It's time for another release of HAPI FHIR.

HAPI FHIR 5.4.0 (Codename: Pangolin) brings a whole bunch of great new features, bugfixes, and more.

Highlights of this release are shown below. See the Changelog for a complete list. There will be a live Webinar (recording available on-demand afterward) on May 20 2021. Details available here: https://www.smilecdr.com/quarterly-product-release-webinar-reminder

Security Changes

• A resource exhaustion vulnerability in the HAPI FHIR JPA server was corrected. Learn more about CVE-2021-32053 here. Thanks to Zachary Minneker at Security Innovation for reporting!

General Client/Server/Parser Changes

• HAPI FHIR now supports OpenAPI (aka Swagger). See here for an example.
• Normalization and Standardization interceptors have been added. These can be used to normalize selected data fields according to configurable rules prior to storage.
• Contained resources can now reference to containing resources, as allowed in the FHIR Specification. Previously this direction was blocked and contained resources with no incoming reference from the containing resource were automatically stripped, as this style was not permitted in early versions of the FHIR specification. In addition, contained resource order will now be preserved during parsing round-trips.
• New interceptors have been added that can automatically map terminology in response resources using HAPI FHIR terminology services, returning configurable canonical terminology in the response payload.
• Support for the FHIR Prefer: handling=lenient header has been added via an optional interceptor.
• The automatic CapabiityStatement generation has been completely rewritten for R4+ servers. CapabilityStatements now include many new data elements, such as supported profiles, revincludes, resource level operations, and more.
• Token Search Parameters in GraphQL expressions are now correctly parsed.

JDK Changes

• HAPI FHIR now supports JDK 16, and this version is used to execute our CI test suite in order to ensure continued compliance. The minimum Java version required in order to use HAPI FHIR remains JDK 8. This may be updated to JDK 11 in an upcoming release, as many of the libraries we use are now either contemplating or have already completed an upgrade to JDK 11 as a minimum requirement.

JPA Server General Changes

• Support for the _list search parameter has been added to the JPA server
• Support for the :contained modifier has been added, allowing searches to select from data in contained resources found within the resource being searches. Note that this feature is disabled by default and must be enabled if needed.
• The JPA server now supports persisting FHIR extensions in Resource.meta
• Bulk Export now supports Patient- and Group- based exports
• Auto-created reference target placeholder resources now include an extension and an identifier if one is known
• A profiling effort led to improvements in performance when processing large FHIR Transaction bundles
• Resources imported into a repository via NPM Packages will now attempt to preserve the resource ID defined in the source package.

JPA Server Performance Changes

• Searches with only a single search parameter now generate a more streamlined SQL expression (one unnecessary JOIN was removed), improving performance.
• A new header X-Upsert-Extistence-Check (note there is a typo in the name, this will be addressed in the next release of HAPI FHIR! Please be aware if you are planning on using this feature) can be added which avoids existence checks when using client assigned IDs to create new records. This can speed up performance.

JPA Server Partitioning Changes

• Resource Reindexing is now supported on partitioned servers.
• FHIR Bulk Export is now supported on partitioned servers (note that this operation is run at the system level and includes data from all partitions. Future enhancements may allow for more nuanced exports on partitioned servers.)

Terminology Server and Validation Changes

• ValueSet expansion can now optionally return codes in the same hierarchy that they are defined in their source CodeSystem.
• Validation can now be configured to return only a warning when a code is found from a CodeSystem that is unknown/unavailable to the validator.

JPA Server MDM Enhancements

• A new search mdm-expansion syntax has been added to FHIR searches on MDM-enabled servers. For example Observation?patient:mdm=Patient/123 can be used to search for Observation resources belonging to Patient/123 but also to other MDM-linked patient records.
• MDM matching rules can now use FHIRPath expressions as selection criteria.
• A new syntax has been added to Group Bulk Export that allows MDM matching to be used to include matches in the group to export.
• MDM matching rules can now match on extensions, checking the URL and Value for equality.
• A new NUMERIC matcher has been added, allowing matching using numeric values.

It's August, so it's time for our next quarterly relese: HAPI FHIR 5.2.0 (Codename: Numbat).

Security Notice:

• Security Issue CVE-2020-24301: An XSS vulnerability has been fixed in the testpage overlay project. This issue affects only the testpage overlay module, but users of this module should upgrade immediately. Note that this issue is addressed in HAPI FHIR 5.1.0 (as well as 5.2.0+) so users who have already upgraded to HAPI FHIR 5.1.0 do not need to upgrade again to resolve this issue. It is listed here as we experienced a delay in obtaining a CVE number.

Major New Features:

• The JPA SearchBuilder (which turns FHIR searches into SQL statements to be executed by the database) has been completely rewritten to not use Hibernate. This allows for much more efficient SQL to be generated in some cases. For some specific queries on a very large test repository running on Postgresql this new search builder performed 10x faster. Note that this new module is enabled by default in HAPI FHIR 5.2.0 but can be disabled via a DaoConfig setting. It is disabled by default in Smile CDR 2020.11.R01 but will be enabled by default in the next major release.

