ianaleck/harvest-mcp-server

v0.1.8 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

harvest harvest-api-v2 mcp model-context-protocol time-tracking

Affected surfaces

deps

Summary

AI summary

Security fixes and dependency upgrades addressing ReDoS, data leak, DNS rebinding, and DoS issues.

Full changelog

Security

  • Upgrade @modelcontextprotocol/sdk to ^1.27.1 (fixes ReDoS, cross-client data leak, DNS rebinding vulnerabilities)
  • Upgrade axios to ^1.13.6 (fixes DoS via __proto__ in mergeConfig)
  • Upgrade express to ^5.2.1 (fixes qs/body-parser DoS chain)
  • Remove exactOptionalPropertyTypes from tsconfig to resolve SDK type incompatibility

About ianaleck/harvest-mcp-server

Harvest time tracking integration with 40+ tools for managing time entries, projects, clients, tasks, and generating time reports via the Harvest API v2
