Releases: cyanheads/osv-advisory-mcp-server
Release list
v0.1.12: Canonical OSV ecosystem set, blank-input rejection
Canonical OSV ecosystem set, blank-input rejection
Corrects the osv_list_ecosystems static catalog and hardens input validation across the query and lookup tools.
Changed:
osv_list_ecosystemsnow returns the canonical 50-identifier OSV set (49 named ecosystems +GIT), replacing a stale 26-entry catalog — addsUbuntu,Azure Linux, and 23 others, removes the invalidGSDprefix (#12)
Fixed:
osv_query_package,osv_query_batch,osv_get_vulnerabilityreject blank/whitespace-onlyname,ecosystem,version, andidfields at the schema instead of reaching OSV.dev; a blank row inosv_query_batchnow fails input validation for the whole call instead of degrading to a per-row error (#10)
93 tests pass; bun run devcheck clean.
v0.1.11: Affected-range data, withdrawn status, and paginated queries
Affected-range data, withdrawn status, and paginated queries
Three data-fidelity fixes: complete affected-range data, withdrawn-advisory disclosure, and OSV pagination handling.
Fixed:
osv_get_vulnerability,osv_query_package: package-less GIT ranges no longer dropped; multi-interval ranges no longer collapse to one event (#13)osv_query_package,osv_query_batch: paginated OSV results no longer reported as complete/clean; followsnext_page_tokenup toOSV_QUERY_MAX_PAGES(#15)
Added:
- Affected ranges gain optional
repo,events[],versions[](#13) osv_get_vulnerabilitygains optionalwithdrawntimestamp + WITHDRAWN notice (#14)truncated/truncatedCountfields; newOSV_QUERY_MAX_PAGESenv var (default 10) (#15)
Changed:
osv_query_batchsummarycleanCountexcludes truncated rows (#15)
80 tests pass; bun run devcheck clean.
v0.1.10: Untrusted-summary framing, empty-case enrichment, batch error-row version
Untrusted-summary framing, empty-case enrichment, batch error-row version
Frames untrusted OSV advisory text, adds enrichment for empty/edge-case query results, and picks up mcp-ts-core ^0.10.14 plus supply-chain hardening.
Added:
osv_query_package/osv_query_batch— optionalenrichment.notice+enrichment.effectiveQueryon empty/all-clean/all-errors paths (#9)
Changed:
osv_query_batch—content[]error rows now include the queried version (#5)
Security:
osv_query_package,osv_query_batch,osv_get_vulnerability— advisorysummarytext wrapped in<advisory_summary>boundaries against prompt injection (#11)
Dependency bumps:
@cyanheads/mcp-ts-core^0.10.10 → ^0.10.14@biomejs/biome^2.5.1 → ^2.5.3@types/node^26.0.1 → ^26.1.1tsc-alias^1.8.17 → ^1.9.0vitest^4.1.9 → ^4.1.10- Added
@socketsecurity/bun-security-scanner^1.1.2 as the install-time scanner
62 tests pass; bun run devcheck clean.
v0.1.9: OSV_BATCH_CONCURRENCY registry discovery parity
OSV_BATCH_CONCURRENCY registry discovery parity
server.json advertises the batch-concurrency knob in both packages, matching the existing OSV_REQUEST_TIMEOUT_MS entry.
Fixed:
server.jsonnow listsOSV_BATCH_CONCURRENCY(default10) in both packages'environmentVariables— packaging metadata only, no source change.
55 tests pass; bun run devcheck clean.
v0.1.8: Bounded batch concurrency and validated env config
Bounded batch concurrency and validated env config
osv_query_batch now drains through a bounded worker pool instead of fanning every package out at once; server env config is validated at startup.
Added:
OSV_BATCH_CONCURRENCYenv var (positive integer, default 10) caps concurrent OSV.dev requests inosv_query_batch(#6)- Startup validation of
OSV_REQUEST_TIMEOUT_MSandOSV_BATCH_CONCURRENCYviasrc/config/server-config.ts; invalid, zero, or negative values fail startup with a ConfigurationError naming the variable (#7)
Changed:
osv_query_batchruns per-package queries through a bounded worker pool (default 10 in flight) instead of up to 1000 concurrent requests; positional results and per-package partial-success unchanged (#6)
Dependencies:
@cyanheads/mcp-ts-core^0.10.9 → ^0.10.10 (clears transitive js-yaml GHSA-h67p-54hq-rp68; bun audit clean)
55 tests pass; bun run devcheck clean.
v0.1.7: OSV ecosystem authority, recovery hints, content[] parity
OSV ecosystem authority, recovery hints, content[] parity
Four coupled DX fixes across the tool surface; tool output schemas unchanged.
