Gathering detailed insights and metrics for @openmrs/esm-module-config
Gathering detailed insights and metrics for @openmrs/esm-module-config
The core modules of the OpenMRS 3.0 Frontend system
Installations
npm install @openmrs/esm-module-configDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
12.16.1
NPM Version
6.13.4
Releases
58
Languages
7
TypeScript
SCSS
JavaScript
Shell
EJS
Dockerfile
CSS
TypeScript (90.59%)
SCSS (5.67%)
JavaScript (3.05%)
Shell (0.36%)
EJS (0.27%)
Dockerfile (0.06%)
Developer
openmrs
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
NOASSERTION License
73 Stars
1,745 Commits
248 Forks
59 Watchers
20 Branches
192 Contributors
Updated on Jul 12, 2025
Maintainers
11
Package Meta Information
Latest Version
0.2.0
Package Id
@openmrs/esm-module-config@0.2.0
Size
56.47 kB
NPM Version
6.13.4
Node Version
12.16.1
Published on
Sep 30, 2020
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
openmrs-esm-module-config
What is this?
This is the configuration library for OpenMRS Microfrontends. It makes configurability easier for developers and configuring easier for implementers.
Contents
- What does an OpenMRS frontend configuration file look like?
- How do I configure my OpenMRS implementation?
- I'm developing an ESM module. How do I make it configurable?
- API
- Contributing & Development
What does an OpenMRS frontend configuration file look like?
OpenMRS frontend configuration files are JSON files containing module names as top-level elements. All configuration elements are optional. The available configuration elements for each module should be documented in the module's wiki page.
Here's an example!
1{ 2 "@openmrs/esm-login-app": { 3 "logo": { 4 "src": "https://pbs.twimg.com/media/C1w_czvWgAAWONL.jpg" 5 } 6 }, 7 "@openmrs/esm-home-app": { 8 "buttons": { 9 "enabled": false 10 } 11 } 12}
Alternatively you can provide your config file as a Javascript file. It will look just about the same, but with some magic words at the beginning:
1exports = {}; 2exports.default = { 3 "@openmrs/esm-login-app": { 4 logo: { 5 src: "https://pbs.twimg.com/media/C1w_czvWgAAWONL.jpg" 6 } 7 }, 8 "@openmrs/esm-home-app": { 9 buttons: { 10 enabled: false 11 } 12 } 13}
How do I configure my OpenMRS implementation?
There are two methods for doing so.
The Simple Way
Upload your configuration file and add its URL to
your import map as a module named config-file. If you are serving your
microfrontends from your OpenMRS server, you can simply add your config
file to your server's frontend/ directory. Your import map will then look like
1{ 2 "imports": { 3 "config-file": "/openmrs/frontend/config.js[on]" 4 } 5}
The Flexible Way (under construction)
Due to RFC-26 this method will not work as described with openmrs-module-spa after 1.0.6. Please hang tight while we work out how to support hierarchal config files in the new architecture.
This method requires you have an esm-root-config override. This allows you to have multiple configuration files, which will be merged together in an order that you specify. You add your configuration files to your root override module, import them, and provide them to esm-module-config. All this must happen before you register your applications.
Example code:
1import { provide } from "@openmrs/esm-module-config"; 2 3import pihConfig from "./pih-config.json"; 4import pihMexicoConfig from "./pih-mexico-config.json"; 5 6provide(pihConfig); 7provide(pihMexicoConfig);
All provided configs will be merged, with elements provided by later calls
to provide taking priority. The import map config file, config-file, will
also be merged, and will take the lowest priority. In the above example,
configuration elements in pih-mexico-config.json will take priority over
those in pih-config.json.
You can break up your configuration files into hierarchies, or per module, or per groups of modules.
I'm developing an ESM module. How do I make it configurable?
You should use this module, esm-module-config, to make your modules configurable.
Start by npm install --save @openmrs/esm-module-config. This is a runtime
dependency, so it should be included in your webpack externals.
The main task is to create a config schema for your module. The config schema
is what tells esm-module-config what configuration files should look like,
including defaults and validations.
Designing a schema
You'll probably start with some idea of what you want configs for your module to look like. Try and put yourself in the implementer's shoes an imagine what features they will expect to be configurable, and what they might expect the configuration property to be called. Assume they don't know anything about the internal workings of your module.
