@apidevtools/json-schema-ref-parser 13.0.4 → 14.0.0

package/dist/lib/index.d.ts

@@ -5,6 +5,7 @@ import { JSONParserError, InvalidPointerError, MissingPointerError, ResolverErro
 import type { ParserOptions } from "./options.js";
 import { getJsonSchemaRefParserDefaultOptions } from "./options.js";
 import type { $RefsCallback, JSONSchema, SchemaCallback, FileInfo, Plugin, ResolverOptions, HTTPResolverOptions } from "./types/index.js";
+import { isUnsafeUrl } from "./util/url.js";
 export type RefParserSchema = string | JSONSchema;
 /**
  * This class parses a JSON schema, builds a map of its JSON references and their resolved values,
@@ -55,7 +56,7 @@ export declare class $RefParser<S extends object = JSONSchema, O extends ParserO
      *
      * Resolves all JSON references (`$ref` pointers) in the given JSON Schema file. If it references any other files/URLs, then they will be downloaded and resolved as well. This method **does not** dereference anything. It simply gives you a `$Refs` object, which is a map of all the resolved references and their values.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
+     * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
      *
      * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
      * @param options (optional)
@@ -72,7 +73,7 @@ export declare class $RefParser<S extends object = JSONSchema, O extends ParserO
      *
      * Resolves all JSON references (`$ref` pointers) in the given JSON Schema file. If it references any other files/URLs, then they will be downloaded and resolved as well. This method **does not** dereference anything. It simply gives you a `$Refs` object, which is a map of all the resolved references and their values.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
+     * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
      *
      * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
      * @param options (optional)
@@ -89,7 +90,7 @@ export declare class $RefParser<S extends object = JSONSchema, O extends ParserO
      *
      * This also eliminates the risk of circular references, so the schema can be safely serialized using `JSON.stringify()`.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
+     * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
      *
      * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
      * @param options (optional)
@@ -106,7 +107,7 @@ export declare class $RefParser<S extends object = JSONSchema, O extends ParserO
      *
      * This also eliminates the risk of circular references, so the schema can be safely serialized using `JSON.stringify()`.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
+     * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
      *
      * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
      * @param options (optional)
@@ -123,7 +124,7 @@ export declare class $RefParser<S extends object = JSONSchema, O extends ParserO
      *
      * The dereference method maintains object reference equality, meaning that all `$ref` pointers that point to the same object will be replaced with references to the same object. Again, this is great for programmatic usage, but it does introduce the risk of circular references, so be careful if you intend to serialize the schema using `JSON.stringify()`. Consider using the bundle method instead, which does not create circular references.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
+     * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
      *
      * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
      * @param options (optional)
@@ -140,7 +141,7 @@ export declare class $RefParser<S extends object = JSONSchema, O extends ParserO
      *
      * The dereference method maintains object reference equality, meaning that all `$ref` pointers that point to the same object will be replaced with references to the same object. Again, this is great for programmatic usage, but it does introduce the risk of circular references, so be careful if you intend to serialize the schema using `JSON.stringify()`. Consider using the bundle method instead, which does not create circular references.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
+     * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
      *
      * @param path
      * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
@@ -159,4 +160,4 @@ export declare const parse: typeof $RefParser.parse;
 export declare const resolve: typeof $RefParser.resolve;
 export declare const bundle: typeof $RefParser.bundle;
 export declare const dereference: typeof $RefParser.dereference;
-export { UnmatchedResolverError, JSONParserError, JSONSchema, InvalidPointerError, MissingPointerError, ResolverError, ParserError, UnmatchedParserError, ParserOptions, $RefsCallback, isHandledError, JSONParserErrorGroup, SchemaCallback, FileInfo, Plugin, ResolverOptions, HTTPResolverOptions, _dereference as dereferenceInternal, normalizeArgs as jsonSchemaParserNormalizeArgs, getJsonSchemaRefParserDefaultOptions, $Refs, };
+export { UnmatchedResolverError, JSONParserError, JSONSchema, InvalidPointerError, MissingPointerError, ResolverError, ParserError, UnmatchedParserError, ParserOptions, $RefsCallback, isHandledError, JSONParserErrorGroup, SchemaCallback, FileInfo, Plugin, ResolverOptions, HTTPResolverOptions, _dereference as dereferenceInternal, normalizeArgs as jsonSchemaParserNormalizeArgs, getJsonSchemaRefParserDefaultOptions, $Refs, isUnsafeUrl, };

