VASTlint
Back to blog
Product update/6 min read

Content Taxonomy authority validation and shareable reports land in vastlint 0.8.0

vastlint 0.8.0 validates the authority attribute on <Category> and <BlockedAdCategories> against the IAB Content Taxonomy registry, and vastlint check --share now returns a public report link. Four new rules, 191 total, plus a crates.io housekeeping note for cargo users.

Author

Alex Sekowski

Published

July 5, 2026

Updated

July 5, 2026

Reading time

6 min read

Content TaxonomyBrand safetyVAST validatorAd opsRelease

What shipped

vastlint 0.8.0 adds IAB Content Taxonomy authority validation: four new rules that check the value of the authority attribute on <Category> and <BlockedAdCategories> elements, bringing the catalog to 191 rules. Presence checks existed already; these validate what the attribute actually says.

Shareable report links are also live. vastlint check tag.xml --share validates as usual, uploads the report, and prints a public vastlint.org/r/ URL you can paste into Slack, a ticket, or a partner escalation. The tag itself never leaves your machine.

Both run everywhere the core runs: the CLI, the Rust, JS, Python, Ruby, Go, and Elixir libraries, the web validator, and the hosted MCP server at vastlint.org/mcp.

Why the authority attribute matters

A category code like IAB6-7 means nothing on its own. It is a key into a taxonomy, and the authority attribute names which one: the URL of the organization that maintains the category list. VAST 4.0 made authority required on <Category>, and VAST 4.1 added it to <BlockedAdCategories>.

In production tags, authority carries everything from bare domains to typos to free prose. A malformed value breaks category mapping for every downstream system that tries to resolve it. On <BlockedAdCategories> the failure is quieter and worse: a block list nobody can resolve blocks nothing, and the wrapper's brand safety intent silently evaporates.

Three authorities, three different verdicts
xml
<Category authority="my taxonomy">IAB6-7</Category><Category authority="taxonomy.example.com">IAB6-7</Category><Category authority="https://www.iabtechlab.com/IABTC/2.2">IAB6-7</Category>

What vastlint reports on that snippet

  • VAST-4.0-category-authority-not-uri (warning) on the first: "my taxonomy" cannot be read as an authority URL, so no downstream system can resolve the codes.
  • VAST-4.0-category-authority-unknown (info) on the second: well-formed, but not an IAB Content Taxonomy registry host. Custom taxonomies are legal per spec, which is why this is Info rather than a warning; it only works if every party in the chain resolves the same authority.
  • The third passes clean. Bare domains (iabtechlab.com), scheme and www prefixes, iabtechlab.com subdomains such as ads.iabtechlab.com, and version-qualified paths like iabtechlab.com/IABTC/2.2 are all recognised forms.
  • The same pair of checks runs on <BlockedAdCategories> in wrappers from VAST 4.1 up, as VAST-4.1-blockedadcategories-authority-not-uri and VAST-4.1-blockedadcategories-authority-unknown.

Shareable report links

Validation results usually die in a terminal scrollback. When the problem is in a partner's tag, you end up screenshotting output or pasting JSON into a ticket. --share replaces that with a link: the report page shows every issue with its rule ID, severity, location, and spec reference, links each rule to its docs page, and works for whoever you send it to, no account needed.

What gets uploaded is the report, never the tag: rule IDs, severities, XPath locations, messages, and summary counts. The input XML stays local. --share is off by default and independent of telemetry, and the default no-storage behaviour of every other vastlint surface is unchanged.

Get VAST spec updates, platform guides, and release notes in your inbox.

One flag, one link
sh
$ vastlint check preroll.xml --share...Shareable report: https://vastlint.org/r/f63a5b935c

If you install with cargo

A housekeeping note for crates.io users: a release pipeline bug meant versions 0.6.3 through 0.7.2 published to npm, PyPI, RubyGems, and hex.pm but never reached crates.io. The pipeline is fixed and both crates are current again. If cargo install vastlint-cli has been serving you 0.6.2, reinstalling picks up macro validation, --share, and the taxonomy rules in one jump.

Also in 0.8.0

  • Project governance docs: GOVERNANCE.md (roles, key custody, continuity plan), a Contributor Covenant 2.1 code of conduct, a rewritten CONTRIBUTING.md with a DCO requirement and an explicit test policy, and a security assurance case in SECURITY.md. Part of ongoing OpenSSF Best Practices Silver work.
  • The web validator at vastlint.org/validate now runs the current core, so browser results match the CLI rule for rule.
  • Full details in the changelog, linked below.

Check your authorities now

Paste a VAST tag into the validator. If a Category or BlockedAdCategories authority is malformed or unresolvable, you get the rule ID, the exact location, and the fix.

Open the validator

Authoritative references

The registry the new authority checks resolve against, including current taxonomy versions.

VAST specificationIAB Tech Lab

VAST 4.x defines the authority attribute on Category (4.0) and BlockedAdCategories (4.1).

Everything in 0.8.0, including the release pipeline fix for crates.io.

All 191 rules with examples and fix guidance, including the four new authority rules.

Keep reading

Related stories

All posts