
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
ajv-openapi-compile
Advanced tools
Generate a compiled AJV validation module from an OpenAPI definition.
Given an OpenAPI definition, compile into AJV validation modules to be used in environments (like Cloudflare Workers) where eval is not available, or a single JavaScript file is desired.
The normal way:
npm install ajv-openapi-compile --save-dev
You can use the CLI tool, as part of your build process:
ajv-openapi-compile --definition=/path/to/openapi.json \
--output=/path/to/compiled.js \
--tree=/path/to/tree.js
You can also use in your build scripts:
import { compile } from 'ajv-openapi-compile'
import { readFile, writeFile } from 'node:fs'
const definition = JSON.parse(await readFile('/path/to/openapi.json', 'utf8'))
const { code, tree } = await compile(definition)
await writeFile('/path/to/compiled.js', code, 'utf8')
await writeFile('/path/to/tree.js', tree, 'utf8')
The output from the compile function contains the code property, which has all imports/requires resolved and concatenated into the single string.
The compiled code is an ES string, and exports schema as the default, which is a map of schema identifiers to validation functions.
If you know the fully-resolved schema id, you can access the validation function explicitly:
import schemas from '/path/to/compiled.js'
const validate = schemas['#/components/schema/error']
const valid = validate({ code: 404 })
if (!valid) console.log(validate.errors)
Note: The schema identifiers are escaped using the JSON Pointer (RFC6901) specs, which turns
~into~0and/into~1.
If you don't know the fully-resolved schema id, you can use something like pointer-props to navigate the structure and resolve to the correct id:
import { resolve, toPointer } from 'pointer-props'
import { readFile } from 'node:fs'
import schemas from '/path/to/compiled.js'
const definition = JSON.parse(await readFile('/path/to/openapi.json', 'utf8'))
// lookup the id
const id = resolve(definition, '#/path/to/schema') // => '/path/to/fully/resolved/schema'
// note the relative reference requires "#" as the prefix
const validate = schemas['#' + id]
const valid = validate({ code: 404 })
if (!valid) console.log(validate.errors)
ajv-openapi-compileThe CLI takes the following parameters:
---definition, -d (String) - The path to the definition JSON file.---output, -o (String) - The path to write the compiled AJV validation code.For convenience and compatability with other tooling, the definition parameter also supports importing JavaScript files, and will follow this algorithm:
.json read and parse as JSON.yaml or .yml read and parse as YAML (using js-yaml internally)* as schemaschema.definition is set, use thatschemaschema and try thatTo be considered valid, the imported schema definition must have a paths object, with at least one "Path Object" defined.
function(definition: Object) => { code: String }The function simply takes a valid OpenAPI 3.x object.
It returns an object with the following properties:
code: String - The compiled code, with all import and require statements resolved and placed inline.Published and released under the Very Open License.
If you need a commercial license, contact me here.
FAQs
Generate a compiled AJV validation module from an OpenAPI definition.
We found that ajv-openapi-compile demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.