package/dist/lib/index.js

@@ -36,7 +36,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.$Refs = exports.getJsonSchemaRefParserDefaultOptions = exports.jsonSchemaParserNormalizeArgs = exports.dereferenceInternal = exports.JSONParserErrorGroup = exports.isHandledError = exports.UnmatchedParserError = exports.ParserError = exports.ResolverError = exports.MissingPointerError = exports.InvalidPointerError = exports.JSONParserError = exports.UnmatchedResolverError = exports.dereference = exports.bundle = exports.resolve = exports.parse = exports.$RefParser = void 0;
+exports.isUnsafeUrl = exports.$Refs = exports.getJsonSchemaRefParserDefaultOptions = exports.jsonSchemaParserNormalizeArgs = exports.dereferenceInternal = exports.JSONParserErrorGroup = exports.isHandledError = exports.UnmatchedParserError = exports.ParserError = exports.ResolverError = exports.MissingPointerError = exports.InvalidPointerError = exports.JSONParserError = exports.UnmatchedResolverError = exports.dereference = exports.bundle = exports.resolve = exports.parse = exports.$RefParser = void 0;
 const refs_js_1 = __importDefault(require("./refs.js"));
 exports.$Refs = refs_js_1.default;
 const parse_js_1 = __importDefault(require("./parse.js"));
@@ -60,6 +60,8 @@ Object.defineProperty(exports, "JSONParserErrorGroup", { enumerable: true, get:
 const maybe_js_1 = __importDefault(require("./util/maybe.js"));
 const options_js_1 = require("./options.js");
 Object.defineProperty(exports, "getJsonSchemaRefParserDefaultOptions", { enumerable: true, get: function () { return options_js_1.getJsonSchemaRefParserDefaultOptions; } });
+const url_js_1 = require("./util/url.js");
+Object.defineProperty(exports, "isUnsafeUrl", { enumerable: true, get: function () { return url_js_1.isUnsafeUrl; } });
 /**
  * This class parses a JSON schema, builds a map of its JSON references and their resolved values,
  * and provides methods for traversing, manipulating, and dereferencing those references.

package/dist/lib/refs.d.ts

@@ -10,19 +10,19 @@ interface $RefsMap<S extends object = JSONSchema, O extends ParserOptions<S> = P
  *
  * This object is a map of JSON References and their resolved values. It also has several convenient helper methods that make it easy for you to navigate and manipulate the JSON References.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/refs.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html
  */
 export default class $Refs<S extends object = JSONSchema, O extends ParserOptions<S> = ParserOptions<S>> {
     /**
      * This property is true if the schema contains any circular references. You may want to check this property before serializing the dereferenced schema as JSON, since JSON.stringify() does not support circular references by default.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#circular
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#circular
      */
     circular: boolean;
     /**
      * Returns the paths/URLs of all the files in your schema (including the main schema file).
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#pathstypes
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#pathstypes
      *
      * @param types (optional) Optionally only return certain types of paths ("file", "http", etc.)
      */
@@ -30,7 +30,7 @@ export default class $Refs<S extends object = JSONSchema, O extends ParserOption
     /**
      * Returns a map of paths/URLs and their correspond values.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#valuestypes
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#valuestypes
      *
      * @param types (optional) Optionally only return values from certain locations ("file", "http", etc.)
      */
@@ -38,7 +38,7 @@ export default class $Refs<S extends object = JSONSchema, O extends ParserOption
     /**
      * Returns `true` if the given path exists in the schema; otherwise, returns `false`
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#existsref
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#existsref
      *
      * @param $ref The JSON Reference path, optionally with a JSON Pointer in the hash
      */

