Skip to content

Monitor Spectral CLI deprecated transitive dependencies #137

New issue
New issue
Open
Open
Monitor Spectral CLI deprecated transitive dependencies#137
Labels
BacklogImplementation not considered short-term, long-term evolution issueenhancementNew feature or request
@hdamker

Description

@hdamker
hdamker
opened on Mar 27, 2026

Problem description

The validation framework uses @stoplight/spectral-cli@^6.14.0 (currently 6.15.0) for OpenAPI linting. During npm install, three deprecation warnings are emitted from Spectral's transitive dependency tree:

npm warn deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory.
npm warn deprecated glob@7.2.3: Old versions of glob are not supported

These warnings are cosmetic and do not affect Spectral's functionality or validation results. All three originate from @rollup/plugin-commonjs@~22.0.2, pinned in @stoplight/spectral-ruleset-bundler. The current @rollup/plugin-commonjs (v29) no longer depends on these packages, but upgrading from v22 requires a rollup v2 → v3/v4 migration within Spectral's bundler package.

The last Spectral CLI release is 6.15.0 (April 2025). Related upstream issues: stoplightio/spectral#2374 (sourcemap-codec, open since December 2022), stoplightio/spectral#2871 (glob/inflight, open since December 2025). The develop branch shows ongoing dependency bumps and bug fixes but the rollup/plugin-commonjs pin has not been addressed.

Possible evolution

No action needed now. Monitor periodically:

  1. New Spectral CLI releases that may resolve the dependency chain
  2. npm registry deprecation policies that could escalate warnings to install failures
  3. If Spectral's maintenance trajectory changes, evaluate alternatives (Redocly CLI linting, custom rules migration)

Alternative solution

  • npm overrides in package.json could force newer versions of the transitive deps, but this creates untested dependency combinations
  • Redocly CLI offers OpenAPI linting capabilities but would require migrating the custom Spectral rulesets

Additional context

Spectral runs correctly on Node.js 24 with the current dependency tree. The risk of these packages being removed from the npm registry is low given their widespread use. This is a monitoring item, not an immediate problem.

Metadata

Metadata

Assignees

No one assigned

    Labels

    BacklogImplementation not considered short-term, long-term evolution issueenhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions