n24q02m/better-godot-mcp

v1.13.0 Security

This release includes 3 security fixes of interest to security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

ai-agents ai-coding claude claude-code cursor docker gdscript godot godot-engine mcp mcp-server model-context-protocol typescript

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Sanitize signal connection parameters to prevent scene file injection.

Full changelog

v1.13.0 (2026-04-19)

Bug Fixes

  • Apply biome format across test files for CI parity (#517, bf33be0)

  • Bump mcp-core to 1.3.0 (#518, ed156b2)

  • Bump n24q02m-mcp-core to 1.4.0 (#523, f8e6b14)

  • Fix strict type checks for readdirSync mock (#490, 53a23da)

  • Refactor handleNodes into specialized handlers (#499, 0d0ba04)

  • Sanitize signal connection parameters to prevent scene file injection (#498, 97654de)

  • Trigger CI re-run after detector test fix (#517, bf33be0)

  • Untrack .jules + docs/superpowers AI traces from public repo (6556c63)

  • Update test mocks for fstatSync after chunked-scan refactor (#517, bf33be0)

  • detector: FstatSync, fix test mocks, add preview/beta binary names and paths (#487, 2d837b9)

  • detector: Skip signature heuristic for explicit paths, add overlap to chunked scan (#487, 2d837b9)

  • helpers: Refactor parseSceneContent for better maintainability (#508, 84184d9)

  • physics: [SECURITY] prevent scene file injection via physics properties (#493, 778c8cd)

  • security: Prevent argument injection in Godot CLI execution (#504, b1cd0a6)

Chores

  • deps: Lock file maintenance (#519, 8127085)

  • deps: Lock file maintenance (#515, e6210f3)

  • deps: Update actions/create-github-app-token digest to 1b10c78 (#513, d612d95)

  • deps: Update step-security/harden-runner digest to 6c3c2f2 (#514, 320d91c)

Features

  • Add MCP protocol E2E tests for stdio and HTTP transports (87404c3)

  • Add setup_* no-op actions to config tool for 7-repo parity (#517, bf33be0)

  • detector: Add head/tail fast path before full chunked scan (#487, 2d837b9)

Performance Improvements

  • Optimize split('\n') allocations in project and project-settings (#503, bfc3777)

Refactoring

  • Replace hardcoded Godot object strings with serializeGodotObject helper (#489, 9f9e168)

Testing

  • Add unit tests for launchGodotEditor and runGodotProject (#507, 3204efc)

  • godot: Add coverage for tryGetVersion and isLikelyGodotBinary (#501, 167c301)


Detailed Changes: v1.12.2...v1.13.0

Security Fixes

  • [#498] Sanitize signal connection parameters to prevent scene file injection
  • [#493] Prevent scene file injection via physics properties
  • [#504] Prevent argument injection in Godot CLI execution

About n24q02m/better-godot-mcp

18 composite tools for structured Godot 4.x interaction: scenes, nodes, GDScript, shaders, animation, tilemap, physics, audio, navigation, UI, input mapping, and signals.