fix(deps): update module github.com/oasdiff/oasdiff to v1.18.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/oasdiff/oasdiff	v1.11.4 → v1.18.1

---

Release Notes

oasdiff/oasdiff (github.com/oasdiff/oasdiff)

v1.18.1

Compare Source

What's changed

Patch release focused on --allow-external-refs handling.

• --allow-external-refs=false is now honored on the git-revision input path (#​974). Previously the setting was enforced when loading specs from files and URLs, but a spec loaded via the rev:path git form could still resolve external $refs. The behavior is now consistent across all input forms; intra-repository relative $refs continue to resolve via git show and are unaffected.
• Dedicated exit code for a refused external $ref (#​975). When --allow-external-refs=false blocks an external reference, oasdiff now exits with code 123 (distinct from the generic load-failure code 102), so tooling can detect this specific case by exit code rather than by parsing the error message.

No changes to diff/breaking/changelog output. The --allow-external-refs default is unchanged (true).

Full Changelog: oasdiff/oasdiff@v1.18.0...v1.18.1

v1.18.0

Compare Source

Annotation-only allOf false-positive fixed, --open mode-aware filtering, and the media-type walker migration completes

The user-visible headline is in breaking: adding an allOf subschema whose body is only annotation keywords no longer flags as a breaking change. Under the hood, the media-type walker migration that started in PRs #​940–#​952 finishes in this release; every checker that operates on request- or response-body schemas now runs through one uniform shape.

CLI changes

Detection rules

• Annotation-only allOf additions are no longer reported as breaking (#​964). Adding an allOf subschema whose body is only annotation keywords (title, description, examples, default, externalDocs, $comment) does not reject any previously-valid instance, so it is not a wire-contract change. Per the "Diff is Schema-Shape, Breaking is Wire-Contract" split, oasdiff diff continues to surface the structural addition unchanged, while oasdiff breaking no longer fails CI gates with --fail-on WARN on what is purely a documentation edit. oasdiff changelog still records the change at INFO under eight new check IDs covering the request × response × body × property × add × remove matrix (e.g. request-body-all-of-added-annotation-only), so audit-trail consumers see the document-level change instead of it silently disappearing. Constraint-bearing allOf additions, and mixed sets that contain at least one constraint-bearing subschema, still fire at their original severities. Motivated by OAS discussion #​3793 (handrews).

--open flag

• oasdiff breaking --open now filters the rendered page to breaking-only (#​958). The web view previously showed every change including INFO regardless of which subcommand opened it, which did not match the visitor's terminal output. The CLI now forwards mode=breaking or mode=changelog as a form field on the upload, and the rendered page filters severity to match. Backward compatible in both directions: older CLI against a newer service is treated as changelog (today's behavior), and a newer CLI against an older service has the field silently ignored. Other filtering flags (--fail-on, --level, --include-checks) are still treated as interactive concerns of the web UI and remain ignored by --open.

Localization

• Spanish, Portuguese, and Russian translations for exclusiveMinimum / exclusiveMaximum (#​969). 162 message strings (54 per locale across the exclusive-min and exclusive-max families and their -description and -comment siblings) translated by extending the already-merged min / max patterns. The OpenAPI keywords exclusiveMinimum / exclusiveMaximum stay in their canonical English casing inside the translated sentence, matching the JSON Schema specification terminology and the existing convention for allOf, oneOf, anyOf, $ref. Cuts the English-identical entries per non-English locale from 302 to 248.

Docs

• docs/GIT-DIFF-DRIVER heading typo fix (#​959). One section title said "GET" (autocorrect from "cat"), with no referent in the body. Now reads correctly. The git-diff-driver subcommand itself shipped in v1.17.0.

Internal cleanup: media-type walker migration completes

The migration introduced by #​940 moved per-checker path → operation → requestBody|response → content → mediaType → schema traversal boilerplate into a single helper. This release lands the final seven batches and removes the last in-scope checkers from the queue:

• #​960 — enum families (request × add/remove, response × add/remove)
• #​961 — numeric constraints (min / max value, min / max length, set / decreased / increased)
• #​962 — became_required / became_optional response pair
• #​963 — deprecation pair (request + response)
• #​970 — write-only / read-only triplet (request property + response optional + response required)
• #​971 — contains pair
• #​972 — generic property-updated pair

Roughly 1300 lines net removed across the full series. Per-checker function shape is now uniform; new checks added in the future drop into the same shape. No behaviour change for users — checks emit the same change IDs at the same severities. The remaining unmigrated checkers all operate on parameters / headers and would need a separate parameter walker; that work is tracked separately and is not in this release.

