feat: remove support for client packages #2172

Merged
merged 13 commits into from
Jun 14, 2025

mrlubos
Member

@mrlubos mrlubos commented Jun 13, 2025

Closes #1969
Closes #1821
Closes #1660

changeset-bot bot commented Jun 13, 2025

🦋 Changeset detected

Latest commit: cfc0abb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@hey-api/openapi-ts Minor

vercel bot commented Jun 13, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
hey-api-docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 14, 2025 8:32am

pkg-pr-new bot commented Jun 13, 2025

npm i https://pkg.pr.new/hey-api/openapi-ts/@hey-api/nuxt@2172
npm i https://pkg.pr.new/hey-api/openapi-ts/@hey-api/openapi-ts@2172
npm i https://pkg.pr.new/hey-api/openapi-ts/@hey-api/vite-plugin@2172

commit: cfc0abb

codecov bot commented Jun 13, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 24.80%. Comparing base (16fb3c7) to head (cfc0abb).
Report is 14 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2172      +/-   ##
==========================================
+ Coverage   22.49%   24.80%   +2.31%     
==========================================
  Files         273      293      +20     
  Lines       25634    27595    +1961     
  Branches      950     1242     +292     
==========================================
+ Hits         5766     6845    +1079     
- Misses      19862    20742     +880     
- Partials        6        8       +2     
Flag Coverage Δ
unittests 24.80% <ø> (+2.31%) ⬆️

if (config.key) {
const field = map.get(config.key)!;
const name = field.map || config.key;
(params[field.in] as Record<string, unknown>)[name] = arg;

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix

AI about 1 month ago

To fix the issue, we need to ensure that untrusted keys such as __proto__, constructor, and prototype cannot be used as property names in the assignment (params[field.in] as Record<string, unknown>)[name] = arg. This can be achieved by validating the fields parameter and rejecting or sanitizing any keys that could lead to prototype pollution. Alternatively, we can use a safer data structure, such as Map, to store the params object, as Map does not allow prototype pollution.

The best approach in this case is to validate the keys before performing the assignment. This ensures compatibility with the existing code structure while preventing prototype pollution.

Suggested changeset 1
packages/custom-client/src/core/params.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/custom-client/src/core/params.ts b/packages/custom-client/src/core/params.ts
--- a/packages/custom-client/src/core/params.ts
+++ b/packages/custom-client/src/core/params.ts
@@ -101,3 +101,5 @@
         const name = field.map || config.key;
-        (params[field.in] as Record<string, unknown>)[name] = arg;
+        if (name !== '__proto__' && name !== 'constructor' && name !== 'prototype') {
+          (params[field.in] as Record<string, unknown>)[name] = arg;
+        }
       } else {
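Review bot: the guard added in this hunk checks `name` only, while the same expression also indexes `params` with `field.in`, which stays unchecked. If `field.in` can come from the same library input, a value of `__proto__` there resolves to `Object.prototype` before `name` is ever consulted, so validate `field.in` against the known slot names alongside the key check. The rejected key is also dropped silently; raising an error or logging would make a bad `map` value visible to the caller.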
@@ -127,3 +129,5 @@
               if (allowed) {
-                (params[slot as Slot] as Record<string, unknown>)[key] = value;
+                if (key !== '__proto__' && key !== 'constructor' && key !== 'prototype') {
+                  (params[slot as Slot] as Record<string, unknown>)[key] = value;
+                }
                 break;
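Review bot: in this hunk `break;` sits outside the new `if`, so a key that passed `allowed` but is on the denylist ends the loop and is discarded with no signal to the caller. If that is intended, say so in a comment; otherwise fold the key check into the `allowed` condition or surface the rejection. The three-way comparison is now written out twice in this file, so a small shared predicate would keep the two sites from drifting apart.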
EOF

if (field) {
const name = field.map || key;
(params[field.in] as Record<string, unknown>)[name] = value;

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix

AI about 1 month ago

To fix the issue, we need to ensure that keys derived from untrusted input cannot pollute the Object.prototype. This can be achieved by validating or sanitizing keys before using them in assignments. Specifically, we can check for dangerous keys like __proto__, constructor, and prototype and reject or skip them. Alternatively, we can use a prototype-less object (Object.create(null)) for params to eliminate the risk of prototype pollution entirely.

The best approach here is to create params as a prototype-less object using Object.create(null). This ensures that even if a malicious key like __proto__ is used, it will not affect Object.prototype. Additionally, we will add a safeguard to skip dangerous keys during the assignment process.


Suggested changeset 1
packages/custom-client/src/core/params.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/custom-client/src/core/params.ts b/packages/custom-client/src/core/params.ts
--- a/packages/custom-client/src/core/params.ts
+++ b/packages/custom-client/src/core/params.ts
@@ -78,6 +78,6 @@
   const params: Params = {
-    body: {},
-    headers: {},
-    path: {},
-    query: {},
+    body: Object.create(null),
+    headers: Object.create(null),
+    path: Object.create(null),
+    query: Object.create(null),
   };
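Review bot: objects made with `Object.create(null)` inherit nothing, so any consumer that calls `hasOwnProperty(...)`, `toString()` or similar directly on `params.body`, `params.headers`, `params.path` or `params.query` will now throw. Check the users of `Params` before merging and switch them to `Object.prototype.hasOwnProperty.call(...)` where needed. The outer `params` object is still a plain literal, so this hunk hardens writes into a slot but not the `params[...]` lookup that selects the slot.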
@@ -111,3 +111,5 @@
           const name = field.map || key;
-          (params[field.in] as Record<string, unknown>)[name] = value;
+          if (name !== '__proto__' && name !== 'constructor' && name !== 'prototype') {
+            (params[field.in] as Record<string, unknown>)[name] = value;
+          }
         } else {
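Review bot: with the slots created by `Object.create(null)` in the first hunk, writing `__proto__`, `constructor` or `prototype` onto them only creates an ordinary own property, so the denylist in this hunk is defence in depth rather than the fix. As written it also drops a field whose legitimate name is `constructor` without telling the caller; decide whether that should be an error and document the choice next to the check.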
@@ -127,3 +129,5 @@
               if (allowed) {
-                (params[slot as Slot] as Record<string, unknown>)[key] = value;
+                if (key !== '__proto__' && key !== 'constructor' && key !== 'prototype') {
+                  (params[slot as Slot] as Record<string, unknown>)[key] = value;
+                }
                 break;
EOF
@mrlubos mrlubos marked this pull request as ready for review June 14, 2025 07:58
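The two Autofix suggestions above protect different things. The block below is an added example, not code from this PR or from the hey-api project: it models the flagged two-index assignment with hypothetical function names and constructed inputs, and goes slightly beyond the patches by also allowlisting the slot index.

```typescript
// Added example. Slot names mirror the diff; function names are hypothetical.
type Slot = 'body' | 'headers' | 'path' | 'query';
type Bag = Record<string, unknown>;
type Params = Record<Slot, Bag>;

const SLOTS: readonly string[] = ['body', 'headers', 'path', 'query'];
const BLOCKED: readonly string[] = ['__proto__', 'constructor', 'prototype'];
const plainParams = (): Params => ({ body: {}, headers: {}, path: {}, query: {} });
const nullProtoParams = (): Params => ({
  body: Object.create(null), headers: Object.create(null),
  path: Object.create(null), query: Object.create(null),
});

// The flagged shape: two unchecked string indexes in one assignment.
function assignUnchecked(params: Params, slot: string, name: string, value: unknown): void {
  const target = (params as unknown as Record<string, Bag | undefined>)[slot];
  if (target) target[name] = value;
}

// Hardened: the slot must be one of the four known slots and the key must not be blocked.
function assignChecked(params: Params, slot: string, name: string, value: unknown): boolean {
  if (SLOTS.indexOf(slot) === -1 || BLOCKED.indexOf(name) !== -1) return false;
  params[slot as Slot][name] = value;
  return true;
}

// True when a fresh, unrelated object inherits `marker` from Object.prototype.
const leaksGlobally = (marker: string): boolean => marker in ({} as Bag);

function demo() {
  const plain = plainParams();
  assignUnchecked(plain, 'query', '__proto__', { flag: 1 }); // swaps query's own prototype
  const nullProto = nullProtoParams();
  assignUnchecked(nullProto, 'query', '__proto__', { flag: 1 }); // ordinary own property
  assignUnchecked(nullProto, '__proto__', 'demoMarker', 1); // outer object is still a literal
  const outerIndexLeaks = leaksGlobally('demoMarker');
  delete (Object.prototype as unknown as Bag)['demoMarker']; // undo before returning
  const guarded = plainParams();
  return {
    plainSlotInherits: 'flag' in plain.query && Object.keys(plain.query).length === 0,
    plainLeaksGlobally: leaksGlobally('flag'),
    nullProtoSlotInherits: 'flag' in nullProto.query,
    nullProtoOwnKeys: Object.keys(nullProto.query),
    outerIndexLeaks,
    guardedSlot: assignChecked(guarded, '__proto__', 'demoMarker', 1),
    guardedKey: assignChecked(guarded, 'query', '__proto__', { flag: 1 }),
    guardedNormal: assignChecked(guarded, 'query', 'page', 2) && guarded.query['page'] === 2,
  };
}
```

Calling `demo()` shows that null-prototype slots neutralise a `__proto__` key, that only the slot allowlist covers the outer index, and that ordinary keys still pass the checked path.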
@@ -2,11 +2,11 @@
import path from 'node:path';

// @ts-ignore
import { customClientPlugin } from '@hey-api/client-custom/plugin';
import { customClientPlugin } from '@hey-api/custom-client/plugin';

Check notice

Code scanning / CodeQL

Unused variable, import, function or class Note test

Unused import customClientPlugin.

Copilot Autofix

AI about 1 month ago

To fix the issue, we will remove the unused customClientPlugin import from line 5. This will eliminate the flagged error and improve the readability of the code. No other changes are necessary since the import is not used anywhere in the file.


Suggested changeset 1
packages/openapi-ts-tests/test/openapi-ts.config.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/openapi-ts-tests/test/openapi-ts.config.ts b/packages/openapi-ts-tests/test/openapi-ts.config.ts
--- a/packages/openapi-ts-tests/test/openapi-ts.config.ts
+++ b/packages/openapi-ts-tests/test/openapi-ts.config.ts
@@ -3,4 +3,2 @@
 
-// @ts-ignore
-import { customClientPlugin } from '@hey-api/custom-client/plugin';
 import { defineConfig } from '@hey-api/openapi-ts';
EOF
@mrlubos mrlubos force-pushed the feat/client-bundle branch from f2cf721 to cfc0abb Compare June 14, 2025 08:31
@mrlubos mrlubos merged commit a1e1395 into main Jun 14, 2025
17 checks passed
@mrlubos mrlubos deleted the feat/client-bundle branch June 14, 2025 08:36
@github-actions github-actions bot mentioned this pull request Jun 13, 2025
@johnny-mh
Contributor

Hi @mrlubos, after updating to @hey-api/openapi-ts@0.73.0, I noticed that the @hey-api/client-* packages are now added directly into the codebase. This seems to allow for faster installation in most cases—thank you for that!

However, the source code under client/* and core/* is causing type errors with my current project settings, which prevents me from bundling it.
build-error.txt

While I could resolve this by modifying my tsconfig.json, I’d prefer to avoid potential side effects without fully verifying them.

Would it be possible to include pre-bundled client.js and client.d.ts files for each @hey-api/client-* package?

@mrlubos
Member Author

mrlubos commented Jun 15, 2025

@johnny-mh Can you open a new issue with your tsconfig? I'll fix the types/errors so you'd be able to build the client yourself

@johnny-mh
Contributor

@mrlubos I moved the generated files to another package in my monorepo and copied the openapi-ts/tsconfig.json file. After that, everything built successfully without type errors.

I believe that if you change your code to match my tsconfig.json, other projects might run into the same issue. I’ll open an issue if I encounter any other problems.

Thanks again!

@mrlubos
Member Author

mrlubos commented Jun 15, 2025

Please open an issue with your config anyway!

@johnny-mh
Contributor

Okay, I’ll open an issue tomorrow

@KiwiKilian

KiwiKilian commented Jun 23, 2025

Is there still a possibility to keep using the packages? We now have the core and client files duplicated, as we are generating for multiple OpenAPI specs. Also I would have to disable quite a lot of ESLint rules. The main benefit I see here is that the client is in sync with the version of the generated code. But otherwise it's a bit troublesome in our use case.

@kylecarhart

kylecarhart commented Jul 1, 2025

Yeah, I was very reluctant to upgrade past this version. To echo @KiwiKilian, in our use case, we generate multiple clients which would lead to a lot of duplicated code. We need some way to allow for multiple generated clients to share the same core code.

Not to mention that I'm not really a fan of having all this generated core code in our codebase, I'd much rather it live in the package like it used to... but I could look past that if this issue is fixed.

@mrlubos
Member Author

mrlubos commented Jul 1, 2025

@kylecarhart definitely feel free to not upgrade and stay pinned on an older version! But please, please let me know why so I can figure out a way to make both you and me happy with these features 🤝 I'll get to these clients again, it's on my radar
