Skip to content

build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.1.0#7284

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mitre/hdf-converters-3.1.0
Closed

build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.1.0#7284
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mitre/hdf-converters-3.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 24, 2026

Copy link
Copy Markdown
Contributor

Bumps @mitre/hdf-converters from 2.13.0 to 3.1.0.

Release notes

Sourced from @​mitre/hdf-converters's releases.

v3.1.0

Changes

680bd14 docs: update CHANGELOG for v3.1.0 release

Installation

# TypeScript/Node.js
npm install @mitre/hdf-schema @mitre/hdf-converters
Go CLI — download a binary for your platform from the assets below, then:
chmod +x hdf && sudo mv hdf /usr/local/bin/

Schema Files

Bundled JSON schemas are attached as release assets and hosted at: https://mitre.github.io/hdf-libs/schemas/

v3.1.0-rc.1

Changes

e6f67b6 fix(deps): bump fast-xml-parser 5.5.7 → 5.7.1 (GHSA-gh4j-gqv2-49f6) 7aaa4f8 refactor: rename Go module paths to github.com/mitre/hdf-libs/* (#40) 646effc chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 (#32) e043664 chore(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 (#31) fed49e8 chore(deps): bump actions/setup-node from 4.4.0 to 6.3.0 (#30) fb74af4 chore(deps-dev): bump the dev-dependencies group with 8 updates (#36) df62509 fix: TypeScript 6 compatibility for create-index and type-check 584e628 chore(deps): bump actions/upload-pages-artifact from 4.0.0 to 5.0.0 (#33) 7a7251b chore(deps): bump actions/setup-go from 5.6.0 to 6.4.0 (#34) fbcd5be chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#35) d5964e6 docs: update READMEs and docs for v3.1.0 release (#37) 2b5d28e fix(site): add hdf-schema dependency for build ordering 573fa32 chore: untrack dist/ build artifacts, remove Python generation 7bea16b chore: untrack dist/ build artifacts, remove Python generation b381156 chore: rebuild generated types for v3.1.0 schema changes bbcdec3 chore: regenerate lockfile after workspace:* to workspace:^ change 680a036 fix: pre-release review fixes for v3.1.0 1604b85 fix(ci): skip node10 resolution checks in attw pre-release lint eb9d0f2 fix(ci): skip node10 resolution checks in attw pre-release lint 2696d14 chore(deps): bump github.com/stretchr/testify (#20) 44eeaad chore(deps): bump actions/download-artifact from 4.3.0 to 8.0.1 (#16) 506ed79 chore(deps): bump github.com/stretchr/testify (#14) 44cf9dc chore(deps): bump github.com/stretchr/testify (#15) e7dd51c chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#17) a1b8879 chore(deps): bump actions/configure-pages from 5.0.0 to 6.0.0 (#18) 3108eb8 chore(deps): bump pnpm/action-setup (#22) eab1169 chore(deps): bump actions/deploy-pages from 4.0.5 to 5.0.0 (#21)

... (truncated)

Changelog

Sourced from @​mitre/hdf-converters's changelog.

[3.1.0] - 2026-04-23

Breaking Changes

  • exception removed from Override_Type enum. The exception override type was redundant with waiver + status: "notApplicable" and has no equivalent in FedRAMP or NIST RMF terminology. Existing HDF documents with "type": "exception" in statusOverrides or standalone overrides will fail schema validation against v3.1.0. Migration: Replace "type": "exception" with "type": "waiver" and set "status": "notApplicable".
  • Python type generation removed. The generated Python types were vestigial and never consumed. Only TypeScript and Go types are generated from v3.1.0 onward.

New Features

  • Override_Type expanded with 3 new values aligned with FedRAMP deviation request categories: falsePositive (scanner incorrectly identified a finding), riskAdjustment (impact score adjusted based on environmental context), operationalRequirement (deviation required by operational constraints)
  • Impact overridesStatus_Override and Standalone_Override now support an optional impact field (Impact_Override object with a value from 0.0 to 1.0). At least one of status or impact must be set (enforced via anyOf).
  • disposition field on Evaluated_Requirement — indicates the type of the governing override or POAM. Enables consumers to distinguish adjudication context (e.g., false positive vs genuinely not applicable).
  • effectiveImpact field on Evaluated_Requirement — the computed impact score (0.0-1.0) after applying the most recent non-expired impact override.
  • vendorDependency added to POAM type enum — tracks fixes that depend on a vendor releasing a patch or update.
  • Comprehensive examples added to Evaluated_Requirement covering all disposition patterns.

Architecture Changes

  • Go diff engine extracted from hdf-cli/pkg/diff/ to hdf-diff/go/ — matches the monorepo pattern used by other packages.
  • hdf-cli/pkg/hdf/ eliminated — all Go code now imports canonical types from hdf-schema/dist/go/.
  • Amendment operations extracted to hdf-diff/go/amend/.
  • Go module paths renamed to github.com/mitre/hdf-libs/* with go.work workspace — enables go get for all Go library modules.
  • dist/ build artifacts untracked — TypeScript and schema dist outputs are now built at install/publish time. Go generated types remain committed (required for go get).

Security Fixes

  • Add ValidateJSONSize to legacyhdf converter
  • Add top-level HTTP client timeout (5 min) to fetcher clients
  • Add CSV formula injection sanitization to diff CSV renderer
  • Add newline escaping to markdown table cell renderer
  • Add schema validation to amend apply command
  • Switch evidence build to size-limited readInputFile
  • Add sanitizeOutput to amend list terminal output
  • Fix thread-safe schema caching in hdf-validators/go (sync.Once with persistent error propagation)
  • Bump fast-xml-parser 5.5.7 → 5.7.1 (GHSA-gh4j-gqv2-49f6, XML comment/CDATA injection)

Quality Improvements

  • Add .golangci.yml to 6 Go library modules
  • Fix broken fixture paths in hdf-diff/go integration tests
  • Fix baselineReqsToEvaluated dropping Severity field
  • Add type-check script to hdf-schema
  • Add dispositionChanged and effectiveImpactChanged to diff engine change detection
  • Track effectiveImpact and disposition in hdf-extension-graph modification detection
  • Schema version bumped from v3.0.0 to v3.1.0 across all $id/$ref URLs

Bug Fixes

  • Fix workspace:*workspace:^ in inter-package dependencies — resolves npm install failure for published packages (#28, #39)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by wdower, a new releaser for @​mitre/hdf-converters since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (2.13.0) was attested. Review the package versions before updating.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 24, 2026
@github-actions
github-actions Bot enabled auto-merge April 24, 2026 01:11
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.1.0 branch 24 times, most recently from e3d53da to 7eae439 Compare April 28, 2026 10:09
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.1.0 branch 25 times, most recently from cbeaa64 to 8387882 Compare May 7, 2026 02:54
@sonarqubecloud

sonarqubecloud Bot commented May 8, 2026

Copy link
Copy Markdown

@dependabot @github

dependabot Bot commented on behalf of github May 13, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

Bumps [@mitre/hdf-converters](https://github.com/mitre/hdf-libs/tree/HEAD/hdf-converters) from 2.13.0 to 3.1.0.
- [Release notes](https://github.com/mitre/hdf-libs/releases)
- [Changelog](https://github.com/mitre/hdf-libs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/mitre/hdf-libs/commits/v3.1.0/hdf-converters)

---
updated-dependencies:
- dependency-name: "@mitre/hdf-converters"
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@sonarqubecloud

Copy link
Copy Markdown

@dependabot @github

dependabot Bot commented on behalf of github May 26, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #7863.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants