feat(java): disable Scalar by default

[hanspagel]

Problem

We got this message:

I would like to suggest making the following settings disabled (false) by default:

• scalar.enabled

When scalar.enabled is enabled by default, it can be misleading, especially when using Scalar via the springdoc-openapi-starter-webmvc-scalar Java dependency.

Also, in 2024, the CVE board updated the CNA rules, including the following:

4.1.4 Insecure default configuration settings SHOULD be determined to be vulnerabilities
So, what do you think? Is this an insecure default configuration or not?

And I think we should make this change.

I’d say the Java community is a bit more security sensitive than others, and it just makes sense to give the user full control over it. Especially when our integration is installed as a dependency of another dependency.

Solution

This PR sets scalar.enabled = false by default.

⚠️ Minor release, because breaking change.

Checklist

I've gone through the following:

• I've added an explanation why this change is needed.
• I've added a changeset (pnpm changeset).
• I've added tests for the regression or new feature.
• I've updated the documentation.

[changeset-bot]

🦋 Changeset detected

Latest commit: bd6a180

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@scalar/webjar	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[relativeci]

#12994 Bundle Size — 2.7MiB (+0.31%).

bd6a180(current) vs 12d1843 main#12739(baseline)

Warning

Bundle introduced 2 new packages: @scalar/typebox, js-base64 – View changed packages

Note

Bundle removed 3 duplicate packages – View changed duplicate packages

Bundle metrics   5 changes 1 regression 2 improvements

	Current #12994	Baseline #12739
Initial JS	2.7MiB(+0.31%)	2.69MiB
Initial CSS	0B	0B
Cache Invalidation	100%	0%
Chunks	1	1
Assets	1	1
Modules	1855(-0.91%)	1872
Duplicate Modules	0	0
Duplicate Code	0%	0%
Packages	168(-1.18%)	170
Duplicate Packages	0(-100%)	3

Bundle size by type   1 change 1 regression

	Current #12994	Baseline #12739
JS	2.7MiB (+0.31%)	2.69MiB

Bundle analysis report Branch feat/disable-scalar-by-default Project dashboard

---

^{Generated by RelativeCI Documentation Report issue}

[github-actions]

Preview Examples

https://923d0fb9-d0c7-4ffe-a2da-928e123714bc--scalar-deploy-preview.netlify.app

[github-actions]

Preview Storybook

https://6af862de-9a54-46ee-b129-5d126dc17fef--scalar-components.netlify.app

[github-actions]

Scalar Components Snapshot Test Results

 88 passed

Details

 Open report ↗︎
 88 tests across 18 suites
 19.6 seconds
 bd6a180

[github-actions]

Scalar CDN Snapshot Diff Results

 18 passed

Details

 Open report ↗︎
 18 tests across 1 suite
 33.4 seconds
 bd6a180
 These tests are non-blocking and will not prevent merging of your PR.

Important

These tests detect visual differences between the current PR and the latest CDN build which means they may be affected by other changes in main that haven't been released yet.

They can help determine if the changes in the PR are causing any unexpected visual regressions but may be less helpful in isolating the exact cause. For more details see the readme.