From 0a8dc2f1dfd70a0135c6553d83b939f246981486 Mon Sep 17 00:00:00 2001 From: Matt Mower <135273348+mdmower-csnw@users.noreply.github.com> Date: Mon, 2 Sep 2024 13:45:41 -0700 Subject: [PATCH] Fix changelog breaking changes notice (#961) The breaking change included in entry (2024-08-31) was not added correctly. Fix it. --- CHANGE_HISTORY.md | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/CHANGE_HISTORY.md b/CHANGE_HISTORY.md index 7bf332c0..448be484 100644 --- a/CHANGE_HISTORY.md +++ b/CHANGE_HISTORY.md @@ -7,16 +7,25 @@ ### breaking change -* by defaulting to `true` when not defined by the user. - -Add tests: -1. Make sure `AjvOptions` sets the value appropriately based on whether - the end user defined `allErrors` or not. -2. When validating requests, make sure the number of errors reported - (when multiple occur) is 1 when `allErrors` is `false`. - -The `allErrors` configuration for OpenAPISchemaValidator is not changed -by this commit since that validation is for trusted content. +By default, request and response validation now stops after the first failure. Only one error will be reported even when multiple may exist. This follows best practices from AJV: +- [Security risks of trusted schemas](https://ajv.js.org/security.html#security-risks-of-trusted-schemas) +- [`allErrors` option](https://ajv.js.org/options.html#allerrors) + +To report all validation errors (only recommended in development), option `allErrors` can be set in options `validateRequests` and/or `validateResponses`. For example: + +```ts +app.use( + OpenApiValidator.middleware({ + apiSpec: 'path/to/openapi.json', + validateRequests: { + allErrors: true, + }, + validateResponses: { + allErrors: true, + }, + }) +); +``` ## (2024-08-24)
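Review bot: In the rewritten `### breaking change` entry, the removed sentence stating that the `allErrors` configuration for OpenAPISchemaValidator is not changed (because that validation is for trusted content) has no replacement, so a reader cannot tell from the changelog whether validation of the API spec itself is also affected; consider keeping one sentence that states that scope. The added example also sets `allErrors: true` under both `validateRequests` and `validateResponses` while the prose says this is only recommended in development; a short comment in the snippet saying so, or showing the value gated on the environment, would keep a copy-pasted configuration from enabling it in production. The entry currently leaves the reason for the new default to the two AJV links, so a single sentence naming the risk inline would let the changelog stand on its own if those URLs move.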