chore(deps): update ghcr.io/datasharingframework/bpe docker tag to v2#414
Open
renovate[bot] wants to merge 1 commit intomasterfrom
Open
chore(deps): update ghcr.io/datasharingframework/bpe docker tag to v2#414renovate[bot] wants to merge 1 commit intomasterfrom
renovate[bot] wants to merge 1 commit intomasterfrom
Conversation
✅
|
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 6 | 0 | 0 | 0.04s | |
| ✅ DOCKERFILE | hadolint | 8 | 0 | 0 | 0.63s | |
| ✅ EDITORCONFIG | editorconfig-checker | 51 | 0 | 0 | 0.05s | |
| ✅ JSON | jsonlint | 6 | 0 | 0 | 0.19s | |
| ✅ JSON | prettier | 6 | 0 | 0 | 0.73s | |
| ✅ JSON | v8r | 6 | 0 | 0 | 7.3s | |
| markdownlint | 9 | 6 | 0 | 1.03s | ||
| ✅ REPOSITORY | checkov | yes | no | no | 24.08s | |
| ✅ REPOSITORY | gitleaks | yes | no | no | 0.47s | |
| ✅ REPOSITORY | git_diff | yes | no | no | 0.03s | |
| kics | yes | no | 2 | 4.11s | ||
| ✅ REPOSITORY | secretlint | yes | no | no | 1.88s | |
| ✅ REPOSITORY | syft | yes | no | no | 8.8s | |
| trivy | yes | 11 | 5 | 13.49s | ||
| ✅ REPOSITORY | trivy-sbom | yes | no | no | 2.11s | |
| ✅ REPOSITORY | trufflehog | yes | no | no | 13.97s | |
| ✅ YAML | prettier | 9 | 0 | 0 | 0.53s | |
| ✅ YAML | v8r | 9 | 0 | 0 | 8.0s | |
| ✅ YAML | yamllint | 9 | 0 | 0 | 0.52s |
Detailed Issues
⚠️ REPOSITORY / kics - 2 warnings
warning: The 'Dockerfile' contains the 'chown' flag
┌─ images/ml-on-fhir/Dockerfile:43:1
│
43 │ COPY --chown=${NB_UID}:${NB_GID} requirements.txt /tmp/
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
│
= Chown Flag Exists
= It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership
warning: The 'Dockerfile' contains the 'chown' flag
┌─ images/hive-metastore/Dockerfile:30:1
│
30 │ COPY --from=downloader --chown=0:0 /tmp/libs/*.jar /opt/hive/lib/
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
│
= Chown Flag Exists
= It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership
warning: 2 warnings emitted
⚠️ MARKDOWN / markdownlint - 6 errors
images/dsf-bpe-full/CHANGELOG.md:141 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Description"]
images/dsf-bpe-full/CHANGELOG.md:144 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Versions:"]
images/dsf-bpe-full/CHANGELOG.md:144:13 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ':']
images/dsf-bpe-full/CHANGELOG.md:145 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* DFN CA certificate chain fro..."]
images/dsf-bpe-full/CHANGELOG.md:151:31 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Transfer" process ]"]
images/dsf-bpe-full/CHANGELOG.md:152:30 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Sharing" process ]"]
⚠️ REPOSITORY / trivy - 11 errors
error: Package: @isaacs/brace-expansion
Installed Version: 5.0.0
Vulnerability CVE-2026-25547
Severity: HIGH
Fixed Version: 5.0.1
Link: [CVE-2026-25547](https://avd.aquasec.com/nvd/cve-2026-25547)
┌─ images/semantic-release/package-lock.json:3443:1
│
3443 │ ╭ "node_modules/npm/node_modules/@isaacs/brace-expansion": {
3444 │ │ "version": "5.0.0",
3445 │ │ "inBundle": true,
3446 │ │ "license": "MIT",
· │
3452 │ │ }
3453 │ │ },
│ ╰^
│
= brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion
= @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
┌─ images/semantic-release/package-lock.json:4800:1
│
4800 │ ╭ "node_modules/npm/node_modules/node-gyp/node_modules/glob": {
4801 │ │ "version": "10.4.5",
4802 │ │ "inBundle": true,
4803 │ │ "license": "ISC",
· │
4817 │ │ }
4818 │ │ },
│ ╰^
│
= glob: glob: Command Injection Vulnerability via Malicious Filenames
= Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
error: Package: glob
Installed Version: 11.0.3
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
┌─ images/semantic-release/package-lock.json:4202:1
│
4202 │ ╭ "node_modules/npm/node_modules/glob": {
4203 │ │ "version": "11.0.3",
4204 │ │ "inBundle": true,
4205 │ │ "license": "ISC",
· │
4222 │ │ }
4223 │ │ },
│ ╰^
│
= glob: glob: Command Injection Vulnerability via Malicious Filenames
= Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
warning: Package: js-yaml
Installed Version: 4.1.0
Vulnerability CVE-2025-64718
Severity: MEDIUM
Fixed Version: 4.1.1, 3.14.2
Link: [CVE-2025-64718](https://avd.aquasec.com/nvd/cve-2025-64718)
┌─ images/semantic-release/package-lock.json:2874:1
│
2874 │ ╭ "node_modules/js-yaml": {
2875 │ │ "version": "4.1.0",
2876 │ │ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
2877 │ │ "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
· │
2884 │ │ }
2885 │ │ },
│ ╰^
│
= js-yaml: js-yaml prototype pollution in merge
= js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
