Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@scalar/openapi-parser

Package Overview
Dependencies
Maintainers
10
Versions
70
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@scalar/openapi-parser

modern OpenAPI parser written in TypeScript

latest
Source
npmnpm
Version
0.23.1
Version published
Weekly downloads
0
Maintainers
10
Weekly downloads
 
Created
Source

Scalar OpenAPI Parser

Version Downloads License Discord

Modern OpenAPI parser written in TypeScript with support for OpenAPI 3.2, 3.1, 3.0 and Swagger 2.0.

Installation

npm add @scalar/openapi-parser

Usage

Validate

import { validate } from '@scalar/openapi-parser'

const file = `{
  "openapi": "3.1.0",
  "info": {
    "title": "Hello World",
    "version": "1.0.0"
  },
  "paths": {}
}`

const { valid, errors } = await validate(file)

console.log(valid)

if (!valid) {
  console.log(errors)
}

Resolve references

import { dereference } from '@scalar/openapi-parser'

const specification = `{
  "openapi": "3.1.0",
  "info": {
    "title": "Hello World",
    "version": "1.0.0"
  },
  "paths": {}
}`

const { schema, errors } = await dereference(specification)

Track references

The dereference function accepts an onDereference callback option that gets called whenever a reference is resolved. This can be useful for tracking which schemas are being dereferenced:

import { dereference } from '@scalar/openapi-parser'

const { schema, errors } = await dereference(specification, {
  onDereference: ({ schema, ref }) => {
    //
  },
})

Modify an OpenAPI document

import { filter } from '@scalar/openapi-parser'

const specification = `{
  "openapi": "3.1.0",
  "info": {
    "title": "Hello World",
    "version": "1.0.0"
  },
  "paths": {}
}`

const { specification } = filter(
  specification,
  (schema) => !schema?.['x-internal'],
)

Upgrade your OpenAPI document

There's an upgrade command to upgrade all your OpenAPI documents to the latest OpenAPI version.

import { upgrade } from '@scalar/openapi-parser'

const { specification } = upgrade({
  swagger: '2.0',
  info: {
    title: 'Hello World',
    version: '1.0.0',
  },
  paths: {},
})

console.log(specification.openapi)
// Output: 3.1.0

Sanitize your OpenAPI document

The sanitize() utility helps ensure your OpenAPI document is valid and complete. It automatically adds any missing required properties like the OpenAPI version and info object, collects operation tags and adds them to the global tags array and normalizes security scheme types.

This makes your document as OpenAPI-compliant as possible with minimal effort, handling many common specification requirements automatically.

⚠️ This doesn't support Swagger 2.0 documents.

import { sanitize } from '@scalar/openapi-parser'

const result = sanitize({
  info: {
    title: 'Hello World',
  },
})

console.log(result)

Then/Catch syntax

If you're more the then/catch type of guy, that's fine:

import { validate } from '@scalar/openapi-parser'

const specification = …

validate(specification, {
  throwOnError: true,
})
.then(result => {
  // Success
})
.catch(error => {
  // Failure
})

TypeScript

If you just look for our types, you can install the package separately:

npm add @scalar/openapi-types

And use it like this:

import type { OpenAPI } from '@scalar/openapi-types'

const file: OpenAPI.Document = {
  openapi: '3.1.0',
  info: {
    title: 'Hello World',
    version: '1.0.0',
  },
  paths: {},
}

Advanced: URL and file references

You can reference other files, too. To do that, the parser needs to know what files are available.

import { bundle } from "@scalar/json-magic/bundle"
import { fetchUrls } from "@scalar/json-magic/bundle/plugins/browser"
import { readFiles } from "@scalar/json-magic/bundle/plugins/node"
import { dereference } from '@scalar/openapi-parser'

// Load a file and all referenced files
const data = await bundle('./openapi.yaml', {
  plugins: [
    readFiles(),
    fetchUrls({
      limit: 5,
    }),
  ],
})

// Instead of just passing a single specification, pass the whole data object
const result = await dereference(data)

As you see, bundle() supports plugins. You can write your own plugin, if you'd like to fetch API definitions from another data source, for example your database. Look at the source code of the readFiles to learn how this could look like.

Directly load URLs

Once the fetchUrls plugin is loaded, you can also just pass an URL:

import { bundle } from "@scalar/json-magic/bundle"
import { fetchUrls, parseJson, parseYaml } from "@scalar/json-magic/bundle/plugins/browser"
import { readFiles } from "@scalar/json-magic/bundle/plugins/node"
import { dereference } from '@scalar/openapi-parser'

// Load a file and all referenced files
const data = await bundle(
  'https://registry.scalar.com/@scalar/apis/galaxy?format=yaml',
  {
    plugins: [readFiles(), fetchUrls(), parseYaml(), parseJson()],
  },
)

Intercept HTTP requests

If you're using the package in a browser environment, you may run into CORS issues when fetching from URLs. You can intercept the requests, for example to use a proxy, though:

import { bundle } from "@scalar/json-magic/bundle"
import { fetchUrls, parseJson, parseYaml } from "@scalar/json-magic/bundle/plugins/browser"
import { readFiles } from "@scalar/json-magic/bundle/plugins/node"
import { dereference } from '@scalar/openapi-parser'

// Load a file and all referenced files
const result = await bundle(
  'https://registry.scalar.com/@scalar/apis/galaxy?format=yaml',
  {
    plugins: [
      fetchUrls({
        fetch: (url) => fetch(url.replace('BANANA.net', 'jsdelivr.net')),
      }).get('https://cdn.BANANA.net/npm/@scalar/galaxy/dist/latest.yaml'),
    ],
  },
)

Migration from the load method

If you were previously using the load() method and want to migrate to the latest bundle method, the following diff illustrates the changes to apply.

-import { dereference, load } from '@scalar/openapi-parser'
-import { fetchUrls } from '@scalar/openapi-parser/plugins/fetch-urls'
+import { bundle } from "@scalar/json-magic/bundle"
+import { fetchUrls, parseJson, parseYaml } from "@scalar/json-magic/bundle/plugins/browser"
+import { readFiles } from "@scalar/json-magic/bundle/plugins/node"
+import { dereference } from '@scalar/openapi-parser'

// Load a file and all referenced files
-const { filesystem } = await load(
+const result = await bundle(
  'https://registry.scalar.com/@scalar/apis/galaxy?format=yaml',
  {
    plugins: [
      fetchUrls({
        fetch: (url) => fetch(url.replace('BANANA.net', 'jsdelivr.net')),
      }).get('https://cdn.BANANA.net/npm/@scalar/galaxy/dist/latest.yaml'),
    ],
  },
)

Community

We are API nerds. You too? Let's chat on Discord: https://discord.gg/scalar

Thank you

Thanks a ton for all the help and inspiration:

  • @philsturgeon to make sure we build something we won't hate.
  • We took a lot of inspiration from @seriousme and his package openapi-schema-validator early-on.
  • You could consider this package the modern successor of @apidevtools/swagger-parser, we even test against it to make sure we're getting the same results (where intended).
  • We stole a lot of example documents from @mermade to test against.
  • Thanks @baywet for adding OpenAPI 3.2 support.

License

The source code in this repository is licensed under MIT.

Keywords

openapi
scalar
swagger
parser
typescript

FAQs

Package last updated on 06 Nov 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads

Research

/

Security News

9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads

Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control systems.

By Kush Pandya  -  Nov 06, 2025