
chore(deps): update dependency hapifhir/org.hl7.fhir.core to v6.8.0 #252

Open

renovate[bot] wants to merge 1 commit into master from renovate/all-minor-patch

Conversation

@renovate renovate bot (Contributor) commented Feb 1, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| hapifhir/org.hl7.fhir.core | minor | 6.7.10 → 6.8.0 |

Release Notes

hapifhir/org.hl7.fhir.core (hapifhir/org.hl7.fhir.core)

v6.8.0

Compare Source

Validator Changes

  • Add support for imposing a timeout on the validator
  • Check for circular definitions when validating Structure and Operation definitions
  • Update compliesWith checker to handle value set bindings
  • Fix bug where slice .min is not set to zero for multiple slices when slicing is closed
  • Fix bug in version checking with current and dev when loading packages
  • fix logic checking for canonical resources when they are custom resources
  • Remove spurious warning in the console log about loading simplifier IGs
  • fix precedence error in FHIRPath implementation
  • Fix definitions of -ig, -cert and -matchetype parameters on the CLI
  • Allow -allow-example-urls to work with true/false as well
  • Use json when testing tx servers
  • refactor http server and add commands for stop, loadIG and txtest

Other code changes

  • update language sources and fix some french phrases
  • Add better support for extended operations in OpenAPI (#​2278)
  • Fix up json logic for suppressing resourceType when rendering fragments
  • Add identifier(s) to summary table when rendering resources
  • Add support for rendering with messageIds rather than language specific message (translator troubleshooting)
  • upgrade pubpack version
  • Refactor OperationOutcome construction
  • rebuild r5 tx cache for new terminology server
  • Minor fixes to mini-terminology server for tx ecosystem tests compliance
  • fix version tests
  • general improvements to test robustness
  • make version comparison more robust
  • make json parsing more robust
  • add format to terminology client
  • Update junit5 to 5.14.0 and platform launcher to 1.14.0
  • Bump ch.qos.logback:logback-core from 1.5.20 to 1.5.25
  • Sync logback and logback-classic versions
  • Fix dependency location error in POM

v6.7.11

Compare Source

Validator Changes

  • The command line interface has been rewritten. This is a backward compatible change detailed here

Other code changes

  • minor changes for rewriting tx.fhir.org
  • Fix XHTMLToMarkdownConverter - it was removing spaces around bolded and similar elements. (See updated test cases)
  • Added a removeLanguageTranslation method to ExtensionUtilities
  • Added constants, messages, and rendering phrases (with translations) to support enhanced rendering of requirements statements
  • make json parsing more robust
  • Fixes for concurrent access of package cache in Windows environments

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions bot commented Feb 1, 2026

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 4 | | 0 | 0 | 0.01s |
| ✅ DOCKERFILE | hadolint | 1 | | 0 | 0 | 0.2s |
| ✅ JSON | jsonlint | 6 | | 0 | 0 | 0.21s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.56s |
| ✅ JSON | prettier | 6 | | 0 | 0 | 0.66s |
| ✅ JSON | v8r | 6 | | 0 | 0 | 7.81s |
| ✅ MARKDOWN | markdownlint | 2 | | 0 | 0 | 0.8s |
| ✅ MARKDOWN | markdown-table-formatter | 2 | | 0 | 0 | 0.39s |
| ✅ REPOSITORY | checkov | yes | | no | no | 32.15s |
| ✅ REPOSITORY | dustilock | yes | | no | no | 0.15s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.43s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.03s |
| ❌ REPOSITORY | grype | yes | | 4 | 2 | 53.24s |
| ⚠️ REPOSITORY | kics | yes | | no | 1 | 40.25s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.57s |
| ✅ REPOSITORY | syft | yes | | no | no | 4.43s |
| ❌ REPOSITORY | trivy | yes | | 4 | no | 13.59s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.89s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 7.81s |
| ✅ YAML | prettier | 10 | | 0 | 0 | 0.65s |
| ✅ YAML | v8r | 10 | | 0 | 0 | 8.84s |
| ✅ YAML | yamllint | 10 | | 0 | 0 | 0.72s |

Detailed Issues

❌ REPOSITORY / grype - 4 errors
warning: A medium vulnerability in npm package: lodash, version 4.17.21 was found at: /package-lock.json

warning: A medium vulnerability in npm package: lodash, version 4.17.21 was found at: /package-lock.json

error: A high vulnerability in npm package: glob, version 10.4.5 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

warning: 2 warnings emitted
error: 4 errors emitted
❌ REPOSITORY / trivy - 4 errors
error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ package-lock.json:1127:1
     │  
1127 │ ╭     "node_modules/minizlib/node_modules/glob": {
1128 │ │       "version": "10.4.5",
1129 │ │       "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
1130 │ │       "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
     · │
1145 │ │       }
1146 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-23950
Severity: HIGH
Fixed Version: 7.5.4
Link: [CVE-2026-23950](https://avd.aquasec.com/nvd/cve-2026-23950)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
     = node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, in which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data, should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: [CVE-2026-24842](https://avd.aquasec.com/nvd/cve-2026-24842)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
     = node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

error: 4 errors emitted
⚠️ REPOSITORY / kics - 1 warning
warning: Dockerfile doesn't contain instruction 'HEALTHCHECK'
  ┌─ Dockerfile:1:1
  │
1 │ FROM docker.io/library/eclipse-temurin:21-jre-noble@sha256:67fc762eabacb56e5444b367889e04ce8c839b8f4b3d8ef3e459c5579fbefd8a
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  │
  = Healthcheck Instruction Missing
  = Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

warning: 1 warning emitted

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.2.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 287531e to 0b69643 on February 3, 2026 21:43

