
rps321321/obsidian-mcp-pro

v1.8.2 Security

This release includes 2 security fixes relevant to teams reviewing exposed deployments.

Published 28 days ago · MCP Developer Tools
✓ No known CVEs patched

Affected surfaces

auth, rbac

Summary

AI summary

Concurrency lock added to rename_tag and other bulk writers prevents cross‑tool TOCTOU failures.

Full changelog

Deeper-dive audit pass on top of 1.8.1. Concurrency, correctness, and info-leak hardening; 11 audit findings fixed; npm audit now clean.

Concurrency / correctness

  • rename_tag (and other vault-wide bulk writers) now hold the same rewrite lock as move_note / delete_note. Closes a cross-tool TOCTOU where running tag-rename concurrently with a move could surface "content changed during move" failures and leave stale links. Lock key is exported so future bulk writers can serialize against the rewrite path. Regression test runs both tools in parallel and asserts no failed referrers.
  • applyRewrites retries failed edits via content search. When bytes shift between plan and apply (Obsidian sync, text editor, concurrent rename_tag), the apply step searches the current content for the planned expected substring. If it appears exactly once, the edit splices at the new position. If missing or ambiguous, the failure is still surfaced rather than corrupting the file.
  • planMoveRewrites and planDeleteRewrites now read each note exactly once. Previous two-pass implementation doubled I/O on rename / delete operations across large vaults.
  • CommonMark fenced-code indentation now matches the spec (max 3 spaces). The previous regex used line.trimStart(), accepting arbitrary leading whitespace before a closing fence. A note with 4-space-indented backticks inside a code block could prematurely close the fence and expose subsequent content (containing wikilinks) to rewriting.
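To make the fence-indentation item concrete, here is an added example (not obsidian-mcp-pro's code) that collects the wikilinks a bulk rewriter would treat as live, i.e. outside fenced code, and compares the permissive matcher the changelog describes (trimStart before testing for backticks) against the CommonMark rule that a fence line may be indented by at most 3 spaces. Fence length and fence-character matching are left out to keep the tracker short; the sample note is constructed.

```javascript
// Added example (not obsidian-mcp-pro's code): a simplified fence tracker that
// reports which wikilinks sit outside fenced code blocks, under two fence
// matchers. Fence length / fence character matching are deliberately omitted.

// Permissive: any amount of leading whitespace is stripped before matching.
function isFencePermissive(line) {
  return /^`{3,}/.test(line.trimStart());
}

// CommonMark: 0 to 3 spaces of indentation; 4 or more means this is not a fence.
function isFenceSpec(line) {
  return /^ {0,3}`{3,}/.test(line);
}

const WIKILINK = /\[\[([^\]|#]+)(?:[#|][^\]]*)?\]\]/g;

// Returns wikilink targets found outside fenced code, using the chosen matcher.
function linksOutsideFences(note, { permissive = false } = {}) {
  const isFence = permissive ? isFencePermissive : isFenceSpec;
  const links = [];
  let inFence = false;
  for (const line of note.split('\n')) {
    if (isFence(line)) {
      inFence = !inFence;
      continue;
    }
    if (inFence) continue;
    for (const m of line.matchAll(WIKILINK)) links.push(m[1]);
  }
  return links;
}

// Constructed sample note: the 4-space-indented backticks on the fourth line are
// content of the code block per CommonMark, not a closing fence.
const SAMPLE_NOTE = [
  'See [[Daily Plan]] for context.',
  '```',
  'how to show a nested fence inside a code sample:',
  '    ```',
  '[[Secret Draft]] must stay untouched by rewriters',
  '```',
  'Back in prose: [[Public Note]].',
].join('\n');

// Spec matcher: only the two links in prose are live.
console.log(linksOutsideFences(SAMPLE_NOTE));
// → [ 'Daily Plan', 'Public Note' ]

// Permissive matcher: the fence closes early and [[Secret Draft]] is exposed.
console.log(linksOutsideFences(SAMPLE_NOTE, { permissive: true }));
// → [ 'Daily Plan', 'Secret Draft' ]
```

The difference between the two outputs is exactly the exposure described in the changelog: with the permissive matcher, everything after the indented backticks is treated as prose, so a link inside the code block becomes a rewrite target.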
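The applyRewrites retry path above, as an added example that is not the project's own implementation: a planned edit carries the offset and the text expected at that offset; if the bytes have shifted since planning, the current content is searched for the expected substring and the edit is spliced only when that substring occurs exactly once. The plan and the sample contents are constructed.

```javascript
// Added example (not the project's applyRewrites): apply a planned edit whose
// offset was computed at plan time. If the bytes at that offset no longer match
// the planned text, search the current content for the expected substring and
// splice only if it occurs exactly once; otherwise surface the failure instead
// of editing the wrong place.
function applyEdit(content, edit) {
  const { offset, expected, replacement } = edit;
  let at = offset;
  if (content.slice(offset, offset + expected.length) !== expected) {
    const first = content.indexOf(expected);
    if (first === -1) {
      return { ok: false, reason: 'expected text not found', content };
    }
    if (content.indexOf(expected, first + 1) !== -1) {
      return { ok: false, reason: 'expected text occurs more than once', content };
    }
    at = first;
  }
  const next = content.slice(0, at) + replacement + content.slice(at + expected.length);
  return { ok: true, retried: at !== offset, content: next };
}

// Apply a batch of edits; stop at the first failure and return the ORIGINAL
// content so the caller leaves the note untouched rather than half-rewritten.
// Shifts caused by earlier edits in the same batch are absorbed by the retry path.
function applyRewrites(content, edits) {
  let current = content;
  for (let i = 0; i < edits.length; i++) {
    const result = applyEdit(current, edits[i]);
    if (!result.ok) return { ok: false, failedIndex: i, reason: result.reason, content };
    current = result.content;
  }
  return { ok: true, content: current };
}

// Constructed plan: the edit was planned against content where the link sat at offset 8.
const PLANNED_EDIT = { offset: 8, expected: '[[Old Note]]', replacement: '[[New Note]]' };
const UNCHANGED = 'Link to [[Old Note]] here.';
const SHIFTED = '# Title\n' + UNCHANGED;           // a heading was inserted after planning
const AMBIGUOUS = 'x [[Old Note]] y [[Old Note]]';  // two candidates: refuse to guess

console.log(applyEdit(UNCHANGED, PLANNED_EDIT));   // ok, retried: false
console.log(applyEdit(SHIFTED, PLANNED_EDIT));     // ok, retried: true
console.log(applyEdit(AMBIGUOUS, PLANNED_EDIT));   // ok: false, occurs more than once
console.log(applyRewrites('no link here', [PLANNED_EDIT])); // ok: false, failedIndex 0
```

The ambiguity check is what keeps the retry from becoming a corruption path: a rewriter that picks the first match when a vault contains repeated link text would silently edit the wrong occurrence.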

Info-leak / hardening

  • /health no longer leaks the live session count to unauthenticated callers when a Bearer token is configured. Status + version stay public for monitoring; sessions is dropped in authenticated deployments. Local-only setups (no token) still see sessions.
  • constantTimeEqual is fully length-safe. Both inputs are padded to a fixed comparison width before timingSafeEqual, so the call duration is the same whether or not lengths match. The length check is recorded separately and combined with the byte compare without an early exit, closing the timing-side-channel that previously leaked the expected token's length.
  • runInstall.vaultName is validated for control characters. The CLI path was safe; the public API used to accept null bytes / newlines that could corrupt the downstream Claude Desktop / Cursor JSON env handling.

Smaller fixes

  • resolveWikilink path-suffix match applies the same proximity tie-break as basename match. When two notes shared a path-suffix (case-only collision or symlinked subtree), the previous implementation returned whichever appeared first in listNotes order rather than the one nearest the linking note.
  • extractMarkdownLinkSpans matches CommonMark-escaped ] in link labels. A hand-edited link like [foo\]bar](x.md) was previously skipped during a move rewrite.
  • canvasesToRewrite is built from mapConcurrent's return value instead of a shared mutable array. Currently safe (Node is single-threaded), but a latent footgun if the helper ever moves to worker_threads.
  • runInstall surfaces the backup path when writeConfig fails, so users no longer have to hunt for the .bak.<timestamp> file themselves.

Tooling

  • npm audit clean. Resolved 4 moderate-severity advisories in transitive devDependencies (hono, postcss, ip-address, express-rate-limit, all reached through vitest). Production deps were already clean.

Tests

  • 449 passing (was 444). New regression coverage for the rename_tag concurrency lock, /health bearer-mode session-count omission, and the bytes-shifted retry path in applyRewrites.

Install or upgrade

npx -y obsidian-mcp-pro@1.8.2 install

Or pin in your MCP client config:

{
  "mcpServers": {
    "obsidian": {
      "command": "npx",
      "args": ["-y", "obsidian-mcp-pro@1.8.2"]
    }
  }
}

Full changelog: CHANGELOG.md

Security Fixes

  • `constantTimeEqual` now length‑safe, eliminating timing side‑channel that leaked expected token length
  • `runInstall.vaultName` validated for control characters, preventing JSON env corruption


About rps321321/obsidian-mcp-pro

Feature-complete Obsidian vault MCP server with 23 tools and 3 resources. Full-text search, note CRUD, frontmatter queries, tag management, backlinks, graph traversal (BFS up to 5 hops), orphan/broken link detection, and canvas support. Auto-detects vault, path traversal protection, MIT licensed.
