamie Tanna's post). Wire oasdiff into git as an external diff driver, and git log --patch --ext-diff renders a human-readable OpenAPI changelog inline instead of a raw YAML text diff. Two config lines:
    git config diff.oasdiff.command "oasdiff git-diff-driver"
    echo "openapi.yaml diff=oasdiff" >> .gitattributes
    
    Added (root commit) and removed cases are handled inline; source labels use the short blob hash plus path (e.g. abc1234:openapi.yaml) instead of git's tempfile paths. Full setup in docs/GIT-DIFF-DRIVER.md.
  • New --open flag on changelog and breaking (#​955, #​956). After printing the changelog, uploads the comparison to oasdiff.com and opens the rendered side-by-side review in your browser. First run signs in with GitHub (minimal scopes, no repo access) and stores a token locally; subsequent runs skip. The resulting URL is shareable for 7 days, so reviewers can open it without installing the CLI themselves. Filtering and presentation flags (--fail-on, --format, etc.) apply only to terminal output; semantic flags (--flatten-params, --match-inline-refs, etc.) are forwarded to the web review so it matches what you saw locally.

Detection rules

  • --case-insensitive-headers now defaults to true (#​939). HTTP header names are case-insensitive per RFC 7230; oasdiff has supported the case-insensitive comparison via flag since v1.x, but the default until now was case-sensitive, so a change between Content-Type and content-type was still flagged as breaking. The default flips to case-insensitive in this release. Pass --case-insensitive-headers=false to opt back into the previous behavior.
  • Inline-equivalent and $ref-equivalent subschemas now match (#​938, plus an earlier round in #​930, thanks @​kesha1225). Refactoring an inline schema to a $ref of an equivalent component, or vice versa, no longer produces false "removed subschema" / "added subschema" findings on anyOf / oneOf. The matcher recognizes structurally-equivalent variants regardless of which form they're written in.
  • Nullable source-attachment fixed for response-property pairs (#​945). The response-property-became-nullable / -not-nullable changes had asymmetric source-location attachment between matched-pair directions; both sides now attach to the property location consistently.

changelog / breaking output

  • Empty-changelog output suggests oasdiff diff (#​946). When oasdiff changelog or breaking finds no significant differences but the underlying diff has document-level changes (info.contact edits, etc.), the CLI hints to try oasdiff diff for the full document-level view. JSON / YAML output also surfaces this via a top-level diff_empty field.

Misc

  • ERRORS.md is linked from the validate command's help and error output (#​934).
  • Docs reference oasdiff-action v0.0.48 in workflow examples (#​935).

Go package changes

Public validate package

  • New github.com/oasdiff/oasdiff/validate package (#​944). The spec-validation logic the validate subcommand uses is now an independent package; library callers can import it directly without going through the CLI. validate.Validate(spec, sourcePath) returns a Findings list (each with a stable rule ID, severity, message, and origin when the loader provides line / column info).

Media-type walker foundation

  • New media-type walker reusable across checkers (#​940, with batched checker migrations in #​941, #​942, #​943, #​945, #​947, #​948, #​949, #​951, #​952). Replaces the prior per-checker traversal idioms with a single shared walker over OpenAPI media types and properties. No user-visible behavior change in the common case; the refactor exposed and fixed a handful of latent asymmetries (e.g. the nullable-source attachment in #​945). Callers extending oasdiff with their own checks can now reuse the same walker shape.

Loader: blob-hash git refs

  • <ref>:<path> syntax now accepts blob SHAs in addition to commit / tag refs (#​954). Required by git-diff-driver because git's external-diff protocol passes blob hashes, not commit refs. Existing commit / tag / branch ref behavior is unchanged.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
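
A CI gate built on the v1.18.1 notes above, as an added example (not part of this PR or of oasdiff): it refuses to rely on --allow-external-refs=false on a binary older than 1.18.1 and separates exit code 123 from the generic 102. OASDIFF_BIN, FIXED_IN and the function names are hypothetical, and the `--version` output format is an assumption.

```shell
#!/bin/sh
# Added example (not oasdiff's or the PR's code). Hypothetical names:
# OASDIFF_BIN, FIXED_IN, version_ge, gate_spec. Assumption: "--version"
# prints a line containing the x.y.z version.

FIXED_IN="1.18.1"   # per the release notes: rev:path inputs honor the flag from here

# version_ge A B: succeed when x.y.z version A is >= B (numeric compare).
version_ge() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# gate_spec BASE REVISION: compare two specs with external $refs disabled.
# Prints a verdict and returns oasdiff's exit status (2 if the version check fails).
gate_spec() {
    bin=${OASDIFF_BIN:-oasdiff}
    ver=$("$bin" --version 2>/dev/null |
          sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    # Before FIXED_IN the flag was not enforced on git-revision inputs, so a
    # "clean" run on an older binary says nothing about external $refs.
    if [ -z "$ver" ] || ! version_ge "$ver" "$FIXED_IN"; then
        echo "refused: oasdiff ${ver:-unknown} predates $FIXED_IN"
        return 2
    fi
    status=0
    "$bin" breaking --allow-external-refs=false "$1" "$2" >/dev/null 2>&1 || status=$?
    case "$status" in
        0)   echo "pass" ;;
        123) echo "blocked-external-ref" ;;  # spec tried to pull an external $ref
        102) echo "load-failure" ;;          # generic load failure, not the refusal
        *)   echo "failed:$status" ;;
    esac
    return "$status"
}
```

In a pipeline this would be called as `gate_spec origin/main:openapi.yaml HEAD:openapi.yaml` (constructed paths), with the `blocked-external-ref` verdict routed to review rather than handled as an ordinary failure.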

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 31, 2026
@github-actions

Upstream OpenAPI spec

API Changelog v1 vs. v1

No changes detected

@github-actions

The OpenAPI spec, once overlay.yaml is applied to it, has the following changes.
Where possible, rootly-go maintainers should review this and reduce breaking changes where possible.

API Changelog v1 vs. v1

No changes detected

@renovate renovate Bot force-pushed the renovate/oasdiff-oasdiff-1.x branch from 47ac43a to efa376a Compare June 3, 2026 21:49
@renovate renovate Bot changed the title chore(deps): update dependency oasdiff/oasdiff to v1.17.0 chore(deps): update dependency oasdiff/oasdiff to v1.18.1 Jun 3, 2026