This release adds 3 notable features for engineering teams evaluating rollout.
Published 28d
MCP Developer Tools
✓ No known CVEs patched
✓ No known CVEs patched in this version
Topics
agent-evaluation
ai-agent
claude
eval
evaluation
llm
+6 more
mcp
mcp-server
model-context-protocol
observability
security
distributed-tracing
Summary
AI summaryMinor fixes and improvements.
Full changelog
Supply-chain transparency
- SBOMs:
iris-npm-sbom.spdx.json+iris-docker-sbom.spdx.json(attached below). Both are SPDX 2.3 JSON, cover direct + transitive dependencies. - npm provenance: published with
--provenance(verifiable vianpm audit signaturesor on the package page). - Docker signature: image signed with cosign keyless (Sigstore). Verify with:
cosign verify ghcr.io/iris-eval/mcp-server:v0.4.2 \ --certificate-identity-regexp='https://github.com/iris-eval/mcp-server' \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' - Build attestation: both the npm SBOM and Docker image manifest carry GitHub-signed build-provenance attestations. Inspect with
gh attestation verifyorcosign verify-attestation.
What's Changed
- chore(release): v0.4.2 — recovery release for v0.4.1 Docker-publish failure by @irparent in https://github.com/iris-eval/mcp-server/pull/143
Full Changelog: https://github.com/iris-eval/mcp-server/compare/v0.4.1...v0.4.2
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About iris-eval/mcp-server
MCP-native agent evaluation and observability server with trace logging, output quality evaluation, cost tracking, 12 built-in eval rules, real-time dashboard, and PII detection.
Related context
Beta — feedback welcome: [email protected]