What's new in oasdiff
New analysis capabilities, accuracy improvements, and review-surface changes shipped recently.
- Allcli
oasdiff now detects 500 kinds of API changes
With the nullability checks in oasdiff v1.23.0, the rule catalog reached a round number: 500 kinds of API changes detected, each classified by the OpenAPI object it affects, the kind of change, and whether it breaks existing clients.
The complete list is generated from the CLI itself on every release, so what you see there is exactly what runs in your CI.
- Allcli
Nullability changes reported accurately, in every form
OpenAPI has three equivalent ways to make a schema nullable:
nullable: true(3.0),type: [string, "null"](3.1), and wrapping inoneOf: [{type: "null"}, ...], the common idiom for$ref'd schemas. oasdiff now treats all three as one thing and reports a single, correctly-leveled finding.- Wrapping a schema in a null
oneOfis one INFO finding. It used to read as false breaking errors: the wrapped enum reported all its values as removed, plus type andoneOfnoise. oasdiff now proves the wrapped schema is equivalent to the original and reportsbecame-nullable. - Unwrapping reports
became-not-nullable. Breaking on the request side (the request no longer accepts null), informational on the response side, with new response verdicts that also cover forms that previously reported nothing. - Parameters are covered. A parameter flipping between
type: [string, "null"]andtype: stringwas silent in both directions, although the removal direction is breaking. New parameter and parameter-property verdicts close it. - A new nullability guide explains the model, when a nullability change is breaking, and the deliberate limits.
Available in oasdiff v1.23.0 and oasdiff-action v0.1.6.
- Wrapping a schema in a null
- Allaction
Exact source locations in your change reports
breakingandchangelognow tell you exactly where each change happened in your spec.- Precise source locations for every change. Each change carries the file, line, and column it came from, now including security, stability, sunset, and
x-extensible-enumchanges, down to the exact field or removed value. In--format jsonoryamloutput you can jump straight to it. - OpenAPI 3.1 nullable arrays no longer break
--flatten-allof. A multi-type array liketype: [integer, "null"]inside an allOf no longer fails with a type-conflict error when there is no real conflict. - A published output schema. The new
oasdiff schemacommand prints a JSON Schema for thebreaking/changelogjson output, so CI tooling can validate or type the results.
Available in oasdiff-action v0.1.5, running oasdiff v1.22.0.
- Precise source locations for every change. Each change carries the file, line, and column it came from, now including security, stability, sunset, and
- Allcli
Sharper response-side detection and clearer change messages
oasdiff v1.21.0 fills in several response-side checks, fixes a crash, and rewrites the type change messages to read in plain English.
- No more crash on schema-less media types. Comparing a response that gains or loses its schema (
content: { application/json: {} }to a typed body, or back) no longer panics; the change is reported instead. - Response type widening vs narrowing. A response type that narrows (
numbertointeger) is now flagged as a safe change, and one that widens (integertonumber) as a breaking one, instead of a single generic "type changed". - More response-side changes detected. A media type schema added or removed where there was none, and an added response header, are now reported.
- Clearer messages. Type and format change messages now name the dimension that changed, fold away empty formats, show array item types (
array<string>), and say "widened" / "narrowed" instead of "generalized" / "specialized".
Available in oasdiff v1.21.0.
- No more crash on schema-less media types. Comparing a response that gains or loses its schema (
- Allcli
More accurate diffs and valid empty output
oasdiff v1.20.1 sharpens the diff and fixes how empty results are formatted.
- No phantom security changes. When an operation allows an OR of OAuth2 scopes by listing the same scheme more than once (
- petstore_auth: [read]/- petstore_auth: [write]), the diff no longer invents a scope add or remove. It was even firing when comparing a spec against an identical copy. The diff now also identifies exactly which requirement changed. - Fewer false positives. A request property wrapped in
oneOfis no longer reported as removed. - Valid empty output in every format. A clean spec or an empty diff now renders a valid empty document (
{}or[]for JSON and YAML, and a clear "No changes detected" line for text), instead of empty or malformed output.
Available in oasdiff v1.20.1.
- No phantom security changes. When an operation allows an OR of OAuth2 scopes by listing the same scheme more than once (
- Proreview
Pro reviews are now end-to-end encrypted
The Pro review that the
changelogaction posts on your pull requests is now end-to-end encrypted. With anoasdiff-tokenset, the action encrypts your specs client-side in CI before upload, and the decryption key travels only in the review link's URL fragment, which browsers never send to a server. The review renders for your team, but oasdiff cannot read your spec content.- Approve or reject each change on the PR. The action posts a comment linking to a side-by-side review where your team approves or rejects every change. The
oasdiffcommit status gates merge until all breaking changes are approved. - Nothing readable stored at rest. Only ciphertext is uploaded; the key stays in the link, so a stored review is a blob we cannot open.
- A clear message when a trial or subscription ends. Instead of an opaque failed run, the action now says your plan has expired and links you to renew, without breaking your build.
Available in oasdiff-action v0.1.3, running oasdiff v1.20.0. See setup.
- Approve or reject each change on the PR. The action posts a comment linking to a side-by-side review where your team approves or rejects every change. The
- Allintegrations
Use oasdiff from your AI assistant
oasdiff now runs as an MCP server, so Claude, Cursor, and other AI assistants can call it directly. Ask "does this change break the API?" and your assistant runs oasdiff on the two specs and reads back the result.
It's hosted and remote (Streamable HTTP, no install, no API key): point your client at
https://api.oasdiff.com/mcp. Four tools are available: breaking changes, changelog, diff, and validate. See Use oasdiff from your AI assistant for the one-line setup for Claude Code and Cursor. - Allaction
The free review link now reaches your team more reliably
A round of fixes to the free side-by-side review that the breaking and changelog actions post on every pull request with changes:
- Get the review as a pull-request comment. When the action runs without a
github-token, it now tells you to add one (withpull-requests: write) so the review link is posted as a PR comment instead of only landing in the job summary. See the setup. - No review comment on an unchanged PR. With
format: json,yaml, ormarkup, a pull request with no API changes could still get a review comment. Detection no longer depends on the output format, so a clean PR stays clean. - A clear message in composed mode. With
composed: truethe review compares exactly two specs and isn't available; the action now says so once instead of printing a confusing "couldn't upload" warning. - A
.oasdiff.yamlin your repo can't break the review. The action pins the settings the review depends on, so a config file can't silently drop the review link or the inline annotations.
oasdiff --openis additive too: an upload hiccup never changes yourfail-onresult or the command's exit code.Available in oasdiff-action v0.1.1, running oasdiff v1.19.1.
- Get the review as a pull-request comment. When the action runs without a
- Allreview
🚀 The side-by-side change review is now free for everyone
oasdiff's side-by-side API change review is now free for everyone. See exactly what changed between two API specs, rendered as a full visual diff.
Point it at any two versions of your spec, wherever they live, and open the review three ways:
- Command line:
oasdiff changelog --open(orbreaking --open) - Free GitHub Action: the breaking and changelog actions link straight to the review on every pull request with changes
- Online diff tool: the "Share as a side-by-side review" button
Two things you'll use it for:
- Understand a change in context. Every change is highlighted inside its operation or schema in the full diff, so you see not just what changed but where.
- Share it for review. Send the link to teammates and anyone can open it, with no install and no account. Each change also has its own link, so you can point someone straight at the one you mean.
Your review stays private. What we store is an encrypted blob we cannot read: the one-time key that unlocks it lives only in the review link (the part after the
#) and never reaches our servers. From the command line and the GitHub Action it goes further, since the comparison is computed and encrypted on your own machine, so the specs never leave it in the clear. Links expire after 7 days.Need to act on a review, not just read it? oasdiff Pro lets reviewers approve or reject each change, keeps the merge blocked until every breaking change has been reviewed, and records who approved what, right on the pull request. Try Pro.
