release: 2.3.2-rc.2

[stainless-app]

Automated Release PR

2.3.2-rc.2 (2025-09-30)

Full Changelog: v2.3.2-rc.1...v2.3.2-rc.2

Features

• api: manual updates (be9e40e)
• api: manual updates (05fefe8)

Performance Improvements

• faster formatting (06ae198)

Chores

• configure new SDK language (5776514)
• do not install brew dependencies in ./scripts/bootstrap by default (b35ef28)
• internal: codegen related update (8a14d99)
• internal: fix incremental formatting in some cases (fb5aa47)
• internal: ignore .eslintcache (670ff6e)
• internal: remove deprecated compilerOptions.baseUrl from tsconfig.json (8c0e44e)

Documentation

• api: updates to API spec (de1f80a)

---

This pull request is managed by Stainless's GitHub App.

The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.

For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.

🔗 Stainless website
📚 Read the docs
🙋 Reach out for help or questions

[pullrequest]

HackerOne Code Security Review

🟢 Scan Complete: 27 Issue(s)
🟢 Validation Complete: Any Issues detected were validated by one of our engineers. None were determined to require immediate action.

Here's how the code changes were interpreted and info about the tools used for scanning.

ℹ️ Issues Detected

NOTE: These may not require action!

Below are unvalidated results from the Analysis Tools that ran during the latest scan for transparency. We investigate each of these for accuracy and relevance before surfacing them as a potential problem.

How will I know if something is a problem?
When validation completes, any concerns that warrant attention prior to merge will be posted as inline comments. These will show up in 2 ways:

• Expert review (most cases): Issues will be posted by experts who manually reviewed and validated them. These are real HackerOne engineers (not bots) reviewing through an integrated IDE-like tool. You can communicate with them like any other reviewer. They'll stay assigned and get notified with commit & comment updates.
• Automatically: In cases where our validation checks have highest confidence the problem is legitimate and urgent. These will include a description of contextual reasoning why & actionable next steps.

