v1.8.0
Security release. Closes the missing-authentication report on the self-hosted HTTP transport (GHSA-72f3-6w86-7rv3) and clears the outstanding npm audit advisories.
Security
The self-hosted HTTP transport no longer ships open by default.
HTTP_HOSTdefaults to127.0.0.1, which also turns on the MCP SDK's DNS rebinding protection. A plain run is not reachable off the host.HTTP_AUTH_TOKEN, when set, requiresAuthorization: Bearer <token>onPOST/GET/DELETE /mcp(timing-safe compare)./healthstays open for probes.HTTP_ALLOWED_HOSTSkeeps host-header validation when binding to0.0.0.0.- Binding to
0.0.0.0without a token logs a startup security warning. The bundleddocker-compose.ymlpublishes to127.0.0.1only.
Dependencies
@modelcontextprotocol/sdk to 1.29.0 and vitest / @vitest/coverage-v8 to 4.1.8. npm audit goes from 13 advisories to 0.
Breaking
Requires Node.js 20 or newer. Node 18 reached end of life in April 2025.
Full notes: https://github.com/arikusi/deepseek-mcp-server/blob/main/CHANGELOG.md#180---2026-06-14