---

Auto-changelog below.

v1.17.0

Compare Source

Two new CLI surfaces (git-diff-driver, --open), header-default flip, walker foundation

This release adds two ways to see OpenAPI changes outside the terminal. oasdiff git-diff-driver turns git log --patch and git diff into a human-readable changelog, and a new --open flag on changelog and breaking uploads the comparison to oasdiff.com and opens a side-by-side review in your browser. Both work against any spec in any git repo, public or private. Also: a default flip for header comparison, plus a foundation refactor (media-type walker) that shipped behind the scenes.

CLI changes

New subcommands and flags

• New git-diff-driver subcommand (#​954, inspired by Jamie Tanna's post). Wire oasdiff into git as an external diff driver, and git log --patch --ext-diff renders a human-readable OpenAPI changelog inline instead of a raw YAML text diff. Two config lines:

  git config diff.oasdiff.command "oasdiff git-diff-driver"
  echo "openapi.yaml diff=oasdiff" >> .gitattributes
  

  Added (root commit) and removed cases are handled inline; source labels use the short blob hash plus path (e.g. abc1234:openapi.yaml) instead of git's tempfile paths. Full setup in docs/GIT-DIFF-DRIVER.md.
• New --open flag on changelog and breaking (#​955, #​956). After printing the changelog, uploads the comparison to oasdiff.com and opens the rendered side-by-side review in your browser. First run signs in with GitHub (minimal scopes, no repo access) and stores a token locally; subsequent runs skip. The resulting URL is shareable for 7 days, so reviewers can open it without installing the CLI themselves. Filtering and presentation flags (--fail-on, --format, etc.) apply only to terminal output; semantic flags (--flatten-params, --match-inline-refs, etc.) are forwarded to the web review so it matches what you saw locally.

Detection rules

• --case-insensitive-headers now defaults to true (#​939). HTTP header names are case-insensitive per RFC 7230; oasdiff has supported the case-insensitive comparison via flag since v1.x, but the default until now was case-sensitive, so a change between Content-Type and content-type was still flagged as breaking. The default flips to case-insensitive in this release. Pass --case-insensitive-headers=false to opt back into the previous behavior.
• Inline-equivalent and $ref-equivalent subschemas now match (#​938, plus an earlier round in #​930, thanks @​kesha1225). Refactoring an inline schema to a $ref of an equivalent component, or vice versa, no longer produces false "removed subschema" / "added subschema" findings on anyOf / oneOf. The matcher recognizes structurally-equivalent variants regardless of which form they're written in.
• Nullable source-attachment fixed for response-property pairs (#​945). The response-property-became-nullable / -not-nullable changes had asymmetric source-location attachment between matched-pair directions; both sides now attach to the property location consistently.

changelog / breaking output

• Empty-changelog output suggests oasdiff diff (#​946). When oasdiff changelog or breaking finds no significant differences but the underlying diff has document-level changes (info.contact edits, etc.), the CLI hints to try oasdiff diff for the full document-level view. JSON / YAML output also surfaces this via a top-level diff_empty field.

Misc

• ERRORS.md is linked from the validate command's help and error output (#​934).
• Docs reference oasdiff-action v0.0.48 in workflow examples (#​935).

Go package changes

Public validate package

• New github.com/oasdiff/oasdiff/validate package (#​944). The spec-validation logic the validate subcommand uses is now an independent package; library callers can import it directly without going through the CLI. validate.Validate(spec, sourcePath) returns a Findings list (each with a stable rule ID, severity, message, and origin when the loader provides line / column info).

Media-type walker foundation

• New media-type walker reusable across checkers (#​940, with batched checker migrations in #​941, #​942, #​943, #​945, #​947, #​948, #​949, #​951, #​952). Replaces the prior per-checker traversal idioms with a single shared walker over OpenAPI media types and properties. No user-visible behavior change in the common case; the refactor exposed and fixed a handful of latent asymmetries (e.g. the nullable-source attachment in #​945). Callers extending oasdiff with their own checks can now reuse the same walker shape.

