Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
swagger-cli
The swagger-cli npm package is a command-line tool for working with Swagger and OpenAPI definitions. It provides various functionalities such as validating, bundling, dereferencing, and serving API definitions.
Validate
This feature allows you to validate your Swagger/OpenAPI definition to ensure it is correctly formatted and adheres to the specification.
swagger-cli validate my-api.yaml
Bundle
This feature bundles multiple Swagger/OpenAPI files into a single file. This is useful for managing large APIs split across multiple files.
swagger-cli bundle my-api.yaml --outfile bundled-api.yaml
Dereference
This feature dereferences $ref pointers in your Swagger/OpenAPI definition, replacing them with the actual content they point to. This can be useful for simplifying the API definition.
swagger-cli dereference my-api.yaml --outfile dereferenced-api.yaml
Serve
This feature serves your Swagger/OpenAPI definition over HTTP, allowing you to view and interact with it using a web browser.
swagger-cli serve my-api.yaml
Swagger Parser is a powerful library for parsing, validating, and dereferencing Swagger and OpenAPI definitions. It offers similar functionalities to swagger-cli but is more focused on being used as a library within Node.js applications rather than a command-line tool.
Speccy is a command-line tool for working with OpenAPI specifications. It provides features like validation, linting, and bundling. It is similar to swagger-cli but includes additional features like linting to enforce best practices.
Install using npm:
npm install -g @apidevtools/swagger-cli
swagger-cli <command> [options] <file>
Commands:
validate Validates an API definition in Swagger 2.0 or OpenAPI 3.0 format
bundle Bundles a multi-file API definition into a single file
Options:
-h, --help Show help for any command
-v, --version Output the CLI version number
-d, --debug [filter] Show debug output, optionally filtered (e.g. "*", "swagger:*", etc.)
The swagger-cli validate command will validate your Swagger/OpenAPI definition against the Swagger 2.0 schema or OpenAPI 3.0 schema. It also performs additional validations against the specification, which catch some things that aren't covered by the schema, such as duplicate parameters, invalid MIME types, etc.
The command will exit with a non-zero code if the API is invalid.
swagger-cli validate [options] <file>
Options:
--no-schema Do NOT validate against the Swagger/OpenAPI JSON schema
--no-spec Do NOT validate against the Swagger/OpenAPI specification
There is a useful Python tool called pre-commit that can be used to execute a wide suite of pre-commit checks. The swagger-cli validate command can be integrated as part of a git pre-commit hook by adding the following configuration to the repos entry of an existing .pre-commit-config.yaml file.
- repo: https://github.com/APIDevTools/swagger-cli
rev: v2.2.1
hooks:
- id: swagger-validation
args: ["validate", "<path to root swagger>"]
The intention is to point to a single root swagger that references multiple swagger definitions. The above hook will execute the swagger-cli validation against the root swagger any time a file matching the pattern .*swagger.*\.(json|yaml|yml) is modified. Any failures in this validation will prevent the git commit from being processed.
The Swagger and OpenAPI specs allow you to split your API definition across multiple files using $ref pointers to reference each file. You can use the swagger-cli bundle command to combine all of those referenced files into a single file, which is useful for distribution or interoperation with other tools.
By default, the swagger-cli bundle command tries to keep the output file size as small as possible by only embedding each referenced file once. If the same file is referenced multiple times, then any subsequent references are simply modified to point to the single inlined copy of the file. If you want to produce a bundled file without any $ref pointers, then add the --dereference option. This will result in a larger file size, since multiple references to the same file will result in that file being embedded multiple times.
If you don't specify the --outfile option, then the bundled API will be written to stdout, which means you can pipe it to other commands.
The bundled output is written as JSON by default. It can be changed to YAML with the --type option, by passing the yaml value.
swagger-cli bundle [options] <file>
Options:
-o, --outfile <file> The output file
-r, --dereference Fully dereference all $ref pointers
-f, --format <spaces> Formats the output using the given number of spaces
(the default is 2 spaces)
-t, --type <filetype> Defines the output file type. The valid values are: json, yaml
(the default is JSON)
-w, --wrap <column> Set the line length for YAML strings
(the default is no wrapping)
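The difference between plain bundling (each referenced file embedded once, later references rewritten to point at that copy) and --dereference (every reference replaced by its own copy) is easiest to see on a concrete multi-file definition. The following is an added example, not swagger-cli's own code: a small model of both modes over a constructed in-memory set of documents that stands in for files on disk. It assumes all files share one directory, rejects any $ref that points outside the known file set, and refuses to fully dereference a circular reference rather than loop forever.

```javascript
// Added example (not swagger-cli's own code): a small model of how
// `swagger-cli bundle` and `swagger-cli bundle --dereference` treat external
// `$ref` pointers. The "files" are an in-memory map of constructed sample
// documents standing in for files on disk, all assumed to share one directory.
const FILES = {
  "openapi.json": {
    openapi: "3.0.0",
    paths: {
      "/users": {
        get: {
          responses: {
            "200": {
              description: "ok",
              content: { "application/json": { schema: { $ref: "./user.json" } } },
            },
          },
        },
      },
      "/users/{id}": {
        get: {
          parameters: [{ $ref: "./params.json#/id" }],
          responses: {
            "200": {
              description: "ok",
              content: { "application/json": { schema: { $ref: "./user.json" } } },
            },
          },
        },
      },
    },
  },
  "user.json": {
    type: "object",
    properties: {
      id: { type: "integer" },
      name: { type: "string" },
      email: { type: "string", format: "email" },
    },
  },
  "params.json": {
    id: { name: "id", in: "path", required: true, schema: { type: "integer" } },
  },
};

// JSON Pointer (RFC 6901) helpers: build a pointer from path segments, walk one.
const escapeSegment = (s) => String(s).replace(/~/g, "~0").replace(/\//g, "~1");
const toPointer = (segments) =>
  segments.length ? "/" + segments.map(escapeSegment).join("/") : "";

function resolvePointer(doc, pointer) {
  if (pointer === "") return doc;
  if (!pointer.startsWith("/")) throw new Error(`bad JSON pointer: ${pointer}`);
  return pointer.slice(1).split("/").reduce((node, raw) => {
    const key = raw.replace(/~1/g, "/").replace(/~0/g, "~");
    if (node === null || typeof node !== "object" || !(key in node)) {
      throw new Error(`unresolvable pointer: ${pointer}`);
    }
    return node[key];
  }, doc);
}

// Split "./user.json#/a/b" into file and pointer. Only files present in the
// map may be resolved; "../x", absolute paths and URLs are rejected, not fetched.
function parseRef(ref, currentFile, files) {
  const [rawFile, pointer = ""] = ref.split("#");
  const file = rawFile === "" ? currentFile : rawFile.replace(/^\.\//, "");
  if (!Object.prototype.hasOwnProperty.call(files, file)) {
    throw new Error(`refusing to resolve $ref outside the known files: ${ref}`);
  }
  return { file, pointer };
}

function bundle(rootName, files, { dereference = false } = {}) {
  const inlined = new Map(); // "file#pointer" -> pointer of its first inlined copy
  const resolving = new Set(); // cycle guard, only reachable when dereferencing

  function walk(node, file, path) {
    if (Array.isArray(node)) return node.map((item, i) => walk(item, file, [...path, i]));
    if (node === null || typeof node !== "object") return node;

    if (typeof node.$ref === "string") {
      const target = parseRef(node.$ref, file, files);
      const key = `${target.file}#${target.pointer}`;
      // bundle mode: refs into the root stay internal; a target seen before is
      // not embedded again but re-pointed at its first inlined copy
      if (!dereference && target.file === rootName) return { $ref: `#${target.pointer}` };
      if (!dereference && inlined.has(key)) return { $ref: `#${inlined.get(key)}` };
      // --dereference embeds a fresh copy every time, so a cycle would never end
      if (resolving.has(key)) throw new Error(`circular $ref cannot be dereferenced: ${key}`);
      if (!dereference) inlined.set(key, toPointer(path));
      resolving.add(key);
      const copy = walk(resolvePointer(files[target.file], target.pointer), target.file, path);
      resolving.delete(key);
      return copy;
    }

    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = walk(v, file, [...path, k]);
    return out;
  }

  return walk(files[rootName], rootName, []);
}

// Same shape of output as `swagger-cli bundle openapi.json` (2-space JSON, like --format 2)
console.log(JSON.stringify(bundle("openapi.json", FILES), null, 2));
```

Running it prints the bundled root: the first use of user.json is embedded under /paths/~1users/.../schema and the second use becomes an internal $ref to that location, while `bundle("openapi.json", FILES, { dereference: true })` embeds the schema twice and produces the larger output the text describes. The rejection of unknown files in parseRef is the check a bundler run in CI should make anyway: a $ref should never be able to pull a file from outside the definition's own directory into the published artifact.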
I welcome any contributions, enhancements, and bug-fixes. Open an issue on GitHub and submit a pull request.
To build/test the project locally on your computer:
Clone this repo
git clone https://github.com/APIDevTools/swagger-cli.git
Install dependencies
npm install
Run the tests
npm test
Swagger CLI is 100% free and open-source, under the MIT license. Use it however you want.
This package is Treeware. If you use it in production, then we ask that you buy the world a tree to thank us for our work. By contributing to the Treeware forest you’ll be creating employment for local families and restoring wildlife habitats.
Thanks to these awesome companies for their support of Open Source developers ❤
FAQs
Swagger 2.0 and OpenAPI 3.0 command-line tool
The npm package swagger-cli receives a total of 150,877 weekly downloads. As such, swagger-cli popularity was classified as popular.
We found that swagger-cli demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.