Skip to content

v1.3.2

Choose a tag to compare

@github-actions github-actions released this 03 Jul 11:17

Documentation

  • Docs site: a Releases page generated from GitHub Releases at build time (notes rendered from
    each release, plus direct .mcpb/.nupkg download buttons), a new Claude Desktop (1-click)
    install tab, and a note that RoselineMCP is listed in the official MCP Registry. The Astro build
    fetches the Releases API (authenticated in CI to avoid rate limits) and degrades to a GitHub
    link-out if the fetch fails.

Added

  • One-click install for Claude Desktop (MCPB bundle). A mcpb/manifest.json (MCPB spec 0.3)
    describes RoselineMCP as a dnx-launched server; the release now builds and attaches a
    RoselineMCP.mcpb to each GitHub Release, so users can install with a dialog instead of editing
    JSON config. The bundle only wraps the dnx RoselineMCP launch (the .NET 10 SDK is still
    required, since analysis loads projects through MSBuild), so it stays tiny and platform-agnostic.
  • Automated MCP Registry publishing. publish-nuget.yml now has a publish-registry job that,
    after a successful NuGet publish, waits for the version to index, then authenticates via GitHub
    OIDC (mcp-publisher login github-oidc, no secret) and publishes .mcp/server.json to the
    official registry (registry.modelcontextprotocol.io) — so the server is discoverable by any
    client/aggregator that reads the registry. Ownership is proven by an mcp-name: marker added to
    the packed README.md, which the registry cross-checks against the NuGet package. The manifest
    $schema was migrated from the deprecated 2025-10-17 to the current 2025-12-11 (a URL-only
    change; the format is unchanged for stdio package servers). Takes effect on the next tagged release.

Security

  • Pinned Microsoft.Bcl.Memory to 10.0.9 (aligned with the net10.0 TFM) in
    RoselineMCP.TokenBenchmark to override the 9.0.4
    that Microsoft.ML.Tokenizers 2.0.0 pulled in transitively, which was vulnerable to
    CVE-2026-26127 (GHSA-73j8-2gch-69rq, high severity — Base64Url out-of-bounds-read DoS). The
    benchmark harness is never packaged and is not referenced by the shipped RoselineMCP package,
    so published users were never exposed; this clears the NU1903 restore warning. Remove the pin
    once Microsoft.ML.Tokenizers references a patched build.