
v0.0.51


@reuvenharrison reuvenharrison released this 31 May 05:03
· 47 commits to main since this release
f30668f

What's changed

The actions now default to allow-external-refs: false. Because CI typically runs on untrusted pull requests (including from forks), external $refs in a spec are no longer resolved by default. Specs loaded via the recommended git-ref form (base: 'origin/main:openapi.yaml') — single- or multi-file — are unaffected, since intra-repository $refs resolve via git show.

Opt back in with allow-external-refs: true on the step only if your spec references external URLs, or if you load a split multi-file spec by plain file path rather than in the git-ref form. Do this only in workflows that never run on untrusted spec content (fork PRs in particular), since it restores the pre-v0.0.51 behaviour. The new allow-external-refs input is available on all five actions (breaking, changelog, diff, pr-comment, validate).
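As an added example (not from these release notes or the oasdiff-action project), here is a pull_request workflow in the recommended git-ref form, with the opt-in variant shown commented out. The action path oasdiff/oasdiff-action/breaking, the revision input, the use of HEAD: for the PR side, and the spec path openapi.yaml are assumptions for illustration; the only inputs the notes themselves name are base and allow-external-refs.

```yaml
# Added example, not the project's own workflow. Assumed: the action path
# oasdiff/oasdiff-action/breaking, the `revision` input, and that the
# git-ref form accepts HEAD:<path> as well as origin/main:<path>.
name: API breaking changes

on:
  pull_request:

permissions:
  contents: read

jobs:
  breaking:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so `git show origin/main:openapi.yaml` can find the
          # base spec and any intra-repository $refs it points at.
          fetch-depth: 0

      # Hardened form: both sides are read from git, so intra-repo $refs
      # resolve via `git show` and external $refs stay disabled.
      - uses: oasdiff/oasdiff-action/breaking@v0.0.51
        with:
          base: 'origin/main:openapi.yaml'
          # HEAD is the PR merge commit that actions/checkout produces on
          # pull_request events (assumption: git-ref form accepts HEAD:).
          revision: 'HEAD:openapi.yaml'
          # Default since v0.0.51; stated explicitly for readers of the workflow.
          allow-external-refs: false

      # Opt-in form: only when the spec genuinely needs external URLs, or a
      # split multi-file spec is loaded by plain path, and only in workflows
      # that never run on untrusted (fork) PR content.
      # - uses: oasdiff/oasdiff-action/breaking@v0.0.51
      #   with:
      #     base: 'specs/openapi.yaml'
      #     revision: 'specs/openapi.yaml'
      #     allow-external-refs: true
```

The fetch-depth: 0 on checkout is the part most often missed: with the default shallow clone, origin/main is not present and the git-ref form fails with a "bad reference" error rather than silently falling back to a file path.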

Failures now surface as PR annotations. A genuine oasdiff error (unreadable spec, bad reference, …) is shown as a ::error:: annotation on the Checks tab rather than only in the raw log, with a one-line remedy when it's caused by a disallowed external $ref.

Security

This release fixes GHSA-fhj3-7267-7vv5. Before v0.0.51 the actions resolved external $refs by default, which on pull requests carrying untrusted spec content (notably fork PRs on public repositories) enabled server-side request forgery (SSRF) from the runner and disclosure of structured files on the runner. Defaulting allow-external-refs to false closes this. See the advisory for impact and workarounds.

Runs on oasdiff v1.18.1.

Full Changelog: v0.0.50...v0.0.51