build(deps): Bump @mitre/hdf-converters from 2.13.0 to 3.2.0 #7863

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/mitre/hdf-converters-3.2.0

@dependabot dependabot Bot commented on behalf of github May 26, 2026

Bumps @mitre/hdf-converters from 2.13.0 to 3.2.0.

Release notes

Sourced from @mitre/hdf-converters's releases.

v3.2.0

Changes

  • a5b6c9a fix(ci): work around attw + fflate@0.8.3 multi-chunk gunzip bug
  • 43e2a02 chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 (#73)
  • 973e775 chore(deps-dev): bump the dev-dependencies group with 3 updates (#74)
  • a7bd160 Merge branch 'release/v3.2.0-version-bump'
  • e3dce07 docs: reorganize and drop stale plans/RFCs/admin notes
  • 9f73479 chore(beads): untrack runtime/backup cruft, extend .gitignore
  • 6cdef36 chore(claude): add release skill capturing v3.2.0 lessons learned
  • 7efb55f chore(release): align workspace + docs to v3.2.0
  • 9beda89 fix(convert): guide already-HDF input to --to, rename hdf-v2-passthrough → hdf-passthrough (#72)
  • 676b5f3 feat: add ckl-to-hdf converter (DISA STIG Viewer checklist) (#71)
  • a9ffaaf chore(deps): bump golang.org/x/term (#60)
  • 8b4a137 feat: add v3.2.0 control classification fields to Requirement_Core (#70)
  • cd07fab chore(deps): bump pnpm/action-setup from 6.0.4 to 6.0.8 (#67)
  • 4b56290 chore(deps-dev): bump the dev-dependencies group across 1 directory with 9 updates (#68)
  • b7039ee fix: severityToImpact/impactToSeverity accept null + resolve CI security vulnerabilities (#65)
  • 81a70a9 Feat/generate delta (#69)
  • 6d0ef3c chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 (#57)
  • e909211 chore(deps): bump pnpm/action-setup from 4.3.0 to 6.0.4 (#54)
  • 6225692 chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#55)
  • 186ed9e chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 (#56)
  • 7daa91d chore(deps-dev): bump the dev-dependencies group with 8 updates (#58)
  • 42e1701 chore(deps): bump the go-dependencies group in /hdf-cli with 4 updates (#59)
  • 94b5a18 feat(converters): add Checkov-to-HDF converter (#42)
  • ce63de4 Fix/go v3 module paths (#41)
  • 380fee9 docs: overhaul root README and fix release workflow

Installation

# TypeScript/Node.js — install the packages you need
npm install @mitre/hdf-converters   # converters + schema + parsers + utilities + mappings
npm install @mitre/hdf-validators    # schema validation
npm install @mitre/hdf-diff          # structural diff engine
npm install @mitre/hdf-generators    # InSpec profile generation
Go libraries
go get github.com/mitre/hdf-libs/hdf-converters/v3@v3.2.0
Go CLI — download a binary for your platform from the assets below, then:
chmod +x hdf && sudo mv hdf /usr/local/bin/

Schema Files

Bundled JSON schemas are attached as release assets and hosted at: https://mitre.github.io/hdf-libs/schemas/

... (truncated)

Changelog

Sourced from @mitre/hdf-converters's changelog.

[3.2.0] - 2026-05-11

New Features

  • Control classification fields on Requirement_Core — three optional, additive enum fields make catalogs self-describing about how a requirement should be categorized, verified, and applied. All three are optional; v3.1.x documents validate cleanly under v3.2.0 and consumers continue to work unchanged.
    • controlType: policy | procedure | technical | management | operational. Aligns with NIST SP 800-53 / SP 800-53A categories. Lets cross-framework translation (NIST → CIS → CMMC) preserve fidelity instead of forcing heuristic derivation from family conventions.
    • verificationMethod: automated | manual-by-design | manual-pending-automation | hybrid. Disambiguates the two distinct cases that null code overloads today — inherently manual (e.g. FedRAMP 20x KSIs) versus automation-could-exist-but-doesn't-yet (e.g. a STIG rule lacking a fix). Enables automation-coverage metrics across frameworks from HDF alone.
    • applicability: required | optional | advisory. Distinct from severity (risk weight) and status (lifecycle state). Provides a uniform expression for the within-baseline applicability that frameworks already carry in incompatible forms (FedRAMP rev5 OSCAL CORE prop, FedRAMP 20x inline Optional: markers, CIS Implementation Group memberships, CMMC sublevels).
  • Requirement_Core examples expanded with four scenarios covering: v3.1.x-style (classification fields omitted), all-three-fields populated, manual-by-design KSI-style, and manual-pending-automation STIG-style.
  • code field description updated to reference verificationMethod as the canonical way to disambiguate manual-by-design from manual-pending-automation.

Architecture Changes

  • Schema version bumped from v3.1.0 to v3.2.0 across all $id/$ref URLs.

Compatibility

  • Fully backward compatible. New fields are optional; existing v3.1.x documents validate without modification.
  • Surfacing the new fields in consumers is opt-in. Heimdall, hdf-converters, and hdf-validators continue to work unchanged.
  • Internal Go consumer note: the hdf.Automated constant on PlanType was renamed to hdf.PlanTypeAutomated by quicktype to disambiguate against the new VerificationMethodEnum.Automated. One internal caller (hdf-converters/oscal-to-hdf/converter_sap.go) was updated; external Go consumers using the un-prefixed name will see the same compile-time rename.

[3.1.1] - 2026-04-23

Go Module Changes

  • Go module paths now include /v3 suffix per Go major version convention. Consumers update imports from github.com/mitre/hdf-libs/hdf-converters to github.com/mitre/hdf-libs/hdf-converters/v3 (and similarly for all other modules). This enables go install and go get to resolve versions correctly from the module proxy.
  • hdf-schema Go module path corrected from github.com/mitre/hdf-schema to github.com/mitre/hdf-libs/hdf-schema/dist/go/v3.
  • goreleaser ldflags fixed — version, commit, and date are now correctly injected into CLI binaries.
  • hdf-diff/go and hdf-utilities/go added to release workflow — these modules now receive version tags alongside the other Go modules.

[3.1.0] - 2026-04-23

Breaking Changes

  • exception removed from Override_Type enum. The exception override type was redundant with waiver + status: "notApplicable" and has no equivalent in FedRAMP or NIST RMF terminology. Existing HDF documents with "type": "exception" in statusOverrides or standalone overrides will fail schema validation against v3.1.0. Migration: Replace "type": "exception" with "type": "waiver" and set "status": "notApplicable".
  • Python type generation removed. The generated Python types were vestigial and never consumed. Only TypeScript and Go types are generated from v3.1.0 onward.

New Features

  • Override_Type expanded with 3 new values aligned with FedRAMP deviation request categories: falsePositive (scanner incorrectly identified a finding), riskAdjustment (impact score adjusted based on environmental context), operationalRequirement (deviation required by operational constraints)
  • Impact overrides: Status_Override and Standalone_Override now support an optional impact field (Impact_Override object with a value from 0.0 to 1.0). At least one of status or impact must be set (enforced via anyOf).
  • disposition field on Evaluated_Requirement — indicates the type of the governing override or POAM. Enables consumers to distinguish adjudication context (e.g., false positive vs genuinely not applicable).
  • effectiveImpact field on Evaluated_Requirement — the computed impact score (0.0-1.0) after applying the most recent non-expired impact override.
  • vendorDependency added to POAM type enum — tracks fixes that depend on a vendor releasing a patch or update.
  • Comprehensive examples added to Evaluated_Requirement covering all disposition patterns.

Architecture Changes

  • Go diff engine extracted from hdf-cli/pkg/diff/ to hdf-diff/go/ — matches the monorepo pattern used by other packages.
  • hdf-cli/pkg/hdf/ eliminated — all Go code now imports canonical types from hdf-schema/dist/go/.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by wdower, a new releaser for @mitre/hdf-converters since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (2.13.0) was attested. Review the package versions before updating.
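
The two registry signals flagged above (a different publishing account and a missing provenance attestation) can be checked mechanically before a bump is allowed to auto-merge. This is an added example, not part of the pull request or of Dependabot's output; it assumes the npm packument fields `_npmUser` and `dist.attestations.provenance`, and runs on a constructed packument whose package and publisher names are made up.

```javascript
// Constructed packument excerpt in the shape the npm registry serves at
// https://registry.npmjs.org/<name>; package and publisher names are made up.
const samplePackument = {
  name: "example-pkg",
  versions: {
    "1.0.0": {
      _npmUser: { name: "release-bot" },
      dist: {
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.0.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
    "2.0.0": { _npmUser: { name: "new-releaser" }, dist: {} },
  },
};

// Extract the trust-relevant registry metadata for one published version.
function trustFacts(packument, version) {
  const meta = packument.versions?.[version];
  if (!meta) throw new Error(`version ${version} not found in packument`);
  return {
    publisher: meta._npmUser?.name ?? null,
    hasProvenance: Boolean(meta.dist?.attestations?.provenance),
  };
}

// Compare the currently pinned version with the proposed one.
// "publisher-changed" here means the two versions were pushed by different
// accounts (a simplification of "new releaser since your current version").
function reviewBump(packument, fromVersion, toVersion) {
  const from = trustFacts(packument, fromVersion);
  const to = trustFacts(packument, toVersion);
  const findings = [];
  if (from.hasProvenance && !to.hasProvenance) findings.push("provenance-dropped");
  if (from.publisher !== to.publisher) findings.push("publisher-changed");
  // Any finding means a human should look before auto-merge proceeds.
  return { from, to, findings, holdForReview: findings.length > 0 };
}

const result = reviewBump(samplePackument, "1.0.0", "2.0.0");
console.log(JSON.stringify(result, null, 2));
```

In CI the same function can be fed the real packument for the dependency and the two versions named in the pull request title, with `holdForReview` gating the auto-merge step.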


@dependabot dependabot Bot added the dependencies and javascript labels May 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.2.0 branch 2 times, most recently from 49d0512 to 05a5ae8 Compare May 26, 2026 06:11
@github-actions github-actions Bot enabled auto-merge May 26, 2026 06:32
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.2.0 branch 21 times, most recently from a9c7bb9 to 9007124 Compare May 27, 2026 08:11
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/mitre/hdf-converters-3.2.0 branch 28 times, most recently from 6a5fd1f to 946181d Compare May 30, 2026 01:42
Bumps [@mitre/hdf-converters](https://github.com/mitre/hdf-libs/tree/HEAD/hdf-converters) from 2.13.0 to 3.2.0.
- [Release notes](https://github.com/mitre/hdf-libs/releases)
- [Changelog](https://github.com/mitre/hdf-libs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/mitre/hdf-libs/commits/v3.2.0/hdf-converters)

---
updated-dependencies:
- dependency-name: "@mitre/hdf-converters"
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>