I'm not quite understanding the limitation on only referencing local files. As far as I understand it, this is only referenced from JavaScript (running locally) and (AFAIK?) this only runs against trusted input, assuming you trust your own markdown. Being able to reference a URL to a live hosted OpenAPI spec seems like a desirable feature so you can point it at a live server, but perhaps I'm missing something?

At first I thought about external hosting servers, which don't necessarily trust the markdown, in which case an external user adding !!swagger /etc/passwd!! would cause a copy of the file. That's why I blocked non-local paths.

Referencing a remote JSON however without it copying any file is totally safe and effects only the JS running on the end user's machine.

Thanks for your contribution :-)