Skip to content

build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.3.0#8350

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mitre/hdf-converters-3.3.0
Closed

build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.3.0#8350
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mitre/hdf-converters-3.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor

Bumps @mitre/hdf-converters from 2.13.0 to 3.3.0.

Release notes

Sourced from @​mitre/hdf-converters's releases.

v3.3.0

Changes

c5f2ca7 Release/v3.3.0 prep (#103) 2020f13 fix(cli): route remaining raw doc-load sites through the schema gate (#102) 47e4553 chore(deps-dev): bump the dev-dependencies group with 3 updates (#98) 68048c3 Feat/cli schema validation gate (#100) 92609c8 Docs/site revamp (#99) b7f3e2f feat(hdf-converters): add TS-side HDF schema validation to importer tests (#101) 5024fd9 chore(release): align workspace + docs to v3.3.0 ae7a5bd chore(claude): record version-tier policy in release skill 7c75134 Refactor/lift go fetchers (#94) 581edc0 chore(hdf-fixtures): promote hdf-to-xml minimal.json to shared corpus 450e8b7 Feat/vex interop (#88) 7733f52 Fix/hdf schema helpers types resolution (#87) 38bc5d5 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#91) 6dea7ba chore(deps-dev): bump the dev-dependencies group with 7 updates (#92) 9994937 chore(deps): bump the go-dependencies group in /hdf-cli with 3 updates (#93) 3be5e29 Feat/hdf fixtures corpus and followups (#90) e87c504 refactor(hdf-cli): delegate parse and normalize to hdf-parsers (#89) 96a821b feat(hdf-extension-graph): port to Go (closes hdf-libs-hbhb) (#84) 855a3fd fix(hdf-schema): correct helpers.d.ts import path; move attw to CI (#85) 4407070 fix(hdf-parsers): normalize InSpec no-tz timestamps before validation (#83)

Installation

# TypeScript/Node.js — install the packages you need
npm install @mitre/hdf-converters   # converters + schema + parsers + utilities + mappings
npm install @mitre/hdf-validators    # schema validation
npm install @mitre/hdf-diff          # structural diff engine
npm install @mitre/hdf-generators    # InSpec profile generation
Go libraries
go get github.com/mitre/hdf-libs/hdf-converters/v3@v3.3.0
Go CLI — download a binary for your platform from the assets below, then:
chmod +x hdf && sudo mv hdf /usr/local/bin/

Schema Files

Bundled JSON schemas are attached as release assets and hosted at: https://mitre.github.io/hdf-libs/schemas/

v3.2.0

Changes

a5b6c9a fix(ci): work around attw + fflate@0.8.3 multi-chunk gunzip bug 43e2a02 chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 (#73)

... (truncated)

Changelog

Sourced from @​mitre/hdf-converters's changelog.

