Skip to content

Release v2.60.0

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 24 Jun 20:02
v2.60.0
3e76ea4
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Release v2.60.0

Generating release notes from v2.59.4 to HEAD

πŸ› Bug Fixes

  • Keep code node primitive return checks scoped (8ef4de2)

πŸ“š Documentation

  • Address review β€” unique cache path per client, keep DISABLE_CONSOLE_OUTPUT (ab4c174)
  • Add DISABLED_TOOL_OPERATIONS deployment guidance and env var reference - Add Read-Only Deployment section to README.md under Available MCP Tools - Add Read-Only Deployment Recipe section to docs/HTTP_DEPLOYMENT.md under Security Best Practices for n8n API - Add DISABLED_TOOL_OPERATIONS block to .env.example after DISABLED_TOOLS with format, eligible tools, operations, and the read-only recipe example (9a8b35a)
  • Scope undefined-as-deletion note to in-process callers (c3a7a2b)
  • Note npm_config_cache workaround for multiple npx MCP clients (958660a)

πŸ§ͺ Testing

  • Update get-node-unified TTL assertion to seconds (86400) (0ccb931)
  • Cover large Code node return validation (47b88b0)
  • Cover Code node return scanner edge cases (908e442)

πŸ“ Other Changes

  • docs(changelog): correct Google Sheets #730 scope (Copilot review) (62e2de0)
  • chore(release): v2.60.0 (afe85d5)
  • deps-dev(ui)(deps-dev): bump typescript from 5.9.3 to 6.0.3 in /ui-apps (56c5bba)
  • deps-dev(ui)(deps-dev): bump @vitejs/plugin-react in /ui-apps (144f8ee)
  • deps-dev(ui)(deps-dev): bump vite from 6.4.3 to 8.1.0 in /ui-apps (6a32b5e)
  • fix(validator): division after string literal; comment before helper brace (d2ed1b5)
  • chore(deps): address Copilot review on dependabot hardening (9465f25)
  • fix(validator): bound function-head scan; require boundary after primitive keywords (572bff4)
  • chore(deps): align rebase-strategy across blocks; clarify runtime note (e96700e)
  • chore(deps): harden Dependabot config (ignore n8n pkgs, cover ui-apps) (047f2cb)
  • fix(validator): exclude for-await from function detection; strip comment/string returns (7fd6c3a)
  • fix(cache): pass version-summary TTL in seconds, not ms (374b639)
  • ci(deps): bump actions/setup-node from 4 to 6 (8299115)
  • ci(deps): bump actions/checkout from 4 to 7 (6c9fb1a)
  • ci(deps): bump actions/download-artifact from 4 to 8 (1c57158)
  • ci(deps): bump actions/upload-artifact from 4 to 7 (b990da9)
  • ci(deps): bump docker/login-action from 3 to 4 (6323142)
  • fix(mcp): recompute tool annotations when all destructive ops are disabled (e09bd07)
  • fix(validator): don't accept columns mapping for Google Sheets read (ed7e3c3)
  • fix(validator): handle nested parens in Code helper detection (b003d79)
  • chore(security): add Dependabot config for npm, Actions, and Docker (9c686c4)
  • fix(mcp): remove non-existent truncate mode; harden DISABLED_TOOL_OPERATIONS (202ebdc)
  • fix(mcp): make buildFilteredToolDefinitions enum filter case-insensitive (8da8a32)
  • fix(mcp): harden DISABLED_TOOL_OPERATIONS against case mismatches and all-ops-disabled misconfiguration - Normalise operation names to lowercase at parse time (env var entries) and at comparison time (both the CallToolRequestSchema guard and the executeTool defense-in-depth guard), closing a bypass where a client sending action:"DELETE" would slip past an n8n_executions:delete rule. - Emit logger.warn inside buildFilteredToolDefinitions when the filtered enum is empty (all operations disabled), directing the operator to add the tool to DISABLED_TOOLS instead. Three new tests added (33 total, all passing): - parser normalises uppercase env var entries to lowercase - dispatch guard blocks uppercase client-sent operation values - buildFilteredToolDefinitions warns on empty enum (9d1a0dc)
  • fix(mcp): move operation guard after arg normalization and add isError flag (68469a4)
  • feat(mcp): add per-operation tool filtering via DISABLED_TOOL_OPERATIONS (3eda33d)
  • fix(validator): detect methods, generators and regex literals in Code scanner (c14b99c)
  • fix(diff-engine): accept undefined as property-removal marker (#292) (702c806)
  • fix(validator): align Google Sheets columns checks; fix leftover read test (3889e11)
  • fix(validator): accept columns resourceMapper for Google Sheets read/update (d438b15)

Release Statistics:

  • 38 commits
  • 7 contributors

Installation

NPM Package

# Install globally
npm install -g n8n-mcp

# Or run directly
npx n8n-mcp

Docker

# Standard image
docker run -p 3000:3000 ghcr.io/czlonkowski/n8n-mcp:v2.60.0

# Railway optimized
docker run -p 3000:3000 ghcr.io/czlonkowski/n8n-mcp-railway:v2.60.0

Documentation

πŸ€– Generated with Claude Code

Assets 3
Loading