sapientpants · sapientpants · Oct 13, 2025 · Oct 12, 2025 · Oct 12, 2025 · Oct 12, 2025
diff --git a/.changeset/refactor-ci-workflows-docker-security.md b/.changeset/refactor-ci-workflows-docker-security.md
@@ -0,0 +1,48 @@
+---
+'deepsource-mcp-server': patch
+---
+
+Refactor CI/CD workflows and improve Docker security
+
+### CI/CD Improvements
+
+- **Unified Build Process**: Consolidated build into single job that creates reusable artifacts
+- **Build Artifacts**: Generated once and reused throughout workflow for consistency
+- **Build Manifest**: Added metadata tracking (SHA, timestamp, dependencies)
+- **Tag Creation**: Tags now created before building artifacts for better traceability
+- **Artifact Naming**: Include commit SHA for consistent naming across workflows
+
+### Docker Support
+
+- **Multi-Platform Builds**: Added support for linux/amd64 and linux/arm64
+- **Docker Workflow**: New reusable workflow for container image builds
+- **Configuration**: Docker releases controlled via `ENABLE_DOCKER_RELEASE` variable
+
+### Security Enhancements
+
+- **CodeQL Integration**: Added dedicated security scanning workflow
+- **Consolidated Scanning**: Unified security checks in reusable workflow
+- **Docker Security**: Container images run as non-root user (nodejs:1001)
+- **Trivy Scanning**: Automated vulnerability detection in container images
+- **Dependency Scanning**: Enhanced vulnerability reporting
+
+### Developer Experience
+
+- **Issue Templates**: Added bug report and feature request templates
+- **PR Template**: Comprehensive pull request template with checklist
+- **Workflow Documentation**: Enhanced comments for better maintainability
+- **Better Validation**: Improved changeset validation in PR workflow
+
+### Infrastructure
+
+- **NPM Packaging**: Dedicated job for package preparation with attestations
+- **SLSA Provenance**: Generate attestations for supply chain security
+- **Improved Permissions**: Updated for container registry access
+- **DeepSource Integration**: Maintained test coverage reporting
+
+### Technical Details
+
+- Removed redundant `reusable-setup.yml` (merged into other workflows)
+- Better job dependency graph for parallel execution
+- Consistent secret passing (DEEPSOURCE_DSN)
+- Enhanced artifact retention strategies
diff --git a/.changeset/silver-sheep-exist.md b/.changeset/silver-sheep-exist.md
@@ -0,0 +1,28 @@
+---
+---
+
+Updated dependencies to their latest compatible versions while keeping zod at v3:
+
+**Production Dependencies:**
+
+- @modelcontextprotocol/sdk: 1.18.1 → 1.20.0
+
+**Development Dependencies:**
+
+- @commitlint/cli: 19.8.1 → 20.1.0
+- @commitlint/config-conventional: 19.8.1 → 20.0.0
+- @cyclonedx/cdxgen: 11.8.0 → 11.9.0
+- @types/node: 24.5.2 → 24.7.2
+- @typescript-eslint/eslint-plugin: 8.44.1 → 8.46.0
+- @typescript-eslint/parser: 8.44.1 → 8.46.0
+- eslint: 9.36.0 → 9.37.0
+- eslint-plugin-jsonc: 2.20.1 → 2.21.0
+- lint-staged: 16.2.0 → 16.2.4
+- typescript: 5.9.2 → 5.9.3
+- vite: 7.1.7 → 7.1.9
+
+**Kept at v3:**
+
+- zod: 3.25.76 (v4 available but not upgraded per project requirements)
+
+All tests passing with 80%+ coverage maintained.
diff --git a/package.json b/package.json
@@ -86,35 +86,35 @@
     ]
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.18.1",
+    "@modelcontextprotocol/sdk": "^1.20.0",
     "axios": "^1.12.2",
     "zod": "^3.25.76"
   },
   "devDependencies": {
     "@changesets/cli": "^2.29.7",
-    "@commitlint/cli": "^19.8.1",
-    "@commitlint/config-conventional": "^19.8.1",
-    "@cyclonedx/cdxgen": "11.8.0",
-    "@types/node": "^24.5.2",
-    "@typescript-eslint/eslint-plugin": "^8.44.1",
-    "@typescript-eslint/parser": "^8.44.1",
+    "@commitlint/cli": "^20.1.0",
+    "@commitlint/config-conventional": "^20.0.0",
+    "@cyclonedx/cdxgen": "11.9.0",
+    "@types/node": "^24.7.2",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
+    "@typescript-eslint/parser": "^8.46.0",
     "@vitest/coverage-v8": "^3.2.4",
     "changelog-github-custom": "^1.2.5",
     "depcheck": "^1.4.7",
-    "eslint": "^9.36.0",
+    "eslint": "^9.37.0",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-jsonc": "2.20.1",
+    "eslint-plugin-jsonc": "2.21.0",
     "eslint-plugin-prettier": "^5.5.4",
     "graphql": "^16.11.0",
     "husky": "^9.1.7",
     "jsonc-eslint-parser": "2.4.1",
-    "lint-staged": "^16.2.0",
+    "lint-staged": "^16.2.4",
     "markdownlint-cli2": "0.18.1",
     "nock": "^14.0.10",
     "prettier": "^3.6.2",
     "rimraf": "^6.0.1",
-    "typescript": "^5.9.2",
-    "vite": "7.1.7",
+    "typescript": "^5.9.3",
+    "vite": "7.1.9",
     "vitest": "^3.2.4",
     "yaml-lint": "1.7.0"
   },