package/dist/lib/refs.js

@@ -44,13 +44,13 @@ const convert_path_to_posix_1 = __importDefault(require("./util/convert-path-to-
  *
  * This object is a map of JSON References and their resolved values. It also has several convenient helper methods that make it easy for you to navigate and manipulate the JSON References.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/refs.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html
  */
 class $Refs {
     /**
      * Returns the paths/URLs of all the files in your schema (including the main schema file).
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#pathstypes
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#pathstypes
      *
      * @param types (optional) Optionally only return certain types of paths ("file", "http", etc.)
      */
@@ -63,7 +63,7 @@ class $Refs {
     /**
      * Returns a map of paths/URLs and their correspond values.
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#valuestypes
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#valuestypes
      *
      * @param types (optional) Optionally only return values from certain locations ("file", "http", etc.)
      */
@@ -78,7 +78,7 @@ class $Refs {
     /**
      * Returns `true` if the given path exists in the schema; otherwise, returns `false`
      *
-     * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#existsref
+     * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#existsref
      *
      * @param $ref The JSON Reference path, optionally with a JSON Pointer in the hash
      */

package/dist/lib/resolvers/http.js

@@ -64,13 +64,17 @@ exports.default = {
      * Set this to `true` if you're downloading files from a CORS-enabled server that requires authentication
      */
     withCredentials: false,
+    /**
+     * Set this to `false` if you want to allow unsafe URLs (e.g., `127.0.0.1`, localhost, and other internal URLs).
+     */
+    safeUrlResolver: true,
     /**
      * Determines whether this resolver can read a given file reference.
      * Resolvers that return true will be tried in order, until one successfully resolves the file.
      * Resolvers that return false will not be given a chance to resolve the file.
      */
     canRead(file) {
-        return url.isHttp(file.url);
+        return url.isHttp(file.url) && (!this.safeUrlResolver || !url.isUnsafeUrl(file.url));
     },
     /**
      * Reads the given URL and returns its raw contents as a Buffer.

package/dist/lib/types/index.d.ts

@@ -6,7 +6,7 @@ export type JSONSchemaObject = JSONSchema4Object | JSONSchema6Object | JSONSchem
 export type SchemaCallback<S extends object = JSONSchema> = (err: Error | null, schema?: S | object | null) => any;
 export type $RefsCallback<S extends object = JSONSchema, O extends ParserOptions<S> = ParserOptions<S>> = (err: Error | null, $refs?: $Refs<S, O>) => any;
 /**
- * See https://apitools.dev/json-schema-ref-parser/docs/options.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/options.html
  */
 export interface HTTPResolverOptions<S extends object = JSONSchema> extends Partial<ResolverOptions<S>> {
     /**
@@ -25,11 +25,15 @@ export interface HTTPResolverOptions<S extends object = JSONSchema> extends Part
      * Set this to `true` if you're downloading files from a CORS-enabled server that requires authentication
      */
     withCredentials?: boolean;
+    /**
+     * Set this to `false` if you want to allow unsafe URLs (e.g., `127.0.0.1`, localhost, and other internal URLs).
+     */
+    safeUrlResolver: true;
 }
 /**
  * JSON Schema `$Ref` Parser comes with built-in resolvers for HTTP and HTTPS URLs, as well as local filesystem paths (when running in Node.js). You can add your own custom resolvers to support additional protocols, or even replace any of the built-in resolvers with your own custom implementation.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/plugins/resolvers.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/plugins/resolvers.html
  */
 export interface ResolverOptions<S extends object = JSONSchema> {
     name?: string;
@@ -92,7 +96,7 @@ export interface Plugin {
  *
  * The file info object currently only consists of a few properties, but it may grow in the future if plug-ins end up needing more information.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/plugins/file-info-object.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/plugins/file-info-object.html
  */
 export interface FileInfo {
     /**