@renovate renovate bot changed the title from "chore(deps): update dependency hapifhir/org.hl7.fhir.core to v6.7.11" to "chore(deps): update dependency hapifhir/org.hl7.fhir.core to v6.8.0" on Feb 3, 2026

@github-actions github-actions bot commented Feb 3, 2026

Trivy image scan report

ghcr.io/miracum/ig-build-tools:pr-252 (ubuntu 24.04)

26 known vulnerabilities found (HIGH: 0 MEDIUM: 12 LOW: 14 CRITICAL: 0)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| libpng16-16t64 | CVE-2025-28162 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.4 |
| libpng16-16t64 | CVE-2025-28164 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.4 |
| libpng16-16t64 | CVE-2025-64505 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.1 |
| libpng16-16t64 | CVE-2025-64506 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.1 |
| libpng16-16t64 | CVE-2025-64720 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.1 |
| libpng16-16t64 | CVE-2025-65018 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.1 |
| libpng16-16t64 | CVE-2025-66293 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.3 |
| libpng16-16t64 | CVE-2026-22695 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.3 |
| libpng16-16t64 | CVE-2026-22801 | MEDIUM | 1.6.43-5build1 | 1.6.43-5ubuntu0.3 |
| libssl3t64 | CVE-2025-15467 | MEDIUM | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2025-68160 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2025-69418 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2025-69419 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2025-69420 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2025-69421 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2026-22795 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libssl3t64 | CVE-2026-22796 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| libtasn1-6 | CVE-2025-13151 | MEDIUM | 4.19.0-3ubuntu0.24.04.1 | 4.19.0-3ubuntu0.24.04.2 |
| openssl | CVE-2025-15467 | MEDIUM | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2025-68160 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2025-69418 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2025-69419 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2025-69420 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2025-69421 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2026-22795 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |
| openssl | CVE-2026-22796 | LOW | 3.0.13-0ubuntu3.6 | 3.0.13-0ubuntu3.7 |

No Misconfigurations found

Java

12 known vulnerabilities found (LOW: 2 CRITICAL: 0 HIGH: 4 MEDIUM: 6)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| ch.qos.logback:logback-core | CVE-2024-12798 | MEDIUM | 1.2.13 | 1.5.13, 1.3.15 |
| ch.qos.logback:logback-core | CVE-2025-11226 | MEDIUM | 1.2.13 | 1.5.19, 1.3.16 |
| ch.qos.logback:logback-core | CVE-2024-12801 | LOW | 1.2.13 | 1.5.13, 1.3.15 |
| ch.qos.logback:logback-core | CVE-2026-1225 | LOW | 1.2.13 | 1.5.25 |
| com.nimbusds:nimbus-jose-jwt | CVE-2025-53864 | MEDIUM | 9.37.3 | 10.0.2, 9.37.4 |
| commons-beanutils:commons-beanutils | CVE-2025-48734 | HIGH | 1.9.4 | 1.11.0 |
| org.apache.commons:commons-lang3 | CVE-2025-48924 | MEDIUM | 3.14.0 | 3.18.0 |
| org.fhir:ucum | CVE-2024-55887 | HIGH | 1.0.3 | 1.0.9 |
| org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli | CVE-2024-52807 | HIGH | 1.7.1 | 1.7.4 |
| org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli | CVE-2025-24363 | MEDIUM | 1.7.1 | 1.8.9 |
| org.hl7.fhir.publisher:org.hl7.fhir.publisher.core | CVE-2024-52807 | HIGH | 1.7.1 | 1.7.4 |
| org.hl7.fhir.publisher:org.hl7.fhir.publisher.core | CVE-2025-24363 | MEDIUM | 1.7.1 | 1.8.9 |

No Misconfigurations found

Node.js

6 known vulnerabilities found (CRITICAL: 0 HIGH: 4 MEDIUM: 2 LOW: 0)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| glob | CVE-2025-64756 | HIGH | 10.4.5 | 11.1.0, 10.5.0 |
| lodash | CVE-2025-13465 | MEDIUM | 4.17.21 | 4.17.23 |
| lodash | CVE-2025-13465 | MEDIUM | 4.17.21 | 4.17.23 |
| tar | CVE-2026-23745 | HIGH | 7.4.3 | 7.5.3 |
| tar | CVE-2026-23950 | HIGH | 7.4.3 | 7.5.4 |
| tar | CVE-2026-24842 | HIGH | 7.4.3 | 7.5.7 |

No Misconfigurations found

Ruby

No Vulnerabilities found

No Misconfigurations found

root/.dotnet/tools/.store/firely.terminal/3.4.0/firely.terminal/3.4.0/tools/net8.0/any/Firely.Terminal.deps.json

No Vulnerabilities found

No Misconfigurations found
