FHIR NPM Package Spec

From HL7Wiki
Jump to: navigation, search

A FHIR package groups a coherent collection of conformance resources, like StructureDefinitions and ValueSets into an easily distributed NPM package. FHIR packages use a subset of the features used by npm packages.

All FHIR Implementation Guides are published as NPM packages, one package for each IG. Additional packages containing subsets of a package information can be created.

Package name

Each package has a canonical name (a globally unique identifier). A package name consists of one or more namespaces separated by a dot. Each namespace starts with an lowercase alphabet character followed by a lowercase alphanumeric character or a dash.

The first part of the namespace should identify the author, the authoring organization, or region. The second part of the namespace should identify the functional scope or purpose of the package.


 hl7.fhir.core (main build)


A fhir package should not contain an npm scope. Packages published by HL7 or the FHIR foundation SHALL not contain a scope.

Note: Npm packages can [contain a scope](https://docs.npmjs.com/misc/scope). Scopes are a way of grouping related packages together. A scope is usually the owner, and was introduced relatively late in the npm standard. Only the user can add packages to his/her scope. It's a way to identify the official packages from organizations. In Nuget that same logic is enabled with the package prefix, which is cleaner and more readable. A npm scope, starts with at (@) and ends with a slash '/'. It makes both the client and the server more complex to implement. And we want easy and broad adoption.

Name Management

Names under hl7.fhir. or fhir. are assigned by the FHIR Product Director - contact fhir-director@hl7.org for assistance. Implementers may (of course) use any names they wish in other namespaces, but should be careful to preserve global uniqueness.

For Packages published by HL7, when implementers create a subset of the package, implementers are pre-approved to use the following suffixes:

.terminology .conformance .[type]

e.g. hl7.fhir.us.core.structuredefinition - creating packages with names like this does not require approval. Other combinations - use a name in a different namespace, or ask for approval.


All packages have a mandatory version. [SemVer](https://semver.org/) SHOULD be used (and SHALL be used for packages published by HL7 or the FHIR Foundation)

When comparing two versions that start with a digit (0..9), they SHALL not be interpreted as a string, but as a structured numerical version reference. Package generators SHALL ensure that versions starting with a digit have more recent versions with higher numbers.

Version references

When packages point to dependencies they should refer to the whole package version number and not use wildcards, except for the patch version in a semver version reference:

 "hl7.fhir.core" : "3.0.x"

This x here means that it should a package resolver should accept the package with the highest found patch number.

Note: Npm has elaborate logic package version references. It allows version forwarding, ranges, wildcards, etc. The FHIR package standard does not allow this. The only ranges that are allowed are wildcards (x) for the patch version as described here. Most of the matured package managing tools, have acknowledged that having advanced version references would create instability and more confusion than help. Fhir packages also need to be consumed by non technical users. Installing package dependencies should not need a manual.

Version selection strategy

Dependencies with mismatching versions One of the main problems that a package managing standard has to solve is how to resolve deep dependency collision. Dependencies that each have their own dependency on a different version of the same package.

There are several strategies in play with most packaging standards.

1. The owner of the deep dependency should strictly follow the semver rules, and not introduce breaking changes 2. The owner of the consuming dependencies can play loose and fast with their dependency range 3. The client package tool can apply a set of algorithms to upgrade one deep dependency, downgrade the other, or keep multiple dependencies. This can cause type mismatches if the consuming tool lets the shallow dependencies interact. See also [this analysis](https://research.swtch.com/vgo-import) of go packaging.

For FHIR we still need to define more precisely how a project that consumes different versions of the same package should resolve these issues. This is part of a bigger versioning discussion in FHIR.


A FHIR package is a tarball (tar in gzip). The package contains

  • a subfolder named 'package'
  • a package manifest (package/package.json)
  • A set of conformance resource files, also in the package subfolder
  • It MAY contain additional content, like example resources or documentation:
    • such files SHALL not be in the package subfolder
    • this may include XML schemas in an "xml" subfolder
    • this may include openAPI files in an "openapi" subfolder
    • this may include turtle RDF representations in an rdf folder
    • Package consumers SHALL ignore content in other subfolders that they do not use (and most consumers will only use the resources in /package)

Tarballs SHALL be in the original tarball format (e.g. a 99 character file name length limit).

Note: discussion on this - see [[1]]

Package manifest

A package manifest is a json file called 'package.json'. It conforms to the npm package.json format, but contains only a subset of properties. Other properties are allowed, but should be ignored by a FHIR package consumer.

 "name": "hl7.fhir.us.acme",
 "version" : "0.1.0",  
 "canonical" : "http://hl7.org/fhir/us/acme",
 "web" : "http://hl7.org/fhir/us/acme/Draft1",
 "title" : "ACME project IG",
 "description": "Describes how the ACME project uses FHIR for it's primary API",
 "dependencies": {
    "hl7.fhir.core": "3.0.0",
    "hl7.fhir.us.core": "1.1.0",
 "keywords": [
   "United States",
 "author": "hl7",
 "maintainers": [
     "name": "US Steering Committee",
     "email": "ussc@lists.hl7.com"
 "license": "CC0-1.0"

Package Manifest Properties

  • name - mandatory - the globally unique identifier of the package as described above = ImplementationGuide.packageId
  • version - mandatory - SHOULD use [SemVer](https://semver.org/) - note: Semver SHALL be used for packages published by HL7 or the FHIR Foundation = ImplementationGuide.version
  • canonical - optional (but required for IGs) = canonical URL for the IG. = ImplementationGuide.url
  • url - optional (but required for IGs) = where information about the package can be found on the web. = ImplementationGuide.manifest.rendering
  • title - optional short description for the package (= ImplementationGuide.title)
  • description - mandatory = ImplementationGuide.description
  • dependencies - at least one to fhir core (from ImplementationGuide.dependsOn)
  • keywords - optional
  • author - mandatory = ImplementationGuide.publisher
  • maintainers - optional = ImplementationGuide.contacts
  • license - optional. Follow the [spdx naming convention](https://spdx.org/licenses/) = ImplementationGuide.license (mandatory for packages published by HL7 or the FHIR Foundation)

Other properties (e.g. from base NPM spec) are ignored if present


A fhir package may have dependencies. It SHALL always have at least one dependency to hl7.fhir.core which specifies the FHIR version. Package consumers should be aware of these dependencies and resolve them by downloading and installing each dependency recursively.

Package Content

A package contains a set of FHIR conformance resources in the JSON format for the specified FHIR version. Each conformance resource is saved in a separate .JSON file. All conformance resource files are saved in the 'package' directly under the root.

Meta packages

Packages MAY instead of having content only reference other packages. This is called a meta package. Its purpose is to group certain packages and their use case together.

Example: acme.api

Containing only references to acme.api.terminology acme.api.extensions acme.api.profiles

Copyright © Health Level Seven International ® ALL RIGHTS RESERVED. The reproduction of this material in any form is strictly forbidden without the written permission of the publisher.