Loader: blob-hash git refs

• <ref>:<path> syntax now accepts blob SHAs in addition to commit / tag refs (#​954). Required by git-diff-driver because git's external-diff protocol passes blob hashes, not commit refs. Existing commit / tag / branch ref behavior is unchanged.

v1.16.0

Compare Source

Two new subcommands (validate, upgrade), cross-version auto-upgrade, and sharper detection

oasdiff validate checks a single spec against the OpenAPI and JSON Schema rules, oasdiff upgrade canonicalises a 3.0 spec to the latest 3.x, --auto-upgrade lets you diff across 3.0 and 3.1 specs directly, and dropping a string format constraint is no longer mis-flagged as breaking.

CLI changes

New validate subcommand

• oasdiff validate <spec> flags per-RFC OpenAPI / JSON Schema violations in a single spec (#​894). It fills the gap between the parser (which only catches load and parse errors) and style linters: invalid types, missing required fields, bad regex, unresolved $refs, version-mismatched fields, and more, each with a stable kebab-case rule ID and a file:line:column location. Findings are severity-classified (error, warning, info); -o, --fail-on {ERR|WARN|INFO} (default ERR) controls the exit code, so warnings and info are reported without failing CI unless you lower the threshold. Output is -f text (default), yaml, json, or githubactions (inline pull-request annotations plus per-severity step outputs). A load failure exits 102.

New upgrade subcommand

• oasdiff upgrade <spec> canonicalises an OpenAPI 3.0 spec to the latest 3.x (#​922). It rewrites schema-level constructs in place (nullable to a type array, boolean exclusiveMinimum / exclusiveMaximum to numeric, example to examples, and similar) and bumps the version string. The transforms are idempotent: an already-canonical spec is unchanged aside from a possible version bump.

Cross-version comparison

• --auto-upgrade on diff / breaking / changelog / summary (#​923). Canonicalises both specs to the latest 3.x before comparing, so a 3.0-vs-3.1 comparison just works instead of reporting spurious dialect-shape differences.

Detection rules

• Removing a string format constraint is a generalization, not breaking (#​928, thanks @​igavila). Dropping format from a string schema widens what is accepted, so it is no longer reported as a breaking change.

Flags

• Enum flag values are accepted case-insensitively (#​932). --fail-on warn, --level info, -f YAML, --severity error, and similar now work in any case and normalize to the canonical value. Applies to every enum flag across the commands.

Misc

• Git refs documented as a spec input (#​931). The help text for the spec arguments now mentions the ref:path form (for example main:openapi.yaml).
• ERRORS.md distinguishes load failures from spec violations (#​934) and points to oasdiff validate for a strict per-spec check.

Go package changes

Breaking: formatters.Formatter interface

• Breaking: formatters.Formatter gained a RenderValidate(findings Findings, opts RenderOpts) ([]byte, error) method (#​894). Types that embed notImplementedFormatter are unaffected (they inherit a default), but a type that implements the interface directly must add the method.

Misc

• New formatters validate API (#​894): the Finding, Findings, and Source types, the OutputValidate output kind, and ComputeFingerprint (now exported, shared by changelog and validate so a downstream tool can match findings across spec versions).
• checker.IsColorEnabled is exported (#​894), letting packages outside checker gate color on the same auto-detect plus override convention the commands use.

v1.15.3

Compare Source

Sharper breaking-change detection, hardened flatten, configurable config files

Crash fixes in the allOf flattener, an additionalProperties traversal fix that finally catches a long-missed class of breaking changes, scalar-to-array query-parameter generalization that is no longer flagged as breaking, and a richer config-file story (.oasdiff.*, --config, OASDIFF_CONFIG).

CLI changes

Detection rules

• additionalProperties is now walked when properties are added or deleted (#​895, thanks @​prostomarkeloff). Removing or adding a required property inside a dict[str, X]-style response (additionalProperties: $ref, the default shape FastAPI / Pydantic emit for typed maps) was silently invisible to oasdiff breaking. The Modified processor already recursed; Added and Deleted now do too, so response-required-property-removed / -added and request-required-property-added fire on this shape as they always should have. Strictly additive: specs that did not exercise this path see no change.
• Scalar to form/explode array on a query parameter is no longer breaking (#​915). Changing a query parameter's schema from a scalar X to an array of X is the OpenAPI 3 default-serialization (style: form, explode: true) generalization: ?color=red keeps working as a one-element array. The change is now reported as request-parameter-type-generalized at INFO level. Reverse direction (array to scalar), items-type mismatch, and path / header parameters (default simple, not form) remain breaking.

