
cameronrye/openzim-mcp

v2.0.0b6 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 12 days ago. Category: MCP Data & Storage.

This release patches 1 known CVE.

Topics: kiwix, mcp, mcp-server, openzim, zim

Affected surfaces: deps

ReleasePort's take

Signal: light (auto-generated editorial)

The release bumps starlette from 1.0.0 to 1.0.1, fixing CVE PYSEC-2026-161.

Why it matters: Patching starlette to 1.0.1 resolves PYSEC-2026-161 (severity 50); all users of mcp[cli] and sse-starlette must update immediately, since starlette is pulled in transitively through both.

Summary

AI summary

Security update patches a new starlette CVE by bumping to version 1.0.1.

Changes in this release

Security (Medium)

Bump starlette from 1.0.0 to 1.0.1 fixing CVE PYSEC-2026-161.

Source: llm_adapter@2026-05-23

Confidence: high

Full changelog

Lockfile-only release re-rolling v2.0.0b5 after the release workflow's pip-audit security gate caught a new starlette CVE that landed between the v2.0.0b4 release and the v2.0.0b5 attempted publish.

Vulnerability

  • PYSEC-2026-161 — starlette 1.0.0 → fix in 1.0.1. Transitive dependency via `mcp[cli]` and `sse-starlette`. Bumped via `uv lock --upgrade-package starlette`.

Behavior changes

None. Code under `openzim_mcp/` and `tests/` is unchanged from the v2.0.0b5 attempt. The full post-b4 sweep (four defects, one latent defect and two audit defects; see the v2.0.0b5 section below) ships in this release.

Methodology note

The release workflow's pip-audit step at the start of "Test before release" is doing its job: it caught a fresh CVE that landed between PR-time CI (which doesn't run pip-audit) and release-time publish. The pattern matches prior CVE-driven lockfile bumps (post-a19 idna, PR #151; post-a24 pyjwt, PR #160). The v2.0.0b5 git tag exists on the repo at the aborted merge commit (385f72d); v2.0.0b6 is the released artifact.
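The gate described above is simple to reproduce outside this project's workflow. The following is an added example, not code from openzim-mcp: it parses the JSON that `pip-audit -f json` emits for an exported lockfile, blocks the publish when any dependency carries a known vulnerability, and prints the `uv lock --upgrade-package` command that the changelog used to resolve the starlette finding. The audit document is a constructed sample; the field names (`dependencies[].name`, `version`, `vulns[].id`, `fix_versions`) are assumed to match pip-audit's JSON format, and `gate_release`, `parse_findings` and `upgrade_commands` are hypothetical helper names.

```python
"""Release gate over pip-audit JSON output (added example, not project code).

Usage in a release job (assumed commands, adjust to your layout):
    uv export --format requirements-txt > requirements.lock
    pip-audit -r requirements.lock -f json > audit.json
    python release_gate.py audit.json   # exits non-zero when findings exist
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Constructed sample in the shape pip-audit -f json emits (field names assumed).
# Models the situation in the changelog: starlette 1.0.0 carrying PYSEC-2026-161.
SAMPLE_AUDIT = json.dumps({
    "dependencies": [
        {"name": "mcp", "version": "1.0.0", "vulns": []},
        {"name": "sse-starlette", "version": "1.0.0", "vulns": []},
        {"name": "starlette", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-2026-161", "fix_versions": ["1.0.1"], "aliases": [],
             "description": "constructed placeholder description"},
        ]},
    ],
    "fixes": [],
})

# Constructed sample of a clean audit: the gate must let this one through.
CLEAN_AUDIT = json.dumps({"dependencies": [{"name": "mcp", "version": "1.0.0", "vulns": []}],
                          "fixes": []})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    fix_versions: tuple[str, ...]


def parse_findings(audit_json: str) -> list[Finding]:
    """Flatten pip-audit's per-dependency vuln lists into one list of findings."""
    doc = json.loads(audit_json)
    findings: list[Finding] = []
    for dep in doc.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                vuln_id=vuln["id"],
                fix_versions=tuple(vuln.get("fix_versions", [])),
            ))
    return findings


def gate_release(audit_json: str) -> tuple[bool, list[str]]:
    """Return (ok_to_publish, report_lines).

    Policy: any finding blocks the publish, even one without a released fix,
    so an unfixable CVE is a conscious override rather than a silent pass.
    """
    findings = parse_findings(audit_json)
    report = []
    for f in findings:
        fix = ", ".join(f.fix_versions) if f.fix_versions else "no fix released"
        report.append(f"{f.vuln_id}: {f.package} {f.version} -> fix in {fix}")
    return (not findings), report


def upgrade_commands(findings: list[Finding]) -> list[str]:
    """One `uv lock --upgrade-package` per fixable package, deduplicated and sorted."""
    return sorted({f"uv lock --upgrade-package {f.package}"
                   for f in findings if f.fix_versions})


if __name__ == "__main__":
    # Read a real audit file when given one; otherwise demonstrate on the sample.
    audit = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    ok, lines = gate_release(audit)
    print("\n".join(lines) or "pip-audit: no known vulnerabilities")
    for cmd in upgrade_commands(parse_findings(audit)):
        print(f"suggested fix: {cmd}")
    sys.exit(0 if ok else 1)
```

Running the same script in PR-time CI closes the window the changelog describes, where a CVE published between a merged PR and the release run is only caught at publish time; the exit status makes it usable as a required check in either place.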


Security Fixes

  • PYSEC-2026-161 — starlette 1.0.0 vulnerable; fixed in 1.0.1 (transitive dependency via `mcp[cli]` and `sse-starlette`).


About cameronrye/openzim-mcp

Modern, secure MCP server for accessing ZIM format knowledge bases offline. Enables AI models to search and navigate Wikipedia, educational content, and other compressed knowledge archives with smart retrieval, caching, and comprehensive API.


Related context

Earlier breaking changes

  • v2.0.0a15 _attribute_sections falls back to first section when no section brackets located passage
  • v2.0.0a13 canonical-splice gate tightened to require exact path equality, fixing H2/H3 surface end-to-end behavior across all shapes.
  • v2.0.0a11 Exposed `content_offset` as top-level `zim_query` parameter, validated >=0, threaded through options.
  • v2.0.0a10 `get article M/<key>` now returns ZIM metadata entry rather than aliased C-namespace article body.
  • v2.0.0a10 `metadata for <file>` returns concise metadata strings instead of full article bodies for new-scheme archives.
