This repository was archived by the owner on Mar 5, 2026. It is now read-only.
Context

We use openFHIR as our FHIR↔openEHR bridge (built from main branch). A Trivy scan on our deployment reveals 12 HIGH CVEs in bundled dependencies (0 CRITICAL after our Feb 25 rebuild).

Affected Dependencies

Tomcat (3 HIGH CVEs — DoS & path traversal)
Spring Boot / Spring Framework (4 HIGH CVEs)
FHIR Core / Utilities (3 HIGH CVEs — XXE)
Other

Suggested Fix

Bump Spring Boot to 3.3.11+ (pulls in Tomcat 10.1.45+ and Spring Framework 6.1.14+ transitively), update FHIR core to 6.4.0+, and bump ucum + json-smart.

Environment

Trivy v0.69
openFHIR built from main branch (commit ~36353671)

Thank you for maintaining openFHIR!
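As an added example that is not part of this issue or of the openFHIR project: a small Python gate that reads a Trivy JSON report (the `Results[].Vulnerabilities[]` layout Trivy writes with `--format json`), tallies findings per severity the way the "12 HIGH / 0 CRITICAL" count above was produced, fails a pipeline on anything at or above a chosen threshold (with an explicit allowlist for accepted findings), and derives the per-package minimum upgrade from the `FixedVersion` fields. The embedded report, its CVE ids and the installed versions are constructed placeholders; the two package names are the Maven coordinates of dependencies the issue mentions (Tomcat and json-smart).

```python
"""Gate a deployment on a Trivy JSON report.

Added example, not openFHIR project code. Assumes Trivy's JSON output layout:
Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion and Severity. The sample report is constructed; its CVE ids and
installed versions are placeholders, not real identifiers.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report shaped like `trivy image --format json` output.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "openfhir (jar)",
        "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "org.apache.tomcat.embed:tomcat-embed-core",
             "InstalledVersion": "10.1.30", "FixedVersion": "10.1.45", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "org.apache.tomcat.embed:tomcat-embed-core",
             "InstalledVersion": "10.1.30", "FixedVersion": "10.1.41, 10.1.45", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "net.minidev:json-smart",
             "InstalledVersion": "2.5.0", "FixedVersion": "2.5.2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00004", "PkgName": "org.example:placeholder-lib",
             "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }]
})


def iter_vulns(report):
    """Yield (target, vulnerability) pairs; Trivy emits null for a clean target."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarize(report):
    """Count findings per severity, producing the HIGH/CRITICAL tally a scan summary shows."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def findings_at_or_above(report, threshold="HIGH", allowlist=frozenset()):
    """Return the findings that should block, skipping explicitly allowlisted ids."""
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for target, v in iter_vulns(report):
        vid = v["VulnerabilityID"]
        if vid in allowlist:
            continue
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= floor:
            blocking.append({"id": vid, "target": target, "pkg": v["PkgName"],
                             "installed": v.get("InstalledVersion", ""),
                             "fixed": v.get("FixedVersion", ""),
                             "severity": v["Severity"]})
    return blocking


def version_key(version):
    """Sort key for dotted versions: numeric parts compare as ints, the rest as text."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def upgrade_plan(findings):
    """Map each package to the highest fixed version needed to clear all its findings.

    Trivy may list several fixed versions separated by commas (one per release
    line); the last one is taken here, which is correct for a single-line bump.
    A package with no fix available maps to None so it is surfaced, not hidden.
    """
    plan = {}
    for f in findings:
        candidates = [p.strip() for p in f["fixed"].split(",") if p.strip()]
        if not candidates:
            plan.setdefault(f["pkg"], None)
            continue
        fixed = max(candidates, key=version_key)
        current = plan.get(f["pkg"])
        if current is None or version_key(fixed) > version_key(current):
            plan[f["pkg"]] = fixed
    return plan


def gate(report_json, threshold="HIGH", allowlist=frozenset()):
    """Return (exit_code, severity_summary, upgrade_plan) for a Trivy JSON report string."""
    report = json.loads(report_json)
    blocking = findings_at_or_above(report, threshold, allowlist)
    return (1 if blocking else 0), summarize(report), upgrade_plan(blocking)


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary, plan = gate(text)
    print("severity summary:", summary)
    for pkg, fixed in sorted(plan.items()):
        print(f"  {pkg}: upgrade to {fixed or 'no fix available'}")
    sys.exit(code)
```

Run it against a real report with `trivy image --format json -o report.json <image>` and then `python trivy_gate.py report.json`; a non-zero exit blocks the deploy, and the printed plan is the list of version bumps to apply.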