Skip to content

build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.3.2#8547

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mitre/hdf-converters-3.3.2
Closed

build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.3.2#8547
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mitre/hdf-converters-3.3.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps @mitre/hdf-converters from 2.13.0 to 3.3.2.

Release notes

Sourced from @​mitre/hdf-converters's releases.

v3.3.2

Changes

8ff70ef chore(release): bump workspace from 3.3.1 to 3.3.2 6d9bd4e fix(converters): preserve legacyhdf v1 fields (refs, skip_message, supports, release) (#120)

Installation

# TypeScript/Node.js — install the packages you need
npm install @mitre/hdf-converters   # converters + schema + parsers + utilities + mappings
npm install @mitre/hdf-validators    # schema validation
npm install @mitre/hdf-diff          # structural diff engine
npm install @mitre/hdf-generators    # InSpec profile generation
Go libraries
go get github.com/mitre/hdf-libs/hdf-converters/v3@v3.3.2
Go CLI — download a binary for your platform from the assets below, then:
chmod +x hdf && sudo mv hdf /usr/local/bin/

Schema Files

Bundled JSON schemas are attached as release assets and hosted at: https://mitre.github.io/hdf-libs/schemas/

v3.3.1

Changes

66257b1 chore(release): bump workspace from 3.3.0 to 3.3.1 59b5e36 fix(converters): resolve Phase 1 timestamp-gate findings (parity + guard hardening) (#117) b8c267f fix(converters): normalize Go custom-layout timestamps to UTC via shared helper (#116) 35cd290 refactor(converters): extract formatTimestampSeconds for hdf-to-* exporters 8c815c0 Fix/timestamp handling (#115) 555b53a docs(release): add swarm-review gate (Phase 1) and beads/issue reconcile (Phase 9) 7bea5ef fix(legacyhdf): align TS converter with Go for byte-parity; refresh snapshots a813230 fix(checklist): reject CKL/CKLB with an empty inner rule set 6c0df0a docs: changelog note for the clean-scan passed-placeholder behavior change 50f4ca5 fix(cli): convert legacy HDF v1 input to any export target (#112) 28881af fix(hdf-converters): emit schema-required result startTime (#114) 1080828 chore: refer to InSpec as a current format, not 'legacy' (#113) d758808 Feat/rev 5 (#111) 6c6d973 docs: forbid docs/ folders inside library packages c777664 chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#107) f325ca1 chore(deps): bump softprops/action-gh-release from 3.0.0 to 3.0.1 (#108) 1d749a1 chore(deps-dev): bump the dev-dependencies group with 7 updates (#110) 938a32d chore(deps): bump pnpm/action-setup from 6.0.8 to 6.0.9 (#109) 79c14be fix(registry): auto-detect NDJSON input (trufflehog --json) (#105) 7888484 fix(input): strip leading UTF-8 BOM from CLI input and auto-detect (#106)

... (truncated)

Changelog

Sourced from @​mitre/hdf-converters's changelog.

[3.3.2] - 2026-06-29

Patch release: a legacy-HDF (InSpec v1) converter fidelity fix. No schema changes — the schema $id URLs stay at v3.3.0.

Fixes

  • legacyhdf-to-hdf now preserves four valid v1 fields it previously dropped, mapping each to its v2 home in both TypeScript and Go (output kept identical across the two): control refsRequirement.refs (empty/contentless refs dropped); result skip_message → result message when no explicit message is present (the skip reason was being lost on ~35% of real InSpec results); profile supportsEvaluatedBaseline.supports (InSpec hyphenated keys mapped to the schema's camelCase fields); and a platform release with no target_id now populates the component's osName/osVersion instead of being discarded. (#120; hdf-libs-9q8o)

Compatibility

  • Additive only: for the same legacy-HDF input the converter now emits more fields than before; no fields were renamed or removed, and output remains schema-valid. v3.3.x documents are unaffected (the change is in the v1→v2 upgrade path).

[3.3.1] - 2026-06-28

Patch release: the NIST Rev 5 default flip, a workspace-wide UTC timestamp normalization that makes converter output byte-identical across TypeScript and Go, and several converter fixes. No schema changes — the schema $id URLs stay at v3.3.0.

New Features

  • Selectable NIST SP 800-53 revision. NIST-emitting mappings are now revision-aware, carrying both Rev 4 and Rev 5 data. A process-global default revision drives every converter that emits NIST control tags; hdf convert --nist-rev <4|5> overrides it per invocation. For explicit, side-effect-free selection the libraries expose per-call *ForRevision lookups (Go) and an optional rev argument on each lookup (TS). (hdf-libs-9sh5)
  • AWS Config revision-alignment guard. When an AWS Config export references managed rules that are mapped only at a NIST revision other than the one selected, aws-config-to-hdf logs one aggregated warning naming the rules and the revision that covers them — their NIST tags are omitted rather than silently dropped without explanation. hdf convert --nist-strict promotes that warning to a hard error. Rules unmapped at every revision are not flagged (a coverage gap, not a revision mismatch). (hdf-libs-9sh5)
  • Legacy InSpec (HDF v1) input converts to any export target. hdf convert now upgrades legacy hdf@1 / InSpec exec-json input in-flight (v1→v2) when the target is a non-HDF export format, instead of failing on the missing modern shape. (#112; closes #104 pt 1)
  • NDJSON input auto-detection. The converter registry detects newline-delimited JSON (e.g. trufflehog --json) without a manual format hint. (#105)