By way of example, let's say we're building a module for a virtual provider functionality at a very futuristic hospital. Maybe we want an implementer to be able to write the following in their config file:
1"@openmrs/esm-hologram-doctor": { 2 "hologram": { 3 "color": true 4 }, 5 "virtualProvider": { 6 "name": { 7 "given": ["Qui", "Gon"] 8 } 9 }, 10 "robots": [ 11 { "name": "R2-D2", "homeworld": "Naboo" }, 12 { "name": "BB-8", "homeworld": "Hosnian Prime" } 13 ] 14}
In the following section, we'll see how to write a config schema that supports these config elements.
Defining a schema
We'll start with just that first nested config element from above, hologram.color. We must provide defaults for all of the values—in OpenMRS Microfrontends, all configuration is optional.
1import { defineConfigSchema, validators, validator } from "@openmrs/esm-module-config" 2 3defineConfigSchema("@openmrs/esm-hologram-doctor", { 4 hologram: { 5 color: { 6 default: false, 7 validators: [validators.isBoolean], 8 description: "Whether the cologram supports color display." 9 } 10 } 11}
Note that each configuration element should have an object for a value, and that this object must define the default for that element. Do not do this:
1❌ // This is wrong!
2❌ defineConfigSchema("@openmrs/esm-hologram-doctor",
3❌ hologram: {
4❌ salutation: "Some friendly default salutation! ? this is wrong!"
5❌ })The following names are reserved and cannot be used as config keys:
default, validators, description, and arrayElements. Doing so
will result in undefined behavior. Do not do this:
1❌ // Don't do this! 2❌ defineConfigSchema("@openmrs/esm-hologram-doctor", 3❌ hologram: { 4❌ salutation: { 5❌ default: { 6❌ default: "Greetings ? this is bad don't do it" 7❌ }}})
Validators
You should provide validators for your configuration elements wherever possible. This reduces the probability that implementers using your module will have hard-to-debug runtime errors. It gives you, the module developer, the opportunity to provide implementers with very helpful explanations about why their configuration on't work.
1robot: { 2 name: { 3 default: "R2D2", 4 validators: [ 5 validators.isString, 6 validator(n => /\d/.test(n), "Robots must have numbers in their names") 7 ] 8 } 9}
(Note that this piece of schema is not part of our above example. It only supports a single robot, whereas we need to allow the implementer to provide an array of robots).
A validator can be created using the validator function, as above.
The first argument is a function that takes the config value as its only argument. If the function returns something truthy, validation passes. If the function returns something falsy, an error is thrown with the second argument as an explanation.
You can even validate nested objects:
1colorPicker: { 2 options: { default: ["black", "red"] } 3 initial: { default: "black" }, 4 validators: [ 5 validator(o => o.options.includes(o.initial), 6 "initial must be one of the options") 7 ] 8}
For convenience, some common validators are provided out of the box. See the API / validators.
Arrays
You can accept and validate arrays, and arrays containing objects, in your
configuration schema. This is configured with the arrayElements parameter. For
example, a schema which would accept an array of strings:
1virtualProvider: { 2 name: { 3 given: { 4 default: ["Obi", "Wan"] 5 arrayElements: { 6 validators: [validators.isString] 7 } 8 } 9 } 10}
Here is an example of a schema that expects an array of objects structured in a particular way.
1robots: { 2 default: [ 3 { name: "R2-D2", homeworld: "Naboo" }, 4 { name: "C-3PO", homeworld: "Tatooine" } 5 ], 6 arrayElements: { 7 name: { validators: [robotNameValidator] }, 8 homeworld: { 9 default: null // not required 10 validators: [validators.isString] 11 } 12 } 13}
This schema will require that any objects in the robots array must only have
the keys name and homeworld.
Freeform objects
In unusual scenarios you might want to accept an object without validating its keys. To do this, you can specify the config element like a normal non-object element.