package/dist/lib/util/url.d.ts

@@ -55,6 +55,13 @@ export declare function stripHash(path?: string | undefined): string;
  * @returns
  */
 export declare function isHttp(path: string): boolean;
+/**
+ * Determines whether the given url is an unsafe or internal url.
+ *
+ * @param path - The URL or path to check
+ * @returns true if the URL is unsafe/internal, false otherwise
+ */
+export declare function isUnsafeUrl(path: string): boolean;
 /**
  * Determines whether the given path is a filesystem path.
  * This includes "file://" URLs.

package/dist/lib/util/url.js

@@ -45,6 +45,7 @@ exports.stripQuery = stripQuery;
 exports.getHash = getHash;
 exports.stripHash = stripHash;
 exports.isHttp = isHttp;
+exports.isUnsafeUrl = isUnsafeUrl;
 exports.isFileSystemPath = isFileSystemPath;
 exports.fromFileSystemPath = fromFileSystemPath;
 exports.toFileSystemPath = toFileSystemPath;
@@ -209,6 +210,152 @@ function isHttp(path) {
         return false;
     }
 }
+/**
+ * Determines whether the given url is an unsafe or internal url.
+ *
+ * @param path - The URL or path to check
+ * @returns true if the URL is unsafe/internal, false otherwise
+ */
+function isUnsafeUrl(path) {
+    if (!path || typeof path !== "string") {
+        return true;
+    }
+    // Trim whitespace and convert to lowercase for comparison
+    const normalizedPath = path.trim().toLowerCase();
+    // Empty or just whitespace
+    if (!normalizedPath) {
+        return true;
+    }
+    // JavaScript protocols
+    if (normalizedPath.startsWith("javascript:") ||
+        normalizedPath.startsWith("vbscript:") ||
+        normalizedPath.startsWith("data:")) {
+        return true;
+    }
+    // File protocol
+    if (normalizedPath.startsWith("file:")) {
+        return true;
+    }
+    // if we're in the browser, we assume that it is safe
+    if (typeof window !== "undefined" && window.location && window.location.href) {
+        return false;
+    }
+    // Local/internal network addresses
+    const localPatterns = [
+        // Localhost variations
+        "localhost",
+        "127.0.0.1",
+        "::1",
+        // Private IP ranges (RFC 1918)
+        "10.",
+        "172.16.",
+        "172.17.",
+        "172.18.",
+        "172.19.",
+        "172.20.",
+        "172.21.",
+        "172.22.",
+        "172.23.",
+        "172.24.",
+        "172.25.",
+        "172.26.",
+        "172.27.",
+        "172.28.",
+        "172.29.",
+        "172.30.",
+        "172.31.",
+        "192.168.",
+        // Link-local addresses
+        "169.254.",
+        // Internal domains
+        ".local",
+        ".internal",
+        ".intranet",
+        ".corp",
+        ".home",
+        ".lan",
+    ];
+    try {
+        // Try to parse as URL
+        const url = new URL(normalizedPath.startsWith("//") ? "http:" + normalizedPath : normalizedPath);
+        const hostname = url.hostname.toLowerCase();
+        // Check against local patterns
+        for (const pattern of localPatterns) {
+            if (hostname === pattern || hostname.startsWith(pattern) || hostname.endsWith(pattern)) {
+                return true;
+            }
+        }
+        // Check for IP addresses in private ranges
+        if (isPrivateIP(hostname)) {
+            return true;
+        }
+        // Check for non-standard ports that might indicate internal services
+        const port = url.port;
+        if (port && isInternalPort(parseInt(port))) {
+            return true;
+        }
+    }
+    catch (e) {
+        // If URL parsing fails, check if it's a relative path or contains suspicious patterns
+        // Relative paths starting with / are generally safe for same-origin
+        if (normalizedPath.startsWith("/") && !normalizedPath.startsWith("//")) {
+            return false;
+        }
+        // Check for localhost patterns in non-URL strings
+        for (const pattern of localPatterns) {
+            if (normalizedPath.includes(pattern)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Helper function to check if an IP address is in a private range
+ */
+function isPrivateIP(ip) {
+    const ipRegex = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+    const match = ip.match(ipRegex);
+    if (!match) {
+        return false;
+    }
+    const [, a, b, c, d] = match.map(Number);
+    // Validate IP format
+    if (a > 255 || b > 255 || c > 255 || d > 255) {
+        return false;
+    }
+    // Private IP ranges
+    return (a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 169 && b === 254) // Link-local
+    );
+}
+/**
+ * Helper function to check if a port is typically used for internal services
+ */
+function isInternalPort(port) {
+    const internalPorts = [
+        22, // SSH
+        23, // Telnet
+        25, // SMTP
+        53, // DNS
+        135, // RPC
+        139, // NetBIOS
+        445, // SMB
+        993, // IMAPS
+        995, // POP3S
+        1433, // SQL Server
+        1521, // Oracle
+        3306, // MySQL
+        3389, // RDP
+        5432, // PostgreSQL
+        5900, // VNC
+        6379, // Redis
+        8080, // Common internal web
+        8443, // Common internal HTTPS
+        9200, // Elasticsearch
+        27017, // MongoDB
+    ];
+    return internalPorts.includes(port);
+}
 /**
  * Determines whether the given path is a filesystem path.
  * This includes "file://" URLs.

