
fix(core): validate/remove unused securitySchemes and securityDefinitions correctly #2830

Open

tatomyr wants to merge 1 commit into main from fix/unused-security-schemes

Conversation

@tatomyr
Collaborator

@tatomyr tatomyr commented May 21, 2026

What/Why/How?

  • Updated the no-unused-components rule to validate unused security schemes
  • Fixed the remove-unused-components decorator to remove unused security schemes (fixed in Swagger 2.0; added in OAS 3.x)

Reference

Resolves #944

Testing

Internal tests passed: https://github.com/Redocly/redocly/pull/23392

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

Medium Risk
Changes remove-unused-components bundling behavior and no-unused-components lint output for security schemes, which may remove additional components and introduce new warnings in existing specs.

Overview
Extends unused-component handling to security schemes: remove-unused-components now treats security requirements as usage and will remove truly unused securitySchemes (OAS3) and securityDefinitions (OAS2), including transitive/derived schemes.

Updates the no-unused-components rule to also warn on unused components.securitySchemes, and refreshes docs/changesets and e2e snapshots to reflect the new warnings and potentially more aggressive pruning.

Reviewed by Cursor Bugbot for commit 10890ac.

@changeset-bot

changeset-bot Bot commented May 21, 2026

🦋 Changeset detected

Latest commit: 10890ac

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages:

  Name                    Type
  @redocly/openapi-core   Patch
  @redocly/cli            Patch
  @redocly/respect-core   Patch


@tatomyr tatomyr force-pushed the fix/unused-security-schemes branch from f9e0615 to 91e2f41 Compare May 21, 2026 12:19
@tatomyr
Collaborator Author

tatomyr commented May 21, 2026

@cursor review

@github-actions
Contributor

github-actions Bot commented May 21, 2026

CLI Version Mean Time ± Std Dev (s) Relative Performance (Lower is Faster)
cli-latest 2.040s ± 0.032s ▓ 1.01x
cli-next 2.019s ± 0.021s ▓ 1.00x (Fastest)

@github-actions
Contributor

github-actions Bot commented May 21, 2026

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 81.05% (🎯 80%) 7299 / 9005
🔵 Statements 80.4% (🎯 80%) 7583 / 9431
🔵 Functions 84.07% (🎯 83%) 1462 / 1739
🔵 Branches 72.54% (🎯 72%) 4938 / 6807
File Coverage
File Stmts Branches Functions Lines Uncovered Lines
Changed Files
packages/core/src/decorators/oas2/remove-unused-components.ts 93.61% 90.9% 83.33% 95.23% 31, 96-101
packages/core/src/decorators/oas3/remove-unused-components.ts 96.15% 92.1% 100% 97.91% 28, 172
packages/core/src/rules/oas3/no-unused-components.ts 96.29% 86.66% 100% 100% 43
Generated in workflow #9925 for commit 10890ac by the Vitest Coverage Report Action

Comment thread packages/core/src/rules/oas3/no-unused-components.ts
@tatomyr tatomyr marked this pull request as ready for review May 21, 2026 12:48
@tatomyr tatomyr requested review from a team as code owners May 21, 2026 12:48
@tatomyr tatomyr added the snapshot Create experimental release PR label May 21, 2026
@github-actions
Contributor

📦 A new experimental 🧪 version v0.0.0-snapshot.1779373140 of Redocly CLI has been published for testing.

Install with NPM:

npm install @redocly/cli@0.0.0-snapshot.1779373140
# or
npm install @redocly/openapi-core@0.0.0-snapshot.1779373140
# or
npm install @redocly/respect-core@0.0.0-snapshot.1779373140

⚠️ Note: This is a development build and may contain unstable features.

@tatomyr tatomyr force-pushed the fix/unused-security-schemes branch from 91e2f41 to 25d2099 Compare May 22, 2026 11:17
@tatomyr tatomyr added snapshot Create experimental release PR and removed snapshot Create experimental release PR labels May 22, 2026
@github-actions
Contributor

📦 A new experimental 🧪 version v0.0.0-snapshot.1779448714 of Redocly CLI has been published for testing.

Install with NPM:

npm install @redocly/cli@0.0.0-snapshot.1779448714
# or
npm install @redocly/openapi-core@0.0.0-snapshot.1779448714
# or
npm install @redocly/respect-core@0.0.0-snapshot.1779448714

⚠️ Note: This is a development build and may contain unstable features.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 25d2099.

reference: 'https://redocly.com/docs/cli/rules/oas/no-unused-components',
});
}
},


Early unused scheme reporting

Medium Severity

The no-unused-components rule reports security schemes as unused too early. It flags them when visiting NamedSecuritySchemes, before all security blocks (like those in x-webhooks or components.pathItems) are processed, leading to false positives.


Reviewed by Cursor Bugbot for commit 25d2099.
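The behaviour the PR description asks for (treat every `security` requirement as a usage, then prune only schemes nothing references) and the failure mode Bugbot points at (reporting while some containers are still unvisited) are easiest to see side by side in a small two-pass checker. The block below is an added example written for this page, not code from the Redocly PR or from `@redocly/openapi-core`; the type names, the function names and the constructed sample document are all assumptions. It walks the root `security` block, `paths`, `webhooks`, `x-webhooks` and `components.pathItems` before deciding anything, so a scheme used only by a webhook is not flagged or removed.

```typescript
// Added example, not code from the Redocly PR: a two-pass "unused security
// schemes" check for an OpenAPI 3.x document. Pass 1 walks every container in
// which a `security` requirement can appear; pass 2 compares the names seen
// against components.securitySchemes. Type and function names are assumed.

type SecurityRequirement = Record<string, string[]>;

interface Operation {
  security?: SecurityRequirement[];
}

// A path item maps HTTP method names to operations (other keys are ignored).
interface PathItem {
  [key: string]: Operation | unknown;
}

interface OpenApi3 {
  openapi: string;
  security?: SecurityRequirement[];
  paths?: Record<string, PathItem>;
  webhooks?: Record<string, PathItem>;      // OAS 3.1
  'x-webhooks'?: Record<string, PathItem>;  // vendor extension named in the review comment
  components?: {
    securitySchemes?: Record<string, unknown>;
    pathItems?: Record<string, PathItem>;   // OAS 3.1
  };
}

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Every key of a security requirement object names a scheme in
// components.securitySchemes; an empty array (`security: []`) names nothing.
function collectFromRequirements(reqs: SecurityRequirement[] | undefined, used: Set<string>): void {
  for (const req of reqs ?? []) {
    for (const name of Object.keys(req)) {
      used.add(name);
    }
  }
}

function collectFromPathItems(items: Record<string, PathItem> | undefined, used: Set<string>): void {
  for (const item of Object.values(items ?? {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method] as Operation | undefined;
      if (op && typeof op === 'object') {
        collectFromRequirements(op.security, used);
      }
    }
  }
}

// Pass 1: gather every referenced scheme name from the whole document before
// anything is reported, so a scheme used only by a webhook or a reusable
// path item is not flagged just because those blocks are visited last.
function collectUsedSecuritySchemes(doc: OpenApi3): Set<string> {
  const used = new Set<string>();
  collectFromRequirements(doc.security, used);
  collectFromPathItems(doc.paths, used);
  collectFromPathItems(doc.webhooks, used);
  collectFromPathItems(doc['x-webhooks'], used);
  collectFromPathItems(doc.components?.pathItems, used);
  return used;
}

// Pass 2 (lint): report the unused scheme names, sorted for stable output.
function findUnusedSecuritySchemes(doc: OpenApi3): string[] {
  const used = collectUsedSecuritySchemes(doc);
  return Object.keys(doc.components?.securitySchemes ?? {})
    .filter((name) => !used.has(name))
    .sort();
}

// Pass 2 (decorator): return a pruned copy, leaving the input document untouched.
function removeUnusedSecuritySchemes(doc: OpenApi3): OpenApi3 {
  const copy: OpenApi3 = JSON.parse(JSON.stringify(doc));
  const schemes = copy.components?.securitySchemes;
  if (schemes) {
    for (const name of findUnusedSecuritySchemes(copy)) {
      delete schemes[name];
    }
  }
  return copy;
}

// Constructed sample document: three schemes used in three different
// containers and one (legacyBasic) that nothing references.
const sampleDoc: OpenApi3 = {
  openapi: '3.1.0',
  security: [{ apiKey: [] }],
  paths: {
    '/pets': { get: { security: [{ petstoreAuth: ['read:pets'] }] } },
  },
  'x-webhooks': {
    newPet: { post: { security: [{ webhookSig: [] }] } },
  },
  components: {
    securitySchemes: {
      apiKey: { type: 'apiKey', in: 'header', name: 'X-API-Key' },
      petstoreAuth: { type: 'oauth2', flows: {} },
      webhookSig: { type: 'http', scheme: 'bearer' },
      legacyBasic: { type: 'http', scheme: 'basic' },
    },
  },
};

console.log('unused:', findUnusedSecuritySchemes(sampleDoc)); // [ 'legacyBasic' ]
```

Run it with `npx tsx example.ts` (or compile with `tsc`). The point of the split into `collectUsedSecuritySchemes` and the two consumers is the ordering: a single-pass visitor that emits a warning at the moment it reaches `components.securitySchemes` has no way of knowing whether a later `x-webhooks` or `components.pathItems` block still references the scheme, which is exactly the false positive the review comment describes; collecting first and deciding once the walk is complete removes that dependency on visit order. For the decorator the same ordering mistake is worse than a warning, since it deletes a scheme that an operation still requires.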

@tatomyr tatomyr force-pushed the fix/unused-security-schemes branch from 25d2099 to 10890ac Compare May 22, 2026 12:09

Development

Successfully merging this pull request may close these issues.

Remove unused components removes used security schemes
