Skip to content

r33drichards/mcp-js

v0.5.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

javascript mcp mcp-server

Affected surfaces

rce_ssrf

Summary

AI summary

Fixes a critical security bypass in the op_print operation.

Full changelog

What's Changed

  • Add local Rego policy evaluation and policy chain composition by @r33drichards in https://github.com/r33drichards/mcp-js/pull/81
  • Refactor execute_stateless/execute_stateful to use ExecutionConfig builder by @r33drichards in https://github.com/r33drichards/mcp-js/pull/84
  • Add OPA/Rego-gated filesystem access by @r33drichards in https://github.com/r33drichards/mcp-js/pull/85
  • Add policy-gated filesystem access with Rego policy evaluation by @r33drichards in https://github.com/r33drichards/mcp-js/pull/87
  • Add comprehensive fuzzing targets for filesystem, fetch, and module operations by @r33drichards in https://github.com/r33drichards/mcp-js/pull/90
  • Support top-level await in JavaScript execution by @r33drichards in https://github.com/r33drichards/mcp-js/pull/89
  • Neutralize dangerous deno_core ops (op_panic, print) by @r33drichards in https://github.com/r33drichards/mcp-js/pull/92
  • Add MCP client support for programmatic tool calling from JS by @r33drichards in https://github.com/r33drichards/mcp-js/pull/93
  • Fix sandbox_ops tests for module-only execution by @r33drichards in https://github.com/r33drichards/mcp-js/pull/94
  • Add OPA policy support for MCP tool calls by @r33drichards in https://github.com/r33drichards/mcp-js/pull/95
  • Fix critical op_print neutralization bypass via prototype chain by @r33drichards in https://github.com/r33drichards/mcp-js/pull/97

Full Changelog: https://github.com/r33drichards/mcp-js/compare/v0.4.0...v0.5.0

Security Fixes

  • Fix critical op_print neutralization bypass via prototype chain
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track r33drichards/mcp-js

Get notified when new releases ship.

Sign up free

About r33drichards/mcp-js

A Javascript code execution sandbox that uses v8 to isolate code to run AI generated javascript locally without fear. Supports heap snapshotting for persistent sessions.

All releases →

Related context

Earlier breaking changes

  • v0.11.0 Switch license from ISC to GNU Affero General Public License v3

Beta — feedback welcome: [email protected]