This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
+14 more
Affected surfaces
Summary
AI summaryBumped transitive dependency qs from 6.15.0 to 6.15.2 to close a Dependabot security alert.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High |
Bumped transitive `qs` from 6.15.0 to 6.15.2 via `npm audit fix`. Bumped transitive `qs` from 6.15.0 to 6.15.2 via `npm audit fix`. Source: llm_adapter@2026-05-26 Confidence: high |
— |
Full changelog
Security
- Bumped transitive
qs6.15.0 → 6.15.2 vianpm audit fixto close Dependabot alert #18.
qs ships with Express (pulled in by @modelcontextprotocol/sdk for the HTTP control surface). qs.stringify would crash with a TypeError on null/undefined entries inside comma-format arrays when encodeValuesOnly: true. safari-mcp does not set that option, so this was not exploitable in our code path, but the upgrade clears the alert and any downstream user that does set it. No API changes.
Full diff: https://github.com/achiya-automation/safari-mcp/compare/v2.11.5...v2.11.6
Security Fixes
- Deprecation of vulnerable qs 6.15.0 → upgrade to 6.15.2 closes Dependabot alert #18
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About achiya-automation/safari-mcp
Native Safari browser automation for AI agents with 80+ tools. No Chrome dependency, optimized for Apple Silicon with 60% less CPU overhead.
Related context
Related tools
Earlier breaking changes
- v2.10.5 npm audit gate now fails build on high or critical advisories.
Beta — feedback welcome: [email protected]