chore(deps): update dependency pathling to v9

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pathling	==7.2.0 -> ==9.1.0

---

Release Notes

aehrc/pathling (pathling)

v9.1.0

Compare Source

What's Changed

New features

• Implement SQL on FHIR repeat directive for recursive traversal of nested structures by @​piotrszul in #​2516
• Implement toQuantity() and convertsToQuantity() FHIRPath functions with UCUM unit conversion support by @​piotrszul in #​2514

Bug fixes

• Fix getResourceKey() returning versioned IDs that don't match getReferenceKey() (#​2519) by @​johngrimes in #​2520

Security updates

• Bump ch.qos.logback:logback-core from 1.5.18 to 1.5.19 (CVE-2025-11226) by @​dependabot in #​2506

Other changes

• Migrate to uv and Bun for dependency management by @​johngrimes in #​2515

Full Changelog: aehrc/pathling@v9.0.0...v9.1.0

v9.0.0

Compare Source

This major release includes significant infrastructure upgrades, new FHIRPath functionality, and important bug fixes.

Major changes

Infrastructure upgrades (#​2496)

• Upgrade to Apache Spark 4.0.1
• Upgrade to Java 21
• Upgrade to Scala 2.13
• Upgrade to Python 3.9
• Update git-commit-id-plugin to version 9.0.2 (#​2493)

FHIRPath enhancements

• Implement equality and comparison operations for Quantity types per the FHIRPath specification (#​2495)
• Replace FHIR/Ucum-java with ucumate for improved UCUM performance (#​2511)
• Support for comparing quantities with the same units, including calendar quantities
• Support for comparing calendar duration quantities ≥ seconds with UCUM time quantities

Delta Lake improvements (#​2499 by @​MartinBernstorff)

• Add configurable deletion behaviour when merging Delta tables
• Enable whenNotMatchedBySourceDelete() to allow Delta Lake state to reflect current FHIR server state
• New parameter on write.delta() method to control deletion behaviour

Bug fixes

• Fix ClassCastException when using collection mode with decimal values (#​2509)
  • Resolves issue with extracting decimal values from collections using ofType(Quantity).value with collection: true
  • Refactored decimal handling to use consistent representation across all collection types
  • Fixed decimal string output to use plain format (avoiding exponential notation)

Breaking changes

This release includes breaking changes due to the infrastructure upgrades:

• Minimum Java version is now 21
• Applications must be compatible with Spark 4.0.1
• Python applications require Python 3.9 or later

v8.1.0

Compare Source

This release includes the following changes:

✨ Features

• Implement comparison for date/time types and correct equality implementation (#​2485)
  • Added precision-aware comparison and equality for Date, DateTime and Time types
  • Separated equality (=,!=) from comparison (<,>,<=,>=) operations
  • Corrected equality implementation for non-ordered types (Coding, Boolean)
  • Enabled equality between arrays (non-singular collections) of any two types

🐛 Bug Fixes

• Fix unclear error message for choice element selection (#​2489)
  • Improved error message when users attempt to select FHIR choice elements without using ofType()
  • Changed cryptic "Must have a fhirType or a definition" message to clearer "Selection of mixed collection not supported: [elementName]"

🔧 Dependencies

• Remove hadoop-aws from default Spark config in Python and R libraries (#​2488)
  • Removed automatic inclusion of hadoop-aws dependency in Python and R Spark configurations
  • Fixed trailing comma syntax error in R dependencies

v8.0.2

Compare Source

This release fixes a problem with the library-runtime package, where the version of Gson being used gets overridden by the version in Spark.

Full Changelog: aehrc/pathling@v8.0.1...v8.0.2

v8.0.1

Compare Source

What's Changed

Security updates

• Remove commons-lang (CVE-2025-48924)
• Update Derby to 10.16.1.1 (CVE-2022-46337)

Full Changelog: aehrc/pathling@v8.0.0...v8.0.1

v8.0.0

Compare Source

This release features our new SQL on FHIR view runner, a completely reworked and more performant query engine, and many other changes.

As part of this release, we took the decision to significantly change the focus and scope of Pathling with the purpose of rebuilding it around the SQL on FHIR specification.

This will mean that the server implementation will be temporarily removed. It will also mean that the scope of FHIRPath functions will be temporarily reduced to the minimal FHIRPath subset defined within the SQL on FHIR Shareable View Definition specification (with the exception of the terminology functions).

We have released this functionality as version 8, and we have spawned three work streams to build upon this new foundation:

• Implementation of a new server focused upon the Bulk Data Access IG and the draft SQL
  on FHIR server API. This server will not include the aggregate or extract operations.
• Expansion of the scope of the FHIRPath implementation to achieve full or close to full coverage of the FHIRPath spec.
• Implementation of Parquet on FHIR as the new schema for lossless persistence of FHIR data for analytics.

We think that this is the best way to align Pathling to user needs, and also to make sure that the code base is sustainable going forwards.

If you are a current user of the server, aggregate or extract operations, please continue using the v7.x series. We are happy to continue maintaining and accepting contributions to this series as
requested by users, but will be focusing our enhancement efforts on v8.

