I am pleased to announce the latest release of Schemathesis, which brings a range of new features, improvements, and bug fixes aimed at enhancing your API testing experience. 🎉
Here's a quick overview of what's new:
- **OpenAPI 3.1**: Experimental support for OpenAPI 3.1 provides forward compatibility for evolving APIs.
- **Security**: Automatic sanitization of sensitive data in the output is now enabled by default for better data hygiene.
- **XML Serialization**: Support for `application/xml` serialization opens up new testing possibilities for APIs that use this format.
- **Hook Shortcuts**: Minimize boilerplate in your extensions with new hook shortcuts like `filter_query`, `map_header`, etc.
- **FastAPI & GraphQL Enhancements**: Automatic FastAPI fixup and body hooks in GraphQL schemas simplify the testing process for FastAPI and GraphQL users.
- **Improved Debugging**: Refined reproduction code and shortened test case IDs for easier debugging.
For a full list of changes, please see the changelog below. Your feedback is valuable to us, and we look forward to hearing your thoughts on these updates :pray:
:rocket: Added
- `--experimental=openapi-3.1` CLI option for experimental support of OpenAPI 3.1. This enables compatible JSON Schema validation for responses, while data generation remains OpenAPI 3.0-compatible. #1820
- Automatic sanitization of sensitive data in the output is now enabled by default. This feature can be disabled using the `--sanitize-output=false` CLI option. For more advanced customization, use `schemathesis.sanitizing.configure()`. #1794
- Support for `application/xml` serialization based on OpenAPI schema definitions. #733
- Hook shortcuts (`filter_query`, `map_header`, etc.) to minimize boilerplate in extensions. #1673
- Automatic injection of the FastAPI fixup for ASGI loaders, eliminating the need for manual setup. #1797
- Support for `body` hooks in GraphQL schemas, enabling custom filtering or modification of queries and mutations. #1464
- Support for colored output from the Docker container. #1170
- A way to disable suggestions for visualizing test results via the `SCHEMATHESIS_REPORT_SUGGESTION=0` environment variable. #1802
- New `filter_operations` hook to conditionally include or exclude specific API operations from being tested.
- Added `contains` method to `ParameterSet` for easier parameter checks in hooks. #1789
**Note**: Experimental features can change or be removed in any minor version release.
:wrench: Changed
- Support `Werkzeug>=3.0`. #1819
- Refined generated reproduction code and shortened `X-Schemathesis-TestCaseId` for easier debugging. #1801
- Add `case` as the first argument to `AuthContext.set`. The previous calling convention is still supported. #1788
- Disable the 'explain' phase in Hypothesis to improve performance. #1808
- Simplify Python code samples for failure reproduction.
- Do not display `InsecureRequestWarning` in CLI output if the user explicitly provided `--request-tls-verify=false`. #1780
- Enhance CLI output for schema loading and internal errors, providing clearer diagnostics and guidance. #1781, #1517, #1472

**Before**:

```
Failed to load schema from https://127.0.0.1:6423/openapi.json
You can use `--wait-for-schema=NUM` to wait for a maximum of NUM seconds on the API schema availability.
Error: requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=6423): Max retries exceeded with url: /openapi.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:992)')))
Add this option to your command line parameters to see full tracebacks: --show-errors-tracebacks
```

**After**:

```
Schema Loading Error
SSL verification problem
[SSL: WRONG_VERSION_NUMBER] wrong version number
Tip: Bypass SSL verification with `--request-tls-verify=false`.
```
:wastebasket: Deprecated
- Defining `AuthProvider.get` with a single `context` argument. Support will be removed in Schemathesis `4.0`.
:bug: Fixed
- Fixed type hint for `AuthProvider`. #1776
- Do not skip negative tests if the generated value is `None`.
- Lack of execution for ASGI events during testing. #1305, #1727
- Confusing error message when trying to load the schema from a non-existing file. #1602
- Reflect disabled TLS verification in generated code samples. #1054
- Generated cURL commands now include the `Content-Type` header, which was previously omitted. #1783
- Improperly serialized headers in `SerializedHistoryEntry.case.extra_headers`.
:racing_car: Performance
- Optimize event data emission by postponing code sample generation, resulting in a `~4%` reduction in the emitted events data size.
:fire: Removed
- Unused `SerializedError.example` attribute. It used to be populated for flaky errors before they became regular failures.
- Unused `TestResult.overridden_headers` attribute.