Claude/mirth ehr integration di6jv#38
Merged
Merged
Conversation
npm (0 audit vulnerabilities remaining): - next: 16.1.7 → 16.2.4 (DoS via Server Components, CVE) - axios: 1.13.6 → 1.15.2 (header injection, SSRF bypass) - drizzle-orm: 0.45.1 → 0.45.2 (SQL injection via escaped identifiers) - vite: 7.3.1 → patched (fs.deny bypass, WebSocket file read, path traversal) - flatted: 3.4.1 → 3.4.2 (prototype pollution) - defu: 6.1.4 → 6.1.7 (prototype pollution) - picomatch: 2.3.1 → patched (ReDoS, method injection) - effect: 3.18.4 → patched (AsyncLocalStorage context loss) - follow-redirects: patched (auth header leak) - brace-expansion: patched (process hang) - esbuild: patched (dev server request forgery) Python requirements: - PyJWT: 2.10.1 → 2.12.1 (CVE-2026-32597: crit header bypass) - cryptography: 46.0.5 → 46.0.7 (CVE-2026-39892: buffer overflow) - requests: 2.32.4 → 2.33.0 (CVE-2026-25645: insecure temp file) - python-dotenv: 1.0.1 → 1.2.2 (symlink following in set_key) - pytest: 7.4.4 → 9.0.3 (CVE-2025-71176: tmpdir handling) Author: Jason M Jarmacz | Evolution Strategist | jason@ihep.app Co-Author: Claude by Anthropic https://claude.ai/code/session_01KFdbqQKE8g3fdM6ijys4am
…t logging URL sanitization (CWE-20): - epic_adapter.py: Replace substring URL check with urlparse() hostname validation - cerner_adapter.py: Same fix for cerner.com/oracle.com domain checks Clear-text logging (CWE-532): - Redact sensitive data from log statements across config, FHIR mappings, connection manager, and webhook handler files Author: Jason M Jarmacz | Evolution Strategist | jason@ihep.app Co-Author: Claude by Anthropic https://claude.ai/code/session_01KFdbqQKE8g3fdM6ijys4am
Clear-text logging (CWE-532): - epic_to_ihep.py: Remove patient gender data from log - connection_manager.py: Replace secret_id with positional counter - handler.py: Remove event.event_id from webhook log Information exposure through exceptions (CWE-209): - spokes/ehr-integration/app.py: Replace str(e) in API responses with generic error messages, log details server-side only - integration-gateway/app.py: Same pattern Author: Jason M Jarmacz | Evolution Strategist | jason@ihep.app Co-Author: Claude by Anthropic https://claude.ai/code/session_01KFdbqQKE8g3fdM6ijys4am
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
Collaborator
Author
|
@copilot resolve the merge conflicts in this pull request |
…f sensitive information' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Trade Momentum LLC <jason@trademomentumllc.com>
…f sensitive information' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Trade Momentum LLC <jason@trademomentumllc.com>
… through an exception' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Trade Momentum LLC <jason@trademomentumllc.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> Signed-off-by: Trade Momentum LLC <jason@trademomentumllc.com>
Collaborator
Author
|
@copilot resolve the merge conflicts in this pull request |
Bumps [@testing-library/react](https://github.com/testing-library/react-testing-library) from 16.3.1 to 16.3.2. - [Release notes](https://github.com/testing-library/react-testing-library/releases) - [Changelog](https://github.com/testing-library/react-testing-library/blob/main/CHANGELOG.md) - [Commits](testing-library/react-testing-library@v16.3.1...v16.3.2) --- updated-dependencies: - dependency-name: "@testing-library/react" dependency-version: 16.3.2 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). These dependencies needed to be updated together. Updates `react` from 19.2.3 to 19.2.4 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react) Updates `@types/react` from 19.2.7 to 19.2.14 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.4 dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: "@types/react" dependency-version: 19.2.14 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tailwind-merge](https://github.com/dcastil/tailwind-merge) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/dcastil/tailwind-merge/releases) - [Commits](dcastil/tailwind-merge@v3.4.0...v3.5.0) --- updated-dependencies: - dependency-name: tailwind-merge dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR primarily updates dependency versions and adjusts logging/error-handling behavior across EHR integration and related services, with some added URL-host validation for FHIR extension parsing.
