
@mitre/hdf-diff
Structured comparison of HDF evaluation results — tracks what changed, why, and by how much
Compares two HDF results documents and produces a structured diff showing:
Output formats: JSON, Markdown, CSV, terminal (ANSI-colored).
| Package | Relationship |
|---|---|
| hdf-schema | Provides the HDFResults types that hdf-diff consumes |
| hdf-validators | Used to validate comparison output against the HDF comparison schema |
| hdf-cli | hdf diff command wraps this library for CLI use |
| hdf-parsers | Not used — hdf-diff operates on typed structs, not raw JSON |
```bash
npm install @mitre/hdf-diff
```
```typescript
import { diffHdf, render } from '@mitre/hdf-diff';

// Compare two evaluation results
const comparison = diffHdf(oldResults, newResults);

// Render as markdown
const md = render(comparison, { format: 'markdown', detail: 'full' });

// Render as JSON
const json = render(comparison, { format: 'json' });

// Check exit codes for CI
import { computeExitCode, EXIT_IDENTICAL } from '@mitre/hdf-diff';

const code = computeExitCode(comparison);
if (code !== EXIT_IDENTICAL) process.exit(code);
```
hdf-diff supports multiple strategies for matching requirements across evaluations:
```typescript
import { diffHdf, createFuzzyTitleStrategy } from '@mitre/hdf-diff';

const comparison = diffHdf(oldResults, newResults, {
  matchStrategy: createFuzzyTitleStrategy(0.8), // 80% similarity threshold
});
```
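As an added illustration (not code from @mitre/hdf-diff), the following self-contained JavaScript shows what a fuzzy-title matching strategy with a similarity threshold actually does when two evaluations are compared, and how a structured diff and a CI exit code fall out of it. The control shape `{ id, title, status }`, the Dice-coefficient similarity, the function names `createFuzzyTitleMatcher`, `diffControls` and `exitCodeFor`, and the exit-code values (0 identical, 1 regression, 2 other change) are all assumptions made for this example; the library's own types, strategy internals and exit codes may differ.

```javascript
// Added example, not @mitre/hdf-diff code. Control records are assumed to be
// { id, title, status }; real HDF documents nest controls under profiles[].controls[].

// Dice coefficient over lowercase word tokens: 0 = no overlap, 1 = identical.
function titleSimilarity(a, b) {
  const tok = (s) => new Set(s.toLowerCase().split(/\W+/).filter(Boolean));
  const ta = tok(a), tb = tok(b);
  if (ta.size === 0 && tb.size === 0) return 1;
  let shared = 0;
  for (const w of ta) if (tb.has(w)) shared++;
  return (2 * shared) / (ta.size + tb.size);
}

// Strategy: each new control is paired with the best-scoring, still-unmatched old
// control whose title similarity meets the threshold; otherwise it counts as added.
// Old controls left over at the end count as removed.
function createFuzzyTitleMatcher(threshold) {
  return function match(oldControls, newControls) {
    const unmatchedOld = new Set(oldControls);
    const pairs = [];
    for (const n of newControls) {
      let best = null, bestScore = 0;
      for (const o of unmatchedOld) {
        const s = titleSimilarity(o.title, n.title);
        if (s >= threshold && s > bestScore) { best = o; bestScore = s; }
      }
      if (best) {
        unmatchedOld.delete(best);
        pairs.push({ old: best, new: n, score: bestScore });
      } else {
        pairs.push({ old: null, new: n, score: 0 });
      }
    }
    for (const o of unmatchedOld) pairs.push({ old: o, new: null, score: 0 });
    return pairs;
  };
}

// Structured diff: added, removed, changed (status differs) and unchanged controls.
function diffControls(oldControls, newControls, matcher) {
  const diff = { added: [], removed: [], changed: [], unchanged: [] };
  for (const p of matcher(oldControls, newControls)) {
    if (!p.old) diff.added.push(p.new.id);
    else if (!p.new) diff.removed.push(p.old.id);
    else if (p.old.status !== p.new.status)
      diff.changed.push({ id: p.new.id, from: p.old.status, to: p.new.status });
    else diff.unchanged.push(p.new.id);
  }
  return diff;
}

// Assumed CI policy for this example: 0 = identical, 1 = a previously passing
// control no longer passes (regression), 2 = any other change.
function exitCodeFor(diff) {
  const regressed = diff.changed.some((c) => c.from === 'passed' && c.to !== 'passed');
  if (regressed) return 1;
  if (diff.added.length || diff.removed.length || diff.changed.length) return 2;
  return 0;
}

// Constructed sample data: one regression, one retitled control that the fuzzy
// matcher still pairs, one control removed and one added.
const oldResults = [
  { id: 'V-1', title: 'SSH root login must be disabled', status: 'passed' },
  { id: 'V-2', title: 'Audit logging must be enabled', status: 'failed' },
  { id: 'V-3', title: 'Password minimum length', status: 'passed' },
];
const newResults = [
  { id: 'V-1', title: 'SSH root login must be disabled', status: 'failed' },
  { id: 'V-2', title: 'Audit logging must be enabled on hosts', status: 'failed' },
  { id: 'V-4', title: 'Firewall must be active', status: 'passed' },
];

const matcher = createFuzzyTitleMatcher(0.8); // same 80% threshold as above
const comparison = diffControls(oldResults, newResults, matcher);
const exitCode = exitCodeFor(comparison);
console.log(JSON.stringify(comparison, null, 2));
console.log('exit code:', exitCode);
```

Note how the threshold decides the outcome: "Audit logging must be enabled" versus "Audit logging must be enabled on hosts" scores 10/12 ≈ 0.83 and is paired, so V-2 shows as unchanged rather than as one removal plus one addition. Lowering the threshold too far would start pairing unrelated controls that merely share words like "must be", which is why the strategy is opt-in with an explicit value.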
```typescript
import { diffSboms } from '@mitre/hdf-diff';

const sbomDiff = diffSboms(oldSbom, newSbom);
// Shows packages added, removed, updated, or unchanged
```
```bash
hdf diff old-results.json new-results.json
hdf diff old-results.json new-results.json --format markdown
hdf diff old-results.json new-results.json --json
hdf diff --sbom old-sbom.json new-sbom.json
```
Apache-2.0 © MITRE Corporation