v1.0.1 — CWE-78 security release

@Szowesgad Szowesgad released this 28 Apr 22:41
· 1 commit to main since this release

v1.0.1 — Security release

Published to npm: https://www.npmjs.com/package/mcp-server-semgrep/v/1.0.1

Security

  • Fixed CWE-78 OS command injection across MCP tool handlers. Reported by BruceJin / @BruceJqs in #12.
  • Replaced shell command construction with execFile() argument arrays.
  • Replaced shell cat / echo > file with fs.promises.readFile / writeFile.
  • Added defense-in-depth validateNoShellMetacharacters at path/config validation boundaries.
  • Hardened create_rule against YAML injection with allowlists for id, language, severity and YAML-safe scalar rendering for pattern / message.
  • Now redacts SEMGREP_APP_TOKEN in logs and raises the semgrep output buffer to 50 MiB.

Packaging

  • Published npm package mcp-server-semgrep@1.0.1.
  • Runtime npm audit: 0 vulnerabilities.
  • Package tarball: 12 files, 27.6 kB, sha512-Bp+7j3rDGaYwX3G3fABFXCMA/jrdQSACFb1GpWDlMDUp1umSi+aYnrSiXRic2k/bRjQQRj5odHT7YZZm9RXL6A==.
  • @modelcontextprotocol/sdk is now a runtime dependency.
  • Removed unused axios dependency and stale generated/package noise.

Verification

  • npm audit → 0 vulnerabilities
  • npm audit --omit=dev → 0 vulnerabilities
  • npm run lint → pass
  • npm test → 33/33 pass
  • Registry cold smoke from npm install mcp-server-semgrep@1.0.1 → MCP stdio boots, lists 7 tools, analyze_results works, workspace boundary blocks outside paths

Acknowledgements

  • @BruceJqs — original vulnerability report and reproduction.
  • @karthikeyansundaram2 — CWE-78 fix foundation in #14.
  • @xyaz1313 — defense-in-depth shell metacharacter validation idea in #12 discussion.
  • @m-szymanska — maintainer review and release support.
  • Gemini Code Assist — review signal for token redaction and YAML injection follow-up.

Upgrade recommended for every user of 1.0.0.