Major dependency updates

• Spark 3.5.6
• HAPI 8.2.1
• Java 17

Full Changelog: aehrc/pathling@v7.2.0...v8.0.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	6		0	0	0.02s
✅ DOCKERFILE	hadolint	8		0	0	0.39s
✅ EDITORCONFIG	editorconfig-checker	51		0	0	0.09s
✅ JSON	jsonlint	6		0	0	0.2s
✅ JSON	prettier	6		0	0	0.86s
✅ JSON	v8r	6		0	0	8.23s
⚠️ MARKDOWN	markdownlint	9		6	0	1.26s
✅ REPOSITORY	gitleaks	yes		no	no	0.37s
✅ REPOSITORY	git_diff	yes		no	no	0.02s
⚠️ REPOSITORY	kics	yes		no	2	3.46s
✅ REPOSITORY	secretlint	yes		no	no	2.05s
✅ REPOSITORY	syft	yes		no	no	5.7s
⚠️ REPOSITORY	trivy	yes		7	2	9.73s
✅ REPOSITORY	trivy-sbom	yes		no	no	1.94s
✅ REPOSITORY	trufflehog	yes		no	no	14.21s
✅ YAML	prettier	9		0	0	0.56s
✅ YAML	v8r	9		0	0	7.06s
✅ YAML	yamllint	9		0	0	0.46s

Detailed Issues

⚠️ REPOSITORY / kics - 2 warnings

warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/ml-on-fhir/Dockerfile:43:1
   │
43 │ COPY --chown=${NB_UID}:${NB_GID} requirements.txt /tmp/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/hive-metastore/Dockerfile:30:1
   │
30 │ COPY --from=downloader --chown=0:0 /tmp/libs/*.jar /opt/hive/lib/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: 2 warnings emitted

⚠️ MARKDOWN / markdownlint - 6 errors

images/dsf-bpe-full/CHANGELOG.md:133 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Description"]
images/dsf-bpe-full/CHANGELOG.md:136 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Versions:"]
images/dsf-bpe-full/CHANGELOG.md:136:13 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ':']
images/dsf-bpe-full/CHANGELOG.md:137 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* DFN CA certificate chain fro..."]
images/dsf-bpe-full/CHANGELOG.md:143:31 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Transfer" process ]"]
images/dsf-bpe-full/CHANGELOG.md:144:30 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Sharing" process ]"]

⚠️ REPOSITORY / trivy - 7 errors

error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ images/semantic-release/package-lock.json:4702:1
     │  
4702 │ ╭     "node_modules/npm/node_modules/node-gyp/node_modules/glob": {
4703 │ │       "version": "10.4.5",
4704 │ │       "inBundle": true,
4705 │ │       "license": "ISC",
     · │
4719 │ │       }
4720 │ │     },
     │ ╰^
     │  
     = glob CLI: Command injection via -c/--cmd executes matches with shell:true
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

error: Package: glob
Installed Version: 11.0.3
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ images/semantic-release/package-lock.json:4104:1
     │  
4104 │ ╭     "node_modules/npm/node_modules/glob": {
4105 │ │       "version": "11.0.3",
4106 │ │       "inBundle": true,
4107 │ │       "license": "ISC",
     · │
4124 │ │       }
4125 │ │     },
     │ ╰^
     │  
     = glob CLI: Command injection via -c/--cmd executes matches with shell:true
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

warning: Package: js-yaml
Installed Version: 4.1.0
Vulnerability CVE-2025-64718
Severity: MEDIUM
Fixed Version: 4.1.1, 3.14.2
Link: [CVE-2025-64718](https://avd.aquasec.com/nvd/cve-2025-64718)
     ┌─ images/semantic-release/package-lock.json:2776:1
     │  
2776 │ ╭     "node_modules/js-yaml": {
2777 │ │       "version": "4.1.0",
2778 │ │       "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
2779 │ │       "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
     · │
2786 │ │       }
2787 │ │     },
     │ ╰^
     │  
     = js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and b ...
     = js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

warning: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2025-64118
Severity: MEDIUM
Fixed Version: 7.5.2
Link: [CVE-2025-64118](https://avd.aquasec.com/nvd/cve-2025-64118)
     ┌─ images/semantic-release/package-lock.json:5310:1
     │  
5310 │ ╭     "node_modules/npm/node_modules/tar": {
5311 │ │       "version": "7.5.1",
5312 │ │       "inBundle": true,
5313 │ │       "license": "ISC",
     · │
5323 │ │       }
5324 │ │     },
     │ ╰^
     │  
     = node-tar has a race condition leading to uninitialized memory exposure
     = node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

error: Artifact: images/apache-superset/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/apache-superset/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │ │ set -e
10 │ │ apt-get update -y
11 │ │ apt-get install -y --no-install-recommends alien libaio-dev libaio1 unzip wget
   · │
16 │ │ rm oracle-instantclient-basic-23.6.0.24.10-1.el9.x86_64.rpm
17 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/coder-base/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/coder-base/Dockerfile:14:1
   │  
14 │ ╭ RUN <<EOF
15 │ │ apt-get update
16 │ │ xargs -r -a /tmp/setup/packages.txt apt-get install -y --no-install-recommends
17 │ │ 
   · │
27 │ │ useradd coder --create-home --shell=/bin/bash --uid=10001 --user-group
28 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/hive-metastore/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/hive-metastore/Dockerfile:20:1
   │  
20 │ ╭ RUN <<EOF
21 │ │ chown -R 1000:1000 /opt/hive
22 │ │ apt-get update
23 │ │ apt-get upgrade -y
   · │
27 │ │ rm -rf /var/lib/apt/lists/*
28 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/ml-on-fhir/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/ml-on-fhir/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │ │ apt-get -y update
10 │ │ apt-get install --no-install-recommends -y openjdk-17-jre-headless
11 │ │ rm -rf /var/lib/apt/lists/*
12 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/semantic-release/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/semantic-release/Dockerfile:10:1
   │  
10 │ ╭ RUN <<EOF
11 │ │ apt-get update
12 │ │ apt-get install --no-install-recommends -y git bash
13 │ │ apt-get clean
14 │ │ rm -rf /var/lib/apt/lists/*
15 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

warning: 2 warnings emitted
error: 7 errors emitted

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/[email protected] (53 linters)
• oxsecurity/megalinter/flavors/[email protected] (87 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R