Skip to content

v1.8.0

Choose a tag to compare

@arikusi arikusi released this 14 Jun 18:40
dab07ed

Security release. Closes the missing-authentication report on the self-hosted HTTP transport (GHSA-72f3-6w86-7rv3) and clears the outstanding npm audit advisories.

Security

The self-hosted HTTP transport no longer ships open by default.

  1. HTTP_HOST defaults to 127.0.0.1, which also turns on the MCP SDK's DNS rebinding protection. A plain run is not reachable off the host.
  2. HTTP_AUTH_TOKEN, when set, requires Authorization: Bearer <token> on POST/GET/DELETE /mcp (timing-safe compare). /health stays open for probes.
  3. HTTP_ALLOWED_HOSTS keeps host-header validation when binding to 0.0.0.0.
  4. Binding to 0.0.0.0 without a token logs a startup security warning. The bundled docker-compose.yml publishes to 127.0.0.1 only.

Dependencies

@modelcontextprotocol/sdk to 1.29.0 and vitest / @vitest/coverage-v8 to 4.1.8. npm audit goes from 13 advisories to 0.

Breaking

Requires Node.js 20 or newer. Node 18 reached end of life in April 2025.

Full notes: https://github.com/arikusi/deepseek-mcp-server/blob/main/CHANGELOG.md#180---2026-06-14