1beepsPerRobot: { 2 default: { 3 "R2-D2": 4, 4 "C-3P0": 0 5 }, 6 validators: [ // you can (and should) still run validators 7 validators.isObject, 8 validator(o => Object.values(o).every(Number.isInteger), 9 "robot beeps must be integers") 10 ] 11}
Using config values
The generic way
The config is fetched asynchronously using getConfig(moduleName). Continuing the
above example, we would have something like
1import { getConfig } from "@openmrs/esm-module-config" 2 3async function doctorGreeting() { 4 const config = await getConfig("@openmrs/esm-hologram-doctor") 5 return "Hello, my name is Dr. " + config.virtualProvider.name.family 6}
The content of config will be pulled from the config files, falling back to the defaults for configuration elements for which no values have been provided.
React support
A React Hook is provided to hide the asynchronicity of config loading. The
moduleNameprovided to the
openmrs react root decorator
is used to look up the configuration elsewhere in the application.
1export default openmrsRootDecorator({ 2 featureName: "hologram doctor", 3 moduleName: "@openmrs/esm-hologram-doctor" 4})(Root)
You can then get the config tree as an object using the useConfig React hook.
1import { useConfig } from "@openmrs/esm-module-config" 2 3export default function DoctorGreeting() { 4 const config = useConfig() 5 const greeting = "Hello, my name is Dr. " + config.virtualProvider.name.family 6 return <div>{greeting}</div> 7}
The content of config will be pulled from the config files, falling back to the defaults for configuration elements for which no values have been provided.
Support in other frameworks (Angular, Vue, Svelte, etc.)
This hasn't been implemented yet, but we would like to implement it! See "Contributing"
API
Variables
Navigation Functions
Other Functions
Object literals
Variables
Const ModuleNameContext
• ModuleNameContext: Context‹null | string› = React.createContext<string | null>(null)
Defined in react-hook/react-hook.tsx:4
Navigation Functions
ConfigurableLink
▸ ConfigurableLink(__namedParameters: object): Element‹›
Defined in navigation/react-configurable-link.tsx:13
A React link component which calls navigate when clicked
Parameters:
▪ __namedParameters: object
| Name | Type | Description |
|---|---|---|
children | any | Inline elements within the link |
otherProps | otherProps | Any other valid props for an tag except href and onClick |
to | string | The target path or URL. Supports interpolation. See navigate |
Returns: Element‹›
interpolateString
▸ interpolateString(template: string, params: object): string
Defined in navigation/interpolate-string.ts:38
Interpolates values of params into the template string.
Useful for additional template parameters in URLs.
Example usage:
1navigate({
2 to: interpolateString(
3 config.links.patientChart,
4 { patientUuid: patient.uuid }
5 )
6});Parameters:
| Name | Type | Description |
|---|---|---|
template | string | With optional params wrapped in ${ } |
params | object | Values to interpolate into the string template |
Returns: string
navigate
▸ navigate(__namedParameters: object): void
Defined in navigation/navigate.ts:24
Calls location.assign for non-SPA paths and navigateToUrl for SPA paths
Example usage:
1const config = getConfig(); 2const submitHandler = () => { 3 navigate({ to: config.links.submitSuccess }); 4};
Parameters:
▪ __namedParameters: object
| Name | Type | Description |
|---|---|---|
to | string | The target path or URL. Supports templating with 'openmrsBase' and 'openmrsSpaBase'. For example, ${openmrsSpaBase}/home will resolve to /openmrs/spa/home for implementations using the standard OpenMRS and SPA base paths. |
Returns: void
Other Functions
defineConfigSchema
▸ defineConfigSchema(moduleName: string, schema: ConfigSchema): void
Defined in module-config/module-config.ts:20
Parameters:
| Name | Type |
|---|---|
moduleName | string |
schema | ConfigSchema |
Returns: void
getConfig
▸ getConfig(moduleName: string): Promise‹ConfigObject›
Defined in module-config/module-config.ts:29
Parameters:
| Name | Type |
|---|---|
moduleName | string |
Returns: Promise‹ConfigObject›
processConfig
▸ processConfig(schema: ConfigSchema, providedConfig: ConfigObject, keyPathContext: string): Config
Defined in module-config/module-config.ts:42
Validate and interpolate defaults for providedConfig according to schema
Parameters:
| Name | Type | Description |
|---|---|---|
schema | ConfigSchema | a configuration schema |
providedConfig | ConfigObject | an object of config values (without the top-level module name) |
keyPathContext | string | a dot-deparated string which helps the user figure out where the provided config came from |
Returns: Config
provide
▸ provide(config: Config, sourceName: string): void
Defined in module-config/module-config.ts:25
Parameters:
| Name | Type | Default |
|---|---|---|
config | Config | - |
sourceName | string | "provided" |
Returns: void
useConfig
▸ useConfig(): any
Defined in react-hook/react-hook.tsx:8
Returns: any
validator
▸ validator(validationFunction: ValidatorFunction, message: string): Validator
Defined in validators/validator.ts:1
Parameters:
| Name | Type |
|---|---|
validationFunction | ValidatorFunction |
message | string |
Returns: Validator
Object literals
Const validators
▪ validators: object
