
jhomen368/overseerr-mcp

v2.2.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3h MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Affected surfaces

deps

ReleasePort's take

Light signal
editorial:auto 1h

v2.2.0 replaces the legacy SSE transport with a Streamable HTTP transport and updates several dependencies to address moderate security vulnerabilities.

Why it matters: The new Streamable HTTP transport modernizes the API surface, while dependency bumps patch moderate CVEs (severity 70) in @commitlint/cli, @commitlint/config-conventional, @types/node, and hono; operators should upgrade before end‑of‑support deadlines.

Summary

AI summary

Updates [2.2.0] - 2026-06-05, deps-dev, and transitive across a mixed release.

Changes in this release

Feature Medium

Replaced legacy SSE transport with Streamable HTTP transport


Source: llm_adapter@2026-06-05

Confidence: high

Dependency High

Bumped `@commitlint/cli` to 21.0.2, `@commitlint/config-conventional` to 21.0.2, `@types/node` to 25.9.1, and patched `hono` to 4.12.23 for moderate security vulnerabilities


Source: llm_adapter@2026-06-05

Confidence: low

Dependency Medium

Bumped several dev dependencies and patched `hono` 4.12.23 to address moderate security vulnerabilities


Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Bugfix Medium

Fixed `pageInfo` always returning `undefined` in `manage_media_requests` list responses due to casing mismatch


Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Session management now returns 404 for unknown session IDs and 400 for missing session IDs


Source: llm_adapter@2026-06-05

Confidence: low

Full changelog

[2.2.0] - 2026-06-05

Added

  • Streamable HTTP transport: Replaced legacy SSE transport with the MCP Streamable HTTP transport, enabling proper multi-session support and broader client compatibility

Fixed

  • Session management: Hardened HTTP session handling — unknown session IDs now return 404, requests without a session ID return 400
  • Pagination metadata: Fixed pageInfo always returning undefined in manage_media_requests list responses due to a casing mismatch (PageInfo → pageInfo)

Changed

  • Dependencies: Bumped @commitlint/cli to 21.0.2, @commitlint/config-conventional to 21.0.2, @types/node to 25.9.1, qs (transitive); patched hono to 4.12.23 to resolve moderate security vulnerabilities (IP restriction bypass, cookie injection, JWT scheme validation, path routing)

What's Changed

  • feat(http): replace SSE with Streamable HTTP transport by @jhomen368 in https://github.com/jhomen368/overseerr-mcp/pull/109
  • npm(deps): bump qs from 6.14.2 to 6.15.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/jhomen368/overseerr-mcp/pull/104
  • npm(deps-dev): bump @types/node from 25.9.0 to 25.9.1 by @dependabot[bot] in https://github.com/jhomen368/overseerr-mcp/pull/105
  • npm(deps-dev): bump @commitlint/cli from 21.0.1 to 21.0.2 by @dependabot[bot] in https://github.com/jhomen368/overseerr-mcp/pull/107
  • npm(deps-dev): bump @commitlint/config-conventional from 21.0.1 to 21.0.2 by @dependabot[bot] in https://github.com/jhomen368/overseerr-mcp/pull/108
  • release: v2.2.0 by @jhomen368 in https://github.com/jhomen368/overseerr-mcp/pull/110

Full Changelog: https://github.com/jhomen368/overseerr-mcp/compare/v2.1.3...v2.2.0

Breaking Changes

  • Legacy SSE transport removed; all clients must use Streamable HTTP transport.

Security Fixes

  • hono patched to 4.12.23 – fixes moderate vulnerabilities (IP restriction bypass, cookie injection, JWT validation, path routing).


About jhomen368/overseerr-mcp

Integrate AI assistants with Overseerr and Seerr (the unified successor) for automated media discovery, requests, and management in Plex, Jellyfin, and Emby ecosystems.