Fixes

  • All converter timestamps are normalized to UTC (trimmed RFC3339) and are now byte-identical across TypeScript and Go. Previously the two implementations could emit different strings for the same instant — TypeScript read zone-less timestamps as host-local while Go read them as UTC, and they diverged on source offset and fractional-second formatting. Parsing/formatting now flows through shared helpers (parseTimestamp / hdfutil.ParseTimestamp, NormalizeTimestamp, formatTimestamp / formatTimestampSeconds, serializeHdf) that coerce every timestamp to UTC at millisecond precision — covering ISO, InSpec, C ctime (Nessus), and vendor formats (Netsparker, ZAP, DBProtect, Veracode). The schema-required result startTime always falls back to a valid value. An ESLint rule and a pnpm lint:timestamps check guard against regressions. (#115, #116, #117; hdf-libs-jmd0, hdf-libs-d2ql, hdf-libs-4dur, hdf-libs-2v64, hdf-libs-6gpa)
  • Every converter result now emits the schema-required startTime. Several TypeScript importers previously omitted it (schema-invalid output); oscal-sar now skips zero-finding assessment results rather than emitting empty baselines, and CycloneDX / JUnit / Defender derive the document timestamp from source data instead of conversion time. (#114; hdf-libs-je13)
  • Leading UTF-8 BOM stripped from CLI input before format detection; a BOM-only file now reports "no input provided" instead of a parse error. (#106)
  • CKL / CKLB with an empty inner rule set is rejected as malformed at parse time, instead of silently producing an empty baseline. (hdf-libs-5u83)
  • legacyhdf-to-hdf TypeScript output aligned to Go for byte-parity — drops non-schema legacy fields, maps resource_classresource, emits trimmed-UTC startTime, and omits empty arrays. (hdf-libs-rf06)

Breaking Changes — Converters

  • The default NIST SP 800-53 revision is now Rev 5 (was Rev 4). Rev 4 was withdrawn in September 2023; Rev 5 is the current catalog. Converters that emit NIST control tags — most visibly aws-config-to-hdf — now emit Rev 5 control identifiers by default. For example, the access-keys-rotated rule maps to AC-3(15) instead of AC-2(1) | AC-2(j). CWE→NIST mappings are unaffected: the control identifiers are identical across revisions (only control names were refreshed), so CWE-based converters produce the same tags as before. To retain Rev 4 output, pass --nist-rev 4. (hdf-libs-9sh5)
  • Converter timestamps that previously preserved a source UTC offset now emit UTC. As part of the normalization above, a converter fed a non-UTC offset (e.g. …-05:00) now emits the equivalent …Z instant — the point in time is unchanged, only the rendering. Most visible in legacyhdf, xccdf-results, splunk, sonarqube, and scoutsuite output for offset-bearing source data.

[3.3.0] - 2026-06-17

New Features

  • CVE ecosystem fields on Evaluated_Requirement and Baseline_Requirement — five new optional, structured fields capture the data ecosystem around a vulnerability finding that previously lived in free-form tags:
    • cvss[] — typed CVSS scoring for all four major versions (v2, v3.0, v3.1, v4.0). Multi-entry to handle multi-CVE findings.
    • epss — EPSS exploit-probability data (percentile + score).
    • kev — CISA Known Exploited Vulnerabilities catalog status.
    • cwe[] — CWE classification IDs.
    • affectedPackages[] — affected-package identifiers (ecosystem + name + version) with a typed ecosystem enum: npm | pypi | gem | maven | nuget | cargo | go | deb | rpm | generic.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by wdower, a new releaser for @​mitre/hdf-converters since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (2.13.0) was attested. Review the package versions before updating.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
@github-actions github-actions Bot enabled auto-merge June 30, 2026 03:02
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.3.2 branch 23 times, most recently from 0218d62 to 0c1fdae Compare July 1, 2026 00:43
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.3.2 branch 27 times, most recently from 58298b5 to a9d9c2c Compare July 3, 2026 06:35
Bumps [@mitre/hdf-converters](https://github.com/mitre/hdf-libs/tree/HEAD/hdf-converters) from 2.13.0 to 3.3.2.
- [Release notes](https://github.com/mitre/hdf-libs/releases)
- [Changelog](https://github.com/mitre/hdf-libs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/mitre/hdf-libs/commits/v3.3.2/hdf-converters)

---
updated-dependencies:
- dependency-name: "@mitre/hdf-converters"
  dependency-version: 3.3.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@sonarqubecloud

Copy link
Copy Markdown

@dependabot @github

dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #8891.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants