How does v4.18.0 improve stateful API testing?

The resource pool now captures more identifiers from diverse response structures and applies them better to nested fields, making stateful scenarios more robust.

What's new for GraphQL testing?

Schemathesis now supports GraphQL fuzzing with producer mutations and ID reuse, plus a new stateful phase for chained operations.

Are there fewer false positives in this version?

Yes, several fixes address false positives in negative data rejection, `use_after_free` checks, and response header conformance, improving report clarity.

Schemathesis v4.18.0: Enhanced API Fuzzing & Stateful Testing

Schemathesis v4.18.0 refines API fuzzing, boosts stateful testing with improved resource pooling, and adds dedicated GraphQL features. Essential for QA engineers.

TL;DR

Resource pool significantly enhanced for stateful API testing, capturing more identifiers from diverse responses.
Coverage and fuzzing data generation logic improved, reducing false positives and increasing test accuracy.
New features for GraphQL fuzzing, including producer mutations and chained operation scenarios.

Key Changes

Schemathesis v4.18.0 brings targeted improvements across several areas.

New Features:

Resource Pool & ID Capture: Expanded capabilities to capture identifiers from map-by-id GET responses, all list elements, and custom wrappers. This enhances stateful testing by providing a richer data source. Nested foreign-key fields in request bodies now also benefit from pool overlays.
Adaptive Testing: The tool now refines generation from 4xx errors for numerous frameworks (e.g., Spring, Pydantic, DRF). It also detects runtime authentication requirements from 401/403 responses and skips operations consistently returning 405 Method Not Allowed, improving test efficiency.
GraphQL Support: Dedicated GraphQL fuzzing now dispatches producer mutations first and reuses captured IDs. A new stateful phase enables chained operation scenarios.
Configuration: Added extra-data-sources for examples/coverage and documented the schemathesis.toml JSON Schema for editor autocompletion.

Fixes & Improvements:

Coverage Phase: Numerous fixes address issues with pattern rewrites, minProperties handling, oneOf/anyOf branches, readOnly fields, and boundary number generation (e.g., multipleOf, exclusiveMinimum/exclusiveMaximum). This ensures more precise and valid test case generation.
Resource Pool Reliability: Corrected issues with mismatched path parameters, nested foreign-key recognition, handling of composite schemas (allOf/oneOf/anyOf), and preventing re-feeding of deleted resource identifiers.
Validation & Reporting: False positives for negative_data_rejection and response_headers_conformance have been resolved. JUnit and Allure reports now accurately reflect test outcomes, even when initial phases have no inline examples.

Impact for QA Teams

This update makes stateful API testing more reliable and effective by improving identifier capture and resource management. QA engineers will benefit from more accurate test data generation, fewer false positives in validation, and enhanced support for GraphQL APIs, leading to more efficient and trustworthy test cycles.

Schemathesis v4.18.0: Enhanced API Fuzzing & Stateful Testing

TL;DR #

Key Changes #

Impact for QA Teams #

Frequently Asked Questions

TL;DR

Key Changes

Impact for QA Teams