v0.133.0

Compare Source

What's Changed

• openapi3: resolve Snyk security warning with path traversal by @​seborama in #​1066
• openapi3: replace bigfloat with decimal128 to fix rounding errors during validation by @​Revolyssup in #​1068
• openapi2conv: Preserve externalDocs on operations during conversion by @​hwustrack in #​1070
• openapi3: fix ineffectual caching of compiled regexps by @​philpearl in #​1076
• openapi3: use Ptr instead of BoolPtr,Float64Ptr,Int64Ptr,Uint64Ptr by @​alexandear in #​1033
• openapi3: resolve refs in parameter examples by @​reuvenharrison in #​1086
• openapifilter: Add support for RFC 7396 application/merge-patch+json by @​byted in #​1084
• openapi3filter: use FileBodyDecoder if the format is specified as binary by @​dbarrosop in #​1088
• openapi3: preserve all validation errors for allOf by @​alexbakker in #​1087
• openapi3filter: support primitive parsing for individual text like parts in multipart/form-data by @​nmeheus in #​1090
• Some coding style fixes and cleaning up by @​fenollp in #​1093
• openapi2conv: preserve x-fields when converting from v2 to v3 by @​saltbo in #​1092

New Contributors

• @​seborama made their first contribution in #​1066
• @​Revolyssup made their first contribution in #​1068
• @​hwustrack made their first contribution in #​1070
• @​philpearl made their first contribution in #​1076
• @​byted made their first contribution in #​1084
• @​dbarrosop made their first contribution in #​1088
• @​nmeheus made their first contribution in #​1090
• @​saltbo made their first contribution in #​1092

Full Changelog: getkin/kin-openapi@v0.132.0...v0.133.0

v0.132.0

Compare Source

What's Changed

• style: Use fmt.Sprint without formating by @​gaiaz-iusipov in #​1061
• openapi3filter: don't consume request body in AuthenticatorFunc by @​jamietanna in #​1064
• openapi2conv: fix for refs on items within additional properties by @​roberth1988 in #​1067

New Contributors

• @​gaiaz-iusipov made their first contribution in #​1061
• @​roberth1988 made their first contribution in #​1067

Full Changelog: getkin/kin-openapi@v0.131.0...v0.132.0

v0.131.0

Compare Source

What's Changed

• openapi3filter: de-register ZipFileBodyDecoder and make a few decoders public by @​fenollp in #​1059

Full Changelog: getkin/kin-openapi@v0.130.0...v0.131.0

v0.130.0

Compare Source

What's Changed

• feat(openapi3gen): Customize json.RawMessage by @​kyleconroy in #​1050
• openapi3gen: Fix issue with separate component generated for time.Time by @​d1vbyz3r0 in #​1052
• openapi3filter: Remove redundant ExcludeResponseBody check by @​tatsumack in #​1056
• openapi3: use origin to minimize collisions by @​reuvenharrison in #​1057
• openapi3: delete origin keys only when IncludeOrigin=true by @​reuvenharrison in #​1055
• openapi3filter: apply default values of an array in a query param with exploded = false by @​nhochstr in #​1054

New Contributors

• @​kyleconroy made their first contribution in #​1050
• @​d1vbyz3r0 made their first contribution in #​1052
• @​tatsumack made their first contribution in #​1056
• @​nhochstr made their first contribution in #​1054

Full Changelog: getkin/kin-openapi@v0.129.0...v0.130.0

v0.129.0

Compare Source

What's Changed

• README: add Fuego to dependents by @​EwenQuim in #​1017
• openapi3: skip a test in CI to avoid 403s from some remote server by @​fenollp in #​1019
• openapi3: introduce StringMap type to enable unmarshalling of maps with Origin by @​reuvenharrison in #​1018
• openapi3: reference originating locations in YAML specs - step 1 by @​reuvenharrison in #​1007
• openapi3: reference originating locations in YAML specs - step 2 by @​reuvenharrison in #​1024
• openapi3: process discriminator mapping values as refs by @​jgresty in #​1022
• openapi3filter: register decoder for other JSON content types by @​oliverli in #​1026
• Revert "openapi3: process discriminator mapping values as refs" by @​fenollp in #​1029
• openapi3: fail to load spec because of schema names in mapping by @​reuvenharrison in #​1027
• openapi2conv: convert schemaRef for additional props by @​jayanth-tatina-groww in #​1030
• openapi3: simplify by replacing math.Min with min by @​alexandear in #​1032
• openapi3: fix deprecation comments by @​alexandear in #​1034
• test: fix expected-actual parameters in require.Equal by @​alexandear in #​1035
• use forked yaml modules without "replace" by @​reuvenharrison in #​1038
• openapi3: update date schema formats to not match months or days of '00' by @​RulerOfTheQueendom in #​1042
• openapi3,openapi3filter: replace interface{} with any by @​alexandear in #​1040
• openapi3filter: Simplify ValidateRequest implementation by @​alexandear in #​1041
• openapi3filter: validation of x-www-form-urlencoded with arbitrary nested allOf by @​mikhalytch in #​1046
• openapi2conv: convert references in nested additionalProperties schemas by @​travisnewhouse in #​1047

