Skip to content

Releases: cyanheads/osv-advisory-mcp-server

v0.1.12: Canonical OSV ecosystem set, blank-input rejection

Choose a tag to compare

@cyanheads cyanheads released this 11 Jul 20:24
v0.1.12
35055d3

Canonical OSV ecosystem set, blank-input rejection

Corrects the osv_list_ecosystems static catalog and hardens input validation across the query and lookup tools.

Changed:

  • osv_list_ecosystems now returns the canonical 50-identifier OSV set (49 named ecosystems + GIT), replacing a stale 26-entry catalog — adds Ubuntu, Azure Linux, and 23 others, removes the invalid GSD prefix (#12)

Fixed:

  • osv_query_package, osv_query_batch, osv_get_vulnerability reject blank/whitespace-only name, ecosystem, version, and id fields at the schema instead of reaching OSV.dev; a blank row in osv_query_batch now fails input validation for the whole call instead of degrading to a per-row error (#10)

93 tests pass; bun run devcheck clean.

CHANGELOG v0.1.12

v0.1.11: Affected-range data, withdrawn status, and paginated queries

Choose a tag to compare

@cyanheads cyanheads released this 11 Jul 17:45
v0.1.11
8f618eb

Affected-range data, withdrawn status, and paginated queries

Three data-fidelity fixes: complete affected-range data, withdrawn-advisory disclosure, and OSV pagination handling.

Fixed:

  • osv_get_vulnerability, osv_query_package: package-less GIT ranges no longer dropped; multi-interval ranges no longer collapse to one event (#13)
  • osv_query_package, osv_query_batch: paginated OSV results no longer reported as complete/clean; follows next_page_token up to OSV_QUERY_MAX_PAGES (#15)

Added:

  • Affected ranges gain optional repo, events[], versions[] (#13)
  • osv_get_vulnerability gains optional withdrawn timestamp + WITHDRAWN notice (#14)
  • truncated / truncatedCount fields; new OSV_QUERY_MAX_PAGES env var (default 10) (#15)

Changed:

  • osv_query_batch summary cleanCount excludes truncated rows (#15)

80 tests pass; bun run devcheck clean.

CHANGELOG v0.1.11

v0.1.10: Untrusted-summary framing, empty-case enrichment, batch error-row version

Choose a tag to compare

@cyanheads cyanheads released this 11 Jul 16:28
v0.1.10
22ae5b9

Untrusted-summary framing, empty-case enrichment, batch error-row version

Frames untrusted OSV advisory text, adds enrichment for empty/edge-case query results, and picks up mcp-ts-core ^0.10.14 plus supply-chain hardening.

Added:

  • osv_query_package / osv_query_batch — optional enrichment.notice + enrichment.effectiveQuery on empty/all-clean/all-errors paths (#9)

Changed:

  • osv_query_batchcontent[] error rows now include the queried version (#5)

Security:

  • osv_query_package, osv_query_batch, osv_get_vulnerability — advisory summary text wrapped in <advisory_summary> boundaries against prompt injection (#11)

Dependency bumps:

  • @cyanheads/mcp-ts-core ^0.10.10 → ^0.10.14
  • @biomejs/biome ^2.5.1 → ^2.5.3
  • @types/node ^26.0.1 → ^26.1.1
  • tsc-alias ^1.8.17 → ^1.9.0
  • vitest ^4.1.9 → ^4.1.10
  • Added @socketsecurity/bun-security-scanner ^1.1.2 as the install-time scanner

62 tests pass; bun run devcheck clean.

CHANGELOG v0.1.10

v0.1.9: OSV_BATCH_CONCURRENCY registry discovery parity

Choose a tag to compare

@cyanheads cyanheads released this 30 Jun 20:55
v0.1.9
2695c0a

OSV_BATCH_CONCURRENCY registry discovery parity

server.json advertises the batch-concurrency knob in both packages, matching the existing OSV_REQUEST_TIMEOUT_MS entry.

Fixed:

  • server.json now lists OSV_BATCH_CONCURRENCY (default 10) in both packages' environmentVariables — packaging metadata only, no source change.

55 tests pass; bun run devcheck clean.

v0.1.8: Bounded batch concurrency and validated env config

Choose a tag to compare

@cyanheads cyanheads released this 30 Jun 20:42
v0.1.8
e6581d1

Bounded batch concurrency and validated env config

osv_query_batch now drains through a bounded worker pool instead of fanning every package out at once; server env config is validated at startup.

Added:

  • OSV_BATCH_CONCURRENCY env var (positive integer, default 10) caps concurrent OSV.dev requests in osv_query_batch (#6)
  • Startup validation of OSV_REQUEST_TIMEOUT_MS and OSV_BATCH_CONCURRENCY via src/config/server-config.ts; invalid, zero, or negative values fail startup with a ConfigurationError naming the variable (#7)

Changed:

  • osv_query_batch runs per-package queries through a bounded worker pool (default 10 in flight) instead of up to 1000 concurrent requests; positional results and per-package partial-success unchanged (#6)

Dependencies:

  • @cyanheads/mcp-ts-core ^0.10.9 → ^0.10.10 (clears transitive js-yaml GHSA-h67p-54hq-rp68; bun audit clean)

55 tests pass; bun run devcheck clean.

v0.1.7: OSV ecosystem authority, recovery hints, content[] parity

Choose a tag to compare

@cyanheads cyanheads released this 30 Jun 20:01
v0.1.7
10aee99

OSV ecosystem authority, recovery hints, content[] parity

Four coupled DX fixes across the tool surface; tool output schemas unchanged.

