@eablack eablack commented Feb 6, 2026

Summary

This targets specific updates to address vulnerabilities in v11.0.0 found in npm audit. Also stops running the sudo install part of test-release.

Type of Change

Breaking Changes (major semver update)

  • Add a ! after your change type to denote a change that breaks current behavior

Feature Additions (minor semver update)

  • feat: Introduces a new feature to the codebase

Patch Updates (patch semver update)

  • fix: Bug fix
  • deps: Dependency upgrade
  • revert: Revert a previous commit
  • chore: Change that does not affect production code
  • refactor: Refactoring existing code without changing behavior
  • test: Add/update/remove tests

…ak vulnerability

Updates @modelcontextprotocol/sdk to version >=1.26.0 to address GHSA-345p-7cg4-v4c7,
which prevented cross-client data leaks via shared server/transport instance reuse.
Updates brace-expansion to version >=2.0.2 to address GHSA-v6h2-p8h4-qcjw,
which fixes a Regular Expression Denial of Service vulnerability.

…rabilities

Runs npm audit fix to automatically update fast-xml-parser (>=5.3.4) to address
GHSA-37qj-frw5-hhjh (RangeError DoS) and js-yaml (>=4.1.1) to address
GHSA-mh29-5h37-fv8m (prototype pollution in merge).

Updates sinon from v19 to v21 which includes diff v9, addressing GHSA-73rr-hh4g-fpgx
(Denial of Service vulnerability in parsePatch and applyPatch).

The @heroku/mcp-server package's exports field doesn't define a main entry,
causing import.meta.resolve to fail. Updated to use a direct path to the
bin file instead. Also updated the corresponding test to match.

@eablack eablack temporarily deployed to AcceptanceTests February 6, 2026 23:07 — with GitHub Actions Inactive
@eablack eablack changed the title Eb/resolve vulnerabilities in 11.0.0 deps: resolve vulnerabilities in 11.0.0 Feb 6, 2026
@eablack eablack temporarily deployed to AcceptanceTests February 9, 2026 17:30 — with GitHub Actions Inactive
@eablack eablack changed the title deps: resolve vulnerabilities in 11.0.0 fix: resolve vulnerabilities in 11.0.0 Feb 9, 2026
@eablack eablack marked this pull request as ready for review February 9, 2026 17:42
@eablack eablack requested a review from a team as a code owner February 9, 2026 17:42
@eablack eablack temporarily deployed to AcceptanceTests February 9, 2026 18:26 — with GitHub Actions Inactive
@sbosio sbosio left a comment

LGTM!

@eablack eablack merged commit 2af5d0a into v11.0.0 Feb 9, 2026
13 checks passed
@eablack eablack deleted the eb/resolve-vulnerabilities-in-11.0.0 branch February 9, 2026 19:34
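
A lockfile check for the version floors listed in the commit messages above, as an added example that is not part of the pull request or the project's code. It assumes an npm lockfileVersion 2 or 3 `packages` map; the sample lockfile, the `example-cli` and `some-dep` names, and the function names are constructed for illustration.

```javascript
// Version floors as stated in the PR's commit messages. An advisory patched on
// more than one major line needs a range per line, which this does not model.
const FLOORS = {
  '@modelcontextprotocol/sdk': '1.26.0', // GHSA-345p-7cg4-v4c7
  'brace-expansion': '2.0.2',            // GHSA-v6h2-p8h4-qcjw
  'fast-xml-parser': '5.3.4',            // GHSA-37qj-frw5-hhjh
  'js-yaml': '4.1.1',                    // GHSA-mh29-5h37-fv8m
};

// Compare plain x.y.z versions; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile "packages" map. Keys are install paths, so nested copies
// (node_modules/a/node_modules/b) are checked as well as top-level ones.
function findBelowFloor(lock, floors = FLOORS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !entry.version) continue; // root project or link entry
    const name = path.slice(idx + 'node_modules/'.length);
    const floor = floors[name];
    if (floor && compareVersions(entry.version, floor) < 0) {
      findings.push({ path, name, installed: entry.version, floor });
    }
  }
  return findings;
}

// Constructed sample: top-level js-yaml is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-cli', version: '11.0.0' },
    'node_modules/@modelcontextprotocol/sdk': { version: '1.26.0' },
    'node_modules/js-yaml': { version: '4.1.1' },
    'node_modules/some-dep/node_modules/js-yaml': { version: '4.1.0' },
    'node_modules/fast-xml-parser': { version: '5.3.3' },
  },
};

for (const f of findBelowFloor(sampleLock)) console.log(`${f.path}: ${f.installed} < ${f.floor}`);
```

Running it against a real `package-lock.json` (parsed with `JSON.parse`) surfaces transitive copies that stay below a floor after the top-level dependency has been bumped.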