New Contributors

• @​EwenQuim made their first contribution in #​1017
• @​jgresty made their first contribution in #​1022
• @​oliverli made their first contribution in #​1026
• @​jayanth-tatina-groww made their first contribution in #​1030
• @​RulerOfTheQueendom made their first contribution in #​1042
• @​mikhalytch made their first contribution in #​1046
• @​travisnewhouse made their first contribution in #​1047

Full Changelog: getkin/kin-openapi@v0.128.0...v0.129.0

v5.2.3

Compare Source

What's Changed

• Add pathvalue example to README and implement PathValue handler. by @​catatsuy in #​985
• Allow multiple whitespace between method & pattern by @​JRaspass in #​1013
• Avoid potential nil dereference by @​ProjectMutilation in #​1008
• feat(mux): support http.Request.Pattern in Go 1.23 by @​Gusted in #​986
• fix/608 - Fix flaky Throttle middleware test by synchronizing token usage by @​OtavioBernardes in #​1016
• Optimize throttle middleware by avoiding unnecessary timer creation by @​vasayxtx in #​1011
• Simplify wildcard replacement in route patterns by @​srpvpn in #​1012
• Replace methodTypString func with reverseMethodMap by @​JRaspass in #​1018

New Contributors

• @​ProjectMutilation made their first contribution in #​1008
• @​Gusted made their first contribution in #​986
• @​OtavioBernardes made their first contribution in #​1016
• @​srpvpn made their first contribution in #​1012

Full Changelog: go-chi/chi@v5.2.2...v5.2.3

v5.2.2

Compare Source

What's Changed

• Use strings.Cut in a few places by @​JRaspass in #​971
• Fix non-constant format strings in t.Fatalf by @​JRaspass in #​972
• Apply fieldalignment fixes to optimize struct memory layout by @​pixel365 in #​974
• go 1.24 by @​pkieltyka in #​977
• chore: delint ioutil usage by @​costela in #​962
• Fixed typo in Router interface definition by @​mithileshgupta12 in #​958
• Add support for TinyGo by @​efraimbart in #​978
• Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @​cxjava in #​982
• Make use of strings.Cut by @​scop in #​1005
• Change install command format to code block by @​sglkc in #​1001
• Correct documentation by @​mrdomino in #​992

Security fix

• Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
  • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
  • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

• @​pixel365 made their first contribution in #​974
• @​mithileshgupta12 made their first contribution in #​958
• @​efraimbart made their first contribution in #​978
• @​cxjava made their first contribution in #​982
• @​sglkc made their first contribution in #​1001
• @​mrdomino made their first contribution in #​992

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

Compare Source

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See #​963 for related discussion.

What's Changed

• Support the four most recent major versions of Go by @​VojtechVitek in #​969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

• update credits section to link to goji license by @​pkieltyka in #​944
• go 1.23 by @​pkieltyka in #​945
• Make Context.RoutePattern() nil-safe by @​gaiaz-iusipov in #​927
• govet: Fix non-constant format string by @​marcofranssen in #​952
• Add Find to Routes interface by @​joeriddles in #​872
• Fix grammar error by @​AntonC9018 in #​917
• feat(): add CF-Connecting-IP by @​n33pm in #​908
  • Revert "feat(): add CF-Connecting-IP" by @​VojtechVitek in #​966
• Fixed incorrect comment about routing by @​jtams in #​887
• Fix condition in TestRedirectSlashes by @​tchssk in #​856
• middleware: Add strip prefix middleware by @​m1k1o in #​875
• Set up go module for _examples/versions by @​hongkuancn in #​948
• Ability to specify response HTTP status code for Throttle middleware by @​vasayxtx in #​571
• Support Content-Type headers with charset/boundary parameters by @​GocaMaric in #​880
• Fix Mux.Find not correctly handling nested routes by @​joeriddles in #​954
• fix(WrapResponseWriter): allow multiple informational statuses by @​costela in #​961

