Hi Andrey, Thank you for the valuable arguments.
Speaking about micronaut, it is a popular library that provides a lot of build-in features like error handling, auth, IoC, test infrastructure, and many more. The main functionality of micronaut framework is REST, so this library is scanned for vulnerabilities regularly and fixes them asap (looking to [1] it takes about a week). I don't think that Ignite REST server implementation will be scanned as regular as micronaut and issues will be fixed as quickly as micronaut does. As for autogenerated spec, I would mention that manual spec writing introduces the second source of truth for the API. So, implementation declares one API, spec declares another API and there is no prooved contract between them. For example, a developer adds "name" parameter to the existing endpoint and goes to the spec and adds "names" parameter there (makes a mistake). What is the right parameter here "name" or "names"? Also, if there won't be a compatibility test this mistake could go to the production and API spec consumers could get a REST client that is not compatible with the server. > On 19 May 2022, at 00:32, Andrey Gura <ag...@apache.org> wrote: > > I personally don't support any additional 3rd party dependencies as > well as I don't fully understand the value of autogenerated specs for > REST endpoints. In my opinion we have another option: writing spec > manually. This option doesn't require any of proposed dependencies and > allow to avoid possible vulnerabilities. Of course at the cost of > manual actions. > > I understand that my statement is arguable. So I'll just wait for > opinions of other community members.