package/lib/index.ts

@@ -28,6 +28,7 @@ import type {
   ResolverOptions,
   HTTPResolverOptions,
 } from "./types/index.js";
+import { isUnsafeUrl } from "./util/url.js";
 
 export type RefParserSchema = string | JSONSchema;
 
@@ -180,7 +181,7 @@ export class $RefParser<S extends object = JSONSchema, O extends ParserOptions<S
    *
    * Resolves all JSON references (`$ref` pointers) in the given JSON Schema file. If it references any other files/URLs, then they will be downloaded and resolved as well. This method **does not** dereference anything. It simply gives you a `$Refs` object, which is a map of all the resolved references and their values.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
+   * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
    *
    * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
    * @param options (optional)
@@ -210,7 +211,7 @@ export class $RefParser<S extends object = JSONSchema, O extends ParserOptions<S
    *
    * Resolves all JSON references (`$ref` pointers) in the given JSON Schema file. If it references any other files/URLs, then they will be downloaded and resolved as well. This method **does not** dereference anything. It simply gives you a `$Refs` object, which is a map of all the resolved references and their values.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
+   * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#resolveschema-options-callback
    *
    * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
    * @param options (optional)
@@ -255,7 +256,7 @@ export class $RefParser<S extends object = JSONSchema, O extends ParserOptions<S
    *
    * This also eliminates the risk of circular references, so the schema can be safely serialized using `JSON.stringify()`.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
+   * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
    *
    * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
    * @param options (optional)
@@ -298,7 +299,7 @@ export class $RefParser<S extends object = JSONSchema, O extends ParserOptions<S
    *
    * This also eliminates the risk of circular references, so the schema can be safely serialized using `JSON.stringify()`.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
+   * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#bundleschema-options-callback
    *
    * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
    * @param options (optional)
@@ -327,7 +328,7 @@ export class $RefParser<S extends object = JSONSchema, O extends ParserOptions<S
    *
    * The dereference method maintains object reference equality, meaning that all `$ref` pointers that point to the same object will be replaced with references to the same object. Again, this is great for programmatic usage, but it does introduce the risk of circular references, so be careful if you intend to serialize the schema using `JSON.stringify()`. Consider using the bundle method instead, which does not create circular references.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
+   * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
    *
    * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
    * @param options (optional)
@@ -370,7 +371,7 @@ export class $RefParser<S extends object = JSONSchema, O extends ParserOptions<S
    *
    * The dereference method maintains object reference equality, meaning that all `$ref` pointers that point to the same object will be replaced with references to the same object. Again, this is great for programmatic usage, but it does introduce the risk of circular references, so be careful if you intend to serialize the schema using `JSON.stringify()`. Consider using the bundle method instead, which does not create circular references.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
+   * See https://apidevtools.com/json-schema-ref-parser/docs/ref-parser.html#dereferenceschema-options-callback
    *
    * @param path
    * @param schema A JSON Schema object, or the file path or URL of a JSON Schema file. See the `parse` method for more info.
@@ -439,4 +440,5 @@ export {
   normalizeArgs as jsonSchemaParserNormalizeArgs,
   getJsonSchemaRefParserDefaultOptions,
   $Refs,
+  isUnsafeUrl,
 };