• Support for RDF Turtle encoding has been added, finally bringing native support for the 3rd official FHIR encoding to HAPI FHIR. This support was contributed by Josh Collins and Eric Prud'hommeaux of the company Janeiro Digital. We greatly appreciate the contribution! To see an example of the RDF encoding: hapi.fhir.org/baseR4/Patient?_format=rdf

Terminology Enhancements:

• Integration with remote terminology services has been improved so that required bindings to closed valuesets are no longer delegated to the remote terminology server. This improves performance since there is no need for remote services in this case.

• The CodeSystem/$validate-code operation has been implemented for R4+ JPA servers.

• The JPA Terminology Server is now version aware, meaning that multiple versions of a single CodeSystem can now be stored in a single FHIR terminology server repository. ValueSet expansion, CodeSystem lookup, and ConceptMap translation are all now fully version aware. Note that implementing support for fully versioned terminology is mostly complete, but some validation operations may still not work. This should be completed by our next major release.

• ValueSet expansion with filtering (e.g. using the filter parameter on the $expand operation) has now been implemented in such a way that it fully supports filtering on pre-expanded ValueSets, including using offsets and counts. This is a major improvement for people building picker UIs leveraging the $expand operation.

EMPI Improvements:

• Identifier matchers have been added, providing native FHIR support for matching on resource identifiers

• The $empi-clear operation performance has been greatly improved

Other Notable Improvements:

• A new combined "delete+expunge" mode has been added to the DELETE operation in the JPA server. This mode deletes resources and expunges (physically deletes) them in a single fast operation. Note that with this mode must be enabled, and completely bypasses interceptor hooks notifying registered listeners that data is being deletes and expunged. It is several orders of magnitude faster when deleting large sets of data, and is generally intended for test scenarios.

• The Package Server module now supports installing non-conformance resources from packages.

• The _typeFilter parameter has been implemented for the $bulk-export module.

As always, see the changelog for a full list of changes.

Thanks to everyone who contributed to this release!

It's August, so it's time for our next quarterly relese: HAPI FHIR 5.2.0 (Codename: Manticore).

Notable changes in this release include:

• An XSS vulnerability has been fixed in the testpage overlay project. This issue affects only the testpage overlay module, but users of this module should upgrade immediately. A CVE number for this issue has been requested and will be updated here when it is assigned.

• Support for the new FHIR NPM Package spec has been added. Currently this support is limited to JPA servers, and support should be added to plain servers in the next release. Packages can be imported on startup, either by supplying NPM files locally or by downloading them automatically from an NPM server such as packages.fhir.org. Package contents (the StructureDefinition, CodeSystem, ValueSet, etc. resources in the package) can be installed into the repository, or can be stored in a dedicated set of tables and made available to the validator without actually being installed in the repository.

• Support for the Observation/$lastn operation has been implemented thanks to a partnership with LHNCBC/NIH. This operation uses ElasticSearch to support querying for recent Observations over a set of test codes for one or more patients in a very efficient way.

• The FHIR PATCH operation now supports FHIRPatch in addition to the already supported XML and JSON Patch specs. FHIRPatch is a very expressive mechanism for creating patches and can be used to supply very precise patches.

• A new operatiion called $diff has been added. Diff can be used too generate a FHIRPatch diff between two resrouces, or between two versions of the same resource. For example: http://hapi.fhir.org/baseR4/Patient/example/$diff

• Several performance problems and occasional failures in the resource expunge operation have been corrected

• The memory use for Subscription delivery queues has been reduced

• Snapshot generaton now uses a single snapshot generator codebase for generating snapshots across all versions of FHIR. This makes ongoing maintenance much easier and fixes a number of version specific bugs.

• The maximum cascade depth for cascading deletes is now configurable.

• AuthorizationInterceptor can now fully authorize GraphQL calls, including allowing/blocking individual resources returned by the graph.

• GraphQL now supports POST form (thanks to Kholilul Islam!)

• The LOINC uploader now supports LOINC 2.68

• A new batch job framework has been introduced, leveraging the Spring Batch library. Initial jobs to use this new framework are the Bulk Export and EMPI modules, but eventually all long processes will be adapted to use this new framework.

• TThe HAPI FHIR built-in Terminology Server now includes support for validating UCUM (units of measure), BCP-13 (mimetypes), ISO 4217 (currencies), ISO 3166 (countries), and USPS State Codes.

• It is now possible to disable referential integrity for delete operations for speciific reference paths.

• A regression has been fixed that significantly degraded validation performance in the JPA server for validation of large numbers of resources.

• Unit tests have been migrated to JUnit 5. This change has no user visible impacts, but will help us continue to improve ongoing maintenance of our test suites.

As always, see the changelog for a full list of changes.

Thanks to everyone who contributed to this release!