Skip to content

feat: add option to disable external reference resolution #1118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AnshumohanAcharya wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: add option to disable external reference resolution #1118

AnshumohanAcharya wants to merge 1 commit into from

Conversation

@AnshumohanAcharya
Copy link

@AnshumohanAcharya AnshumohanAcharya commented Dec 24, 2025

Description

This PR introduces a new resolveExternal option to the ResolverOptions interface that allows users to disable external reference resolution ($ref pointing to http, https, or file URIs) while preserving internal JSON pointer reference resolution.

Key Changes:

  • Added resolveExternal?: boolean property to ResolverOptions interface
  • Modified createResolver() function to conditionally include default resolvers (http, https, file) based on the resolveExternal option
  • When resolveExternal is set to false, external reference resolution is disabled
  • Internal JSON pointer references (e.g., #/components/messages/message) continue to work regardless of this setting
  • Default behavior remains unchanged (resolveExternal defaults to true) for backward compatibility

Usage Examples:

  1. Disable external resolution in Parser constructor:
const parser = new Parser({
  __unstable: {
    resolver: {
      resolveExternal: false
    }
  }
});
  1. Disable external resolution in validate/parse methods:
const parser = new Parser();
await parser.validate(spec, {
  __unstable: {
    resolver: {
      resolveExternal: false
    }
  }
});

Testing:

Added comprehensive test suite (external-ref-disabled.spec.ts) that verifies:

  • External HTTP/HTTPS references are blocked when disabled
  • External file references are blocked when disabled
  • Internal JSON pointer references still resolve correctly when external resolution is disabled
  • Works when configured both at parser construction and method invocation levels

All existing tests pass (2470 tests), ensuring backward compatibility.

Related issue(s)
Fixes #1098

@AnshumohanAcharya
feat: add option to disable external reference resolution
f824be1 
   - Add resolveExternal option to ResolverOptions
   - Allow disabling external (http/https/file) reference resolution
   - Internal JSON pointer references still work when disabled
   - Defaults to true for backward compatibility

   Fixes: asyncapi#1098
@changeset-bot
Copy link

changeset-bot bot commented Dec 24, 2025

⚠️ No Changeset found

Latest commit: f824be1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

github-actions[bot]
github-actions bot reviewed Dec 24, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome to AsyncAPI. Thanks a lot for creating your first pull request. Please check out our contributors guide useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 24, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@fmvilas fmvilas Awaiting requested review from fmvilas fmvilas is a code owner

@magicmatatjahu magicmatatjahu Awaiting requested review from magicmatatjahu magicmatatjahu is a code owner

@asyncapi-bot-eve asyncapi-bot-eve Awaiting requested review from asyncapi-bot-eve asyncapi-bot-eve is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Disable derefencing of $ref by default.

1 participant

@AnshumohanAcharya