Skip to content

fix(core): enforce external ref path casing#2861

Closed
popsiclelmlm wants to merge 1 commit into
Redocly:mainfrom
popsiclelmlm:codex/redocly-case-sensitive-refs
Closed

fix(core): enforce external ref path casing#2861
popsiclelmlm wants to merge 1 commit into
Redocly:mainfrom
popsiclelmlm:codex/redocly-case-sensitive-refs

Conversation

@popsiclelmlm

@popsiclelmlm popsiclelmlm commented Jun 10, 2026

Copy link
Copy Markdown

What/Why/How?

Summary

Fixes #1326 by making local external ref resolution reject file paths whose casing does not match the filesystem entry.

Reproduction

On case-insensitive filesystems, a ref such as ./externalInfo.yaml can resolve successfully even when the real file is named externalinfo.yaml. That means rules such as no-unresolved-refs may accept refs that fail on case-sensitive environments.

The added regression test simulates this by making the filesystem report externalinfo.yaml while the resolver tries to load externalInfo.yaml.

Root cause

BaseResolver.loadExternalRef resolved local paths with path.resolve, then called lstatSync and readFile. On a case-insensitive filesystem those calls still succeed for a mismatched filename, so the resolver never observed the casing mismatch.

Changes

  • Add a local path casing check before reading non-URL external refs.
  • Keep URL refs unchanged.
  • Add a regression test for mismatched file path casing.
  • Add a patch changeset for @redocly/openapi-core and @redocly/cli.

Reference

Fixes #1326

Testing

  • git diff --check
  • VITEST_SUITE=unit ./node_modules/.bin/vitest run packages/core/src/__tests__/resolve.test.ts --coverage.enabled=false
  • npm run compile
  • npm run typecheck
  • npm run lint (0 errors; existing warnings remain)
  • npm run format:check

Screenshots (optional)

N/A

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

@popsiclelmlm popsiclelmlm requested review from a team as code owners June 10, 2026 14:19
@changeset-bot

changeset-bot Bot commented Jun 10, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: c407edb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@redocly/cli Patch
@redocly/openapi-core Patch
@redocly/respect-core Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@popsiclelmlm popsiclelmlm deleted the codex/redocly-case-sensitive-refs branch June 12, 2026 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

no-unresolved-refs should be case-sensitive

1 participant

@popsiclelmlm