package/lib/refs.ts

@@ -13,20 +13,20 @@ interface $RefsMap<S extends object = JSONSchema, O extends ParserOptions<S> = P
  *
  * This object is a map of JSON References and their resolved values. It also has several convenient helper methods that make it easy for you to navigate and manipulate the JSON References.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/refs.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html
  */
 export default class $Refs<S extends object = JSONSchema, O extends ParserOptions<S> = ParserOptions<S>> {
   /**
    * This property is true if the schema contains any circular references. You may want to check this property before serializing the dereferenced schema as JSON, since JSON.stringify() does not support circular references by default.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#circular
+   * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#circular
    */
   public circular: boolean;
 
   /**
    * Returns the paths/URLs of all the files in your schema (including the main schema file).
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#pathstypes
+   * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#pathstypes
    *
    * @param types (optional) Optionally only return certain types of paths ("file", "http", etc.)
    */
@@ -40,7 +40,7 @@ export default class $Refs<S extends object = JSONSchema, O extends ParserOption
   /**
    * Returns a map of paths/URLs and their correspond values.
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#valuestypes
+   * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#valuestypes
    *
    * @param types (optional) Optionally only return values from certain locations ("file", "http", etc.)
    */
@@ -56,7 +56,7 @@ export default class $Refs<S extends object = JSONSchema, O extends ParserOption
   /**
    * Returns `true` if the given path exists in the schema; otherwise, returns `false`
    *
-   * See https://apitools.dev/json-schema-ref-parser/docs/refs.html#existsref
+   * See https://apidevtools.com/json-schema-ref-parser/docs/refs.html#existsref
    *
    * @param $ref The JSON Reference path, optionally with a JSON Pointer in the hash
    */

package/lib/resolvers/http.ts

@@ -36,13 +36,18 @@ export default {
    */
   withCredentials: false,
 
+  /**
+   * Set this to `false` if you want to allow unsafe URLs (e.g., `127.0.0.1`, localhost, and other internal URLs).
+   */
+  safeUrlResolver: true,
+
   /**
    * Determines whether this resolver can read a given file reference.
    * Resolvers that return true will be tried in order, until one successfully resolves the file.
    * Resolvers that return false will not be given a chance to resolve the file.
    */
   canRead(file: FileInfo) {
-    return url.isHttp(file.url);
+    return url.isHttp(file.url) && (!this.safeUrlResolver || !url.isUnsafeUrl(file.url));
   },
 
   /**

package/lib/types/index.ts

@@ -18,7 +18,7 @@ export type $RefsCallback<S extends object = JSONSchema, O extends ParserOptions
 ) => any;
 
