Skip to content

iris-eval/mcp-server

v0.4.4 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 12h MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

agent-evaluation ai-agent claude eval evaluation llm
+6 more
mcp mcp-server model-context-protocol observability security distributed-tracing

ReleasePort's take

Light signal
editorial:auto 10h

Version v0.4.4 restores npm publishing that was blocked in v0.4.3 due to an expired NPM_TOKEN, and deprecates `cosign-installer` flags used in SBOM signing.

Why it matters: Restoring npm publish enables distribution of the package; deprecating --output-signature/--output-certificate breaks existing SBOM workflows requiring immediate adjustment.

Summary

AI summary

v0.4.4 completes v0.4.3's distribution across npm, Docker, and MCP Registry.

Changes in this release

Dependency Low

Deprecates `cosign-installer` v4 flags `--output-signature` and `--output-certificate`, breaking SBOM signing step.

Deprecates `cosign-installer` v4 flags `--output-signature` and `--output-certificate`, breaking SBOM signing step.

Source: llm_adapter@2026-06-13

Confidence: high
Bugfix Medium

Restores npm publishing after failed v0.4.3 publish due to expired NPM_TOKEN.

Restores npm publishing after failed v0.4.3 publish due to expired NPM_TOKEN.

Source: llm_adapter@2026-06-13

Confidence: high
Full changelog

Recovery release completing v0.4.3's distribution. v0.4.3 shipped to Docker + the GitHub Release, but its npm publish silently failed (expired NPM_TOKEN → E404, swallowed by the pre-#176 step), so npm + the MCP Registry stalled at 0.4.2. v0.4.4 carries all v0.4.3 runtime content forward — no runtime code changes vs 0.4.3 — and is published over the new OIDC Trusted Publishing path (no NPM_TOKEN). See CHANGELOG.

  • npm: @iris-eval/[email protected] (@latest), provenance-attested via OIDC Trusted Publishing.
  • Docker: ghcr.io/iris-eval/mcp-server:0.4.4 + :latest, cosign keyless-signed.
  • MCP Registry: io.github.iris-eval/[email protected] (isLatest).
  • SBOMs: npm + Docker SPDX attached below.

Note: the SBOM cosign sign-blob .sig/.pem companions are absent on this release — the cosign-installer v4 bump deprecated the --output-signature/--output-certificate flags, breaking the signing step. Fix tracked separately; restored in the next release. The Docker image signature and npm provenance attestation are unaffected.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track iris-eval/mcp-server

Get notified when new releases ship.

Sign up free

About iris-eval/mcp-server

MCP-native agent evaluation and observability server with trace logging, output quality evaluation, cost tracking, 12 built-in eval rules, real-time dashboard, and PII detection.

All releases →

Related context

Beta — feedback welcome: [email protected]