
overpod/mcp-telegram

v1.36.2 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

Published 24d MCP SaaS Integrations

Topics

ai-tools, claude, gramjs, mcp, mcp-server, model-context-protocol, mtproto, telegram, typescript, userbot

Affected surfaces

deps

Summary

AI summary

Security patches applied to transitive dependencies, addressing multiple advisories.

Full changelog

What's Changed

Dependency Updates (no behavioral changes, no API surface changes)

  • @biomejs/biome ^2.4.14 → ^2.4.15 (devDependency, lint/format only)
  • biome.json schema bumped to 2.4.15 via biome migrate --write

Security — Transitive Patch Wave

npm audit fix resolved 9 of 12 advisories pulled in via the @modelcontextprotocol/sdk dependency tree:

| Package | From | To | Advisory |
|---|---|---|---|
| hono | 4.12.9 | 4.12.18 | CSS injection in JSX SSR, JWT NumericDate, Cache Vary header, body-limit bypass, IPv4-mapped IPv6 in ipRestriction() |
| fast-uri | 3.1.0 | 3.1.2 | Host confusion via percent-encoded authority delimiters; path traversal via percent-encoded dot segments |
| ip-address | 10.1.0 | 10.2.0 | XSS in Address6 HTML-emitting methods |
| @hono/node-server | 1.19.11 | 1.19.14 | Middleware bypass via repeated slashes in serveStatic |
| express-rate-limit | 8.3.1 | 8.5.1 | Bumped alongside ip-address |

The 3 remaining moderate advisories live in vitepress → vite → esbuild (docs site only, devDependency) with no upstream fix available.
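A transitive bump like the one above only protects a deployment if every installed copy of the package moved, including copies nested under `node_modules/` inside the SDK tree. The following script is an added example for verifying that, not code from the overpod/mcp-telegram project: it walks a lockfile v2/v3 `packages` map and reports any copy of the five packages from the table that is still below the patched minimum. The embedded lockfile is constructed for illustration; only the package names and minimum versions come from the release table.

```javascript
// Added example (not from the overpod/mcp-telegram release or code base):
// check a package-lock.json for installed copies of the packages patched in
// this release that are still below the fixed version.

// Minimum versions from the release table (package -> first fixed version).
const PATCHED = {
  "hono": "4.12.18",
  "fast-uri": "3.1.2",
  "ip-address": "10.2.0",
  "@hono/node-server": "1.19.14",
  "express-rate-limit": "8.5.1",
};

// Compare two dotted numeric versions. Returns -1, 0 or 1.
// Pre-release tags are not handled; the release versions above do not use them.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Derive the package name from a lockfile "packages" key such as
// "node_modules/@modelcontextprotocol/sdk/node_modules/hono" -> "hono".
// Scoped names ("@hono/node-server") keep their scope.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every installed copy (npm can install the same package more than once
// when versions conflict) and collect copies below the patched minimum.
function findUnpatched(lockfile, patched = PATCHED) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages ?? {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const min = patched[name];
    if (!min || !entry.version) continue;
    if (compareVersions(entry.version, min) < 0) {
      findings.push({ path: lockPath, name, installed: entry.version, minimum: min });
    }
  }
  return findings;
}

// Render findings as one line per unpatched copy.
function formatFindings(findings) {
  return findings.map((f) => `${f.path}: ${f.name}@${f.installed} < ${f.minimum}`);
}

// Constructed lockfile (assumption, not a real project's lockfile): the
// top-level hono is patched, but a nested copy under the SDK tree is not,
// and ip-address was never bumped.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.0" },
    "node_modules/hono": { version: "4.12.18" },
    "node_modules/@modelcontextprotocol/sdk": { version: "0.0.0-example" },
    "node_modules/@modelcontextprotocol/sdk/node_modules/hono": { version: "4.12.9" },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/ip-address": { version: "10.1.0" },
    "node_modules/@hono/node-server": { version: "1.19.14" },
    "node_modules/express-rate-limit": { version: "8.5.1" },
  },
};

// Run against the constructed lockfile; for a real project, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const line of formatFindings(findUnpatched(SAMPLE_LOCK))) {
  console.log(line);
}
```

The point of walking `packages` rather than grepping the lockfile for a version string is the nested copy: `npm audit fix` and `npm ls hono` both report per-path, and a deployment that only checks the top-level entry will miss a vulnerable duplicate pulled in by a pinned transitive range.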

Quality Gates

  • biome check src/
  • tsc --noEmit
  • 505/505 tests ✅

Compatibility

  • No code changes
  • No API surface changes
  • @overpod/mcp-telegram/manifest and @overpod/mcp-telegram/service exports unchanged
  • 181 tools · tier breakdown unchanged

Full Changelog: https://github.com/mcp-telegram/mcp-telegram/compare/v1.36.1...v1.36.2

Security Fixes

  • hono 4.12.9 → 4.12.18 — fixes CSS injection in JSX SSR, JWT NumericDate handling, Cache Vary header misuse, body-limit bypass, and the IPv4-mapped IPv6 issue in ipRestriction().
  • fast-uri 3.1.0 → 3.1.2 — resolves host confusion via percent-encoded authority delimiters and path traversal via percent-encoded dot segments.
  • ip-address 10.1.0 → 10.2.0 — patches XSS in Address6 HTML-emitting methods.
  • @hono/node-server 1.19.11 → 1.19.14 — prevents middleware bypass caused by repeated slashes in serveStatic.
  • express-rate-limit 8.3.1 → 8.5.1 — bumped alongside ip-address.


About overpod/mcp-telegram

Telegram MCP server via MTProto/GramJS — 20 tools for reading chats, searching messages, downloading media, managing contacts. QR code login, npx zero-install. Hosted version at mcp-telegram.com.
