
This release includes 1 security-related change of interest to teams reviewing exposed deployments: a token-handling recommendation, not a vulnerability patch.

Published 1mo ago · MCP Security & Auth
✓ No known CVEs patched

Topics

changelog, cve, dependabot, dependency-management, mcp, model-context-protocol, npm, pypi, security, typescript

Affected surfaces

auth

Summary (AI-generated)

Adds a GitHub CLI (`gh auth token`) fallback for GITHUB_TOKEN and fixes GitHub repo URL extraction for repo names that contain dots or dashes.

Full changelog

Added

  • GITHUB_TOKEN resolution falls back to `gh auth token` when the env var is unset. Users who are logged in with the GitHub CLI get the authenticated API rate limit without putting a plaintext token in their MCP config. A stderr log line reports which source was used (env, gh, or anonymous); the token value itself is never logged.
  • Broader breaking-change detection. In addition to excerpts from a "## Breaking Changes" section, the analyzer now surfaces high-signal bullet patterns anywhere in release bodies: "- Removed X", "- No longer Y", "- Now requires Z", "- Dropped support for…", "- Deprecated…", "- Renamed…", "- Changed behavior of…", "- Minimum Node/Python version…". Breaking-change output is tagged (section) or (bullets) so the reader can see where each finding came from.
  • releaseExcerpts field. When a major or minor bump has no detected breaking changes, the response now includes up to five excerpts (title + first 500 chars of body) from the most recent releases in the range. Gives the LLM raw material when release notes are thin.
  • Direct-tag release lookup for the target version. If the toVersion release isn't in the recent 500 releases (common for fast-moving projects like Next.js that publish 50+ canaries monthly), the analyzer falls back to /releases/tags/{tag} with common tag-format candidates (v1.2.3, 1.2.3, {repo}-1.2.3).
  • Claude Code install section in README covering claude mcp add scopes and the --env flag placement.
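The token-resolution order described above (GITHUB_TOKEN, then `gh auth token`, then anonymous) and the "log the source, never the token" rule, as an added example. This is not the project's own code; the function names, the injectable `ghToken`/`log` parameters (used so the resolver can be exercised without a real `gh` binary), and the header set are assumptions. The only real external call is `gh auth token`, which prints the token for the current host on stdout.

```typescript
// Added example (not the project's own code): resolve a GitHub token from
// GITHUB_TOKEN, then from `gh auth token`, else run anonymously, and report
// only the *source* on stderr, never the token itself.
import { execFileSync } from "node:child_process";

export type TokenSource = "env" | "gh" | "anonymous";

export interface ResolvedToken {
  token: string | null;
  source: TokenSource;
}

// Runs `gh auth token` and returns the trimmed token, or null when gh is not
// installed, not authenticated, or prints nothing. gh's own stderr is
// discarded so nothing token-shaped can leak into our stream.
export function ghAuthToken(): string | null {
  try {
    const out = execFileSync("gh", ["auth", "token"], {
      encoding: "utf8",
      stdio: ["ignore", "pipe", "ignore"],
      timeout: 5000,
    }).trim();
    return out.length > 0 ? out : null;
  } catch {
    return null;
  }
}

// `env`, `ghToken` and `log` are injectable (assumption for testability);
// defaults use the real process environment, the real gh CLI and stderr.
export function resolveGitHubToken(
  env: Record<string, string | undefined> = process.env,
  ghToken: () => string | null = ghAuthToken,
  log: (line: string) => void = (line) => process.stderr.write(line + "\n"),
): ResolvedToken {
  const fromEnv = env.GITHUB_TOKEN?.trim();
  if (fromEnv) {
    log("github auth: using GITHUB_TOKEN from environment");
    return { token: fromEnv, source: "env" };
  }
  const fromGh = ghToken();
  if (fromGh) {
    log("github auth: using token from `gh auth token`");
    return { token: fromGh, source: "gh" };
  }
  log("github auth: no token found, using anonymous access (low rate limit)");
  return { token: null, source: "anonymous" };
}

// Builds request headers; the token appears only here, in the outgoing
// Authorization header, never in logs or in the tool's response payload.
export function authHeaders(resolved: ResolvedToken): Record<string, string> {
  const headers: Record<string, string> = {
    Accept: "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
  };
  if (resolved.token) headers.Authorization = `Bearer ${resolved.token}`;
  return headers;
}

// Stand-alone usage: prints only the chosen source, e.g. "source: gh".
const resolved = resolveGitHubToken();
process.stderr.write(`source: ${resolved.source}\n`);
```

The injectable `log` makes the "token never written to stderr" property testable: capture the log lines and assert none of them contain the token string.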

Fixed

  • GitHub repo URL extraction for packages whose repo names contain dots or dashes (e.g. vercel/next.js, nodejs/node, lodash-es). Previously the regex stopped at the first dot and emitted vercel/next instead of vercel/next.js.
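The dots-and-dashes fix above, together with the direct-tag lookup candidates from the Added section (v1.2.3, 1.2.3, {repo}-1.2.3), as an added example. It is not the project's code: the "buggy" matcher is an illustrative reconstruction of the bug class described (a `\w`-based character class stops at the first "."), not the project's exact prior regex, and the function names and accepted URL forms are assumptions. Sample inputs are constructed.

```typescript
// Added example (not the project's own code): pull "owner/repo" out of the
// repository URL forms found in npm package.json "repository" fields and
// PyPI project_urls, keeping dots and dashes in repo names, then build the
// tag candidates for a direct /releases/tags/{tag} lookup.

// Illustrative reconstruction of the pre-fix bug class: \w is [A-Za-z0-9_],
// so the repo match stops at the first "." and "vercel/next.js" becomes
// "vercel/next". Assumption: not the project's actual prior regex.
const BUGGY_RE = /github\.com\/([\w-]+)\/([\w-]+)/;

export function extractGitHubRepoBuggy(url: string): string | null {
  const m = BUGGY_RE.exec(url);
  return m ? `${m[1]}/${m[2]}` : null;
}

// Fixed matcher: owner and repo segments may contain letters, digits, "_",
// "-" and "."; the repo segment ends at "/", "#", "?", whitespace or end of
// string. Handles https, git+https, git://, ssh (git@github.com:owner/repo.git)
// plus the npm shorthands "github:owner/repo" and bare "owner/repo".
const GITHUB_URL_RE = /github\.com[/:]([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)/i;
const SHORTHAND_RE = /^(?:github:)?([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/;

export function extractGitHubRepo(url: string): string | null {
  const s = url.trim();
  // Shorthands have no scheme or user part; anything with "://" or "@" that
  // is not github.com (gitlab, bitbucket, ...) must return null, not a guess.
  const m =
    GITHUB_URL_RE.exec(s) ??
    (s.includes("://") || s.includes("@") ? null : SHORTHAND_RE.exec(s));
  if (!m) return null;
  const owner = m[1];
  // Strip only a trailing ".git"; every other dot is part of the name.
  const repo = m[2].replace(/\.git$/i, "");
  return owner && repo ? `${owner}/${repo}` : null;
}

// Tag formats tried, in order, when the target version's release is not in
// the recent-releases page: v1.2.3, 1.2.3 and {repo}-1.2.3.
export function tagCandidates(repo: string, version: string): string[] {
  const v = version.replace(/^v/i, "");
  return [`v${v}`, v, `${repo}-${v}`];
}

export function releaseTagUrls(ownerRepo: string, version: string): string[] {
  const repo = ownerRepo.split("/")[1] ?? ownerRepo;
  return tagCandidates(repo, version).map(
    (t) => `https://api.github.com/repos/${ownerRepo}/releases/tags/${encodeURIComponent(t)}`,
  );
}

// Stand-alone usage on constructed inputs; prints "vercel/next" for the
// buggy matcher and "vercel/next.js" for the fixed one.
const sample = "git+https://github.com/vercel/next.js.git";
console.log(extractGitHubRepoBuggy(sample), extractGitHubRepo(sample));
```

Note the deliberate null for non-GitHub hosts: silently mapping a GitLab URL onto api.github.com would fetch release notes for whatever unrelated repository happens to share the owner/name, which is worse than reporting "no GitHub repo found".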

Changed

  • Package description updated to match the tagline "translates a lockfile diff into a human-readable upgrade plan."
  • README documents least-privilege token scope (fine-grained, public repo read only), rotation guidance, and an explicit warning against pasting tokens into AI chats.

Security

  • Recommends gh CLI over plaintext config tokens where possible.
  • Clarifies the server never writes the token to stdout/stderr or the response payload.




About DigiCatalyst-Systems/dep-diff-mcp

Translates a lockfile diff (npm, PyPI) into a human-readable upgrade plan. Point it at a Dependabot PR and get back semver classification, breaking changes from GitHub release notes, CVEs fixed in range, migration links, and a per-package recommendation. The bulk tool ranks up to 50 changes by risk (security > caution > review > likely-safe > safe).


Beta — feedback welcome: [email protected]