warning: Package: lodash
Installed Version: 4.17.21
Vulnerability CVE-2025-13465
Severity: MEDIUM
Fixed Version: 4.17.23
Link: [CVE-2025-13465](https://avd.aquasec.com/nvd/cve-2025-13465)
┌─ images/semantic-release/package-lock.json:2972:1
│
2972 │ ╭ "node_modules/lodash": {
2973 │ │ "version": "4.17.21",
2974 │ │ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
2975 │ │ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
2976 │ │ "license": "MIT"
2977 │ │ },
│ ╰^
│
= lodash: prototype pollution in _.unset and _.omit functions
= Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
warning: Package: lodash-es
Installed Version: 4.17.21
Vulnerability CVE-2025-13465
Severity: MEDIUM
Fixed Version: 4.17.23
Link: [CVE-2025-13465](https://avd.aquasec.com/nvd/cve-2025-13465)
┌─ images/semantic-release/package-lock.json:2978:1
│
2978 │ ╭ "node_modules/lodash-es": {
2979 │ │ "version": "4.17.21",
2980 │ │ "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz",
2981 │ │ "integrity": "sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==",
2982 │ │ "license": "MIT"
2983 │ │ },
│ ╰^
│
= lodash: prototype pollution in _.unset and _.omit functions
= Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
= node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23950
Severity: HIGH
Fixed Version: 7.5.4
Link: [CVE-2026-23950](https://avd.aquasec.com/nvd/cve-2026-23950)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
= node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: [CVE-2026-24842](https://avd.aquasec.com/nvd/cve-2026-24842)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
= node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
warning: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2025-64118
Severity: MEDIUM
Fixed Version: 7.5.2
Link: [CVE-2025-64118](https://avd.aquasec.com/nvd/cve-2025-64118)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: tar: node-tar: Information disclosure via reading a truncated tar file
= node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
warning: Package: undici
Installed Version: 5.29.0
Vulnerability CVE-2026-22036
Severity: MEDIUM
Fixed Version: 7.18.2, 6.23.0
Link: [CVE-2026-22036](https://avd.aquasec.com/nvd/cve-2026-22036)
┌─ images/semantic-release/package-lock.json:7375:1
│
7375 │ ╭ "node_modules/undici": {
7376 │ │ "version": "5.29.0",
7377 │ │ "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
7378 │ │ "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
· │
7385 │ │ }
7386 │ │ },
│ ╰^
│
= undici: Undici: Denial of Service via excessive decompression steps
= Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
error: Artifact: images/apache-superset/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
┌─ images/apache-superset/Dockerfile:8:1
│
8 │ ╭ RUN <<EOF
9 │
(Truncated to 13333 characters out of 16764)
See detailed reports in MegaLinter artifacts
You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:
- oxsecurity/megalinter/flavors/terraform@v9.2.0 (54 linters)
- oxsecurity/megalinter/flavors/cupcake@v9.2.0 (88 linters)
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx mega-linter-runner@9.2.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R
renovate
bot
force-pushed
the
renovate/ghcr.io-datasharingframework-bpe-2.x
branch
from
1dbee57 to
b9682b8
Compare
renovate
bot
force-pushed
the
renovate/ghcr.io-datasharingframework-bpe-2.x
branch
from
b9682b8 to
37167d7
Compare
renovate
bot
force-pushed
the
renovate/ghcr.io-datasharingframework-bpe-2.x
branch
from
37167d7 to
0c8d186
Compare
renovate
bot
force-pushed
the
renovate/ghcr.io-datasharingframework-bpe-2.x
branch
from
0c8d186 to
4f192b1
Compare
renovate
bot
force-pushed
the
renovate/ghcr.io-datasharingframework-bpe-2.x
branch
from
4f192b1 to
8e5a59b
Compare
Trivy image scan report
|
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
libexpat1 |
CVE-2026-24515 | MEDIUM | 2.4.7-1ubuntu0.6 | 2.4.7-1ubuntu0.7 |
libexpat1 |
CVE-2026-25210 | MEDIUM | 2.4.7-1ubuntu0.6 | 2.4.7-1ubuntu0.7 |
No Misconfigurations found
Java
32 known vulnerabilities found (CRITICAL: 9 HIGH: 18 MEDIUM: 4 LOW: 1)
Show detailed table of vulnerabilities
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
ca.uhn.hapi.fhir:org.hl7.fhir.convertors |
CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
ca.uhn.hapi.fhir:org.hl7.fhir.convertors |
CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
ca.uhn.hapi.fhir:org.hl7.fhir.convertors |
CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.r4 |
CVE-2024-45294 | HIGH | 5.1.0 | 6.3.23 |
ca.uhn.hapi.fhir:org.hl7.fhir.r4 |
CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.r4 |