New Contributors

• @​gaiaz-iusipov made their first contribution in #​927
• @​marcofranssen made their first contribution in #​952
• @​joeriddles made their first contribution in #​872
• @​AntonC9018 made their first contribution in #​917
• @​n33pm made their first contribution in #​908
• @​jtams made their first contribution in #​887
• @​tchssk made their first contribution in #​856
• @​m1k1o made their first contribution in #​875
• @​hongkuancn made their first contribution in #​948
• @​GocaMaric made their first contribution in #​880
• @​costela made their first contribution in #​961

Full Changelog: go-chi/chi@v5.1.0...v5.2.0

v1.2.2

Compare Source

What's Changed

• Update README with install by @​Uyutaka in #​22
• Fix broken credits link by @​lordidiot in #​25
• fix test_default error message #​28 by @​ablankz in #​29
• Update Go version in CI by @​VojtechVitek in #​32
• Fix Origin header check by @​c2h5oh in #​38

New Contributors

• @​Uyutaka made their first contribution in #​22
• @​lordidiot made their first contribution in #​25
• @​ablankz made their first contribution in #​29
• @​VojtechVitek made their first contribution in #​32
• @​c2h5oh made their first contribution in #​38

Full Changelog: go-chi/cors@v1.2.1...v1.2.2

v1.1.2

Compare Source

What's Changed

• Fix cloned handlers to use same mutex by @​arthurpitman in #​97

New Contributors

• @​arthurpitman made their first contribution in #​97

Full Changelog: lmittmann/tint@v1.1.1...v1.1.2

v1.1.1

Compare Source

Bug-fix release with performance improvements for time value handling.

What's Changed

• Fix time attribute formatting to match slog.TextHandler by @​lmittmann in #​94
• Simplify Options storage in handler by @​lmittmann in #​95
• Fix uncolored tint.Attr when ReplaceAttr is present by @​lmittmann in #​96

Full Changelog: lmittmann/tint@v1.1.0...v1.1.1

v1.1.0

Compare Source

This release adds a much-requested feature: function tint.Attr(color uint8, attr slog.Attr) writes colored attributes. Like tint.Err, which writes red-colored errors, tint.Attr can be used with other slog handlers (e.g. slog.JSONHandler) and does not emit raw ANSI codes.

What's Changed

• Add colored attributes: tint.Attr(color, attr) by @​lmittmann in #​93
• workflows: Simplify Go checks by @​lmittmann in #​92

Full Changelog: lmittmann/tint@v1.0.7...v1.1.0

v1.0.7

Compare Source

What's Changed

• Don't escape ANSI colors in log values by @​lmittmann in #​87
• Fix panic on <nil> values by @​lmittmann in #​88

Full Changelog: lmittmann/tint@v1.0.6...v1.0.7

v1.0.6

Compare Source

What's Changed

• Only convert to any on KindAny values by @​database64128 in #​83
• Skip TestReplaceAttr without faketime by @​database64128 in #​84
• Avoid allocating tintError twice by @​database64128 in #​82

New Contributors

• @​database64128 made their first contribution in #​83

Full Changelog: lmittmann/tint@v1.0.5...v1.0.6

v0.1.14

Compare Source

v1.1.2: : Request bodies can now be re-used, after being read in an AuthenticationFunc and Go 1.22+-only

Compare Source

🔊 Notable features

Go 1.22+ requirement

This module now requires Go 1.22 to build (previously we supported Go 1.20+).

Go 1.22 is still fairly old, and was marked as unsupported by the Go team in 2025-02-11, and is a new requirement as part of a dependency bump from kin-openapi.

This shouldn't technically be a breaking change given the age of the Go version used and it being unsupported - so ideally isn't being used heavily - but we wanted to flag it as such in case this came as a surprise.

Request body can now be re-used, after being read in an AuthenticationFunc

A longstanding issue with the openapi3filter from kin-openapi, that we build on top of for this middleware, resulted in cases where the request body could not be re-parsed after being consumed in a middleware's AuthenticationFunc.

This could lead to errors such as:

request body has an error: value is required but missing

Or:

request body has an error: reading failed: http: invalid Read on closed Body

This has now been fixed upstream, and therefore fixed for users of this middleware as part of this release.

👻 Maintenance

• build: build against Go 1.23 and 1.24 (#​45) @​jamietanna

📦 Dependency updates

• fix(deps)!: update module github.com/getkin/kin-openapi to v0.132.0 (#​19) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v1.1.1: : fix an incorrect HTTP status code (in an unlikely failure case)

Compare Source

🐛 Bug fixes

• fix: correct error code (#​44) @​jamietanna

📦 Dependency updates

• chore(deps): update module github.com/golangci/golangci-lint to v2.1.5 (#​39) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v1.1.0: : Better error handling, allow not validating Servers (by configuration) and return an HTTP 405 Method Not Allowed where appropriate

Compare Source

🔊 Notable features

Error handling is now significantly better

As part of #​35, we have introduced a much more powerful means to handle the errors returned by the OpenAPI Validation middleware.