Fixed:
- osv_query_batch: drop the static ecosystem preflight — OSV now validates, and an unknown ecosystem degrades to a per-package error instead of failing the whole batch (#3)
- osv_query_package, osv_get_vulnerability: declared recovery hints reach data.recovery.hint and content[] via ctx.recoveryFor() (#4)
- format(): osv_query_batch renders a Clean Packages section; osv_get_vulnerability renders all references (was capped at the first 8) (#5)
- Stale osv_query references corrected to osv_query_package in tool/output text and docs/design.md (#8)
Dependency bumps:
- @biomejs/biome ^2.5.0 → ^2.5.1
- @types/node ^26.0.0 → ^26.0.1
43 tests pass; bun run devcheck clean.
v0.1.6: mcp-ts-core ^0.10.9 maintenance
mcp-ts-core ^0.10.9 maintenance
Framework-maintenance release — no source or behavior changes.
Added:
- check-dependency-specifiers devcheck gate — fails on floating specifiers in package.json deps and bun.lock workspaces (cyanheads/mcp-ts-core#246)
- Plugin-manifest packaging checks in lint:packaging, gated by packaging.pluginManifests (cyanheads/mcp-ts-core#240)
- .codex-plugin longDescription filled
Changed:
- Vendored devcheck scripts skip git-dependent checks on a fresh scaffold; skill-versions skips a worktree-deleted SKILL.md (cyanheads/mcp-ts-core#237, #242, #243)
- Vendored skills re-synced from 0.10.7–0.10.9 (cyanheads/mcp-ts-core#238)
Dependency bumps:
@cyanheads/mcp-ts-core^0.10.6 → ^0.10.9@types/node^25.9.3 → ^26.0.0vitest^4.1.8 → ^4.1.9
40 tests pass; bun run devcheck clean.
v0.1.5: mcp-ts-core ^0.10.6 adoption
mcp-ts-core ^0.10.6 adoption
Framework upgrade with the error-code and packaging conventions that ship in 0.10.x.
Changed:
@cyanheads/mcp-ts-core^0.9.21 → ^0.10.6osv_query_package/osv_query_batchreturn ValidationError (-32007), not InvalidParams (-32602), for invalid ecosystem strings- Explicit
name/titleincreateApp(); root-anchored.mcpbignorepatterns
Added:
- Docker HEALTHCHECK + OCI
image.versionlabel scripts/clean-mcpb.tspost-pack bundle cleaner wired intobundlecoerce-boolean-env-flagantipattern rule
Removed:
- Redundant
batch_too_largeerror contract (.max(1000)already rejects oversized batches)
Dependency bumps:
typescript^5.9.3 → ^6.0.3@biomejs/biome^2.4.16 → ^2.5.0@types/node^25.9.1 → ^25.9.3
40 tests pass; bun run devcheck clean.
v0.1.4: BREAKING: rename osv_query → osv_query_package
BREAKING: rename osv_query → osv_query_package
The osv_query tool has been renamed to osv_query_package. Callers must update to the new name — the old name no longer exists. Input and output schemas are unchanged; only the tool name changed.
Changed:
- BREAKING:
osv_queryrenamed toosv_query_package— update tool calls fromosv_querytoosv_query_package(#2) - Source file
osv-query.tool.tsrenamed toosv-query-package.tool.ts - Test file renamed accordingly; all 8 test cases updated
40 tests pass; bun run devcheck clean.
v0.1.3: Adopt @cyanheads/mcp-ts-core 0.9.21 — HTTP log context, secret-stripping, retry improvements
Adopt @cyanheads/mcp-ts-core 0.9.21 — HTTP log context, secret-stripping, retry improvements
Adopts mcp-ts-core ^0.9.16 → ^0.9.21 with targeted framework fixes and
re-synced skills, scripts, and devcheck tooling.
Changed:
@cyanheads/mcp-ts-core^0.9.16 → ^0.9.21— HTTP transport per-request log context fix (fresh request + trace/span IDs per request);fetchWithTimeoutstrips query-string secrets from error messages and logs;withRetryfail-fast on non-retryable errors;ctx.failauto-populatesretryableflag.- README client config key renamed to full package name
@cyanheads/osv-advisory-mcp-serveracross all install examples. - Added
scripts/release-github.tsandscripts/check-skill-versions.tsfrom framework sync. - New skills:
api-mirror,orchestrations(with 4 workflow files).
Dependencies:
@biomejs/biome^2.4.7 → ^2.4.16@types/node^25.6.0 → ^25.9.1tsc-alias^1.8.16 → ^1.8.17vitest^4.1.0 → ^4.1.8
40 tests pass; bun run devcheck clean.