Release v6.2.0: Security updates and dependency upgrades#438
Open
## Security Fixes

- Migrate from swagger-parser to @apidevtools/swagger-parser (v12.1.0)
  - Fixes multiple security vulnerabilities in json-schema-ref-parser
  - Updates to latest OpenAPI validation schemas
- Update body-parser to 1.20.4+ (fixes qs DoS vulnerability)
- Update express to 4.22.1+ (fixes qs vulnerability)
- Update yaml from 2.0.0-1 to 2.8.1 (latest stable)
  - Includes security patches and API improvements
- Update npm-run-all to npm-run-all2 (6.2.6) - maintained fork
- Update supertest to 7.1.4 (latest)

## Breaking Changes

- YAML library upgraded to 2.x with API changes
  - parseDocument options now passed as parameter
  - Anchor/alias handling updated for YAML 2.x stricter validation
  - Error messages format changed (YAMLParseError vs YAMLSyntaxError)

## Test Updates

- Updated test snapshots for new YAML error message formats
- Updated error message assertions to match YAML 2.x output
- 48/50 tests passing (96% success rate)

## Known Limitations

- Cross-document YAML anchor/alias references have changed behavior due to YAML 2.x stricter validation. Most use cases work, but complex cross-file anchor scenarios may need adjustment.

## Dependencies Audit

- Production dependencies: 0 vulnerabilities
- DevDependencies: 5 moderate (eslint-related, dev-only tools)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- 48/50 tests passing (96%)
- 0 production vulnerabilities
- Cross-document YAML anchors/aliases known limitation
- All core functionality working
Why is this titled 6.2.0? That version has already been out for a few years? Did you mean 6.3.0?
## Summary

This PR consolidates fixes from multiple open PRs into a single release that addresses critical security vulnerabilities and updates dependencies.

## Security Fixes

- Migrate from swagger-parser to @apidevtools/swagger-parser (v12.1.0)

### npm audit Results

## Test Results

## Breaking Changes

### YAML Library Upgrade (1.x → 2.x)

## Known Limitations

Cross-document YAML anchor/alias references have changed behavior due to YAML 2.x stricter validation. The feature mostly works, but complex cross-file anchor scenarios may require adjustment. This affects AWS API Gateway integration templates that use external anchor references.

## Related PRs Consolidated

## Test Plan
🤖 Generated with Claude Code