github schemathesis/schemathesis v4.16.0
Release 4.16.0
on GitHub

latest release: v4.16.1
11 hours ago

🚀 Added

  • schemathesis.openapi.require_security_scheme() for scoping auth providers to specific OpenAPI security schemes. #3745

🐛 Fixed

  • Query parameters not serialized when style/explode are omitted from the spec, ignoring OpenAPI 3.0 defaults.
  • Use the matching registered serializer for multipart fields with encoding.contentType. #3785
  • before_call hook setting a missing required header in the coverage phase had no effect. #3784
  • Request timeouts reported as a check failure when a replay made them flaky.

positive_data_acceptance false positives

  • example values violating constraints (examples phase):

    • When an object schema-level example has a property violating a nested format constraint (e.g. date-time without timezone).
    • When a parameter-level example value violates its declared schema type.
    • When a schema-level parameter example violates the parameter's own constraints (e.g. pattern).
    • When a response-derived parameter example violates the parameter's schema constraints.
    • When a response-derived parameter example violates the parameter's format constraint.
    • When a property example violates its field's own type (also applies to the coverage phase).
    • For content-encoded header parameters with object examples.
    • For property examples violating anyOf/oneOf constraints via bundled $refs.
    • For array body properties with minItems > 1 and object items.
    • When assembled body violates the schema (e.g. allOf with additionalProperties: false).
    • When a required property has an unsatisfiable schema.

  • Composition (allOf / oneOf / anyOf / $ref) in the coverage phase:

    • For oneOf branches with nested multi-$ref allOf.
    • For oneOf body schemas where generated values satisfy multiple branches simultaneously.
    • For oneOf body schemas where a branch requires fields only defined in the parent schema.
    • When an anyOf branch has const: null but a sibling type constraint excludes null.
    • When a multi-level allOf chain causes required properties from a base schema to be generated as null.
    • For body schemas with $ref + additionalProperties: false and pattern/minLength/maxLength constraints.

  • enum vs sibling constraints (coverage phase):

    • For required array properties with an unsatisfiable enum constraint.
    • For body properties where all enum values violate a sibling constraint (e.g. maxLength).
    • When an enum contains values violating the declared type (e.g. YAML-parsed false for type: string).
    • When enum contains values violating the declared type in template body generation.

  • Structural required / properties mismatches:

    • When a nested required field is unsatisfiable, making the parent object invalid (coverage phase).
    • When required lists fields absent from properties (examples phase).
    • When a nested object schema has required properties absent from properties (coverage phase).
    • When a property has type: object alongside items (coverage phase).
    • When a property has a boolean false schema (coverage phase).
    • For type: string properties that also declare properties: {} (coverage phase).

  • Pattern / keyword combinations (coverage phase):

    • For string parameters with pattern containing alternation inside a quantified group (e.g. ([a-z]|-[a-z])*).
    • For string fields with format: uuid and optional-hyphen pattern.
    • When a schema has pattern alongside a non-string type (e.g. number).
    • When propertyNames restricts object keys and additionalProperties is present. #3771
    • For body properties with format constraints in negative mode.

negative_data_rejection false positives

  • pattern + length-constraint interaction:

    • For string fields with pattern + maxLength where maxLength was silently lost into an unanchored regex quantifier.
    • For string fields where pattern has an inner quantifier (e.g. ^[a-z]([-a-z]*[a-z])?$) and maxLength is present.
    • When a pattern optional group wraps variable-length content and maxLength is present (coverage phase).
    • When pattern with nested quantifiers caused maxLength/minLength to be silently dropped from the schema.
    • For pattern fields ending with \x1c\x1f control characters (coverage phase).

  • Wire-identical type mutations:

    • For application/x-www-form-urlencoded and application/xml body properties where type mutations are wire-identical (e.g. integer stringifies to a valid string).
    • For application/x-www-form-urlencoded body properties whose schema contains $ref to bundled definitions.
    • For application/x-www-form-urlencoded body properties with nested array/object mutations whose serialized form satisfies the schema.

  • Schema-shape edge cases (coverage phase):

    • When additionalProperties is a schema object and required has exactly 2 fields.
    • When a schema has 15 or more properties and exactly 2 required fields.
    • For body objects with additionalProperties: {}.
    • For nullable string properties with maxLength, minLength, or format constraints.
    • When a string property has both enum and maxLength/minLength.
    • For body properties with type: integer and inapplicable minLength/maxLength constraints.
    • For multipart/form-data fields with format: binary and nullable: true. #3777
    • For maxItems array constraints with complex nested item schemas.

Runtime errors in negative_data_rejection

  • When a query, header, or cookie parameter pattern produces a large DFA (e.g. \S{1,8192}).
  • When a parameter schema has a pattern that jsonschema_rs rejects (e.g. {,3} as an incomplete quantifier).

Crashes

  • Crash generating curl command when a negative coverage case has a primitive body (e.g. integer form-urlencoded schema).
  • Crash in the coverage phase for application/x-www-form-urlencoded requests with format: binary body fields in negative mode.
  • Crash in the examples phase when a property has an unsatisfiable schema (e.g. not: {}).
  • Crash when a schema has boolean property keys (YAML artifact from bare on: fields) in the coverage phase.
  • Crash in the coverage phase when a body with boolean property keys is serialized for deduplication in negative mode.

Schema-invalid generated bodies (coverage phase)

  • Schema-invalid body when required names a property absent from properties in the coverage phase.
  • Schema-invalid body when a Swagger 2.0 array parameter has enum at the array level with items also defined in the coverage phase.
  • Schema-invalid positive body when a schema combines allOf (with required fields) and outer-level properties in the coverage phase.
  • Schema-invalid positive body when a schema property's default or example fails format validation (e.g. "7.00:00:00" for format: duration) in the coverage phase.
Check out latest releases or
releases around schemathesis/schemathesis v4.16.0

Don't miss a new schemathesis release

NewReleases is sending notifications on new releases.

Get notifications