Skip to content

n24q02m/better-godot-mcp

v1.2.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

ai-agents ai-coding claude claude-code cursor docker
+7 more
gdscript godot godot-engine mcp mcp-server model-context-protocol typescript

Affected surfaces

rce_ssrf

Summary

AI summary

Prevent command injection in headless execution.

Full changelog

v1.2.1 (2026-03-01)

Bug Fixes

  • Add coverage tests for config, navigation, tilemap, editor, scripts, input-map, ui (9048c28)

  • Add missing godotVersion to GodotConfig in benchmark script (f573321)

  • Delete .vscode directory (7753e73)

  • Regex injection in scene parser node renaming (fff1889)

  • Remove stray package-lock.json (project uses bun) (c1ded6c)

  • Replace catch(error: any) with unknown + type guard in shader and signals (f7f24b4)

  • Resolve TS2345 error in scenes tool validation (d6a0c95)

  • Use bun run test (vitest) instead of bun test (bun native runner) (3c17fd0)

  • deps: Update non-major dependencies (ecdfcd4)

  • input-map: Sanitize action_name to prevent configuration injection (2b1dd09)

  • security: Prevent command injection in headless execution (ced96b6)

  • security: Prevent command injection in headless execution (e60a041)

  • windows: Replace bunx with bun x for cross-platform compatibility (189996b)

Chores

  • Fix biome lint warnings (0d7ef92)

  • Remove helper scripts (ea67cbd)

  • config: Migrate config renovate.json (8ea1fa4)

  • deps: Pin dependencies (9a49fd3)

  • deps: Update actions/checkout action to v6 (9c96c46)

Performance Improvements

  • Make editor process check async (non-blocking) (066fbb3)

  • Optimize findScriptFiles recursion to reduce allocations (d8325d0)

  • Optimize resource listing by reusing stat results (d18aea1)

  • Optimize scene parser by avoiding split and regex per line (cbd5a86)

  • Replace blocking readFileSync with async readFile in parseTscnFile (0658435)

  • Use async file I/O for project settings and project tool (516146b)

  • shader: Async file ops & optimize traversal (b890957)

Refactoring

  • Consolidate argument validation in scenes tool (ef37944)

  • Use shared scene-parser in nodes tool (eb250b1)

Testing

  • Add project tool tests (85656bf)

  • Add project tool tests (6420371)

  • Add tests for handleHelp tool (d81aca6)

  • Add tests for handleHelp tool (c36ed3a)

  • Add tests for physics tool (22bdbcc)

  • Add unit tests for security.ts wrapToolResult (b3e4052)

  • Add unit tests for security.ts wrapToolResult (df52f80)

  • Improve error handling coverage for node removal (805f08b)

  • composite: Add integration tests for handleAnimation tool (76af0c9)

Detailed Changes: v1.2.0...v1.2.1

Security Fixes

  • Prevent command injection in headless execution (addressed by commits ced96b6 and e60a041)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track n24q02m/better-godot-mcp

Get notified when new releases ship.

Sign up free

About n24q02m/better-godot-mcp

18 composite tools for structured Godot 4.x interaction: scenes, nodes, GDScript, shaders, animation, tilemap, physics, audio, navigation, UI, input mapping, and signals.

All releases →

Related context

Beta — feedback welcome: [email protected]