File & Line	Issue
packages/mcp-server/src/tools/completions/create-completions.ts Line 67	The stream parameter in the input schema is defined as a string type with enum [false] (lines 67-71) and [true] (lines 97-102), but it should be a boolean type. Using a string type with boolean enum values could lead to type confusion and potential validation issues when processing the parameter.
packages/mcp-server/src/compat.ts Line 100	The JSONSchema type definition on line 100 uses [key: string]: any which allows arbitrary properties to be added to the schema. This could potentially lead to prototype pollution or other injection attacks if untrusted data is used to construct schemas. Consider using a more restrictive type or implementing validation to ensure only expected properties are present.
packages/mcp-server/tests/compat.test.ts Line 1	This is a test file that doesn't contain production code. While it tests security-related functionality like schema transformations, the tests themselves don't introduce security vulnerabilities.
packages/mcp-server/src/code-tool-worker.ts Line 25	The code uses eval() to execute arbitrary code provided in the input. This is a critical security vulnerability as it allows for remote code execution. An attacker could provide malicious code that could access the system, steal data, or perform other harmful actions. The code is executed in the same context as the application, giving it full access to the application's resources.
src/resources/tools/tools.ts Line 17	The code is marking several API methods as deprecated without providing a clear migration path or timeline. While this is not a direct security vulnerability, it could lead to security issues if users continue to rely on deprecated functionality that may not receive security updates. The deprecation notices point to documentation at dev.writer.com but don't specify if the deprecated methods have known security issues that prompted the deprecation.
packages/mcp-server/src/dynamic-tools.ts Line 148	The invoke_api_endpoint tool allows arbitrary execution of any API endpoint with user-provided arguments. While there is some validation with Cabidela, this creates a powerful generic tool that could be abused if access control isn't properly implemented. An attacker could potentially use this to access endpoints they shouldn't have permission to use.
packages/mcp-server/src/compat.ts Line 74	The parseEmbeddedJSON function (lines 67-91) attempts to parse string values into JSON objects without proper validation. It blindly attempts to parse any string value and only checks if the result is an object after parsing. This could lead to prototype pollution or other injection vulnerabilities if malicious JSON is provided. The function should validate the input against a schema before parsing or after parsing but before using the parsed object.
packages/mcp-server/src/code-tool.ts Line 68	The code execution tool allows running arbitrary TypeScript code in a container. While some security measures are in place (like restricting network access), the tool still presents a significant security risk. An attacker could potentially use this to execute malicious code that could compromise the system or access sensitive data.
src/resources/shared.ts Line 135	The new GraphData.References.Web interface includes a 'url' field that contains URLs from web sources accessed during queries. There is no validation or sanitization mechanism defined for these URLs, which could potentially lead to security issues if these URLs are later used in unsafe contexts (like being directly inserted into HTML or used in redirects). URLs from external sources should always be validated before use.
packages/mcp-server/tests/dynamic-tools.test.ts Line 5	The test uses fakeClient (line 5) which is typed as any, bypassing type checking. When this client is passed to handlers (e.g., line 24), it could potentially lead to runtime errors if the handlers expect specific methods or properties that aren't present on the fake client. This is especially concerning for security testing since it might not properly validate authentication or authorization behaviors.
packages/mcp-server/src/server.ts Line 187	The parseEmbeddedJSON function is used to parse potentially untrusted JSON input without proper validation. This could lead to prototype pollution or other JSON-based attacks if the input is maliciously crafted.
CHANGELOG.md Line 3	This is a changelog file that documents changes to the software. It contains no security vulnerabilities in the changed lines. The file only contains documentation of features, bug fixes, and other changes made to the software.
packages/mcp-server/src/options.ts Line 40	In the parseCapabilityValue function, there's a potential issue with user input validation. When parsing the 'tool-name-length' capability (lines 37-46), the code uses the non-null assertion operator (parts[1]!) without first checking if the array has a second element. While the length check on line 39 should prevent this, it's better to avoid non-null assertions with user input. Additionally, the parseInt operation could be exploited if very large numbers are provided, potentially causing memory issues when the server tries to process tool names later.
packages/mcp-server/src/headers.ts Line 12	The code doesn't properly handle the case where the authorization header exists but doesn't contain a valid scheme or value. If the header doesn't contain a space, the split operation will return an array with just the original string, making scheme potentially the entire header value, which could lead to unexpected behavior.
packages/mcp-server/src/tools/files/upload-files.ts Line 45	The file upload tool doesn't validate the file content or Content-Disposition header before processing. This could allow an attacker to upload malicious files or manipulate the Content-Disposition header to potentially execute arbitrary code or cause unexpected behavior. The tool should implement proper validation of file content and headers.
packages/mcp-server/src/tools/chat/chat-chat.ts Line 932	The handler function accepts user input (args) and passes it directly to the client.chat.chat() method without any validation or sanitization. This could allow an attacker to inject malicious data that might be processed by the underlying API. The code should validate the input against the defined schema before passing it to the API.
packages/mcp-server/src/tools/graphs/question-graphs.ts Line 85	Similar to the create-completions.ts issue, the stream parameter is defined as a string type with enum [false] (lines 85-90) and [true] (lines 112-117), but it should be a boolean type. This type mismatch could lead to validation issues or unexpected behavior when processing the parameter.
packages/mcp-server/src/options.ts Line 308	The parseQueryOptions function directly parses untrusted query parameters without proper validation before using them. In line 308, it uses QueryOptions.parse(queryObject) where queryObject could be from user input. While Zod provides some validation, the function doesn't handle potential parsing errors that could occur if malicious input is provided. This could lead to unhandled exceptions or unexpected behavior when processing query parameters from HTTP requests. The function should implement proper error handling around the Zod parsing to prevent potential denial of service through malformed requests.
packages/mcp-server/tests/options.test.ts Line 411	The parseEmbeddedJSON function attempts to parse string values as JSON objects without proper validation against a schema. This could lead to unexpected type conversions or code execution if malicious JSON is provided. While this is a test file, it reveals that the actual implementation in ../src/compat.js may have this vulnerability. The function only checks if the parsed result is an object but doesn't validate its structure against an expected schema before using it.
packages/mcp-server/README.md Line 12	The README contains example code that shows API keys being hardcoded in configuration files and environment variables. Lines 12, 30, and 148 demonstrate hardcoded API keys in examples ("My API Key" and "<auth value>"). While these are just placeholders in documentation, they can lead users to follow bad security practices by copying the examples directly without replacing the placeholders with proper secret management.
packages/mcp-server/src/filtering.ts Line 6	The function maybeFilter accepts an arbitrary JQ filter string from an untrusted source and applies it to a response object. This could lead to potential injection vulnerabilities if the JQ filter contains malicious expressions. The code should validate or sanitize the jqFilter input before passing it to the jq function.
packages/mcp-server/src/headers.ts Line 8	The code doesn't properly validate the authorization header before using it. Line 8 assumes the header always contains a space character, and line 9 doesn't check if the value exists before using it. This could lead to potential crashes or unexpected behavior if malformed authorization headers are provided.
.github/workflows/publish-npm.yml Line 35	Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
packages/mcp-server/src/tools/index.ts Line 121	RegExp() called with a { type, value }: Filter function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.
packages/mcp-server/scripts/copy-bundle-files.cjs Line 11	Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

🧰 Analysis tools

- [ ✅ ] [HackerOne AI Code Analysis](https://www.pullrequest.com/blog/harnessing-ai-to-pinpoint-security-hotspots-in-code-review-a-deep-dive/) - [ ✅ ] [HackerOne AI Code Validation](https://www.hackerone.com/blog/ai-triage-code-validation-security) - [ ✅ ] [semgrep](https://semgrep.dev?&utm_source=hackerone&utm_campaign=pullrequest) - [ ✅ ] rubocop

⏱️ Latest scan covered changes up to commit 18958f3 (latest)

[pullrequest]

✅ Graham C reviewed all the included code changes and associated automation findings and determined that there were no immediately actionable security flaws. Note that they will continue to be notified of any new commits or comments and follow up as needed throughout the duration of this pull request's lifecycle.

Graham C

---

Reviewed with ❤️ by PullRequest

[stainless-app]

Release version edited manually

The Pull Request version has been manually set to 2.3.2-rc.2 and will be used for the release.

If you instead want to use the version number 2.4.0-rc.1 generated from conventional commits, just remove the label autorelease: custom version from this Pull Request.

[stainless-app]

🤖 Release is at https://github.com/writer/writer-node/releases/tag/v2.3.2-rc.2 🌻