author | Julian Berman <Julian@GrayVines.com> | 2023-04-25 16:21:15 -0400 |
---|---|---|
committer | Julian Berman <Julian@GrayVines.com> | 2023-04-25 16:21:15 -0400 |
commit | dc683c3105216f0c3fbfba78815b97f510e434c8 (patch) | |
tree | 5552c78b536553563c89d32c709672c20d3fd80b /CHANGELOG.rst | |
parent | 29ad460fb37072200ce019ae4dce4d899350527f (diff) | |
download | jsonschema-dc683c3105216f0c3fbfba78815b97f510e434c8.tar.gz |
Re-enable (but deprecate) automatic reference retrieval.
Changing this without deprecation is backwards incompatible, so we
re-introduce a warning.
This only applies if you have configured neither a Registry nor a legacy
RefResolver. Both of the former 2 cases already have 'correct' behavior (the
former will not automatically retrieve references and is not backwards
incompatible as it is a new API, and the latter will do so but is already
fully deprecated by this release).
Closes: #1089
Diffstat (limited to 'CHANGELOG.rst')
-rw-r--r-- | CHANGELOG.rst | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 10372e8..da49bc3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -9,6 +9,9 @@ It does so in a way that *should* be backwards compatible, preserving old behavi This change is a culmination of a meaningful chunk of work to make ``$ref`` resolution more flexible and more correct. Backwards compatibility *should* be preserved for existing code which uses ``RefResolver``, though doing so is again now deprecated, and all such use cases should be doable using the new APIs. Please file issues on the ``referencing`` tracker if there is functionality missing from it, or here on the ``jsonschema`` issue tracker if you have issues with existing code not functioning the same, or with figuring out how to change it to use ``referencing``. + In particular, this referencing change includes a change concerning *automatic* retrieval of remote references (retrieving ``http://foo/bar`` automatically within a schema). + This behavior has always been a potential security risk and counter to the recommendations of the JSON Schema specifications; it has survived this long essentially only for backwards compatibility reasons, and now explicitly produces warnings. + The ``referencing`` library itself will *not* automatically retrieve references if you interact directly with it, so the deprecated behavior is only triggered if you fully rely on the default ``$ref`` resolution behavior and also include remote references in your schema, which will still be retrieved during the deprecation period (after which they will become an error). * Support for Python 3.7 has been dropped, as it is nearing end-of-life. This should not be a "visible" change in the sense that ``requires-python`` has been updated, so users using 3.7 should still receive ``v4.17.3`` when installing the library. * On draft 2019-09, ``unevaluatedItems`` now properly does *not* consider items to be evaluated by an ``additionalItems`` schema if ``items`` is missing from the schema, as the specification says in this case that ``additionalItems`` must be completely ignored. 
@@ -20,6 +23,7 @@ Deprecations * ``jsonschema.RefResolver`` -- see above for details on the replacement * ``jsonschema.RefResolutionError`` -- see above for details on the replacement +* relying on automatic resolution of remote references -- see above for details on the replacement * importing ``jsonschema.ErrorTree`` -- instead import it via ``jsonschema.exceptions.ErrorTree`` * importing ``jsonschema.FormatError`` -- instead import it via ``jsonschema.exceptions.FormatError`` |
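Review bot: In the first hunk (@@ -9,6 +9,9 @@), the added paragraph calls automatic retrieval "a potential security risk" and says it "now explicitly produces warnings", but it never says what the risk is, which warning category is raised, or what a user should do to stop relying on the behavior. A reader who hits the warning needs all three. Suggest adding a clause on why fetching ``http://foo/bar`` from inside a schema is risky, naming the warning class so it can be filtered or turned into an error in tests, and pointing at configuring a registry as the supported path. The last added line also says remote references "will become an error" after the deprecation period without saying when; if a target release is known, state it here.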
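Review bot: In the second hunk (@@ -20,6 +23,7 @@ Deprecations), the new bullet reuses "see above for details on the replacement" from the ``RefResolver`` entries, but the paragraph added above for this item does not name a replacement for automatic retrieval; it only says the ``referencing`` library will not retrieve references on its own. Suggest either rewording the bullet to say what to do instead (for example, that remote references must be supplied explicitly through the new APIs) or extending the paragraph above so that "the replacement" has something to point to.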