Config files

• .oasdiff.*, --config, and OASDIFF_CONFIG (#​899). The preferred default config name is now .oasdiff.{json,yaml,yml,toml,hcl} (legacy oasdiff.* still works as a fallback). A new persistent --config <path> flag and OASDIFF_CONFIG env var let you point at an explicit file, with --config winning over the env var. When either override is set the file must exist; the cwd lookup keeps its silent-skip semantics.
• Path-valued config keys resolve relative to the config file (#​901). err-ignore, warn-ignore, severity-levels, and template inside a config file now resolve relative to the config file's directory rather than the process's cwd, so --config examples/.oasdiff.yaml from the repo root finds sibling files as you'd expect. Absolute paths and CLI-supplied values are left alone.

Flatten allOf hardening

• Cyclic schemas no longer crash flatten allOf (#​909). Self-referential schemas under allOf (a node whose property points back to itself, appearing twice in the merge) used to overflow the stack. The recursion sites in mergeProps, resolveItems, resolveContains, and resolvePropertyNames are now guarded with pointer-dedup plus an in-flight cycle map, so the cyclic link is preserved in the merged output.
• multipleOf: 0 no longer panics (#​891). Two allOf siblings with multipleOf: 0 (invalid per spec, but seen in the wild) used to divide by zero in lcm(0, 0); non-positive values are now skipped.

OpenAPI 3.1 keywords in flatten/allOf

• contains is merged across allOf siblings (#​888). contains: X + contains: Y flattens to contains: Merge(X, Y). Note: contains is existential (at least one item matches), so the merged form requires one item to satisfy both X and Y rather than allowing two distinct items, an over-constraint documented in docs/ALLOF.md. The flattened spec never accepts an array the original rejects.
• propertyNames is merged across allOf siblings (#​902). propertyNames: X + propertyNames: Y flattens to propertyNames: Merge(X, Y). Unlike contains, propertyNames is universal (every name matches), so the merge is semantically faithful with no over-constraint caveat.

flatten command

• Flatten failures are no longer mis-wrapped as load failures (#​908). oasdiff flatten /tmp/spec.yaml previously printed Error: failed to load original spec from "/tmp/spec.yaml": failed to flatten allOf in "/tmp/spec.yaml": ... (file path twice, wrong outer message). The CLI now distinguishes the two via a typed *load.FlattenError, prints the cleaner Error: failed to flatten allOf in "/tmp/spec.yaml": ..., and exits with code 122 instead of the load-failure code.

Misc

• Friendlier flag-parse errors (#​919). pflag's raw strconv.ParseBool: parsing "x": invalid syntax style messages are rewritten to the flag's actual type: must be true or false for bool, must be an integer for int, must be a non-negative integer for uint, must be a number for float, must be a duration like 30s or 5m for duration. Wired once on the root command, so it propagates to every subcommand. Unrelated flag types fall through unchanged.

Go package changes

Breaking: functional options on Config types

• Breaking: checker.Config migrates to functional options (#​911). The fluent WithOptionalCheck / WithOptionalChecks / WithSeverityLevels / WithDeprecation / WithSingleCheck / WithChecks / WithAttributes chain is removed; checker.NewConfig now takes ...Option arguments. Migration is mechanical (NewConfig(...).WithX(v) becomes NewConfig(..., WithX(v))), but every caller of the package needs the rewrite. Options are now first-class values: storable, composable, and passable independently of a receiver.
• Breaking: diff.Config migrates to functional options (#​912). Same shape as checker.Config: WithExcludeElements and WithExcludeExtensions are now Option values passed to diff.NewConfig, and the chained methods are removed. Both packages now use the same idiom, so contributors don't have to remember which one uses which style.

Misc

• checker.CheckBackwardCompatibilityUntilLevel no longer mutates the caller's *diff.Diff (#​913). The pipeline used to truncate PathsDiff.Deleted / per-path OperationsDiff.Deleted, delete keys from OperationsDiff.Modified for draft / alpha operations, and insert WebhooksDiff.Modified entries into PathsDiff.Modified under "webhook:..." keys, all in-place on the input. The function now clones PathsDiff and the nested fields the pipeline writes to before running checks. Callers that read the diff after running checks now see their original input intact.
• New typed *load.FlattenError (#​908). Exposes Url and Err fields plus Unwrap(), reachable via errors.As. Lets library callers distinguish a flatten-stage failure from a load-stage failure when both can come out of load.NewSpecInfo.
• Change.Fingerprint is stable across copy edits and locale changes (#​892). The 12-char fingerprint is now computed from the structured args rather than the rendered message text, so editing a message template or switching locales no longer invalidates every previously-stored fingerprint. One-way migration: fingerprints stored under the old algorithm will not match recomputed values.

v1.15.2

Compare Source

A patch release with one downstream-impacting behavior change to Change.Fingerprint, several OpenAPI 3.1 improvements to the allOf flattener, and a small refactor.

