Skip to content

Bump github.com/oapi-codegen/runtime from 1.3.1 to 1.4.0#4166

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/oapi-codegen/runtime-1.4.0
Open

Bump github.com/oapi-codegen/runtime from 1.3.1 to 1.4.0#4166
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/oapi-codegen/runtime-1.4.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 9, 2026
edited
Loading

Bumps github.com/oapi-codegen/runtime from 1.3.1 to 1.4.0.

Release notes

Sourced from github.com/oapi-codegen/runtime's releases.

Parameter handling improvements and fixes

This release fixes some missing edge cases in parameter binding and styling. We now handle all the permutations of style and explode, for the first time. Lots of tests have been added to catch regressions.

🚀 New features and improvements

  • Improve deepobject unmarshalling to support nullable.Nullable and encode.TextUnmarshaler (#45) @​j-waters
  • feat: support spaceDelimited and pipeDelimited query parameter binding (#117) @​mromaszewicz

🐛 Bug fixes

  • Fix form/explode=false incorrectly splitting primitive string values on commas (#119) @​f-kanari

📦 Dependency updates

  • fix(deps): update module github.com/labstack/echo/v4 to v4.15.1 (#105) @renovate[bot]
  • fix(deps): update module github.com/labstack/echo/v5 to v5.1.0 (#120) @renovate[bot]
  • chore(deps): update release-drafter/release-drafter action to v7 (#113) @renovate[bot]

Sponsors

We would like to thank our sponsors for their support during this release.

Commits
  • 247b459 fix(deps): update module github.com/labstack/echo/v4 to v4.15.1 (#105)
  • 1d38dfa fix(deps): update module github.com/labstack/echo/v5 to v5.1.0 (#120)
  • be9ed17 chore(deps): update release-drafter/release-drafter action to v7 (#113)
  • 77570f9 Fix form/explode=false incorrectly splitting primitive string values on comma...
  • dfe6f3b feat: support spaceDelimited and pipeDelimited query parameter binding (#117)
  • 5ea8c65 Improve deepobject unmarshalling to support nullable.Nullable and encode.Text...
  • See full diff in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 9, 2026
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 9, 2026
@qltysh
Copy link
Copy Markdown

qltysh bot commented Apr 9, 2026
edited
Loading

Qlty


Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.03%.

🚦 See full report on Qlty Cloud »

🛟 Help

  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/oapi-codegen/runtime-1.4.0 branch from 1a5f2cf to ba0cd4d Compare April 13, 2026 13:44
@reinkrul
Copy link
Copy Markdown
Member

reinkrul commented Apr 16, 2026

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/oapi-codegen/runtime-1.4.0 branch from ba0cd4d to dc300e3 Compare April 16, 2026 13:20
@reinkrul
Copy link
Copy Markdown
Member

reinkrul commented Apr 16, 2026

Investigation: can we drop the dynamic-query-param workarounds?

We have two workarounds for deepmap oapi-codegen #1129 (binding free-form ?key=value query maps):

  • auth/api/iam/api.go:463-466HandleAuthorizeRequest reads raw *http.Request from context instead of using request.Params.Params (*map[string]string).
  • discovery/api/v1/api.go:64-85 — middleware injects URL.Query() into context; SearchPresentations reads it back instead of using request.Params.Query.

The generated handlers already call runtime.BindQueryParameter("form", true, false, ..., &target) with target being *map[string]string, so in theory only the runtime needs to populate the map. v1.4.0 claims to "handle all permutations of style and explode for the first time" — so I tested it.

Empirical results against v1.4.0

Style / config Behavior with *map[string]string
form, explode=true, optional, paramName not literally present err=nil, target=nil — silently does nothing
form, explode=true, required err: query parameter '...' is required
form, explode=true, paramName literally present err: can not bind to destination of type: map
form, explode=false, e.g. ?params=foo,1,bar,2 binds to map[bar:2 foo:1]
deepObject, e.g. ?params[foo]=1&params[bar]=2 works — all keys, empty values preserved, comma values kept whole

Reading bindparam.go: in the form, explode=true branch the type switch only handles Slice, Struct, and primitive default. reflect.Map falls into default and only inspects queryParams[paramName] — never iterates the other keys. v1.4.0 does NOT cover deepmap #1129.

Removing the workarounds with v1.4.0 alone would silently regress both endpoints (the bound map would always be nil).

Options to ever remove them

  1. Change OpenAPI spec to style: deepObject (?params[key]=value). Verified to work in v1.4.0. Breaking API change.
  2. Custom binding in strict middleware — same complexity, different location.

Test coverage gaps to close before any removal

Both TestWrapper_HandleAuthorizeRequest and TestWrapper_SearchPresentations only exercise a single-param happy path. Before removal we'd need: multi-key, repeated keys, empty values, comma-containing values, URL-encoded specials.

Decision

Keep workarounds. Merging this bump as a clean dependency update.

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/oapi-codegen/runtime-1.4.0 branch from dc300e3 to a287d22 Compare April 16, 2026 13:23
@dependabot
Bump github.com/oapi-codegen/runtime from 1.3.1 to 1.4.0
cb8670e 
Bumps [github.com/oapi-codegen/runtime](https://github.com/oapi-codegen/runtime) from 1.3.1 to 1.4.0.
- [Release notes](https://github.com/oapi-codegen/runtime/releases)
- [Commits](oapi-codegen/runtime@v1.3.1...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/oapi-codegen/runtime
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/oapi-codegen/runtime-1.4.0 branch from a287d22 to cb8670e Compare April 16, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reinkrul reinkrul reinkrul approved these changes

@woutslakhorst woutslakhorst Awaiting requested review from woutslakhorst woutslakhorst is a code owner

@gerardsn gerardsn Awaiting requested review from gerardsn gerardsn is a code owner

@stevenvegt stevenvegt Awaiting requested review from stevenvegt stevenvegt is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@reinkrul