This has been a long-standing issue, and we appreciate the community's patience as well as different proposals over time.

Previously, when creating an error handler, the method signature was fairly lacking:

// create middleware
mw := middleware.OapiRequestValidatorWithOptions(spec, &middleware.Options{
    Options: openapi3filter.Options{
        AuthenticationFunc: authenticationFunc,
    },
    ErrorHandler: func(w http.ResponseWriter, message string, statusCode int) {
        http.Error(w, "This text/plain response will be returned to the caller: " + message, statusCode)
    },
})

This didn't give much information around what had happened - or in which route/endpoint - and not having the raw error made observability and additional steps to respond appropriately more difficult.

With this release, it's now possible to have the raw error, information about the current request + its context.Context, as well as some additional pieces of metadata inside the ErrorHandlerWithOpts:

// create middleware
mw := middleware.OapiRequestValidatorWithOptions(spec, &middleware.Options{
    // other options
    // ...
    ErrorHandlerWithOpts: func(ctx context.Context, err error, w http.ResponseWriter, r *http.Request, opts middleware.ErrorHandlerOpts) {
        // NOTE that ErrorHandlerOpts contains further information, and allows us to add additional information in the future, in an extensible and non-breaking way
    }
})

There is a full example of usage in the Go doc for this project.

Note that the old method, ErrorHandler has been marked as deprecated - there is no planned removal date, and this is largely as a way to "nudge" folks to using the new, more powerful, method.

🚀 New features and improvements

• feat: add error handler with more configuration (#​35) @​jamietanna @​pebo @​mikeschinkel @​MattiasMartens
  • refactor: migrate error to a method parameter, not part of ErrorHandlerOpts (#​43) @​jamietanna
• feat: allow not validating Servers at all (#​37) @​jamietanna

🐛 Bug fixes

• fix: return HTTP 405 when request method mismatch (#​25) @​nek023

📝 Documentation updates

• docs: correct accidentally hardcoded error message (#​36) @​jamietanna
• docs: rewrite README, add example test + improve comments (#​30) @​jamietanna
• docs(sponsors): add FUNDING.yml (#​20) @​jamietanna

👻 Maintenance

• chore(deps): remove testutil (#​33) @​jamietanna
• chore: remove references to Swagger (#​32) @​jamietanna

📦 Dependency updates

• chore(deps): update module github.com/golangci/golangci-lint to v2.1.4 (#​38) @​renovate[bot]
• chore(deps): update module github.com/golangci/golangci-lint to v2 (#​28) @​renovate[bot]
• chore(deps): pin dependencies (#​31) @​renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

v2.5.0: : No more optional pointers (optionally), omitzero, better control over initialisms, and so much more!

Compare Source

v2.5.0: No more optional pointers (optionally)!

🎉 Notable changes

Begone optional pointers! (optionally)

One of the key things oapi-codegen does is to use an "optional pointer", following idiomatic Go practices, to indicate that a field/type is optional.

This can be tuned on a per-field basis, using the x-go-type-skip-optional-pointer extension, but it can be a bit repetitive, or can be more complex when using an OpenAPI Overlay.

As of oapi-codegen v2.5.0, this can be tuned in two specific ways, via the following Output Options:

• prefer-skip-optional-pointer: a global default that you do not want the "optional pointer" generated. Optional fields will not have an "optional pointer", and will have an omitempty JSON tag
• prefer-skip-optional-pointer-with-omitzero: when used in conjunction with prefer-skip-optional-pointer, any optional fields are generated with an omitzero JSON tag. Requires Go 1.24+

In both cases, there is control on a per-field level to set x-go-type-skip-optional-pointer: false or x-omitzero: false to undo these to field(s).

[!NOTE]
The default is not changing.

We take care to avoid breaking changes so this is, as many changes, an opt-in.

See Globally skipping the "optional pointer" for more details.

Generating omitzero JSON tags, with x-omitzero

Related to the above functionality, it is possible to define the OpenAPI extension x-omitzero on fields to generate the omitzero JSON tag, based on the (now not-so-new) Go 1.24 release.

Thanks to @​lzap for the contribution 🚀

[!NOTE]
oapi-codegen does not currently validate the Go version that the module it's generating code for.

This could lead to the omitzero JSON tag being generated, but not being actually usable.

Ensure that you're using a Go 1.24+ version, and that your go directive (for source compatibility) is go 1.24 or i.e. go 1.24.1

Using OpenAPI 3.1 w