@stoplight/spectral
A flexible JSON object linter with out of the box support for OpenAPI v2 and v3
npm install @stoplight/spectral
npm install -g @stoplight/spectral
Supports Node v8.3+ and modern browsers.
For users without Node and/or NPM/Yarn, we provide standalone packages for all major platforms. We also provide a shell script to auto download the executable based on your operating system:
curl -L https://raw.githack.com/stoplightio/spectral/master/install.sh | sh
Note, the binaries are not auto-updatable, therefore you will need to download a new version on your own.
sudo mv ./spectral-linux /usr/local/bin/spectral
You may need to restart your terminal.
Now the spectral command will be accessible in your terminal.
Head over to releases for the latest binaries.
docker run --rm -it stoplight/spectral lint "${URL}"
Spectral can be run via the command-line:
spectral lint petstore.yaml
Other options include:
  -e, --encoding=encoding      text encoding to use
  -f, --format=json|stylish    formatter to use for outputting results
  -h, --help                   show CLI help
  -o, --output=output          output to a file instead of stdout
  -q, --quiet                  no logging - output only
  -r, --ruleset=ruleset        path to a ruleset file (supports remote files)
  -s, --skip-rule=skip-rule    ignore certain rules if they are causing trouble
  -v, --verbose                increase verbosity
  --max-results=max-results    [default: all] maximum results to show
Note: The Spectral CLI supports both YAML and JSON.
Currently, Spectral CLI supports validation of OpenAPI documents and lints them based on our default ruleset, or you can provide your own rulesets.
There are three key concepts in Spectral: Rulesets, Rules and Functions.
Think of a set of rules and functions as a flexible and customizable style guide for your JSON objects.
Spectral is written in TypeScript (JavaScript) and can be used directly when you need to run it programmatically. Take a look at our "JavaScript API documentation".
How is this different than Ajv?
Ajv is a popular JavaScript JSON Schema validator, but it is not a linter. Validators just check if something is technically correct, but a linter goes a step further than that and programmatically applies opinions, which is what a style guide really is.
Spectral uses Ajv to expose a schema function, which you can use in your rules to validate all or part of the target object with JSON Schema. Spectral also provides a number of other functions and utilities that you can use to build up a linting ruleset to validate things that JSON Schema is not well suited for.
I want to lint my OpenAPI documents but don't want to implement Spectral right now.
No problem! A hosted version of Spectral comes free with the Stoplight platform. Sign up for a free account here.
What is the difference between Spectral and Speccy?
With Spectral, lint rules can be applied to any JSON object. Speccy is designed to work with OpenAPI v3 only. The rule structure is different between the two. Spectral uses JSONPath path parameters instead of the object parameters (which are OpenAPI specific), so you can write rulesets for AsyncAPI, standalone JSON Schema, whatever you like.
If you are interested in contributing to Spectral itself, check out our contributing docs to get started.
Also, most of the interesting projects are built with Spectral. Please consider using Spectral in a project or contribute to an existing one.
If you are using Spectral in your project and want to be listed in the examples section, we encourage you to open an issue.
path you want getJsonPathForPosition or getLocationForJsonPath
If you have a bug or feature request, please open an issue here.
If you need help using Spectral or have a support question, please use the Stoplight Community forum. We've created an open source category for these questions. It's also a great place to share your implementations.
If you want to discuss something in private, you can reach out to Stoplight support at support@stoplight.io.
FAQs
The npm package @stoplight/spectral receives a total of 18,658 weekly downloads. As such, @stoplight/spectral popularity was classified as popular.
We found that @stoplight/spectral demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 34 open source maintainers collaborating on the project.