Highlights

• Change.Fingerprint is now stable across copy edits and locale switches (#​892). The fingerprint that downstream tools use to identify the same logical change across spec versions was being computed from the rendered text of the message, which made it sensitive to anything that altered rendering: a message-template tweak, a locale switch, or the '%s' to `%s` rendering change in #​836. It now hashes the structured rule arguments instead of the rendered text, giving the same disambiguation power without the fragility.

  This is a one-way migration. Any external system that has stored fingerprints from a previous oasdiff version will see them no longer match recomputed values and should plan a one-shot cleanup of those records. Future copy edits will not have the same effect.

• allOf flattener handles more OpenAPI 3.1 keywords (#​879, #​880, #​881, #​882). The flattener now merges const, minContains / maxContains, contentMediaType / contentEncoding, and dependentRequired from allOf subschemas into the parent schema, instead of silently dropping them. Subsequent diff and breaking-change checks see the full intent of the schema.

• allOf flattener no longer silently drops fields documented as "not merged" (#​884). Several keywords that the documentation describes as intentionally not merged were nevertheless being dropped from the parent schema's existing values when an allOf subschema was processed. They are now preserved. The PR also removes a duplicate Type copy that was producing identical work twice.

• allOf flattener handles 3.1 numeric exclusive bounds correctly (#​873). In OpenAPI 3.1 exclusiveMinimum / exclusiveMaximum are numeric (not booleans paired with minimum / maximum). The flattener now merges them with the right semantics.

Documentation

• $defs is intentionally dropped during allOf flatten (#​883). The doc now states this explicitly so readers don't try to track down the omission as a bug.

Refactors

• refactor(flatten/allof): rename findMaxValue to findMaxValueScalar for clarity (#​887).

How to use it

• CLI: go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
• Docker: docker pull tufin/oasdiff:v1.15.2
• GitHub Action: pin to oasdiff/oasdiff-action/<command>@&#8203;v0.0.46 (the action release that ships oasdiff v1.15.2)

If your workflow YAML pins a fixed action version (e.g. @v0.0.44), bump the pin to @v0.0.46 so the new fingerprint algorithm runs in CI. Workflows pinned to @main or moving tags pick up the change automatically on their next run.

---

Changelog

• a543522 Merge pull request #​892 from oasdiff/fix/fingerprint-stable-args
• b8c4fe0 fix(formatters): make Change.Fingerprint stable across copy edits
• 0b722c4 Merge pull request #​887 from oasdiff/fix/issue-885-find-max-value-scalar
• 9b87905 refactor(flatten/allof): rename findMaxValue -> findMaxValueScalar (#​885)
• 8f37521 Merge pull request #​882 from oasdiff/feat/flatten-allof-dependent-required
• 8ef9da0 feat(flatten/allof): handle OpenAPI 3.1 dependentRequired
• 6d31e06 Merge pull request #​881 from oasdiff/feat/flatten-allof-content-keywords
• 35701ef feat(flatten/allof): handle OpenAPI 3.1 contentMediaType / contentEncoding
• 10261e0 Merge pull request #​880 from oasdiff/feat/flatten-allof-min-max-contains
• 9466ea3 feat(flatten/allof): handle OpenAPI 3.1 minContains / maxContains
• 3af44a2 Merge pull request #​879 from oasdiff/feat/flatten-allof-const
• 794bb5d Merge pull request #​884 from oasdiff/fix/flatten-allof-silent-drops
• 1d33e58 Merge pull request #​883 from oasdiff/docs/allof-defs-dropped
• 7854349 fix(flatten/allof): preserve fields documented as "not merged"; drop dup Type copy
• b999656 docs(allof): document that $defs is intentionally dropped during flatten
• bd362bd feat(flatten/allof): handle OpenAPI 3.1 const keyword
• a63539b Merge pull request #​873 from oasdiff/fix/issue-868-allof-31-exclusive-bounds
• b1f8552 docs: drop the now-fixed flatten/allOf 3.1 exclusive-bounds caveat
• 84cf3bb test: pin "no source-location after flatten-allof" behavior
• 6b32761 test: clarify allOf bound-merge comments
• 7f47de5 fix: gofmt alignment in const block
• 168b6dc fix(flatten/allof): handle OpenAPI 3.1 numeric exclusive bounds
• a35f0c1 Merge pull request #​877 from oasdiff/bump/oasdiff-action-v0.0.45
• 7d3689e bump: oasdiff-action v0.0.45

v1.15.1

Compare Source

A patch release with one user-facing behavior change, one new check, a privacy-friendly cleanup of the HTML report, and a substantial documentation overhaul.