 /**
- * See https://apitools.dev/json-schema-ref-parser/docs/options.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/options.html
  */
 
 export interface HTTPResolverOptions<S extends object = JSONSchema> extends Partial<ResolverOptions<S>> {
@@ -41,12 +41,17 @@ export interface HTTPResolverOptions<S extends object = JSONSchema> extends Part
    * Set this to `true` if you're downloading files from a CORS-enabled server that requires authentication
    */
   withCredentials?: boolean;
+
+  /**
+   * Set this to `false` if you want to allow unsafe URLs (e.g., `127.0.0.1`, localhost, and other internal URLs).
+   */
+  safeUrlResolver: true;
 }
 
 /**
  * JSON Schema `$Ref` Parser comes with built-in resolvers for HTTP and HTTPS URLs, as well as local filesystem paths (when running in Node.js). You can add your own custom resolvers to support additional protocols, or even replace any of the built-in resolvers with your own custom implementation.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/plugins/resolvers.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/plugins/resolvers.html
  */
 export interface ResolverOptions<S extends object = JSONSchema> {
   name?: string;
@@ -126,7 +131,7 @@ export interface Plugin {
  *
  * The file info object currently only consists of a few properties, but it may grow in the future if plug-ins end up needing more information.
  *
- * See https://apitools.dev/json-schema-ref-parser/docs/plugins/file-info-object.html
+ * See https://apidevtools.com/json-schema-ref-parser/docs/plugins/file-info-object.html
  */
 export interface FileInfo {
   /**

package/lib/util/url.ts

@@ -167,7 +167,178 @@ export function isHttp(path: string) {
     return false;
   }
 }
+/**
+ * Determines whether the given url is an unsafe or internal url.
+ *
+ * @param path - The URL or path to check
+ * @returns true if the URL is unsafe/internal, false otherwise
+ */
+export function isUnsafeUrl(path: string): boolean {
+  if (!path || typeof path !== "string") {
+    return true;
+  }
+
+  // Trim whitespace and convert to lowercase for comparison
+  const normalizedPath = path.trim().toLowerCase();
 