Fixed:

  • osv_query_batch: drop the static ecosystem preflight — OSV now validates, and an unknown ecosystem degrades to a per-package error instead of failing the whole batch (#3)
  • osv_query_package, osv_get_vulnerability: declared recovery hints reach data.recovery.hint and content[] via ctx.recoveryFor() (#4)
  • format(): osv_query_batch renders a Clean Packages section; osv_get_vulnerability renders all references (was capped at the first 8) (#5)
  • Stale osv_query references corrected to osv_query_package in tool/output text and docs/design.md (#8)

Dependency bumps:

  • @biomejs/biome ^2.5.0 → ^2.5.1
  • @types/node ^26.0.0 → ^26.0.1

43 tests pass; bun run devcheck clean.

v0.1.6: mcp-ts-core ^0.10.9 maintenance

Choose a tag to compare

@cyanheads cyanheads released this 20 Jun 17:53
v0.1.6
c01c03a

mcp-ts-core ^0.10.9 maintenance

Framework-maintenance release — no source or behavior changes.

Added:

  • check-dependency-specifiers devcheck gate — fails on floating specifiers in package.json deps and bun.lock workspaces (cyanheads/mcp-ts-core#246)
  • Plugin-manifest packaging checks in lint:packaging, gated by packaging.pluginManifests (cyanheads/mcp-ts-core#240)
  • .codex-plugin longDescription filled

Changed:

Dependency bumps:

  • @cyanheads/mcp-ts-core ^0.10.6 → ^0.10.9
  • @types/node ^25.9.3 → ^26.0.0
  • vitest ^4.1.8 → ^4.1.9

40 tests pass; bun run devcheck clean.

v0.1.5: mcp-ts-core ^0.10.6 adoption

Choose a tag to compare

@cyanheads cyanheads released this 13 Jun 03:35
v0.1.5
348c581

mcp-ts-core ^0.10.6 adoption

Framework upgrade with the error-code and packaging conventions that ship in 0.10.x.

Changed:

  • @cyanheads/mcp-ts-core ^0.9.21 → ^0.10.6
  • osv_query_package / osv_query_batch return ValidationError (-32007), not InvalidParams (-32602), for invalid ecosystem strings
  • Explicit name / title in createApp(); root-anchored .mcpbignore patterns

Added:

  • Docker HEALTHCHECK + OCI image.version label
  • scripts/clean-mcpb.ts post-pack bundle cleaner wired into bundle
  • coerce-boolean-env-flag antipattern rule

Removed:

  • Redundant batch_too_large error contract (.max(1000) already rejects oversized batches)

Dependency bumps:

  • typescript ^5.9.3 → ^6.0.3
  • @biomejs/biome ^2.4.16 → ^2.5.0
  • @types/node ^25.9.1 → ^25.9.3

40 tests pass; bun run devcheck clean.

v0.1.4: BREAKING: rename osv_query → osv_query_package

Choose a tag to compare

@cyanheads cyanheads released this 04 Jun 09:41
v0.1.4
869215b

BREAKING: rename osv_query → osv_query_package

The osv_query tool has been renamed to osv_query_package. Callers must update to the new name — the old name no longer exists. Input and output schemas are unchanged; only the tool name changed.

Changed:

  • BREAKING: osv_query renamed to osv_query_package — update tool calls from osv_query to osv_query_package (#2)
  • Source file osv-query.tool.ts renamed to osv-query-package.tool.ts
  • Test file renamed accordingly; all 8 test cases updated

40 tests pass; bun run devcheck clean.

v0.1.3: Adopt @cyanheads/mcp-ts-core 0.9.21 — HTTP log context, secret-stripping, retry improvements

Choose a tag to compare

@cyanheads cyanheads released this 02 Jun 14:50
v0.1.3
d1f2000

Adopt @cyanheads/mcp-ts-core 0.9.21 — HTTP log context, secret-stripping, retry improvements

Adopts mcp-ts-core ^0.9.16 → ^0.9.21 with targeted framework fixes and
re-synced skills, scripts, and devcheck tooling.

Changed:

  • @cyanheads/mcp-ts-core ^0.9.16 → ^0.9.21 — HTTP transport per-request log context fix (fresh request + trace/span IDs per request); fetchWithTimeout strips query-string secrets from error messages and logs; withRetry fail-fast on non-retryable errors; ctx.fail auto-populates retryable flag.
  • README client config key renamed to full package name @cyanheads/osv-advisory-mcp-server across all install examples.
  • Added scripts/release-github.ts and scripts/check-skill-versions.ts from framework sync.
  • New skills: api-mirror, orchestrations (with 4 workflow files).

Dependencies:

  • @biomejs/biome ^2.4.7 → ^2.4.16
  • @types/node ^25.6.0 → ^25.9.1
  • tsc-alias ^1.8.16 → ^1.8.17
  • vitest ^4.1.0 → ^4.1.8

40 tests pass; bun run devcheck clean.