(chore): Bump Node.js base image from 24.15 to 24.16.
(fix): Bump @fern-api/generator-cli to 0.9.35, which disables minimatch negation
on .fernignore patterns so a stray !pattern no longer silently inverts
the match and discards generator output.
(fix): Fix construct_type crash on bare unparameterized dict, list, and set types.
Previously, get_args() on a bare container returned an empty tuple, causing
ValueError (dict) or IndexError (list/set). Now falls back to returning
the object unchanged, matching Dict[Any, Any] / List[Any] / Set[Any] semantics.
(fix): Fix offset pagination so generated list endpoints emit a real _has_next instead of the
literal True. When the API declares has-next-page on the pagination config, the
generator now reads that response field (bool(_parsed_response.<path>)); otherwise it
falls back to len(_items or []) > 0, matching the TypeScript generator’s
(r?.data ?? []).length > 0 semantics.
Previously every offset-paginated method hardcoded _has_next = True, so
while pager.has_next: pager = pager.next_page() loops never terminated. for x in pager
worked only because the core paginator stops iteration when get_next() returns an empty
page.
Also harden the offset paginator against two latent crashes: nested has-next-page paths
(e.g. $response.metadata.hasNext) are now wrapped in a _parsed_response.metadata is not None guard mirroring the cursor paginator, and _has_next/_get_next are
pre-initialized so endpoints with an optional response type no longer raise NameError
when the server returns a null body.
(fix): Improve SSE event parsing and deserialization performance by caching resolved type hints
and short-circuiting convert_and_respect_annotation_metadata when a type has no aliased
fields. Previously every call recomputed typing.get_type_hints and walked the entire type
graph, which was very expensive for streams parsing many events against large discriminated
unions. Output is unchanged.
(fix): Fix TypedDict alias generation when use_typeddict_requests: true so that
container element types (List[T], Dict[K, V], Set[T]) and direct aliases
(Alias = T) reach for the request-side TParams variant rather than the
Pydantic model T. Without this, request parameters typed as such aliases
rejected dict-literal values at type-check time even though the runtime accepted
them.
Note: list-typed alias bodies now resolve to typing.Sequence[…] instead of
typing.List[…] under use_typeddict_requests, consistent with how endpoint
parameters are already typed. Existing call sites that pass lists continue to
work.
(fix): Fix SSE union discrimination for both data-level and protocol-level contexts.
Data-level: Simplify parse_sse_obj to always parse the SSE data field as
JSON instead of using runtime heuristics. This fixes incorrect routing when the
discriminant field name (e.g., event) collides with an SSE envelope field.
Protocol-level: Generate an if/elif dispatch chain at code-generation time that
routes on _sse.event, parsing each variant’s data payload into its concrete
type. No runtime heuristic — the generator decides the code path statically.
(fix): Fix SSE streaming performance regression by caching pydantic.TypeAdapter instances
in parse_obj_as(). Previously, a new TypeAdapter was constructed on every call, which
is extremely expensive for discriminated union types. This caused ~8x slowdown in SSE
event parsing introduced in v4.51.0 (parse_sse_obj).
(feat): Add support for the x-fern-base-path OpenAPI extension. Root path
parameters declared on the base path are hoisted to the client
constructor; endpoint methods no longer take them as arguments and
URL substitution reads them from the client wrapper.
(fix): Use hasWebSocketInTree IR field to wire WebSocket sub-clients into the
root client, even when the WebSocket channel lives on a nested sub-resource
rather than the top-level namespace package.
(feat): Add output_directory custom config, mirroring the Java generator’s flag.
project-root (default behavior when unset) preserves today’s src/<package>/...
layout with full project scaffolding. source-root writes the source tree
directly without the src/ prefix and skips project scaffolding
(pyproject.toml, requirements.txt, README.md, py.typed, LICENSE,
.github/workflows, .gitignore, tests/ scaffolds, CONTRIBUTING.md,
reference.md) — designed for embedding generated code into an existing
Python project. Composes with package_path; combine with package_name
to drop the <package> wrapper entirely. The legacy flat_layout flag is
preserved as a deprecated alias with bit-exact behavior.
(fix): Fix test_aiohttp_autodetect.py and _default_clients.py to use the
configured package_name instead of the raw organization name. Previously,
when package_name in generators.yml differed from organization in
fern.config.json, the generated aiohttp test used incorrect import paths
and the pip install error message contained a hardcoded literal “package”
instead of the actual package name.
(chore): Update OS packages in the Python SDK generator container from Debian sid to fix
krb5 (CVE-2026-40355, CVE-2026-40356), curl (CVE-2026-1965, CVE-2026-4873,
CVE-2026-5545, CVE-2026-6253, CVE-2026-6429), gnutls28 (CVE-2026-3832),
and expat (CVE-2026-45186).
(fix): Dynamic snippets now render path-parameter arguments in IR (URL / SDK signature) order
rather than in the order they happen to appear in the input request, so generated
examples line up with the actual SDK method signature even when the spec lists path
parameters in a different order.
(fix): Dynamic snippets now pass root-level path parameters to the endpoint method instead
of the client constructor (which does not accept them), and include them alongside
endpoint-level path parameters so the rendered call matches the generated Python SDK
method signature.
(fix): Bump @fern-api/generator-cli to 0.9.28, which sets explicit author and
committer on API-created commits to the Fern bot identity. Fixes commit
attribution on GitHub Enterprise where PAT-based authentication previously
attributed commits to the PAT-owning service account instead of fern-api[bot].
(chore): Bump Poetry from 1.8.5 to 2.4.1 in the python-sdk and pydantic-model
container images. Clears CVE-2026-34591 (Poetry <2.3.3 stored credentials
in cleartext when keyring storage was unavailable). pyproject.toml’s
poetry-core constraint moves from ^1.9.0 to ^2.0.0 to stay in
lockstep with Poetry 2.4.1’s bundled poetry-core 2.4.0 under
virtualenvs.create=false. poetry.lock regenerated under Poetry 2.4.1.
(chore): Patch the bundled ip-address to v10.2.0 in the python-sdk container to
address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in Address6 HTML-
emitting methods). npm 11.12.1 (shipped with node:24.15) bundles
ip-address@10.1.0 via socks; this overlays the published 10.2.0
tarball in place at image build time. Also bumps the container-level
pip to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and
CVE-2026-1703 (self-update flaw running after wheel install). Poetry
stays at 1.8.5 because pyproject.toml’s virtualenvs.create=false flow
requires poetry-core ^1.9.0.
(fix): Stop launching WireMock with --global-response-templating in generated
wire-test docker-compose.test.yml. Response examples containing literal
{{...}} (e.g. FHIR/IPS template strings) are now served verbatim instead
of being passed through WireMock’s Handlebars transformer, which would
fail to resolve them as helpers and return 500.