+  // Empty or just whitespace
+  if (!normalizedPath) {
+    return true;
+  }
+
+  // JavaScript protocols
+  if (
+    normalizedPath.startsWith("javascript:") ||
+    normalizedPath.startsWith("vbscript:") ||
+    normalizedPath.startsWith("data:")
+  ) {
+    return true;
+  }
+
+  // File protocol
+  if (normalizedPath.startsWith("file:")) {
+    return true;
+  }
+
+  // if we're in the browser, we assume that it is safe
+  if (typeof window !== "undefined" && window.location && window.location.href) {
+    return false;
+  }
+
+  // Local/internal network addresses
+  const localPatterns = [
+    // Localhost variations
+    "localhost",
+    "127.0.0.1",
+    "::1",
+
+    // Private IP ranges (RFC 1918)
+    "10.",
+    "172.16.",
+    "172.17.",
+    "172.18.",
+    "172.19.",
+    "172.20.",
+    "172.21.",
+    "172.22.",
+    "172.23.",
+    "172.24.",
+    "172.25.",
+    "172.26.",
+    "172.27.",
+    "172.28.",
+    "172.29.",
+    "172.30.",
+    "172.31.",
+    "192.168.",
+
+    // Link-local addresses
+    "169.254.",
+
+    // Internal domains
+    ".local",
+    ".internal",
+    ".intranet",
+    ".corp",
+    ".home",
+    ".lan",
+  ];
+
+  try {
+    // Try to parse as URL
+    const url = new URL(normalizedPath.startsWith("//") ? "http:" + normalizedPath : normalizedPath);
+
+    const hostname = url.hostname.toLowerCase();
+
+    // Check against local patterns
+    for (const pattern of localPatterns) {
+      if (hostname === pattern || hostname.startsWith(pattern) || hostname.endsWith(pattern)) {
+        return true;
+      }
+    }
+
+    // Check for IP addresses in private ranges
+    if (isPrivateIP(hostname)) {
+      return true;
+    }
+
+    // Check for non-standard ports that might indicate internal services
+    const port = url.port;
+    if (port && isInternalPort(parseInt(port))) {
+      return true;
+    }
+  } catch (e) {
+    // If URL parsing fails, check if it's a relative path or contains suspicious patterns
+
+    // Relative paths starting with / are generally safe for same-origin
+    if (normalizedPath.startsWith("/") && !normalizedPath.startsWith("//")) {
+      return false;
+    }
+
+    // Check for localhost patterns in non-URL strings
+    for (const pattern of localPatterns) {
+      if (normalizedPath.includes(pattern)) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Helper function to check if an IP address is in a private range
+ */
+function isPrivateIP(ip: string): boolean {
+  const ipRegex = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+  const match = ip.match(ipRegex);
+
+  if (!match) {
+    return false;
+  }
+
+  const [, a, b, c, d] = match.map(Number);
+
+  // Validate IP format
+  if (a > 255 || b > 255 || c > 255 || d > 255) {
+    return false;
+  }
+
+  // Private IP ranges
+  return (
+    a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 169 && b === 254) // Link-local
+  );
+}
+
+/**
+ * Helper function to check if a port is typically used for internal services
+ */
+function isInternalPort(port: number): boolean {
+  const internalPorts = [
+    22, // SSH
+    23, // Telnet
+    25, // SMTP
+    53, // DNS
+    135, // RPC
+    139, // NetBIOS
+    445, // SMB
+    993, // IMAPS
+    995, // POP3S
+    1433, // SQL Server
+    1521, // Oracle
+    3306, // MySQL
+    3389, // RDP
+    5432, // PostgreSQL
+    5900, // VNC
+    6379, // Redis
+    8080, // Common internal web
+    8443, // Common internal HTTPS
+    9200, // Elasticsearch
+    27017, // MongoDB
+  ];
+
+  return internalPorts.includes(port);
+}
 /**
  * Determines whether the given path is a filesystem path.
  * This includes "file://" URLs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apidevtools/json-schema-ref-parser",
-  "version": "13.0.4",
+  "version": "14.0.0",
   "description": "Parse, Resolve, and Dereference JSON Schema $ref pointers",
   "scripts": {
     "prepublishOnly": "yarn build",
@@ -46,7 +46,7 @@
       "email": "apis@jonlu.ca"
     }
   ],
-  "homepage": "https://apitools.dev/json-schema-ref-parser/",
+  "homepage": "https://apidevtools.com/json-schema-ref-parser/",
   "repository": {
     "type": "git",
     "url": "https://github.com/APIDevTools/json-schema-ref-parser.git"
@@ -67,16 +67,16 @@
     "cjs"
   ],
   "devDependencies": {
-    "@eslint/compat": "^1.2.9",
-    "@eslint/js": "^9.28.0",
+    "@eslint/compat": "^1.3.0",
+    "@eslint/js": "^9.29.0",
     "@types/eslint": "^9.6.1",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^22",
-    "@typescript-eslint/eslint-plugin": "^8.33.1",
-    "@typescript-eslint/parser": "^8.33.1",
-    "@vitest/coverage-v8": "^3.2.2",
+    "@types/node": "^24",
+    "@typescript-eslint/eslint-plugin": "^8.34.1",
+    "@typescript-eslint/parser": "^8.34.1",
+    "@vitest/coverage-v8": "^3.2.3",
     "cross-env": "^7.0.3",
-    "eslint": "^9.28.0",
+    "eslint": "^9.29.0",
     "eslint-config-prettier": "^10.1.5",
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.31.0",
@@ -88,8 +88,8 @@
     "prettier": "^3.5.3",
     "rimraf": "^6.0.1",
     "typescript": "^5.8.3",
-    "typescript-eslint": "^8.33.1",
-    "vitest": "^3.2.2"
+    "typescript-eslint": "^8.34.1",
+    "vitest": "^3.2.3"
   },
   "dependencies": {
     "@types/json-schema": "^7.0.15",