Available in oasdiff v1.19.0 and the oasdiff GitHub Action v0.1.0.
- Command line:
- Allcalculator
Copy a clean, shareable report from the diff tool
The diff tool's text output now reads like the CLI: colorized by severity, with the columns aligned. And the copy button gives you clean, paste-ready text, no color codes, tabs expanded to spaces, so a breaking-changes or changelog report drops straight into a PR comment, ticket, or doc and still lines up.
Try it on the diff tool: pick Breaking, Changelog, or Validate, choose the Text format, and copy.
- Allcalculator
Share a comparison as a side-by-side review
Compared two specs in the diff tool? You can now open them as a side-by-side review and share it with your team, instead of copying markdown or HTML into a message.
Click "Share as a side-by-side review" and sign in with GitHub. You land on the review page with the full change list, and each change has a "Copy link to this change" button, so you can point a teammate at one specific change, not just the whole diff. Anyone with a link can open it, no install and no account needed on their end. Links last 7 days.
- Allcli
Let oasdiff fetch missing commits for you with --fetch
When you compare two git revisions, say
oasdiff changelog main:openapi.yaml release:openapi.yaml, and one of the commits is not in your local clone yet, oasdiff used to stop and print thegit fetchcommand for you to run. Add--fetchand oasdiff fetches the missing revisions from origin itself, then runs the comparison in one step. Without the flag it stays read-only, so you decide when your repository is touched.Available in oasdiff v1.18.5.
- Allaction
The oasdiff GitHub Action handles more spec changes without failing
The breaking, changelog, and diff actions could fail unexpectedly on a few specific spec changes, for example an array property that dropped its
items, or a removednot/if/then/elseschema. Those comparisons now run cleanly. The breaking and changelog actions also catch property changes nested inside anotschema, which were skipped before.Available in oasdiff-action v0.0.57.
- Allaction
View breaking changes in a side-by-side review, straight from your PR
When the free oasdiff GitHub Action finds breaking changes, the Checks summary now links straight to a shareable side-by-side review. And when you run the review command locally, oasdiff now tells you the exact
git fetchto run if a commit isn't in your clone yet, instead of a cryptic git error.Available in oasdiff v1.18.4 and oasdiff-action v0.0.56.
- Proreview
Bring a teammate into a review
Reviewing breaking changes is a team decision, so it should be easy to pull the right person in.
Every breaking change on a review now has an Ask a teammate to review action. It creates a single-use invite and copies a link you can paste anywhere (Slack, a PR comment, email). When your teammate opens it, they sign in, join your team, and land directly on that change, ready to approve or reject it. Asking for a second opinion is the invite, so they arrive able to act instead of stuck on a read-only page.
And when someone who is not yet on your team opens a review, they can ask to join. You get an email and a request in your account settings; approve it and they are sent an invite automatically.
- Prosetup
Verify your setup before the first pull request
Setting up oasdiff Pro has a few moving parts: the GitHub App, the repository token, the workflow file, and your spec paths. Until now the first real signal that it all fit together was an actual pull request.
You can now check the whole chain on demand. Open your repository's Actions tab, choose the oasdiff workflow, and click Run workflow. It runs a read-only check (no pull request, no comment, no commit status) and reports a checklist: the workflow ran, the token authenticated, the oasdiff GitHub App is installed, your spec files resolved, and your GitHub sign-in can read the spec.
Results appear both in the run's summary and on your setup page, so you can spot and fix a missing step before it matters on a real PR.