Highlights

• oasdiff breaking now distinguishes "no breaking changes" from "no changes" (#​875). When oasdiff breaking finds no breaking changes but the specs do differ in non-breaking ways, the message is now "No breaking changes to report, but the specs are different" instead of the misleading "No changes to report" used in earlier versions. The changelog command's wording is unchanged.
• Detect enum value changes in deepObject parameter properties (#​862, thanks @​ampeco). Properties of deepObject-style query parameters now go through the standard enum-change checks.
• Changelog HTML report no longer pulls Google Fonts (#​876). Removes a @import of fonts.googleapis.com/css?family=Nunito from the report's <style> block. Every viewer of every report previously sent their IP to Google; the report now uses the existing system-font fallbacks (Helvetica / Arial). Useful for sites that embed the report under a strict CSP, and a privacy improvement everywhere.

Documentation

• README index reorganized by reader intent (#​874). The flat 25+ bullet feature list is replaced with a grouped Documentation section: Commands → Inputs → Comparison → Normalization → API lifecycle → Filtering changes → Output → How to run → Reference. Adds a 30-second Docker quickstart, surfaces previously-unlinked docs, and adds the missing summary subcommand.
• DIFF.md and BREAKING-CHANGES.md cross-referenced. summary, breaking, and changelog are built on the diff engine; the docs now say so. Duplicate "Additional Options" lists removed in favor of the README index.
• HEADER-DIFF.md now explains the OpenAPI / HTTP-standards tension behind oasdiff's case-sensitive header default.
• Many small content fixes: corrected diff format list, fixed a wrong Docker image name, removed dead --max-circular-dep advice, fixed an invalid -filter flag reference in usage examples, made the Go embed snippet runnable, clarified STABILITY.md, dropped a misleading "Documentation" stub from CUSTOMIZING-CHECKS.md, and more.

Dependencies

• github.com/getkin/kin-openapi bumped from v0.136.0 to v0.137.0 (#​872).

How to use it

• CLI: go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
• Docker: docker pull tufin/oasdiff:v1.15.1
• GitHub Action: pin to oasdiff/oasdiff-action/<command>@&#8203;v0.0.45

---

Changelog

• 876a7bb Merge pull request #​875 from oasdiff/fix/empty-result-message-for-breaking
• c0f8e9e Merge pull request #​876 from oasdiff/fix/changelog-html-drop-google-fonts
• 055decb fix(html): drop external Google Fonts import from changelog template
• 963dc3c fix(formatters): say "no breaking changes" instead of "no changes" when called from breaking command
• 8422df4 Merge pull request #​874 from oasdiff/docs/reorganize-readme-index
• fc19e98 docs: refine "Download a binary" install section
• c71f1f6 docs: merge duplicated install.sh sections in README
• 2c1cdd3 docs: tighten ATTRIBUTES heading and intro
• e06876d docs: normalize top-level headings to # across all standalone docs
• 45b58c2 docs: fix code-fence indentation and trailing whitespace in COMMON-PARAMS
• 11d4939 docs: add team workflow callout to BREAKING-CHANGES.md
• 19a7a94 docs: fix USAGE_EXAMPLES and COMMON-PARAMS correctness
• f2607ec docs: drop Circular Schema References section
• d58e83e docs: correctness fixes across four files
• 1ea7f75 docs: reflect OpenAPI 3.1 GA in CONTRIB; bump action version
• d6526be docs: rename COMPOSED.md heading to user-facing label
• ce97a1b docs: clarify STABILITY.md and remove repetition
• 93beb5a docs: make the GO.md snippet runnable
• 82b32ca docs: drop duplicated "Additional Options" lists from DIFF and BREAKING-CHANGES
• d8ed012 docs: clarify that breaking/changelog/summary inherit diff behavior
• 5b2a730 docs: add summary command to README index
• 4cdfcec docs: explain why oasdiff defaults to case-sensitive headers
• 47c7c53 docs: fix wrong docker image name in DOCKER.md
• 2ea3464 docs: explain why and what --case-insensitive-headers covers
• ee72bdb docs: remove PATH-PARAM-RENAME.md stub
• fff3451 docs: drop misleading "Documentation" stub from CUSTOMIZING-CHECKS
• 525b02d docs: rename Preprocessing to Normalization; move header comparison there
• 5a0cf9a docs: split out Filtering changes; rename Output & tracking to Output
• b548b1b docs: split Inputs into Inputs / Comparison / Preprocessing
• 8e1aa1a docs: correct diff command's supported output formats
• f9f6f5f docs: reorganize README index by reader intent
• 5b6d152 Merge pull request #​872 from oasdiff/dependabot/go_modules/github.com/getkin/kin-openapi-0.137.0
• 91498c6 chore(deps): bump github.com/getkin/kin-openapi from 0.136.0 to 0.137.0
• b7aab5e Merge pull request #​862 from ampeco/fix/parameter-property-enum-value-removed
• 981775f ref: address review feedback — extract helper, consolidate tests
• f37adc2 Update checker/check_request_parameter_enum_value_updated.go
• bd77c8f fix: detect enum value changes in deepObject parameter properties
• fda3068 Merge pull request #​871 from oasdiff/docs/readme-mention-pr-review-workflow
• 8b06964 docs(readme): mention PR review workflow at oasdiff.com
• 308d9c1 Merge pull request #​870 from oasdiff/docs/source-locator-cleanup
• 5c2c56a docs: tighten SOURCE-LOCATOR

