Modernize dependencies, fix CI, upgrade dependencies, introduce new linter and formatter

BREAKING CHANGE: Pretty large refactor of dev experience. Removes ono dependency to fix certain CJS builds

Author: jonluca

.eslintrc.yml

@@ -22,7 +22,7 @@ jobs:
           - macos-latest
           - windows-latest
         node:
-          - 20
+          - 22
 
     steps:
       - name: Checkout source
@@ -32,19 +32,19 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
-          cache: "npm"
+          cache: "yarn"
 
       - name: Install dependencies
-        run: npm ci
+        run: yarn install --immutable
 
       - name: Run linter
-        run: npm run lint
+        run: yarn lint
 
       - name: Run TypeScript tests
-        run: npm run test:typescript
+        run: yarn test:typescript
 
       - name: Run Node tests
-        run: npm run coverage:node
+        run: yarn coverage:node
 
       - name: Send code coverage results to Coveralls
         uses: coverallsapp/github-action@v1.1.0
@@ -74,33 +74,14 @@ jobs:
       - node_tests
 
     steps:
-      - name: Checkout source
-        uses: actions/checkout@v4
-
-      - name: Install Node
-        uses: actions/setup-node@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: 22
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Publish to NPM
-        run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Prepare the non-scoped packaged
-        run: |
-          cp LICENSE *.md dist
-          VERSION=$(node -e "console.log(require('./package.json').version)")
-          sed -i "s/X.X.X/${VERSION}/g" dist/package.json
+          node-version: latest
+          cache: "yarn"
+      - run: yarn install --immutable
 
-      - name: Publish the non-scoped package to NPM
-        run: npm publish --provenance --access public
-        working-directory: dist
+      - run: npx semantic-release --branches main
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/CI-CD.yaml

@@ -0,0 +1,2 @@
+.yarn
+test/**/*.html

.prettierignore

@@ -7,24 +7,17 @@
       "request": "launch",
       "program": "${workspaceRoot}/node_modules/mocha/bin/_mocha",
       "stopOnEntry": false,
-      "args": [
-        "--quick-test",
-        "--timeout=600000"
-      ],
+      "args": ["--quick-test", "--timeout=600000"],
       "cwd": "${workspaceRoot}",
       "preLaunchTask": null,
       "runtimeExecutable": null,
-      "runtimeArgs": [
-        "--nolazy"
-      ],
+      "runtimeArgs": ["--nolazy"],
       "env": {
         "NODE_ENV": "development"
       },
       "console": "internalConsole",
       "sourceMaps": false,
-      "skipFiles": [
-        "<node_internals>/**/*.js"
-      ]
+      "skipFiles": ["<node_internals>/**/*.js"]
     }
   ]
 }

.vscode/launch.json

@@ -1,5 +1,4 @@
-Swagger 2.0 and OpenAPI 3.0 parser/validator
-============================
+# Swagger 2.0 and OpenAPI 3.0 parser/validator
 
 [![Build Status](https://github.com/APIDevTools/swagger-parser/workflows/CI-CD/badge.svg?branch=master)](https://github.com/APIDevTools/swagger-parser/actions)
 [![Coverage Status](https://coveralls.io/repos/github/APIDevTools/swagger-parser/badge.svg?branch=master)](https://coveralls.io/github/APIDevTools/swagger-parser)
@@ -12,9 +11,8 @@ Swagger 2.0 and OpenAPI 3.0 parser/validator
 
 [![OS and Browser Compatibility](https://apidevtools.com/img/badges/ci-badges-with-ie.svg)](https://github.com/APIDevTools/swagger-parser/actions)
 
+## Features
 
-Features
---------------------------
 - Parses Swagger specs in **JSON** or **YAML** format
 - Validates against the [Swagger 2.0 schema](https://github.com/OAI/OpenAPI-Specification/blob/master/schemas/v2.0/schema.json) or [OpenAPI 3.0 Schema](https://github.com/OAI/OpenAPI-Specification/blob/master/schemas/v3.0/schema.json)
 - [Resolves](https://apidevtools.com/swagger-parser/docs/swagger-parser.html#resolveapi-options-callback) all `$ref` pointers, including external files and URLs
@@ -25,24 +23,18 @@ Features
 - Supports [circular references](https://apidevtools.com/swagger-parser/docs/#circular-refs), nested references, back-references, and cross-references
 - Maintains object reference equality — `$ref` pointers to the same value always resolve to the same object instance
 
