HL7 · HL7 FHIR IG Publisher · CVE-2025-24363
**Name of the Vulnerable Software and Affected Versions**
HL7 FHIR IG publisher versions prior to 1.8.9
**Description**
The HL7 FHIR IG publisher has an issue where it exposes usernames and credentials in the built Implementation Guide when using git commands to determine the URL of the originating repo in CI contexts. This occurs if the repo was cloned or set to use a repo with a username and credential-based URL. Users who clone public repos without credentials are not impacted.
**Recommendations**
For versions prior to 1.8.9, update to version 1.8.9 or the latest release.
As a temporary workaround, ensure the IG repo being published does not have a username or credentials included in the `origin` URL: run the command `git remote get-url origin` and verify that the URL it prints contains no username, password, or token.
Alternatively, run the IG Publisher CLI with the `-repo` parameter and specify a URL that contains no username, password, or token.
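The workaround check above can be scripted as a CI step that runs before the publisher. This is an added example, not code from the advisory or the IG Publisher project; the function names and the built-IG directory argument are assumptions.

```shell
#!/bin/sh
# Added example: checks for credential-bearing repo URLs before publishing an IG.

# Exit 0 when the URL has a userinfo part (user, user:password or token), as in
# https://user:token@host/path. scp-style remotes (git@host:org/repo) are reported
# too, matching the advisory's "no username" wording.
url_has_userinfo() {
    url=$1
    case $url in
        *://*)
            authority=${url#*://}           # drop the scheme
            authority=${authority%%[/?]*}   # keep [userinfo@]host[:port]
            ;;
        *:*)
            authority=${url%%:*}            # scp-style: [user@]host:path
            ;;
        *)
            return 1 ;;                     # plain local path
    esac
    case $authority in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check origin of the repo in $1 (default: current directory). The URL itself is
# never printed, so the CI log does not become a second leak.
check_origin() {
    repo=${1:-.}
    url=$(git -C "$repo" remote get-url origin) || return 2
    if url_has_userinfo "$url"; then
        echo "origin URL contains a username or credential; clean it or use -repo" >&2
        return 1
    fi
}

# List files under $1 (a built IG directory, path supplied by the caller) that
# contain a scheme://userinfo@host URL. -l prints file names only, not the match.
scan_built_ig() {
    grep -rlE '[A-Za-z][A-Za-z0-9+.-]*://[^/@[:space:]"<>]+@' "$1"
}
```

Run `check_origin` before the build and fail the job on a non-zero status; `scan_built_ig` exits 0 when it finds at least one file, so any hit on output built with an affected version means the credential should be treated as exposed and rotated.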