11 changes: 10 additions & 1 deletion CHANGELOG.md
Expand Up @@ -7,7 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/).

## [Unreleased]

Nothing yet.
### Changed

- Bumped the bundled UI versions: Scalar (`@scalar/api-reference`) to
1.61.0, Swagger UI (`swagger-ui-dist`) to 5.32.8, and Stoplight
Elements (`@stoplight/elements`) to 9.0.23 — across the CDN pins, the
embedded bundles, and the `package.json` tracker. All three are
additive/patch upstream releases that preserve the configuration and
CSP contracts stdocs relies on; the CDN SRI hashes and vendored bytes
are re-pinned (Scalar's bundle and Swagger UI's JS changed; Swagger
UI's CSS and Stoplight's assets are byte-identical to the prior pin).

## [0.7.0] - 2026-06-19

6 changes: 3 additions & 3 deletions package.json
Expand Up @@ -4,10 +4,10 @@
"private": true,
"description": "Dev-only manifest. Used by Dependabot to track upstream versions of the docs UI bundles and the typescript release CI type-checks tsgen output against; the Go source in ui/*/*.go is the source of truth for the bundle versions that ship. Do not 'npm install' — the runtime does not import any npm package.",
"devDependencies": {
"@scalar/api-reference": "1.60.0",
"@stoplight/elements": "9.0.22",
"@scalar/api-reference": "1.61.0",
"@stoplight/elements": "9.0.23",
"redoc": "2.5.3",
"swagger-ui-dist": "5.32.6",
"swagger-ui-dist": "5.32.8",
"typescript": "6.0.3"
}
}
6 changes: 3 additions & 3 deletions ui/scalar/scalar.go
Expand Up @@ -17,7 +17,7 @@
// Scalar JavaScript and CSS are loaded from cdn.jsdelivr.net at page
// load time, so an internet connection is required.
//
// The CDN URL is pinned to a specific version (1.60.0) and points at
// The CDN URL is pinned to a specific version (1.61.0) and points at
// the verbatim dist/browser/standalone.js file from the npm package,
// so its bytes are deterministic and the sha384 SRI hash below is
// pinned in the <script> tag. Bumping the pinned version requires
Expand All @@ -35,14 +35,14 @@ import (
// scalarVersion is the version of @scalar/api-reference this
// package is pinned to. Bumping this requires updating the SRI
// hash below and re-vendoring the bundle in ui/scalaremb.
const scalarVersion = "1.60.0"
const scalarVersion = "1.61.0"

// scalarSRIHash is the sha384 SRI hash of dist/browser/standalone.js
// at the pinned version. Re-compute with:
//
// curl -fsSL "https://cdn.jsdelivr.net/npm/@scalar/api-reference@<ver>/dist/browser/standalone.js" \
// | openssl dgst -sha384 -binary | openssl base64 -A
const scalarSRIHash = "sha384-3sxnxyp7pbU2/o4+gs4EbvQ4YKyF60pWDL2LW8SoFZNQBTSiPah2xcHpxsndZEgF"
const scalarSRIHash = "sha384-Xs/iJWxWjlZkAyFsV9D9nI5WP5iKFnNNbnZVXMsTxD5dseQbCaaaYIb0YUtR9Ckl"

// UIOption configures the Scalar UI installed by WithUI.
type UIOption = uiopt.Option
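Review bot: The re-compute recipe above `scalarSRIHash` takes the new hash from the same jsDelivr URL that the `<script>` tag loads, so the pin records whatever the CDN served when the bump was made rather than an independently checked artifact. The pinning-test comment in ui/scalaremb says the bytes were compared with the npm tarball, but that step is not written down in this recipe. I would add it, for example `// Before committing, confirm the result also matches dist/browser/standalone.js from the npm registry tarball of the same version.` The new hash value itself cannot be checked from this page.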
4 changes: 2 additions & 2 deletions ui/scalar/scalar_pinning_test.go
Expand Up @@ -14,8 +14,8 @@ import (
// dist/browser/standalone.js file, so its sha384 SRI hash is
// pinned too.
func TestPinnedVersion(t *testing.T) {
if scalarVersion != "1.60.0" {
t.Errorf("scalarVersion = %q, want 1.60.0 (re-vendor the bundle in ui/scalaremb)", scalarVersion)
if scalarVersion != "1.61.0" {
t.Errorf("scalarVersion = %q, want 1.61.0 (re-vendor the bundle in ui/scalaremb)", scalarVersion)
}
wantURL := fmt.Sprintf("https://cdn.jsdelivr.net/npm/@scalar/api-reference@%s/dist/browser/standalone.js", scalarVersion)
if !strings.Contains(scalarHTML, `src="`+wantURL+`"`) {
496 changes: 248 additions & 248 deletions ui/scalaremb/assets/standalone.js

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions ui/scalaremb/scalaremb.go
Expand Up @@ -6,7 +6,7 @@
// bundle in your binary so the docs UI works without an internet
// connection.
//
// The vendored bundle is pinned to @scalar/api-reference@1.60.0 and
// The vendored bundle is pinned to @scalar/api-reference@1.61.0 and
// ships in-repo, so importing this package is all you need; the
// //go:generate directive below is a maintainer-only convenience for
// re-vendoring the bundle on a version bump.
Expand Down Expand Up @@ -51,12 +51,12 @@ import (
// `go generate` cannot run inside the module cache anyway). Bumping
// the version requires updating scalarVersion, the URL below, the
// SRI hash in ui/scalar, and the hash pin in the tests.
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/@scalar/api-reference@1.60.0/dist/browser/standalone.js -o assets/standalone.js"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/@scalar/api-reference@1.61.0/dist/browser/standalone.js -o assets/standalone.js"

// scalarVersion is the version of @scalar/api-reference vendored
// under assets/. It must match the devDependencies entry in the
// repo-root package.json.
const scalarVersion = "1.60.0"
const scalarVersion = "1.61.0"

//go:embed assets/*
var assetsFS embed.FS
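Review bot: The `//go:generate` line writes the curl output straight to `assets/standalone.js`, so a re-vendor replaces the embedded bundle before anything compares it with `standaloneJSHash`; that comparison only happens if the pinning test is run afterwards. The version is also spelled out three times in this file (package comment, generate URL, `scalarVersion`), and the visible hunks do not show a test that ties the URL to the constant. I would state the required follow-up next to the directive, e.g. `// After go generate, run go test ./ui/scalaremb/ and review the diff: the download is unverified until the hash pin test passes.` The same pattern appears in the generate lines of ui/stoplightemb/stoplightemb.go and ui/swaggeruiemb/swaggeruiemb.go.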
4 changes: 2 additions & 2 deletions ui/scalaremb/scalaremb_pinning_test.go
Expand Up @@ -12,10 +12,10 @@ import (

// standaloneJSHash is the sha384 hash of the vendored
// assets/standalone.js, verified byte-identical to
// dist/browser/standalone.js in the @scalar/api-reference@1.60.0
// dist/browser/standalone.js in the @scalar/api-reference@1.61.0
// npm tarball (and to the pinned jsDelivr URL). It matches
// scalarSRIHash in ui/scalar.
const standaloneJSHash = "sha384-3sxnxyp7pbU2/o4+gs4EbvQ4YKyF60pWDL2LW8SoFZNQBTSiPah2xcHpxsndZEgF"
const standaloneJSHash = "sha384-Xs/iJWxWjlZkAyFsV9D9nI5WP5iKFnNNbnZVXMsTxD5dseQbCaaaYIb0YUtR9Ckl"

func sri384(data []byte) string {
sum := sha512.Sum384(data)
4 changes: 2 additions & 2 deletions ui/stoplight/stoplight.go
Expand Up @@ -19,7 +19,7 @@
// cdn.jsdelivr.net at page load time, so an internet connection is
// required.
//
// The CDN URLs are pinned to a specific version (9.0.22) and point
// The CDN URLs are pinned to a specific version (9.0.23) and point
// at the verbatim web-components.min.js and styles.min.css files
// from the npm package, so their bytes are deterministic and the
// sha384 SRI hashes below are pinned in the <script>/<link> tags.
Expand All @@ -38,7 +38,7 @@ import (
// stoplightVersion is the version of @stoplight/elements this
// package is pinned to. Bumping this requires updating the SRI
// hashes below and re-vendoring the bundle in ui/stoplightemb.
const stoplightVersion = "9.0.22"
const stoplightVersion = "9.0.23"

// SRI hashes (sha384) for the pinned Stoplight Elements assets.
// Re-compute with:
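Review bot: `stoplightVersion` moves to 9.0.23 while the SRI constants that follow this hunk are not part of the change, so the `<script>`/`<link>` tags will request the 9.0.23 files against hashes pinned before the bump. The changelog states the assets are byte-identical; if that did not hold, browsers would refuse the assets and the CDN-mode page would fail to load, which an offline test would presumably not catch. I would record the check where the next maintainer looks, e.g. `// Hashes re-verified unchanged for 9.0.23.` above the constants. The same applies to `swaggerUICSSHash` in ui/swaggerui/swaggerui.go, which is kept across the 5.32.8 bump; the Stoplight constant block itself lies outside the visible hunk.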
4 changes: 2 additions & 2 deletions ui/stoplight/stoplight_pinning_test.go
Expand Up @@ -14,8 +14,8 @@ import (
// files from the npm tarball, so their sha384 SRI hashes are
// pinned too.
func TestPinnedVersion(t *testing.T) {
if stoplightVersion != "9.0.22" {
t.Errorf("stoplightVersion = %q, want 9.0.22", stoplightVersion)
if stoplightVersion != "9.0.23" {
t.Errorf("stoplightVersion = %q, want 9.0.23", stoplightVersion)
}
wantJS := fmt.Sprintf("https://cdn.jsdelivr.net/npm/@stoplight/elements@%s/web-components.min.js", stoplightVersion)
if !strings.Contains(stoplightHTML, `src="`+wantJS+`"`) {
8 changes: 4 additions & 4 deletions ui/stoplightemb/stoplightemb.go
Expand Up @@ -6,7 +6,7 @@
// Stoplight web-component bundle in your binary so the docs UI
// works without an internet connection.
//
// The vendored bundle is pinned to @stoplight/elements@9.0.22.
// The vendored bundle is pinned to @stoplight/elements@9.0.23.
//
// To use it:
//
Expand Down Expand Up @@ -49,13 +49,13 @@ import (
// anyway). Bumping the version requires updating stoplightVersion,
// the URLs below, the SRI hashes in ui/stoplight, and the hash pins
// in the tests.
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/@stoplight/elements@9.0.22/web-components.min.js -o assets/web-components.min.js"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/@stoplight/elements@9.0.22/styles.min.css -o assets/styles.min.css"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/@stoplight/elements@9.0.23/web-components.min.js -o assets/web-components.min.js"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/@stoplight/elements@9.0.23/styles.min.css -o assets/styles.min.css"

// stoplightVersion is the version of @stoplight/elements vendored
// under assets/. It must match the devDependencies entry in the
// repo-root package.json.
const stoplightVersion = "9.0.22"
const stoplightVersion = "9.0.23"

//go:embed assets/*
var assetsFS embed.FS
2 changes: 1 addition & 1 deletion ui/stoplightemb/stoplightemb_pinning_test.go
Expand Up @@ -11,7 +11,7 @@ import (
)

// sha384 hashes of the vendored assets, verified byte-identical to
// the files in the @stoplight/elements@9.0.22 npm tarball (and to
// the files in the @stoplight/elements@9.0.23 npm tarball (and to
// the pinned jsDelivr URLs). They match the SRI hashes in
// ui/stoplight.
const (
6 changes: 3 additions & 3 deletions ui/swaggerui/swaggerui.go
Expand Up @@ -17,7 +17,7 @@
// Swagger UI JavaScript and CSS are loaded from cdn.jsdelivr.net at
// page load time, so an internet connection is required.
//
// The CDN URLs are pinned to a specific version (5.32.6, the
// The CDN URLs are pinned to a specific version (5.32.8, the
// current latest 5.x). Integrity hashes are pre-computed
// (sha384) and pinned in the <link>/<script> tags. Bumping the
// pinned version requires re-computing the hashes (the recipe is
Expand All @@ -36,7 +36,7 @@ import (
// swaggerUIVersion is the version of swagger-ui-dist this package
// is pinned to. Bumping this requires updating the integrity
// hashes below and re-vendoring the bundle in ui/swaggeruiemb.
const swaggerUIVersion = "5.32.6"
const swaggerUIVersion = "5.32.8"

// SRI hashes (sha384) for the pinned Swagger UI assets. These
// were computed from the published jsDelivr release (verified
Expand All @@ -49,7 +49,7 @@ const swaggerUIVersion = "5.32.6"
//
// (and the same for swagger-ui.css).
const (
swaggerUIBundleHash = "sha384-EYdOaiRwn44zNjrw+Tfs06qYz9BGQVo2f4/pLY5i7VorbjnZNhdplAbTBk8FXHUJ"
swaggerUIBundleHash = "sha384-IKpAWwsTL0pcw7/Amtnt2eXF4P1BK64WNuY2E/RG15SWLUW5HXzFuyqCSAr/DP8C"
swaggerUICSSHash = "sha384-9Q2fpS+xeS4ffJy6CagnwoUl+4ldAYhOs9pgZuEKxypVModhmZFzeMlvVsAjf7uT"
)

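Review bot: The package comment now reads "pinned to a specific version (5.32.8, the current latest 5.x)", a statement that is only true on the day of the bump and has to be re-edited by hand each time. I would shorten it to `// The CDN URLs are pinned to a specific version (5.32.8).` and let `swaggerUIVersion` carry the number. The comment block starts above the visible hunk.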
4 changes: 2 additions & 2 deletions ui/swaggerui/swaggerui_pinning_test.go
Expand Up @@ -13,8 +13,8 @@ import (
// UI CDN version. Bumping the version requires also updating the
// SRI hashes in swaggerui.go.
func TestPinnedVersion(t *testing.T) {
if swaggerUIVersion != "5.32.6" {
t.Errorf("swaggerUIVersion = %q, want 5.32.6 (re-run SRI hash update)", swaggerUIVersion)
if swaggerUIVersion != "5.32.8" {
t.Errorf("swaggerUIVersion = %q, want 5.32.8 (re-run SRI hash update)", swaggerUIVersion)
}
wantJS := fmt.Sprintf("https://cdn.jsdelivr.net/npm/swagger-ui-dist@%s/swagger-ui-bundle.js", swaggerUIVersion)
if !strings.Contains(swaggerHTML, `src="`+wantJS+`"`) {
2 changes: 1 addition & 1 deletion ui/swaggeruiemb/assets/swagger-ui-bundle.js

Large diffs are not rendered by default.

8 changes: 4 additions & 4 deletions ui/swaggeruiemb/swaggeruiemb.go
Expand Up @@ -6,7 +6,7 @@
// UI JavaScript and CSS in your binary so the docs UI works
// without an internet connection.
//
// The vendored bundle is pinned to swagger-ui-dist@5.32.6 and its
// The vendored bundle is pinned to swagger-ui-dist@5.32.8 and its
// sha384 SRI hash is set in the sibling ui/swaggerui package.
//
// To use it:
Expand Down Expand Up @@ -50,13 +50,13 @@ import (
// anyway). Bumping the version requires updating swaggerUIVersion,
// the URLs below, the SRI hashes in ui/swaggerui, and the hash pins
// in the tests.
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.32.6/swagger-ui-bundle.js -o assets/swagger-ui-bundle.js"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.32.6/swagger-ui.css -o assets/swagger-ui.css"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.32.8/swagger-ui-bundle.js -o assets/swagger-ui-bundle.js"
//go:generate bash -c "curl -fsSL https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.32.8/swagger-ui.css -o assets/swagger-ui.css"

// swaggerUIVersion is the version of swagger-ui-dist vendored under
// assets/. It must match the devDependencies entry in the repo-root
// package.json.
const swaggerUIVersion = "5.32.6"
const swaggerUIVersion = "5.32.8"

//go:embed assets/*
var assetsFS embed.FS
4 changes: 2 additions & 2 deletions ui/swaggeruiemb/swaggeruiemb_pinning_test.go
Expand Up @@ -11,10 +11,10 @@ import (
)

// sha384 hashes of the vendored assets, verified byte-identical to
// the files in the swagger-ui-dist@5.32.6 npm tarball (and to the
// the files in the swagger-ui-dist@5.32.8 npm tarball (and to the
// pinned jsDelivr URLs). They match the SRI hashes in ui/swaggerui.
const (
bundleJSHash = "sha384-EYdOaiRwn44zNjrw+Tfs06qYz9BGQVo2f4/pLY5i7VorbjnZNhdplAbTBk8FXHUJ"
bundleJSHash = "sha384-IKpAWwsTL0pcw7/Amtnt2eXF4P1BK64WNuY2E/RG15SWLUW5HXzFuyqCSAr/DP8C"
cssHash = "sha384-9Q2fpS+xeS4ffJy6CagnwoUl+4ldAYhOs9pgZuEKxypVModhmZFzeMlvVsAjf7uT"
)