v1.15.0

Compare Source

OpenAPI 3.1 support is generally available

First stable release with OpenAPI 3.1 support across diff, breaking, and changelog. The previous beta tags (v1.15.0-openapi31.beta.* and v2.2.0-openapi31.beta.*) are superseded by this release.

See docs/OPENAPI-31.md for the full feature list and known caveats.

Highlights

• 162 new rule IDs covering 3.1-specific keywords (const, prefixItems, if/then/else, dependentRequired, dependentSchemas, unevaluatedItems/Properties, contentSchema, contentMediaType, contentEncoding, patternProperties, propertyNames, contains/minContains/maxContains, numeric exclusiveMinimum/exclusiveMaximum).
• Webhook diffs and breaking-change detection. All operation-level checks (parameters, request bodies, responses, security, deprecation, etc.) are now applied automatically to modified webhook operations.
• Type arrays with null are recognised as nullable changes, eliminating the false-positive type-change reports that 3.1 specs would have produced under the old model.
• JSON Schema 2020-12 keywords parsed and tracked end-to-end (loader, diff, breaking-change checks).

Caveats

A few 3.1 features have known limitations in the underlying parser. See the Caveats section of the OPENAPI-31 doc for the current list.

Other fixes

• Git-revision $ref resolution now works correctly for multi-file specs. oasdiff diff origin/main:openapi.yaml HEAD:openapi.yaml resolves relative $ref paths in both revisions, via the new JoinFunc hook in kin-openapi v0.136.0.
• Property paths at schema root no longer carry a leading slash (#​859). Source-location output that previously read /foo for a top-level property now reads foo, which matches the rest of oasdiff's path conventions.

How to use it

• CLI: go install github.com/oasdiff/oasdiff@latest or curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh
• Docker: docker pull tufin/oasdiff:v1.15.0
• GitHub Action: pin to oasdiff/oasdiff-action/<command>@&#8203;v0.0.41

