Bump the bundled UI versions (Scalar 1.61.0, Swagger UI 5.32.8, Stoplight 9.0.23) #106
Merged
…ight 9.0.23) (#106) Dependabot flagged the all-ui-bundles group. Move every pin together so the parity tests stay green: package.json, the CDN version + sha384 SRI in ui/scalar and ui/swaggerui, the version + go:generate URL + re-vendored bundle in each *emb twin, and the pinning-test hashes. Scalar 1.61.0 is a clean minor (AsyncAPI rendering, an opt-in onRequestBuilt hook stdocs never sets, schema-composition fixes); it keeps the config keys the CSP-safe defaults use (showDeveloperTools, agent.disabled, mcp.disabled, withDefaultFonts) and the data-url / data-configuration bootstrap, and adds no new third-party origin. Swagger UI 5.32.6->5.32.8 is two patches (bundled dompurify/js-yaml bumps plus a try-it-out param-prefill fix) with no init-API or filename change; its JS bundle bytes change (SRI re-pinned) but the CSS is unchanged, and the hash-pinned inline init is untouched. Stoplight 9.0.23 is a security/CI patch whose web-components.min.js and styles.min.css are byte-identical to 9.0.22, so only the version string moves. Each bundle was verified by bytes: npm tarball integrity matches the published dist.integrity, the jsDelivr copy equals the tarball, the sha384 SRI is recomputed from those bytes, and the scalar.com host set is unchanged from the prior pin.
c677ad9 to 0733d5e
This was referenced Jun 24, 2026
Supersedes #105 (the Dependabot all-ui-bundles group bump). Dependabot only edits the package.json tracker, which on its own turns CI red — the parity tests assert it matches the Go pins. This moves every pin together and re-vendors the embedded bundles.

Updates

@scalar/api-reference 1.60.0 → 1.61.0 (minor)
swagger-ui-dist 5.32.6 → 5.32.8 (two patches)
@stoplight/elements 9.0.22 → 9.0.23 (patch)

(redoc and typescript unchanged.)

Safety review (changelogs + bytes)

onRequestBuilt hook (stdocs never sets it), schema-composition fixes. All four CSP-safe default keys survive (showDeveloperTools, agent.disabled, mcp.disabled, withDefaultFonts); data-url/data-configuration bootstrap unchanged; no new third-party origin.
SwaggerUIBundle/validatorUrl/filenames untouched. JS bundle re-pinned; CSS unchanged; the hash-pinned inline init is unaffected.
web-components.min.js and styles.min.css are byte-identical to 9.0.22, so only the version string moves.
dist.integrity, jsDelivr == tarball, the sha384 SRI is recomputed from those bytes, and the scalar.com host set is unchanged.

Verification

gofmt/build/vet/-race/golangci-lint clean; the network-backed pinning + SRI parity + CSP parity + config tests pass; the full headless-Chrome uismoke suite passes (Scalar's CSP-safe defaults still hide the chrome under 1.61.0, all UIs boot under their CSP with no violations).
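
The byte checks named in the commit message and safety review above (tarball against dist.integrity, CDN copy against the tarball's file, sha384 SRI against those bytes), as an added Go example that is not stdocs code. SRI, MatchSRI, VerifyPin and the fromTarball parameter are hypothetical names; the example assumes the caller has already extracted the bundle file from the tarball and that dist.integrity carries a single sha512 entry.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"hash"
	"strings"
)

// sha384 is the pin algorithm named on the page; sha512 for dist.integrity is an assumption.
var algs = map[string]func() hash.Hash{"sha384": sha512.New384, "sha512": sha512.New}

// SRI renders b's digest as "<alg>-<base64>", or "" for an unsupported alg.
func SRI(alg string, b []byte) string {
	mk, ok := algs[alg]
	if !ok {
		return ""
	}
	h := mk()
	h.Write(b)
	return alg + "-" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// MatchSRI reports whether b hashes to a single "<alg>-<base64>" pin.
func MatchSRI(pin string, b []byte) bool {
	alg, _, ok := strings.Cut(pin, "-")
	return ok && SRI(alg, b) == pin
}

// VerifyPin runs the three byte checks in order and names the first one that fails.
// fromTarball is the bundle file already extracted from tgz (hypothetical parameter).
func VerifyPin(tgz []byte, distIntegrity string, fromTarball, cdn []byte, pin string) error {
	switch {
	case !MatchSRI(distIntegrity, tgz):
		return fmt.Errorf("tarball does not match dist.integrity %s", distIntegrity)
	case !bytes.Equal(fromTarball, cdn):
		return fmt.Errorf("CDN copy differs from the file inside the tarball")
	case !MatchSRI(pin, cdn):
		return fmt.Errorf("pinned SRI %s does not match the bundle bytes", pin)
	}
	return nil
}

func main() { // constructed stand-in bytes, not real bundles
	tgz, js := []byte("tarball bytes"), []byte("bundle bytes")
	fmt.Println(VerifyPin(tgz, SRI("sha512", tgz), js, js, SRI("sha384", js)))
}
```

A bundle whose bytes did not change between versions passes VerifyPin against its old pin, which is the case where only the version string needs to move.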