Defined in validators/validators.ts:66
isBoolean
• isBoolean: function
Defined in validators/validators.ts:69
Type declaration:
▸ (value: any): void | string
Parameters:
| Name | Type |
|---|---|
value | any |
isNumber
• isNumber: function
Defined in validators/validators.ts:68
Type declaration:
▸ (value: any): void | string
Parameters:
| Name | Type |
|---|---|
value | any |
isObject
• isObject: function
Defined in validators/validators.ts:71
Type declaration:
▸ (value: any): void | string
Parameters:
| Name | Type |
|---|---|
value | any |
isString
• isString: function
Defined in validators/validators.ts:67
Type declaration:
▸ (value: any): void | string
Parameters:
| Name | Type |
|---|---|
value | any |
isUrl
• isUrl: function
Defined in validators/validators.ts:72
Type declaration:
▸ (value: any): void | string
Parameters:
| Name | Type |
|---|---|
value | any |
isUrlWithTemplateParameters
• isUrlWithTemplateParameters: isUrlWithTemplateParameters
Defined in validators/validators.ts:73
isUuid
• isUuid: function
Defined in validators/validators.ts:70
Type declaration:
▸ (value: any): void | string
Parameters:
| Name | Type |
|---|---|
value | any |
Contributing & Development
PRs welcome! See OpenMRS Microfrontends RFC-20 for guidelines about contributing.
Setup local development environment for OpenMRS SPA.
Maintainer: Brandon Istenes (bistenes@pih.org)
No vulnerabilities found.
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yml:55
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (27) are checked with a SAST tool
Reason
Found 27/30 approved changesets -- score normalized to 9
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/ci.yml:22
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/e2e.yml:20
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/tx-pull.yml:15
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/tx-push.yml:14
- Warn: no topLevel permission defined: .github/workflows/bundle-size.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/code-ql.yml:25
- Warn: topLevel 'security-events' permission set to 'write': .github/workflows/code-ql.yml:26
- Info: topLevel 'actions' permission set to 'read': .github/workflows/code-ql.yml:24
- Warn: no topLevel permission defined: .github/workflows/docs.yml:1
- Warn: no topLevel permission defined: .github/workflows/e2e.yml:1
- Warn: no topLevel permission defined: .github/workflows/tx-pull.yml:1
- Warn: no topLevel permission defined: .github/workflows/tx-push.yml:1
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundle-size.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/bundle-size.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bundle-size.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/bundle-size.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bundle-size.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/bundle-size.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:154: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-ql.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/code-ql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-ql.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/code-ql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-ql.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/code-ql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-ql.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/code-ql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/docs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/docs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:139: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:185: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:202: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:211: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:216: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/e2e.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tx-pull.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/tx-pull.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/tx-pull.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/tx-pull.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/tx-pull.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/tx-pull.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tx-push.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/tx-push.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/tx-push.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/openmrs/openmrs-esm-core/tx-push.yml/main?enable=pin
- Warn: containerImage not pinned by hash: e2e/support/bamboo/playwright.Dockerfile:1: pin your Docker image by updating mcr.microsoft.com/playwright:v1.50.1-jammy to mcr.microsoft.com/playwright:v1.50.1-jammy@sha256:8845c40cdade98fd7a6cd32df75bfc234cd52b3278f9cd1f9fe8d6291e48ea03
- Warn: containerImage not pinned by hash: e2e/support/github/Dockerfile:2
- Warn: containerImage not pinned by hash: e2e/support/github/Dockerfile:17
- Info: 0 out of 32 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 13 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 containerImage dependencies pinned
Reason
24 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-qrmc-fj45-qfc2
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
5.7
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More