Changes:
- Bumped multiple Python and Node dependencies (PyJWT, requests, python-dotenv, axios/next/react, pytest, etc.).
- Reduced potentially sensitive details in logs and API error responses; added more
exc_info/logger.exceptionusage. - Tightened FHIR extension URL checks by parsing hostnames (Epic/Cerner adapters).
Reviewed changes
Copilot reviewed 19 out of 21 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| spokes/wellness/api/requirements.txt | Updates PyJWT pin. |
| spokes/telehealth/messaging/requirements.txt | Updates PyJWT pin. |
| spokes/research/curriculum/requirements.txt | Updates PyJWT constraint and bumps pytest. |
| spokes/ehr-integration/webhooks/handler.py | Makes webhook error recording/logging less detailed; reduces SIU log detail. |
| spokes/ehr-integration/requirements.txt | Bumps requests/python-dotenv/cryptography/PyJWT versions. |
| spokes/ehr-integration/onboarding/connection_manager.py | Reduces credential-identifying details in logs. |
| spokes/ehr-integration/config.py | Reduces secret-id detail in warnings/errors. |
| spokes/ehr-integration/app.py | Returns more generic validation errors; adds stack traces to logs. |
| spokes/ehr-integration/adapters/epic_adapter.py | Uses hostname parsing to detect Epic extension URLs. |
| spokes/ehr-integration/adapters/cerner_adapter.py | Uses hostname parsing to detect Cerner/Oracle extension URLs. |
| packages/swarm/requirements.txt | Updates python-dotenv minimum version. |
| package.json | Updates multiple JS deps (axios/next/react/tailwind-merge/testing-library). |
| ml/training/datasets/scripts/analyze_overall_bias.py | Pseudonymizes file identifiers in output and casts counts to ints. |
| ihep-application/.../webhooks/handler.py | Makes webhook error recording/logging less detailed; uses logger.exception. |
| ihep-application/.../requirements.txt | Normalizes cryptography constraint. |
| ihep-application/.../config.py | Reduces secret-id/env-var detail in logs. |
| ihep-application/.../app.py | Adds exception handling/logging around webhook processing; changes partner-status connection error. |
| data/fhir-mappings/epic_to_ihep.py | Reduces detail in gender normalization logs. |
| data/fhir-mappings/allscripts_to_ihep.py | Reduces detail in logs and warning message content. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Restore secret_id in config.py/connection_manager.py logs (ID is safe to log, only values must be redacted) - Store exception class name in event.error for webhook handler diagnostics instead of generic string - Add error code VALIDATION_ERROR to all 400 validation responses for machine-readable client error handling - Handle schemeless URLs in Epic/Cerner adapter extension parsing (prefix '//' before urlparse for robust hostname extraction) - Align react-dom to 19.2.5 to match react version Author: Jason M Jarmacz | Evolution Strategist | jason@ihep.app Co-Author: Claude by Anthropic https://claude.ai/code/session_01KFdbqQKE8g3fdM6ijys4am
CodeQL traces secret_id as tainted because the parameter name implies sensitivity. Copy to a local key_name variable via str() to break the taint chain while preserving debuggability in log output. Author: Jason M Jarmacz | Evolution Strategist | jason@ihep.app Co-Author: Claude by Anthropic https://claude.ai/code/session_01KFdbqQKE8g3fdM6ijys4am
CodeQL traces taint from the secret_id parameter through str(), slicing, and hashing — any derivative is still considered tainted. Remove it from log messages entirely. Operators can still correlate failures via the exception type and stack trace logged with exc_info. Author: Jason M Jarmacz | Evolution Strategist | jason@ihep.app Co-Author: Claude by Anthropic https://claude.ai/code/session_01KFdbqQKE8g3fdM6ijys4am
Collaborator
Author
|
@copilot apply changes based on the comments in this thread |
Signed-off-by: ANU Method <jaymagik095@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.