fix(mcp server): do not pass the whole query in requests #1548
Merged
Scra3 approved these changes Apr 13, 2026
…xtra params The previous fix removed ...query entirely, which also dropped extra params like segmentQuery and connectionName that Segment passes through. Now destructure only the fields we reformat (fields, sort, filters, shouldSearchInRelation, pagination) and spread the rest. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…pread List all known params explicitly (search, sort, filters, pagination, fields, segmentQuery, connectionName) instead of using ...rest spread which could leak unknown fields into the query string. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Coverage Impact This PR will not change total coverage. Modified Files with Diff Coverage (1)
…ns type Remove unsafe Record<string, unknown> cast by adding the segment fields to the type definition. TypeScript now validates these fields at compile time. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…erialize No need for conditional spread — undefined values are ignored by the query string builder. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forest-bot added a commit that referenced this pull request Apr 14, 2026
## @forestadmin/agent-client [1.4.23](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/agent-client@1.4.22...@forestadmin/agent-client@1.4.23) (2026-04-14)

### Bug Fixes

* **mcp server:** do not pass the whole query in requests ([#1548](#1548)) ([ca4810f](ca4810f))

Definition of Done
General
Security
Note
Fix `QuerySerializer.serialize` to exclude arbitrary query properties from requests

Previously, `serialize` spread all input query properties into the output, which caused unintended fields to be forwarded in requests. The method now emits only an explicit set of known keys (`search`, `sort`, `filters`, `searchExtended`, `page[size]`, `page[number]`, `fields`). Risk: any callers relying on arbitrary query properties being forwarded will no longer receive them.

Changes since #1548 opened

* `QuerySerializer.serialize` method to forward all additional query properties [7e67658]
* `QuerySerializer.serialize` method in the `agent-client` package to explicitly control forwarded query properties [76396e4]
* `QuerySerializer.serialize` method to explicitly destructure `segmentQuery` and `connectionName` from query object and added corresponding optional fields to `SelectOptions` type [1787757]
* `QuerySerializer.serialize` method to always include `segmentQuery` and `connectionName` as top-level properties in the serialized output [a91b14d]

Macroscope summarized bef5acf.
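The behaviour change summarized above, as an added TypeScript example that is not the `agent-client` source: a spread-based serializer beside one that names every forwarded key. The option names come from the PR text; the value formats, the `droppedKeys` helper and the sample input are assumptions made for illustration.

```typescript
// Added example: simplified model of the change, not the agent-client source.
// Option names come from the PR text; the value formats are assumptions.
type SelectOptions = {
  search?: string;
  shouldSearchInRelation?: boolean;
  sort?: { field: string; ascending: boolean };
  filters?: unknown;
  pagination?: { size?: number; number?: number };
  fields?: string[];
  segmentQuery?: string; connectionName?: string;
};
type Serialized = Record<string, unknown>;

// Keys the serializer is willing to read from its input.
const KNOWN_KEYS: ReadonlySet<string> = new Set([
  'search', 'shouldSearchInRelation', 'sort', 'filters',
  'pagination', 'fields', 'segmentQuery', 'connectionName',
]);

// "Before" behaviour: the whole query is spread into the request.
function serializeWithSpread(query: SelectOptions): Serialized {
  return { ...query, 'page[size]': query.pagination?.size };
}

// "After" behaviour: every emitted key is named explicitly.
// Undefined values stay in the object; the PR notes the query string builder ignores them.
function serializeAllowlisted(query: SelectOptions): Serialized {
  const { search, shouldSearchInRelation, sort, filters, pagination, fields,
    segmentQuery, connectionName } = query;
  return {
    search,
    searchExtended: shouldSearchInRelation,
    sort: sort && (sort.ascending ? sort.field : `-${sort.field}`),
    filters: filters === undefined ? undefined : JSON.stringify(filters),
    'page[size]': pagination?.size,
    'page[number]': pagination?.number,
    fields: fields?.join(','),
    segmentQuery, connectionName,
  };
}

// Input keys the allowlist will not forward; useful to log before dropping.
function droppedKeys(query: object): string[] {
  return Object.keys(query).filter(key => !KNOWN_KEYS.has(key));
}

// Constructed input: a tool-call argument object carrying two unexpected keys.
const untrusted = JSON.parse('{"search":"acme","pagination":{"size":10,"number":2},' +
  '"timezone":"UTC","debug":true}') as SelectOptions;
```

Static typing alone does not stop the extra keys here, because the object arrives as parsed JSON at runtime; only the explicit key list does.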