- Allaction
GitHub Action: external $refs are off by default
The oasdiff GitHub Actions now default to
allow-external-refs: false. Because CI commonly runs on pull requests from forks, external$refs in a spec are no longer fetched or resolved by default — the safe choice for untrusted input.Specs loaded the recommended way are unaffected: with the git-ref form (
base: 'origin/main:openapi.yaml'), in-repository$refs — single- or multi-file — resolve viagit show, not as external references.If your spec references an external URL, or you load split multi-file specs by plain file path instead of the git-ref form, opt back in with the new
allow-external-refsinput (available on all five actions):- uses: oasdiff/oasdiff-action/breaking@v0.0.51 with: base: 'origin/${{ github.base_ref }}:openapi.yaml' revision: 'HEAD:openapi.yaml' allow-external-refs: trueFailures now also surface as annotations on the Checks tab, with a one-line hint when a blocked external
$refis the cause. Available in oasdiff-action v0.0.51 (runs on oasdiff v1.18.1).Security: this change also addresses GHSA-fhj3-7267-7vv5. Before v0.0.51, the permissive default could resolve attacker-controlled
$refs on fork pull requests (SSRF, and disclosure of structured files on the runner). The base-image fix is GHSA-2jcc-mxv7-p3f9, in oasdiff v1.18.1. If you pin an older action version, upgrade to v0.0.51. - Freecli
Side-by-side review from your terminal, with --open
oasdiff changelogandoasdiff breakingnow accept an--openflag. After printing the changelog in your terminal, the CLI uploads the two specs to oasdiff.com and opens a side-by-side review in your browser — the same view paying customers see, with the approve / reject buttons present (locked on the free tier) and the diff anchored at each breaking change.oasdiff changelog HEAD~1:openapi.yaml HEAD:openapi.yaml --openThe resulting URL is unguessable and works for 7 days. Paste it into a PR comment or your team's Slack and reviewers can open it directly — no CLI install required on their side, no GitHub OAuth approval. First run prompts for GitHub sign-in (minimal scopes, no
repoaccess) and stores a token locally; subsequent runs skip it.Works against any spec you can
git show— public or private. See /docs/free-review for the full walkthrough. - Allcli
OpenAPI changelog inline in git log
New
oasdiff git-diff-driversubcommand wires oasdiff into git as an external diff driver, sogit log --patch --ext-diffandgit diffrender a human-readable OpenAPI changelog inline instead of a raw YAML text diff.Two config lines:
git config diff.oasdiff.command "oasdiff git-diff-driver" echo "openapi.yaml diff=oasdiff" >> .gitattributesThen:
git log --patch --ext-diff -- openapi.yamlFor each commit that touched the spec, you'll see the same human-readable changelog
oasdiff changelogwould emit, instead of YAML hunks. Added (root commit) and removed files are handled inline; mode-only changes are skipped.Inspired by Jamie Tanna's post on using oasdiff as a git diff driver via a bash wrapper. The wrapper is no longer needed. Available in oasdiff v1.17.0.
- Allaccuracy
Header case differences no longer count as a change
HTTP header names are case-insensitive per RFC 9110, but the diff was treating
Content-Typeandcontent-typeas different headers. Renaming a header to a different case in your spec produced spurious "header removed + header added" findings.That's now the default behaviour. To get the strict, case-sensitive comparison back:
- On /diff: open Comparison options and uncheck Case-insensitive headers.
- On the CLI / GitHub Action: pass
--case-insensitive-headers=false.
- Freecalculator
Six comparison-tuning options exposed in the diff calculator
The /diff calculator now exposes the same fine-tuning knobs the CLI has, under a new Comparison options disclosure:
- Match inline / $ref subschemas — recognise refactors that pull an inline schema into a named component
- Case-insensitive headers — RFC 9110 default
- Flatten allOf — merge
allOfsubschemas before diffing - Flatten path-level parameters — merge path-level params with operation params
- Auto-upgrade to latest 3.x — canonicalise 3.0 specs before diffing (useful for cross-version comparisons)
- Include path parameter names in matching — treat
/pets/{id}and/pets/{petId}as different paths
Defaults match the CLI's, so the result on the page mirrors what
oasdiff diffproduces locally unless you toggle something. - Allaccuracy
Inline ↔ $ref refactors are recognised as equivalent
Refactors that pull an inline subschema into
components/schemasand reference it via$refare now recognised as the same branch insideanyOf/oneOfunions. The compared specs may look different on paper, but if they produce the same wire contract the diff reflects that.This sits in the diff engine itself, so the Diff, Breaking, and Changelog modes on /diff — and the matching CLI subcommands — all benefit consistently.
- Allvalidate
Validate an OpenAPI spec
A new Validate mode is available on /diff. Drop a single spec, get every OpenAPI and JSON Schema violation with its file and line.
The same capability is also in the CLI:
oasdiff validate spec.yamland as a GitHub Action —
oasdiff/oasdiff-action/validate— so you can fail a workflow on invalid specs without writing your own validator. - Proreview
Self-service recovery on /review
The /review page now guides visitors through the common access cases — missing repository permission, SAML authorisation needed, wrong file path — directly on the page:
- A diagnostic panel showing the signed-in user, the repo, each spec file with its status, and a Reference ID for support.
- An ordered recovery checklist filtered to the steps that match the situation.
- A "Contact us" option that pre-fills an email with the diagnostics and Reference ID, so anything that does reach us arrives with everything we need.
Inaccessible
$refsroute through the same surface, so a referenced fragment uses the same recovery flow as the top-level spec. - Freeaction
Free /review links now pin to the immutable base commit
The
/reviewlink that the freebreakingandchangelogactions emit into the GitHub Step Summary used to encode the branch name of the base (typicallymain). Ifmainadvanced past a renamed or moved spec file before someone clicked the link, the link 404'd.The action now writes the immutable base commit SHA into the URL. Once the link is in the Step Summary, it points at the same content forever, even as the base branch moves on.
- Proaction
PR comments scale to repos with very large API surfaces
The
pr-commentaction now renders cleanly on repositories with substantial API surfaces — changelogs of several megabytes are handled the same as small ones, with no special configuration needed.On the service side, when a change table would exceed GitHub's 65 KB issue-comment limit the action posts a summary (severity counts) plus a prominent link to the full review page, which has no size cap.
- Allcalculator
Diff a 3.0 spec against a 3.1 spec
You can now compare an OpenAPI 3.0 spec against an OpenAPI 3.1 spec without converting them by hand.
On /diff: open Comparison options and turn on Auto-upgrade to latest 3.x. The older spec is canonicalised to 3.1 before the comparison runs.
On the CLI / GitHub Action: pass
--auto-upgradeondiff,breaking, orchangelog. A standaloneoasdiff upgradesubcommand is also available if you want the canonicalised spec out for some other use. - Allcli
.oasdiff.yaml config file
Repeated flags can now live in a config file checked into the repo:
# .oasdiff.yaml match-inline-refs: true case-insensitive-headers: true fail-on: error exclude-elements: - description - examplesThe CLI picks it up automatically when you're in the directory, or you can point at one explicitly via
--configor theOASDIFF_CONFIGenvironment variable. The free GitHub Actions read the same file, so one.oasdiff.yamlconfigures both your local runs and your CI. - Freeaction
Side-by-side preview of breaking changes, straight from a PR
After the free
breakingorchangelogactions run on a PR, the GitHub Step Summary now includes a clickable link to a full side-by-side preview of the change:📋 Review & approve these breaking changes → https://oasdiff.com/review?...
Click it to see the diff with inline annotations and the changes laid out next to each other. Useful when the CI annotation tells you that something broke and you want to see exactly what changed before approving the PR — no install needed.
- Allcli
OpenAPI 3.1 support is generally available
OpenAPI 3.1 support is out of beta. Diff, Breaking, and Changelog all work natively against 3.1 specs, with full handling of the new keywords (
prefixItems,dependentSchemas,dependentRequired,if/then/else,contains/minContains/maxContains) and the new type-array nullability shape./diff, the GitHub Actions, and the Pro /review page all read 3.0 and 3.1 transparently. If you have a 3.0 spec to migrate, /docs/openapi-31-migration includes an interactive widget that takes your 3.0 spec and gives you the 3.1 equivalent to copy.