---

Changelog

• 54e9cb8 Merge pull request #​869 from oasdiff/chore/oasdiff-3.1-ga-docs
• ab1bd69 docs: drop beta label for OpenAPI 3.1 support
• 8a1ce1d Merge pull request #​791 from oasdiff/feat/openapi-3.1-support
• b8f77c2 refactor: structured DependentRequiredDiff type (#​849)
• d1d157b fix: don't tag Docker image as stable/latest for pre-release builds
• 95c48dd chore: use kin-openapi v0.138.0-openapi31.beta.1 tag
• 9b1c59c fix: switch from oasdiff/kin-openapi fork to getkin/kin-openapi upstream
• e0532f0 test: cover exclusiveMin/Max, 3.1 nullable, dependent_required props, and utils
• bf7521f test: add coverage for 3.1 checker property-level and removed paths
• cac53c2 style: run go fmt on files with formatting issues
• eca8011 fix: replace remaining getkin/kin-openapi imports with oasdiff fork
• 121852c ci: bump cache key version to invalidate stale module cache
• 844b1e9 test: add test data for OAS 3.1 $ref sibling keyword test
• cc27b7e feat: enable $ref sibling keyword support via kin-openapi beta.8
• ab6610e chore: upgrade kin-openapi to v0.137.0-openapi31.beta.5
• e376d59 chore: upgrade kin-openapi to v0.137.0-openapi31.beta.2
• 2524246 chore: upgrade kin-openapi to v0.137.0-openapi31.beta.1
• e4039ce fix: use oasdiff/kin-openapi 3.1 branch with oasdiff module path
• 57646f6 test: improve coverage for contains, unevaluated, and dependent-required checkers
• a226cec rebase feat/openapi-3.1-support onto main
• 5dc938f Merge pull request #​860 from oasdiff/fix/git-ref-slash-path-resolution
• 2408267 fix: preserve git ref prefix when resolving relative $refs
• 3139dd8 Merge pull request #​867 from oasdiff/chore/bump-kin-openapi-v0.136.0
• 87cd120 chore: bump kin-openapi to v0.136.0
• f06aae5 chore: remove dead Slack badge from README (#​863)
• 8ac52be fix: drop leading slash from property paths at schema root (#​859)
• f6df062 docs: bump OPENAPI-31.md to beta.3, add GitHub Action usage (#​852)
• e43499a docs: bump install version to v1.15.0-openapi31.beta.1, add action/service status (#​848)
• 4feaf21 fix: Docker pre-release tagging and link checker rate limiting (#​847)
• ee46712 docs: bump install version to 2.2.0-openapi31.beta.4
• 7df24bc add claude skill
• 3097561 fix: point allOf/oneOf/anyOf source to specific subschema (#​843)

v1.14.0

Compare Source

Changelog

• 5bf2d58 refactor: migrate from oasdiff/kin-openapi fork to upstream getkin/kin-openapi (#​842)
• 39983dd fix: show meaningful messages when breaking/changelog finds no results (#​841)
• aee6ae7 docs: remove auto-generated BREAKING-CHANGES-EXAMPLES.md
• 69d124a docs: add CHECKS.md and link checks command in main commands
• f072ee1 docs: remove source location tracking from roadmap (officially released)
• fd033a8 refactor: consolidate test helpers, fix source locations, update linting (#​840)

v1.13.5

Compare Source

Changes

• chore: upgrade github.com/oasdiff/kin-openapi to v0.137.0

Note: v1.13.4 was tagged before the go.mod upgrade was committed; v1.13.5 is the correct release containing both the loader refactor and the kin-openapi upgrade.

v1.13.4

Compare Source

Changes

• refactor: copy loader in loadFromGitRevision instead of mutating it — cleaner than save/restore, goroutine-safe (#​839)
• chore: upgrade github.com/oasdiff/kin-openapi to v0.137.0

v1.13.3

Compare Source

Changelog

• [be0b920](https://redirect.github.com/oas

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: cli/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go	v0.121.0 -> v0.121.6
github.com/wI2L/jsondiff	v0.6.1 -> v0.7.0
github.com/yuin/goldmark	v1.7.11 -> v1.7.13
golang.org/x/crypto	v0.37.0 -> v0.40.0
golang.org/x/net	v0.39.0 -> v0.42.0

[renovate]

ℹ️ Artifact update notice

File name: cli/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 15 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24 -> 1.26
github.com/getkin/kin-openapi	v0.132.0 -> v0.139.0
github.com/spf13/cobra	v1.9.1 -> v1.10.2
cloud.google.com/go	v0.121.0 -> v0.123.0
github.com/go-openapi/jsonpointer	v0.21.0 -> v0.22.5
github.com/mailru/easyjson	v0.9.0 -> v0.9.2
github.com/oasdiff/yaml	v0.0.0-20250309154309-f31be36b4037 -> v0.1.0
github.com/oasdiff/yaml3	v0.0.0-20250309153720-d2182401db90 -> v0.0.13
github.com/spf13/pflag	v1.0.7 -> v1.0.10
github.com/tidwall/match	v1.1.1 -> v1.2.0
github.com/wI2L/jsondiff	v0.6.1 -> v0.7.1
github.com/yuin/goldmark	v1.7.11 -> v1.8.2
golang.org/x/crypto	v0.37.0 -> v0.41.0
golang.org/x/net	v0.39.0 -> v0.43.0
golang.org/x/sys	v0.34.0 -> v0.43.0
golang.org/x/text	v0.27.0 -> v0.36.0