Can we disable SSL verification when fetching the target document for generation?

[jrunestone]

I'm on localhost, in a dev container, running my local API on https with a self-signed certificate. When I run orval it can't reach the target URL, so I have to resort to curl:ing the file down first (using -k) and then running orval on the local file instead. I've tried using NODE_TLS_REJECT_UNAUTHORIZED=0 without luck.

[WARN] Failed to parse JSON/YAML from URL: https://localhost:7021/openapi/v1.json
🛑 iac-api - Failed to resolve input: Please provide a valid string value or pass a loader to process the input
🛑 One or more project failed, see above for details

[melloware]

I opened this ticket: APIDevTools/json-schema-ref-parser#416 for refs. Need to look if this can be done in our repo.

[melloware]

Interesting. Ok I opened a ticket on the issues page I wonder if we need to set it on the http request of the URL.

[melloware]

I submitted a PR but CodeQL is flagging it as a High violation! #3089

[snebjorn]

can you try setting it directly in the npm script?

"scripts": {
  "gen-api": "NODE_TLS_REJECT_UNAUTHORIZED=0 oravl"
}

Assuming you're using node and npm. Actually can you post the versions?

[jrunestone]

@snebjorn I'm using "orval": "^8.5.3" and node -v = v24.14.0 and pnpm -v = 10.30.3 (npm -v = 11.9.0) and yeah sorry I've tried that script snippet - is that supposed to work? Orval doesn't seem to take that env into account even if I invoke it manually and not via an npm script.

UPDATE: Hmm I apologize, I was using a *.dev.localhost hostname which isn't working (even with the env and trusted cert) - switching to just localhost works together with NODE_TLS_REJECT_UNAUTHORIZED=0 both directly/cli and via npm scripts :)