fix(deps): update dependency @apidevtools/json-schema-ref-parser to v15

[renovate]

Summary

Upgrades @apidevtools/json-schema-ref-parser from 13.0.5 to 15.1.3 and fixes two breaking changes introduced by v15:

1. Localhost/internal URL blocking: v15 added a security fix that blocks HTTP requests to internal/localhost URLs by default (safeUrlResolver: true). Counterfact legitimately needs to load OpenAPI specs from localhost, so safeUrlResolver: false is passed to bundle() in specification.ts.

2. Windows path handling: v15's internal isAbsoluteWin32Path regex (/^[a-zA-Z]:\\/) only matches paths with backslashes. When paths are normalized to forward slashes (e.g., C:/Users/...), the library incorrectly treats them as relative paths and prepends the CWD. Fixed by patching the library via patch-package to change the regex to /^[a-zA-Z]:[/\\]/, recognizing both C:\... and C:/... as absolute Windows paths.

Original Prompt

This PR contains the following updates:

Package	Change
@apidevtools/json-schema-ref-parser	13.0.5 → 15.1.3

Change needed to fix this: APIDevTools/json-schema-ref-parser#405

Manual acceptance tests

• Look into the patched dependency. That's probably not ideal. Open a bug on the dependency repo if it makes sense.
• Running npx counterfact@latest https://petstore3.swagger.io/api/v3/openapi.json api generates route files without errors
• Loading an OpenAPI spec from a localhost URL (e.g., a locally running API server) resolves correctly without throwing a SyntaxError
• Loading an OpenAPI spec from a local file path works as before on both Windows and Unix
• Loading an OpenAPI spec from a remote public URL works as before
• Existing generated route files and server behavior are unchanged after upgrading the dependency
• The /counterfact/openapi endpoint correctly serves the OpenAPI document with the injected Counterfact server entry

Tasks

• Updated @apidevtools/json-schema-ref-parser from 13.0.5 to 15.1.3 in package.json
• Passed { resolve: { http: { safeUrlResolver: false } } } to bundle() in src/typescript-generator/specification.ts to allow localhost URL resolution (file was converted from .js to .ts as part of a broader TypeScript migration in main)
• Added a patch-package patch (patches/@apidevtools+json-schema-ref-parser+15.1.3.patch) to fix the isAbsoluteWin32Path regex from /^[a-zA-Z]:\\/ to /^[a-zA-Z]:[/\\]/, so forward-slash Windows paths (C:/...) are correctly detected as absolute rather than having the CWD prepended
• Resolved merge conflicts with main, which had migrated src/typescript-generator/specification.js → specification.ts as part of a full TypeScript conversion of the typescript-generator/ directory

[changeset-bot]

🦋 Changeset detected

Latest commit: 7a666fb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
counterfact	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[pmcelhaney]

@copilot fix this issue per APIDevTools/json-schema-ref-parser#405

[Copilot]

@copilot fix this issue per APIDevTools/json-schema-ref-parser#405

Fixed in b72346a. The security fix in json-schema-ref-parser v15 (the commit referenced in issue #405) blocks localhost URLs by default via safeUrlResolver: true. Since Counterfact legitimately needs to load OpenAPI specs from localhost, I passed { resolve: { http: { safeUrlResolver: false } } } to bundle() in specification.js. All 38 test suites now pass.

[coveralls]

Pull Request Test Coverage Report for Build 23771126199

Details

• 3 of 3 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.004%) to 86.089%

---

Totals
Change from base Build 23770053332:	0.004%
Covered Lines:	5041
Relevant Lines:	5916

---

💛 - Coveralls

[pmcelhaney]

@copilot CI is failing on Windows. Probably because \s didn't get changed to /s somewhere. Look for exiting replaceAll() functions that fix that issue and add replaceAll()s where they're missing.

[Copilot]

@copilot CI is failing on Windows. Probably because \s didn't get changed to /s somewhere. Look for exiting replaceAll() functions that fix that issue and add replaceAll()s where they're missing.

Fixed in 109494b. The issue was that json-schema-ref-parser v15's internal isAbsoluteWin32Path regex (/^[a-zA-Z]:\\/) only matches paths with backslashes (e.g., C:\Users\...), but the withTemporaryFiles helper normalizes paths to forward slashes (C:/Users/...), causing the library to treat them as relative paths and prepend the CWD.

The fix converts filesystem paths to proper file:// URLs using Node's pathToFileURL() before passing to bundle() in both specification.js and openapi-middleware.ts. This handles both forward and backward slash variants correctly on all platforms.

[pmcelhaney]

@copilot some tests are failing now

[Copilot]

@copilot some tests are failing now

Fixed in 161ad32. The issue was that pathToFileURL (my previous fix) encodes ~ as %7E, and then fromFileSystemPath in v15 runs encodeURI on the result, double-encoding it to %257E. This only partially decodes back to %7E, leaving the path unresolvable.

The root cause is v15's isAbsoluteWin32Path regex (/^[a-zA-Z]:\\/) only recognizes backslash-style Windows paths — when paths are normalized to forward slashes (C:/Users/...), v15 doesn't detect them as absolute and incorrectly prepends the CWD.

The fix adds a patch-package patch for @apidevtools/json-schema-ref-parser@15.1.3 changing the regex from /^[a-zA-Z]:\\/ to /^[a-zA-Z]:[/\\]/ so it recognizes both C:\... and C:/... as absolute Windows paths.

[pmcelhaney]

@copilot resolve conflicts

[Copilot]

@copilot resolve conflicts

Resolved in 7a666fb. Merged latest main into this branch — the main conflict was that main had converted specification.js to specification.ts. Applied the safeUrlResolver: false fix to the new TypeScript file and removed the old JS file. All 43 tests pass.