CVE-2024-52007 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.r5 |
CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
ca.uhn.hapi.fhir:org.hl7.fhir.r5 |
CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
ca.uhn.hapi.fhir:org.hl7.fhir.r5 |
CVE-2024-45294 | HIGH | 5.1.0 | 6.3.23 |
ca.uhn.hapi.fhir:org.hl7.fhir.r5 |
CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.r5 |
CVE-2024-52007 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.utilities |
CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
ca.uhn.hapi.fhir:org.hl7.fhir.utilities |
CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
ca.uhn.hapi.fhir:org.hl7.fhir.utilities |
CVE-2024-45294 | HIGH | 5.1.0 | 6.3.23 |
ca.uhn.hapi.fhir:org.hl7.fhir.utilities |
CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.utilities |
CVE-2024-52007 | HIGH | 5.1.0 | 6.4.0 |
ca.uhn.hapi.fhir:org.hl7.fhir.validation |
CVE-2023-24057 | CRITICAL | 5.1.0 | 5.6.92 |
ca.uhn.hapi.fhir:org.hl7.fhir.validation |
CVE-2023-28465 | HIGH | 5.1.0 | 5.6.106 |
ca.uhn.hapi.fhir:org.hl7.fhir.validation |
CVE-2024-51132 | HIGH | 5.1.0 | 6.4.0 |
com.google.guava:guava |
CVE-2023-2976 | MEDIUM | 29.0-jre | 32.0.0-android |
com.google.guava:guava |
CVE-2020-8908 | LOW | 29.0-jre | 32.0.0-android |
com.nimbusds:nimbus-jose-jwt |
CVE-2025-53864 | MEDIUM | 9.37.3 | 10.0.2, 9.37.4 |
net.minidev:json-smart |
CVE-2024-57699 | HIGH | 2.5.1 | 2.5.2 |
org.apache.commons:commons-lang3 |
CVE-2025-48924 | MEDIUM | 3.9 | 3.18.0 |
org.apache.commons:commons-text |
CVE-2022-42889 | CRITICAL | 1.7 | 1.10.0 |
org.apache.httpcomponents:httpclient |
CVE-2020-13956 | MEDIUM | 4.5.12 | 4.5.13, 5.0.3 |
org.apache.tika:tika-core |
CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
org.apache.tika:tika-core |
CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
org.apache.tika:tika-core |
CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
org.apache.tika:tika-core |
CVE-2025-66516 | CRITICAL | 2.9.2 | 3.2.2 |
org.assertj:assertj-core |
CVE-2026-24400 | HIGH | 3.27.6 | 3.27.7 |
org.fhir:ucum |
CVE-2024-55887 | HIGH | 1.0.2 | 1.0.9 |
No Misconfigurations found
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.9.0→2.0.2Release Notes
datasharingframework/dsf (ghcr.io/datasharingframework/bpe)
v2.0.2: 2.0.2 - Maintenance ReleaseCompare Source
General remarks:
Bug Fixes:
dev.dsf.bpe.fhir.client.connections.config.default.enable.debug.loggingwas used for unrelated configuration values to specify the default EnableDebugLogging value for FHIR client connections and the default OidcVerifyAuthorizedParty value for OIDC Client-Credentials-Flow connections. A new property keydev.dsf.bpe.fhir.client.connections.config.default.oidc.verify.authorized.partywas added.in-progress. Additional error handling was implemented to update Task to a statusfailed.dev.dsf.log.min.level.loggerswith default value was added to restore the DSF 1.x behavior.setJsonVariable()mechanism was unable to serialize date/time objects from thejava.timepackage. TheObjectMapperconfiguration was fixed and theJavaTimeModuleadded.Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:
Process Plugin API v1 on Maven Central:
Process Plugin API v2 on Maven Central:
DSF Maven Plugin on Maven Central:
Issues closed:
This release contains contributions from @EmteZogaf, @hhund, @jaboehri, @schwzr and @wetret.
v2.0.1: 2.0.1 - Maintenance ReleaseCompare Source
General remarks:
Bug Fixes:
keyEnciphermentextension, resulted in aFirst certificate from '...' not a client certificateerror (#405). The requirement for thekeyEnciphermentextension was removed with this release.Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:
Process Plugin API v1 on Maven Central:
Process Plugin API v2 on Maven Central:
DSF Maven Plugin on Maven Central:
Issues closed:
This release contains contributions from @hhund and @schwzr.
v2.0.0: 2.0.0 - Major ReleaseCompare Source
General remarks:
Feature Summary:
TaskandQuestionnaireResponseresources. Internal optimizations improve performance forBinaryresources with a new size limit of resources constraint by PostgreSQL's 4TB limit of Large Objects (limits of forwarding- and reverse-proxies for uploads may be smaller).Docker images for this release can be accessed via the GitHub Docker registry - ghcr.io:
Process Plugin API v1 on Maven Central:
Process Plugin API v2 on Maven Central:
DSF Maven Plugin on Maven Central:
Issues closed:
This release contains contributions from @alexanderkiel, @EmteZogaf, @hhund, @jaboehri, @MadMax93, @schwzr and @wetret.
Configuration
📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.