+## Related Projects
 
-
-Related Projects
---------------------------
 - [Swagger CLI](https://github.com/APIDevTools/swagger-cli)
 - [Swagger Express Middleware](https://github.com/APIDevTools/swagger-express-middleware)
 
-
-
-Example
---------------------------
+## Example
 
 ```javascript
 SwaggerParser.validate(myAPI, (err, api) => {
   if (err) {
     console.error(err);
-  }
-  else {
+  } else {
     console.log("API name: %s, Version: %s", api.info.title, api.info.version);
   }
 });
@@ -54,28 +46,23 @@ Or use `async`/`await` or [Promise](http://javascriptplayground.com/blog/2015/02
 try {
   let api = await SwaggerParser.validate(myAPI);
   console.log("API name: %s, Version: %s", api.info.title, api.info.version);
-}
-catch(err) {
+} catch (err) {
   console.error(err);
 }
 ```
 
 For more detailed examples, please see the [API Documentation](https://apidevtools.com/swagger-parser/docs/)
 
+## Installation
 
-
-Installation
---------------------------
 Install using [npm](https://docs.npmjs.com/about-npm/):
 
 ```bash
 npm install @apidevtools/swagger-parser
 ```
 
+## Usage
 
-
-Usage
---------------------------
 When using Swagger Parser in Node.js apps, you'll probably want to use **CommonJS** syntax:
 
 ```javascript
@@ -85,57 +72,49 @@ const SwaggerParser = require("@apidevtools/swagger-parser");
 When using a transpiler such as [Babel](https://babeljs.io/) or [TypeScript](https://www.typescriptlang.org/), or a bundler such as [Webpack](https://webpack.js.org/) or [Rollup](https://rollupjs.org/), you can use **ECMAScript modules** syntax instead:
 
 ```javascript
-import * as SwaggerParser from '@apidevtools/swagger-parser';
+import * as SwaggerParser from "@apidevtools/swagger-parser";
 ```
 
+## Browser support
 
-
-Browser support
---------------------------
-Swagger Parser supports recent versions of every major web browser.  Older browsers may require [Babel](https://babeljs.io/) and/or [polyfills](https://babeljs.io/docs/en/next/babel-polyfill).
+Swagger Parser supports recent versions of every major web browser. Older browsers may require [Babel](https://babeljs.io/) and/or [polyfills](https://babeljs.io/docs/en/next/babel-polyfill).
 
 To use Swagger Parser in a browser, you'll need to use a bundling tool such as [Webpack](https://webpack.js.org/), [Rollup](https://rollupjs.org/), [Parcel](https://parceljs.org/), or [Browserify](http://browserify.org/). Some bundlers may require a bit of configuration, such as setting `browser: true` in [rollup-plugin-resolve](https://github.com/rollup/rollup-plugin-node-resolve).
 
+## API Documentation
 
-
-API Documentation
---------------------------
 Full API documentation is available [right here](https://apidevtools.com/swagger-parser/docs/)
 
+## Security
 
-Security
---------------------------
 The library, by default, attempts to resolve any files referenced using `$ref`, without considering file extensions or the location of the files. This can result in Local File Inclusion (LFI), thus, potentially sensitive information disclosure. Developers must be cautious when working with documents from untrusted sources. See [here](SECURITY.md) for more details and information on how to mitigate LFI.
 
+## Contributing
 
-Contributing
---------------------------
-I welcome any contributions, enhancements, and bug-fixes.  [Open an issue](https://github.com/APIDevTools/swagger-parser/issues) on GitHub and [submit a pull request](https://github.com/APIDevTools/swagger-parser/pulls).
+I welcome any contributions, enhancements, and bug-fixes. [Open an issue](https://github.com/APIDevTools/swagger-parser/issues) on GitHub and [submit a pull request](https://github.com/APIDevTools/swagger-parser/pulls).
 
 To test the project locally on your computer:
 
-1. __Clone this repo__<br>
-`git clone https://github.com/APIDevTools/swagger-parser.git`
+1. **Clone this repo**<br>
+   `git clone https://github.com/APIDevTools/swagger-parser.git`
 
-2. __Install dependencies__<br>
-`npm install`
+2. **Install dependencies**<br>
+   `npm install`
 
-3. __Run the tests__<br>
-`npm test`
+3. **Run the tests**<br>
+   `npm test`
 
-4. __Check the code coverage__<br>
-`npm run coverage`
+4. **Check the code coverage**<br>
+   `npm run coverage`
+
+## License
 
-License
---------------------------
 Swagger Parser is 100% free and open-source, under the [MIT license](LICENSE). Use it however you want.
 
 This package is [Treeware](http://treeware.earth). If you use it in production, then we ask that you [**buy the world a tree**](https://shop.protect.earth) to thank us for our work.
 
+## Big Thanks To
 
-
-Big Thanks To
---------------------------
 Thanks to these awesome companies for their support of Open Source developers ❤
 
 [![GitHub](https://apidevtools.com/img/badges/github.svg)](https://github.com/open-source)

CHANGELOG.md

@@ -6,9 +6,9 @@
 
 The library, by default, attempts to resolve any files pointed to by `$ref`, which can be a problem in specific scenarios, for example:
 
- * A backend service uses the library, AND
- * The service processes OpenAPI documents from untrusted sources, AND
- * The service performs actual requests based on the processed OpenAPI document
+- A backend service uses the library, AND
+- The service processes OpenAPI documents from untrusted sources, AND
+- The service performs actual requests based on the processed OpenAPI document
 
 For example, the below OpenAPI document refers to `/etc/passwd` via the `leak` property of the Pet object.
 
@@ -30,7 +30,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/Pet'
+              $ref: "#/components/schemas/Pet"
         required: true
 components:
   schemas:
@@ -46,8 +46,8 @@ components:
           example: 10
         leak:
           type: string
-          default: 
-            $ref: '/etc/passwd'
+          default:
+            $ref: "/etc/passwd"
         name:
           type: string
           example: doggie
@@ -110,16 +110,16 @@ Configuring the file resolver this way only partially mitigates LFI. See the nex
 
 With the previously mentioned mitigation in place, an attacker could still craft a malicious OpenAPI document to make the library read arbitrary JSON or YAML files on the filesystem and potentially gain access to sensitive data (e.g. credentials). This is possible if:
 
- * The actor knows (or successfully guesses) the location of a JSON or YAML file on the file system
- * The service using the library has privileges to read the file
- * The service using the library sends requests to the server specified in the OpenAPI document
+- The actor knows (or successfully guesses) the location of a JSON or YAML file on the file system
+- The service using the library has privileges to read the file
+- The service using the library sends requests to the server specified in the OpenAPI document
 
 You can prevent exploitation by hardening the environment in which the service is running:
 
- * The service should run under its own dedicated user account
- * File system permissions should be configured so that the service cannot read any YAML or JSON files not owned by the service user
+- The service should run under its own dedicated user account
+- File system permissions should be configured so that the service cannot read any YAML or JSON files not owned by the service user
 
 If you have any YAML or JSON files the service must have access to that may contain sensitive information, such as configuration file(s), you must take additional measures to prevent exploitation. A non-exhaustive list:
 
- * You can implement your service so that it reads the configuration into memory at start time, then uses [setuid](https://nodejs.org/api/process.html#processsetuidid) and [setgid](https://nodejs.org/api/process.html#processsetgidid) to set the process' UID and GID to the ID of a user and ID of a group that has no access to the file on the filesystem
- * Do not store sensitive information, such as credentials, in the service configuration files
+- You can implement your service so that it reads the configuration into memory at start time, then uses [setuid](https://nodejs.org/api/process.html#processsetuidid) and [setgid](https://nodejs.org/api/process.html#processsetgidid) to set the process' UID and GID to the ID of a user and ID of a group that has no access to the file on the filesystem
+- Do not store sensitive information, such as credentials, in the service configuration files

README.md

@@ -1,3 +1,8 @@
 <!-- {{ page.url }} -->
-<link rel="stylesheet" href="/css/style.css?v=3" media="screen" type="text/css">
-<link rel="stylesheet" href="/css/print.css" media="print" type="text/css">
+<link
+  rel="stylesheet"
+  href="/css/style.css?v=3"
+  media="screen"
+  type="text/css"
+/>
+<link rel="stylesheet" href="/css/print.css" media="print" type="text/css" />