[3.3.0] - 2026-06-17

New Features

  • CVE ecosystem fields on Evaluated_Requirement and Baseline_Requirement — five new optional, structured fields capture the data ecosystem around a vulnerability finding that previously lived in free-form tags:
    • cvss[] — typed CVSS scoring for all four major versions (v2, v3.0, v3.1, v4.0). Multi-entry to handle multi-CVE findings.
    • epss — EPSS exploit-probability data (percentile + score).
    • kev — CISA Known Exploited Vulnerabilities catalog status.
    • cwe[] — CWE classification IDs.
    • affectedPackages[] — affected-package identifiers (ecosystem + name + version) with a typed ecosystem enum: npm | pypi | gem | maven | nuget | cargo | go | deb | rpm | generic.
    • Four new primitive schemas back the additions: affected-package, cvss, epss, kev. See site/docs/guides/cve-ecosystem.md for the migration path away from tags.cvss_base_score/tags.cve and the multi-release deprecation timeline. (#75)
  • justification enum on Standalone_Override and Status_Override — 5-value enum from the VEX ecosystem (component_not_present, vulnerable_code_not_present, vulnerable_code_not_in_execute_path, vulnerable_code_cannot_be_controlled_by_adversary, inline_mitigations_already_exist). Complements the existing free-text reason field: reason is the auditor-readable rationale, justification is the machine-readable category for filtering / aggregation / lossless round-trip with structured ecosystems (CSAF VEX, OpenVEX, CycloneDX VEX). Open for additive extension as OSCAL / FedRAMP DR vocabularies are integrated. (#88)
  • CVSS enrichment on riskAdjustment amendmentshdf amend draft auto-scaffolds a cvss block on riskAdjustment stubs when the source requirement is a CVE-ecosystem finding. Headless validation: syntactic CVSS-vector check via hdf-utilities.ValidateCvssVector; soft stderr warning when impact.value and cvss.computedScore / 10 disagree by more than 0.05 (never blocks). (#82)
  • @mitre/hdf-extension-graph Go port — 1:1 mirror of the TypeScript implementation: same four-phase BuildExtensionGraph, same five derived methods on ContextualizedRequirement (Root, IsRedundant, FullCode, ExtensionChain, Modifications). 100% test coverage. Cross-language equivalence test runs both implementations against the same fixture and diffs their canonical JSON dumps, pinning Go↔TS parity going forward. (#84)
  • @mitre/hdf-fixtures workspace package — shared real-world fixture corpus (private; cross-package tests only) with both TS and Go APIs. Owns wild-data references for cross-package consumers. Inclusion bar is strict: at least two workspace packages must actively consume a file before it lands here, and the original location's copy is deleted (no duplicates). Initial corpus: multilayered-inspec.json promoted from hdf-extension-graph (now also consumed by hdf-parsers). (#90)
  • hdf convert / hdf fetch validate Amendments outputdetectHDFDocType recognizes amendments (top-level overrides[]) alongside results/baseline; validateHDFOutput calls ValidateAmendments for the amendments doc type. Schema-invalid amendments output is blocked before writing to disk. (#88)
  • Uniform CLI schema validation gate across all 7 HDF doc typeshdf-cli's input/output gate previously covered Results, Baseline, and Amendments; System, Plan, Evidence Package, and Comparison now route through the same gate at every load and write site (system.go, list.go, system_create.go, system_component.go, plan_create.go, doc_set.go shared helper, evidence_build.go, diff.go). Schema-invalid HDF docs are rejected before mutation or disk write; load sites refuse undetected-type input. (Closes hdf-libs-m58u; #100)
  • hdf-parsers gains ParseSystem / ParsePlan / ParseEvidencePackage / ParseComparison in both Go and TypeScript, mirroring the existing ParseResults / ParseBaseline shape (normalize-timestamps, schema-validate, decode, trailing-garbage check). The auto-detect Parse / parse extends to all 7 doc types. Library-API parity, not just CLI internal scaffolding — downstream consumers (heimdall2, saf-cli) get the symmetric surface. (#100)
  • TS-side schema validation harness for converter importer testshdf-converters/test/helpers/expectValidHdf.ts adds expectValidResults / expectValidBaseline / expectValidAmendments helpers backed by @mitre/hdf-validators. 26 converter test suites now assert schema validity on at least one success path, matching the Go-side discipline. (Closes hdf-libs-nrr4; #101)

Fixes

  • InSpec timestamp normalization in hdf-parsers — the InSpec runner emits ISO 8601 timestamps without a timezone designator (e.g. "2026-03-25T22:56:27.736808"), which the HDF schema's date-time format check and Go's time.Time JSON unmarshal both reject. Real-world result: any Go HDF consumer reading actual InSpec output got zero-valued or partial HDFResults. The new normalizeTimestamps helper in hdf-parsers finds JSON-quoted bare ISO timestamps via regex and appends Z (treating them as UTC, matching what JS Date.parse and InSpec itself assume). Applied at the top of ParseResults and ParseBaseline before schema validation and json.Decode. Already-RFC3339 strings and timestamp-shaped substrings inside prose values are left alone. (Closes hdf-libs-2nm0; #83)
  • hdf-cli parse + normalize now delegate to hdf-parsersparseHDFResults / parseHDFBaseline in input.go previously re-implemented the parser pipeline, bypassing #83's bare-timestamp normalization. Every CLI command that loaded HDF (list, query, diff) crashed on real InSpec output; validate.go had the same problem on a separate code path. CLI now delegates to hdfparsers.ParseResults / ParseBaseline; validate.go runs hdfparsers.NormalizeTimestamps before validators.Validate. Verified end-to-end against multilayered-inspec.json (1603 reqs, all timestamps lack TZ). (Closes hdf-libs-mccc; #89)
  • AWS Config converter synthesizes notApplicable for zero-evaluation ruleshdf fetch aws-config previously wrote requirements with results: [] when a deployed Config rule evaluated zero in-scope resources, violating the schema's minItems: 1 invariant. Both Go and TS converters now synthesize a single notApplicable result in that case, with a codeDesc explaining the rule's check ran but had no scope. Matches AWS Config's own console depiction (a dash, not "Compliant") — auditors see that no determination was made, not a vacuous "passed". (Fixes #80; #81)
  • hdf-schema/helpers.d.ts import pathhelpers.d.ts imported from ../dist/ts/hdf-results.js, which was the per-document file removed by #77's combined-output refactor. Every attw entry that re-exports from ./helpers.js failed type resolution post-merge, breaking the Pre-release checks workflow on main. Repointed to the consolidated ../dist/ts/hdf.js. Also moved publint + arethetypeswrong from pre-release.yml into ci.yml so packaging defects surface on the PR that introduces them, not after merge to main. (#85, #87)
  • sbomRef / systemRef produced by hdf system and hdf plan create were schema-invalid on Windows. The HDF System and Plan schemas require these fields to be uri-reference-formatted, but the CLI wrote the raw OS path. On Windows, backslashes in C:\Users\…\foo.json violate the format. Apply filepath.ToSlash at the four write sites (system_create.go FromSBOM, system_component.go add + update, plan_create.go). No behavior change on POSIX. Pre-existing cross-platform bug, surfaced by the new schema gate.
  • CLI test isolation: TestSchemaDirFlag no longer leaks validators.schemaDir to other tests in the package. Adds t.Cleanup to reset the package-global after the test runs. Previously caused later tests to load schemas from disk instead of the embedded copy, which manifested as missing-schema failures on the CI Coverage job whenever the build artifact's hdf-schema/dist/schemas/ was incomplete.
  • System-create / SBOM-import component-type mapping was producing schema-invalid Component.type values (compute, storage, other). With the v3.3.0 closed 11-value enum (see Validation Changes below), the mapping is now identity for the 11 valid types; CycloneDX SBOM mappings updated accordingly. Surfaced by the new CLI schema gate.

