chore(deps): bump github.com/oasdiff/oasdiff from 1.18.6 to 1.19.1 in /tools/cmd/scraper #58

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/tools/cmd/scraper/github.com/oasdiff/oasdiff-1.19.1

dependabot[bot] commented on behalf of github on Jun 15, 2026

Bumps github.com/oasdiff/oasdiff from 1.18.6 to 1.19.1.

Release notes

Sourced from github.com/oasdiff/oasdiff's releases.

v1.19.1

Cleaner --open review output and a config-file fix

This release hardens the --open side-by-side review flow: piped --format json/yaml output now stays valid, a failed upload no longer changes your exit code, and composed mode is rejected up front with a clear message. It also fixes a config-file regression where setting match-inline-refs made the whole file fail to load.

CLI changes

--open review flow

  • --open no longer corrupts piped JSON/YAML output (#1011). oasdiff changelog --format json --open > out.json used to append the human-facing Opening <url> (expires ...) line (and any "could not open browser" notice) to stdout, right after the rendered changelog, producing invalid JSON/YAML. The success-path URL and guidance now go to stderr, so stdout carries only the rendered output. (The earlier non-fatal work already routed --open errors to stderr; this does the same for the success path.)
  • --open failures are now non-fatal (#1009). The changelog/breaking output is printed before the upload runs, so an upload error, unreachable host, or unsupported spec source used to return exit code 130 and pre-empt --fail-on, changing the command's result. A review that could not be uploaded should never alter the check's outcome: such failures are now warned to stderr and the command continues to its normal --fail-on exit.
  • --open with composed mode (-c) is rejected up front (#1009). Composed mode diffs a glob of many files, which the two-spec review cannot represent. This static, user-fixable combination now fails at argument validation with exit 100 and a clear message (--open cannot be used with composed mode (-c): the side-by-side review compares exactly two specs), before any diff runs. diff and summary (which share argument parsing but have no --open flag) are unaffected.

Config files

  • match-inline-refs is now accepted in config files (#1010). The config file is validated with UnmarshalExact, so a flag missing from the internal Config struct did not just go unread, it made any config file that set it fail to load entirely (exit 107). match-inline-refs (a visible, default-on diff flag) was missing, so match-inline-refs: false in .oasdiff.yaml was rejected. It is now a recognized key. A new drift-guard test walks every persistent flag on the config-loading commands and asserts each is either a Config field or deliberately excluded, so a future flag cannot silently break users' configs the same way. CONFIG-FILES.md is corrected to note that --open (an interactive one-shot action) is the deliberate exception and stays command-line only.

Misc

  • --open help text notes client-side encryption (#1006). The changelog/breaking --open help read "upload the comparison to oasdiff.com", which to a privacy-conscious reader looked like specs being sent in clear. It now reads "encrypt the comparison and upload it to oasdiff.com, then open the side-by-side review in a browser", signaling that encryption happens on the client before upload.
  • --open comments generalized to "the server" (#1009). --open uploads to the URL from OASDIFF_URL (defaulting to oasdiff.com), so the internal comments that hardcoded "oasdiff.com" as the destination were reworded to stay accurate for a local dev server or self-hosted target.

v1.19.0

End-to-end encrypted --open reviews, sharper request body detection

oasdiff changelog --open and oasdiff breaking --open now encrypt your specs on your machine before upload, so the side-by-side review you share is readable only by someone holding the link, never by the host. Plus a detection fix that stops flagging request body type removals that widen what the API accepts.

CLI changes

Encrypted --open review

  • --open is now end-to-end encrypted (#1001). The CLI bundles the two specs, their filenames, and the computed changelog, AES-256-GCM-encrypts the bundle with a fresh random key, and uploads only the ciphertext. The decryption key travels in the review URL's #fragment (oasdiff.com/review/e/<id>#k=<key>), which browsers never send to a server, so the host stores a blob it cannot read and your spec content never leaves your machine in cleartext. The link is shareable for 7 days; treat it like a secret, since anyone with the full link (key included) can read the review. A side effect of carrying nothing attributable to an account: the previous browser sign-in step is gone, so --open now works with no account. The upload target defaults to oasdiff.com and is overridable with the OASDIFF_URL environment variable to point at your own deployment.
  • --open help text now signals client-side encryption (#1006). The flag description on changelog/breaking --help changed from "upload the comparison to oasdiff.com" to "encrypt the comparison and upload it to oasdiff.com, then open the side-by-side review in a browser", so a privacy-conscious reader can tell encryption happens before the upload.

Detection rules

  • Request body type removal is treated as a non-breaking generalization (#1002, thanks @pjsny). Removing a type constraint from a request body widens what the API accepts (the endpoint now takes more payloads, not fewer), so it is no longer reported as a breaking change.

Go package changes

Misc

  • Breaking: load.WithIdentity is removed (#1000). The exported WithIdentity() was a no-op Option that returned specs unchanged; it is now inlined as an implementation detail inside GetOption. External callers that referenced it should use load.GetOption(opt, false) instead. GetOption(option, enable) is unchanged and remains the way to apply an option conditionally.

Commits

  • d06e0c1 fix(open): write --open URL and browser notice to stderr, not stdout (#1011)
  • c293d77 fix(config): allow match-inline-refs in config + guard against flag drift (#1...
  • da2f424 fix(open): make --open non-fatal and reject composed mode cleanly (#1009)
  • 6cbe79f bump: oasdiff-action v0.1.0 (#1008)
  • fbe903b feat: note client-side encryption in the --open flag help (#1006)
  • 30ac16d docs: refresh --open for the encrypted review flow; live checks catalog (#1005)
  • 8f210a7 Encrypt the --open review end-to-end (share specs without the host reading th...
  • 8c77a3b fix(checker): treat request body type removal as non-breaking generalization ...
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/oasdiff/oasdiff](https://github.com/oasdiff/oasdiff) from 1.18.6 to 1.19.1.
- [Release notes](https://github.com/oasdiff/oasdiff/releases)
- [Changelog](https://github.com/oasdiff/oasdiff/blob/main/docs/CHANGELOG-TEMPLATE.md)
- [Commits](oasdiff/oasdiff@v1.18.6...v1.19.1)

---
updated-dependencies:
- dependency-name: github.com/oasdiff/oasdiff
  dependency-version: 1.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) on Jun 15, 2026
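
The v1.19.0 notes above describe the encrypted --open flow: a fresh AES-256-GCM key, a ciphertext-only upload, and the key carried in the URL #fragment. The following Go example is added here and is not oasdiff's code; the function names, the nonce||ciphertext blob layout, the base64url key encoding and the `ID-PLACEHOLDER` review id are assumptions, since the page gives only the cipher and the `#k=<key>` link shape.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts bundle under a fresh random key; blob is nonce||ciphertext (assumed layout).
func Seal(bundle []byte) (blob, key []byte, err error) {
	rnd := make([]byte, 32+12) // key, then the 12-byte GCM nonce
	_, rerr := rand.Read(rnd)
	gcm, gerr := newGCM(rnd[:32])
	if rerr != nil || gerr != nil {
		return nil, nil, fmt.Errorf("seal: rand=%v cipher=%v", rerr, gerr)
	}
	return gcm.Seal(rnd[32:], rnd[32:], bundle, nil), rnd[:32], nil
}

// Open decrypts and authenticates blob; any key other than the link's fails.
func Open(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < 12 {
		return nil, fmt.Errorf("bad key or truncated blob")
	}
	return gcm.Open(nil, blob[:12], blob[12:], nil)
}

// Link returns the shareable URL and the request target a client sends for it.
func Link(host, id string, key []byte) (full, sent string) {
	frag := "k=" + base64.RawURLEncoding.EncodeToString(key) // base64url: assumed encoding
	u := url.URL{Scheme: "https", Host: host, Path: "/review/e/" + id, Fragment: frag}
	return u.String(), u.RequestURI() // RequestURI has no fragment: the key is never sent
}

func main() {
	_, key, _ := Seal([]byte("constructed sample bundle"))
	fmt.Println(Link("oasdiff.com", "ID-PLACEHOLDER", key))
}
```

`sent` is all the host receives alongside the blob; `full` is the value that has to be handled as a secret.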