v0.2.1 — dependency security fixes

@lcj-claude-coder released this 10 Jun 18:30
508321a

Patch release — dependency security fixes. No API changes: the 48-tool surface from v0.2.0 is unchanged.

Security (consumer-facing)

  • hono 4.12.20 → 4.12.25 (transitive, via @modelcontextprotocol/sdk) — clears 4 moderate advisories: IPv6 deny-rule bypass, Set-Cookie injection, JWT auth-scheme, and mount-prefix routing.
  • qs → 6.15.2 — clears a stringify DoS.
  • npm audit --omit=dev is now clean (0 vulnerabilities).
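A consumer-side check for the two version floors listed above, as an added example that is not part of the project's release notes or code: it scans the packages map of an npm package-lock.json (lockfileVersion 2 or 3) for any installed copy of hono or qs older than the versions this release moves to, including copies nested under other dependencies. The sample lockfile and the names example-consumer and old-tool are constructed for illustration.

```javascript
// Version floors taken from the release notes above.
const FLOORS = { hono: "4.12.25", qs: "6.15.2" };

// Compare plain x.y.z versions numerically; returns <0, 0 or >0.
// Pre-release/build suffixes are ignored (assumption: not needed here).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of a parsed package-lock.json and return every
// installed copy of a tracked package that is older than its floor.
function findStaleDeps(lock, floors = FLOORS) {
  const stale = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the root entry is "".
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !meta.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    // Own-property check so names like "constructor" never match by accident.
    if (!Object.prototype.hasOwnProperty.call(floors, name)) continue;
    if (compareVersions(meta.version, floors[name]) < 0) {
      stale.push({ path, name, version: meta.version, floor: floors[name] });
    }
  }
  return stale;
}

// Constructed sample: top-level copies are current, but a second dependency
// still carries older nested copies that a top-level check would miss.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-consumer", version: "1.0.0" },
    "node_modules/cdp-mcp": { version: "0.2.1" },
    "node_modules/hono": { version: "4.12.25" },
    "node_modules/qs": { version: "6.15.2" },
    "node_modules/old-tool/node_modules/hono": { version: "4.12.20" },
    "node_modules/old-tool/node_modules/qs": { version: "6.9.7" },
  },
};

console.log(findStaleDeps(sampleLock));
```

The numeric comparison matters for qs: a string comparison would rank 6.9.7 above 6.15.2 and miss the nested copy.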

Maintenance (dev / CI — not shipped in the tarball)

  • vitest 2 → 4, clearing a dev-only critical advisory and the vite/esbuild chain (all-scope audit now clean).
  • GitHub Actions bumped off the deprecated Node 20 runtime (checkout v6, setup-node v6, upload-artifact v7), SHA-pinned.

Validated by a full L4 agent-eval rerun on Kimi (the hono swap sits on the SSE transport path).

Install

npm install -g cdp-mcp@0.2.1

Published from CI via GitHub Actions OIDC trusted publishing, with SLSA build provenance.

Full changelog: v0.2.0...v0.2.1