Breaking Changes — CLI

  • Converter generator.name now identifies each converter individually. Previously ~9 converters (nessus, all 5 oscal-* sub-converters, trufflehog, junit, xccdf-results, plus ckl / cklb via a shared helper) emitted the generic literal 'hdf-converters'. They now emit their own name (e.g. 'nessus-to-hdf', 'oscal-poam-to-hdf'). Downstream tools that pivot on generator.name == 'hdf-converters' to detect "any HDF converter output" must broaden the check (e.g. match against the substring -to-hdf).
  • hdf diff --json renames componentDiffsextensions.componentSummaries. The CLI's per-component compliance aggregation reused the schema's componentDiffs[] JSON key for a structurally different shape (it carried compliance metrics, not Component_Diff state-change records, and lacked the schema-required state field). To satisfy hdf-comparison's unevaluatedProperties: false constraint, the aggregation now ships under the schema's tool-data extensions slot at extensions.componentSummaries. Downstream consumers parsing componentDiffs from hdf diff --json --system output must update the JSON path. (#100)

Breaking Changes — Converters

  • oscal-poam-to-hdf now outputs an HDF Amendments document, not Results. OSCAL POA&M is consumer-attached remediation context — the same conceptual shape as the poam override type — so it belongs alongside the VEX converters (openvex, csaf-vex, cyclonedx-vex) as an amendment-output converter. Each poam-item becomes one Standalone_Override (type poam) with milestones; risks[] populate the override's requirementId and status. The CLI auto-detects amendments via the top-level overrides[], so downstream hdf validate / hdf amend apply work without flags. Consumers that previously parsed hdf convert --from oscal-poam output as Results must switch to Amendments (see site/docs/guides/oscal-alignment.md § POA&M to Amendments).

Breaking Changes — TypeScript

  • Generated enum type renames (no deprecation aliases provided). External code that imports any of the following from @mitre/hdf-schema must update the identifier:
    • CopyrightTargetType (component/target type discriminator)
    • OwnerTypeIdentityType (identity kind: email/username/system/simple/other)
    • StatusMilestoneStatus (POA&M milestone status)
    • SbomFormatSBOMFormat
    • PoamTypePOAMType
  • Document root type renames with deprecation aliases. Code importing the old names from @mitre/hdf-schema keeps compiling for now via @deprecated aliases; expect those aliases removed in a future bump. Migrate to the canonical names:
    • HdfResultsHDFResults
    • HdfBaselineHDFBaseline

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by wdower, a new releaser for @​mitre/hdf-converters since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (2.13.0) was attested. Review the package versions before updating.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 18, 2026
@github-actions
github-actions Bot enabled auto-merge June 18, 2026 01:21
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.3.0 branch 25 times, most recently from f716552 to 4fa37fc Compare June 19, 2026 01:01
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.3.0 branch 27 times, most recently from fbba956 to f760b52 Compare June 24, 2026 01:02
Bumps [@mitre/hdf-converters](https://github.com/mitre/hdf-libs/tree/HEAD/hdf-converters) from 2.13.0 to 3.3.0.
- [Release notes](https://github.com/mitre/hdf-libs/releases)
- [Changelog](https://github.com/mitre/hdf-libs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/mitre/hdf-libs/commits/v3.3.0/hdf-converters)

---
updated-dependencies:
- dependency-name: "@mitre/hdf-converters"
  dependency-version: 3.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #8547.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants