
v0.4.3-rc.0

Pre-release


@github-actions github-actions released this 16 May 02:09
· 34 commits to main since this release
a6ac2a5

Supply-chain transparency

  • SBOMs: iris-npm-sbom.spdx.json + iris-docker-sbom.spdx.json (attached below). Both are SPDX 2.3 JSON and cover direct + transitive dependencies.
  • SBOM signatures: each SBOM has a companion .sig (cosign signature) and .pem (Sigstore-issued cert) attached to this release. Verify with:
    cosign verify-blob \
      --certificate iris-npm-sbom.spdx.json.pem \
      --signature iris-npm-sbom.spdx.json.sig \
      --certificate-identity-regexp='https://github.com/iris-eval/mcp-server' \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
      iris-npm-sbom.spdx.json
  • npm provenance: published with --provenance (verifiable via npm audit signatures or on the package page).
  • Docker signature: image signed with cosign keyless (Sigstore). Verify with:
    cosign verify ghcr.io/iris-eval/mcp-server:v0.4.3-rc.0 \
      --certificate-identity-regexp='https://github.com/iris-eval/mcp-server' \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
  • Build attestation: both the npm SBOM and Docker image manifest carry GitHub-signed build-provenance attestations. Inspect with gh attestation verify or cosign verify-attestation.
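The verification steps above wrapped in one script, as an added example rather than the project's own tooling: it builds the same cosign verify-blob and cosign verify invocations the release notes give, runs them only when cosign is on PATH, and then sanity-checks that an SBOM really is SPDX 2.3 JSON. The embedded SPDX document is a constructed sample, not one of the attached SBOMs.

```python
import json
import shutil
import subprocess

REPO = "https://github.com/iris-eval/mcp-server"
OIDC_ISSUER = "https://token.actions.githubusercontent.com"
IMAGE = "ghcr.io/iris-eval/mcp-server:v0.4.3-rc.0"
SBOMS = ["iris-npm-sbom.spdx.json", "iris-docker-sbom.spdx.json"]

# Constructed sample standing in for a downloaded SBOM; not a real release artifact.
CONSTRUCTED_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "constructed-sample",
    "packages": [{"name": "hono"}, {"name": "express-rate-limit"}],
    "relationships": [{"relationshipType": "DEPENDS_ON"}],
})

def verify_blob_cmd(sbom: str) -> list[str]:
    """cosign verify-blob invocation for one SBOM, as given in the release notes."""
    return ["cosign", "verify-blob", "--certificate", f"{sbom}.pem",
            "--signature", f"{sbom}.sig",
            f"--certificate-identity-regexp={REPO}",
            f"--certificate-oidc-issuer={OIDC_ISSUER}", sbom]

def verify_image_cmd(image: str = IMAGE) -> list[str]:
    """cosign verify invocation for the keyless-signed image, as in the release notes."""
    return ["cosign", "verify", image,
            f"--certificate-identity-regexp={REPO}",
            f"--certificate-oidc-issuer={OIDC_ISSUER}"]

def check_spdx(text: str) -> dict:
    """Sanity-check an SBOM after its signature verified: it must be SPDX 2.3 JSON."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    return {"name": doc.get("name"), "packages": len(doc.get("packages", [])),
            "relationships": len(doc.get("relationships", []))}

def run(cmd: list[str]) -> bool:
    """Run one cosign command; True only when cosign exits 0 (signature verified)."""
    return subprocess.run(cmd, check=False).returncode == 0

if __name__ == "__main__":
    print("constructed sample:", check_spdx(CONSTRUCTED_SPDX))
    if shutil.which("cosign") is None:
        print("cosign not on PATH; skipping signature checks")
    else:  # every SBOM blob and the image must verify; one failure fails the release
        results = [run(verify_blob_cmd(s)) for s in SBOMS] + [run(verify_image_cmd())]
        print("all signatures verified" if all(results) else "VERIFICATION FAILED")
```

The identity regexp is the unanchored repository URL from the notes, so it accepts a certificate issued to any workflow in that repository; anchoring it to the release workflow (release.yml, hardened in #159) is the stricter check.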

What's Changed

  • chore(security): per-advisory threat-model record + fast-uri override + CI gate by @irparent in #145
  • deps(website): bump the nextjs group across 1 directory with 2 updates by @dependabot[bot] in #151
  • ci: bump github/codeql-action from 4.35.3 to 4.35.4 by @dependabot[bot] in #147
  • ci: bump sigstore/cosign-installer from 3.9.2 to 4.1.2 by @dependabot[bot] in #148
  • ci: bump the github group across 1 directory with 3 updates by @dependabot[bot] in #106
  • deps: bump ip-address and express-rate-limit by @dependabot[bot] in #140
  • deps: bump hono from 4.12.14 to 4.12.18 by @dependabot[bot] in #142
  • deps: bump the linting group with 2 updates by @dependabot[bot] in #146
  • deps: bump the testing group with 2 updates by @dependabot[bot] in #149
  • deps: bump @types/node from 25.6.0 to 25.7.0 in the types group by @dependabot[bot] in #150
  • deps: bump @playwright/test from 1.59.1 to 1.60.0 by @dependabot[bot] in #152
  • deps(dashboard): bump typescript from 6.0.2 to 6.0.3 in /dashboard by @dependabot[bot] in #100
  • deps(dashboard): bump react-router-dom from 7.14.0 to 7.14.2 in /dashboard by @dependabot[bot] in #105
  • deps(dashboard): bump lucide-react from 1.8.0 to 1.14.0 in /dashboard by @dependabot[bot] in #129
  • deps(website): bump @types/node from 25.5.0 to 25.8.0 in /website in the types group across 1 directory by @dependabot[bot] in #76
  • deps(website): bump typescript from 6.0.2 to 6.0.3 in /website by @dependabot[bot] in #95
  • deps(website): bump @tailwindcss/postcss from 4.2.2 to 4.3.0 in /website by @dependabot[bot] in #104
  • deps(website): bump the react group across 1 directory with 2 updates by @dependabot[bot] in #82
  • deps(dashboard): bump jsdom from 26.1.0 to 29.1.1 in /dashboard by @dependabot[bot] in #128
  • chore(security): YC-grade posture hardening — encrypted-report path + close postinstall slot by @irparent in #155
  • Add Scorecard workflow for supply-chain security by @irparent in #156
  • fix(security): correct codeql-action SHA in Scorecard workflow by @irparent in #157
  • chore(security): Scorecard hardening — Token-Permissions + Signed-Releases + Branch-Protection by @irparent in #158
  • chore(security): release.yml least-privilege — Token-Permissions 0 → 10 by @irparent in #159
  • chore(release): v0.4.3-rc.0 — validate Signed-Releases workflow by @irparent in #160

Full Changelog: v0.4.2...v0.4.3-rc.0