v0.7.1 — Security + GitLab EE schema fix

nalyk released this 18 May 08:01

· 46 commits to main since this release

dae7f38

Security + schema-correctness release.

Highlights

Closes all 6 open Dependabot alerts: 2× HIGH fast-uri (path traversal + host confusion), 3× hono (CSS injection JSX SSR, Cache Vary leak, JWT NumericDate), 1× medium ip-address (XSS in Address6).
Fixes production-breaker for GitLab EE users (#74): author.avatar_url, assignees[].avatar_url, and notes[].author.avatar_url now accept null. Three tools (GetMergeRequestChanges, list_merge_request_notes, list_merge_request_discussions) previously threw on every call against GitLab EE 17.5.5.

Security

fast-uri 3.1.0 → 3.1.2 (#65) — closes GHSA-q3j6-qgpj-74h6 and GHSA-v39h-62p7-jpjc.
hono 4.12.16 → 4.12.18 (#66) — closes GHSA-qp7p-654g-cw7p, GHSA-p77w-8qqv-26rm, GHSA-hm8q-7f3q-5f36.
Override ip-address to 10.1.1 (#78) — closes GHSA-v2v4-37r5-5v8g. The package is pulled transitively via @modelcontextprotocol/sdk → express-rate-limit; Dependabot cannot auto-fix it until express-rate-limit re-pins.

Fixed

GitLab EE avatar_url nullability (#74, #77) — GitLabUserSchema and GitLabMemberSchema now accept null for avatar_url. Regression tests cover null/string/undefined paths.
Revert accidental mempalace.yaml (#76) — personal plugin state that leaked at 165ea06. Release-driven publish (#43) prevented npm pollution. Plugin patterns added to .gitignore to prevent recurrence.

Changed

CI: hadolint/hadolint-action 3.1.0 → 3.3.0 (#68)
Dev deps: @types/node 20.19.39 → 20.19.41, vitest 4.1.5 → 4.1.6 (#75)

Verification

npm audit reports 0 vulnerabilities post-release.
79 tests pass (75 existing + 4 new).
Test count growth reflects new code paths, not test theater.

Credits to @dMikhalchev for reporting #74 with a clean reproducer and verbatim stderr.

Assets 2