SimplyLiz/CodeMCP

v8.2.0 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

Published 2 months ago · MCP Developer Tools
This release patches 5 known CVEs

Topics

ai architecture claude cli code-analysis code-intelligence cursor developer-tools go llm lsp mcp mcp-server refactoring scip

Affected surfaces

deps breaking_upgrade

Summary

AI summary

Upgrade Go to version 1.26.1, which includes four stdlib CVE fixes.

Changelog

Features

  • daed8cf9ae0c53df6594e85051c7285aca1ca7ad feat: Add --lint-report flag to deduplicate findings against SARIF
  • 224320ac53d65732bd15042f2f22a4ab8dfba676 feat: Add LLM FP triage, PR posting, feedback learning, skill shipping
  • f5838af9bd48f57b1fa6b9189bc1c00f1cecdb2a feat: Add Large PR Intelligence — Batch 3
  • d23d36976bbd0655987e852b25d3dc63bfb63192 feat: Add code health, baselines, compliance, CI/CD formats — Batches 4-7
  • 22b3a8e80257f26c409b02fb93b6f64c94945de0 feat: Add comment-drift, format-consistency checks and enhance existing review checks
  • de69cf1d50fc58a10923b7cef53da5a141ebf617 feat: Add review engine v8.4 — HoldTheLine, bug-patterns, LLM narrative
  • f1437e40df5f9bd14375e430a1a1a9a53d16387f feat: Add unified PR review engine (ckb review) — MVP Batch 1+2
  • 08f4b01f78c12b136ecdc34047bd8a41a3fb5901 feat: Auto-resolve active repository from file paths in MCP tool params
  • a621676d34883a76f544e712817f2f531c29fde7 feat: Reduce review noise, add multi-provider LLM, compact MCP mode
  • a5e88941183c1d2b575561e5ca1facaa0ce6d0f6 feat: Wire dead-code, test-gaps, blast-radius checks and --staged/--scope into review

Bug Fixes

  • 4550ffbd8f2bcd1e0503e99455a9d414d058701c fix(deps): bump the go-deps group with 2 updates
  • be978826f9bbad2ed8b44f82b10127d217b01ad4 fix: Add missing SCORE env var in CI, omitempty on reviewers JSON field
  • 0e9fcde344d7d557345db1de420bb6231cc72af7 fix: Address review findings — health scoring, format constants, API tests
  • 1db8266a99d49183da3f41b58328265352e21948 fix: Annotate all gosec G115 integer overflow false positives
  • 1e6f48cd106194b22a0008f5c13e34856ebf774b fix: Annotate remaining gosec G304/G306 path traversal false positives
  • 148c598bdf3f7cf98f60763dc834aa720c790aad fix: Bump Go 1.26.0→1.26.1 (4 stdlib CVEs), fix download-artifact SHA
  • f1858891d71444a040c76e7ed678a82c3f4bad35 fix: Bump Go to 1.24.13 and add tests for repo resolver/engine cache
  • f13bcee9d7f9f79151f9c083eedc4e3ca01f7eaf fix: Bump Go to 1.26.0 and exclude G703 from gosec security gate
  • 0fbf748e93f1d0d18c8c6ee425a00293c4a045e4 fix: Eliminate O(N) GetHotspots/GetOwnership calls causing review hang
  • 06bdda65091d5bd10b69a0c24b991560bf7d8927 fix: Eliminate dead-code FP, show test-gap details, fix config merge
  • 471702a41560ce9b76fd6de558c104cf16bef227 fix: Fix 4 bugs found by CKB review, add marketing docs
  • fdb6503f7d00bed7f7ce795e2dbb5da1e9398ae1 fix: Fix lint errors, remove dead code, tighten file permissions
  • c256a69e4a625d16b7473b3268f5665722d0532e fix: Fix non-CGO build for v8.2.0 release
  • c28bd90ccb11d25c09b98e4bf4954295bb2aad64 fix: Harden action.yml, cap score deductions, clean up dead code
  • ecc1e49cba281caae67f319d3e84464a0123eb2d fix: Make pr-review job resilient to upstream CI failures
  • 68139c7caafcb4d92845ee0ed0c091e5ec5e799b fix: Make review output useful for large PRs (600+ files)
  • e9db780d68199a2d6ade098be7d1e64da2ab472a fix: Overhaul review formatter output and update CI workflows
  • 5b22e6342a82d6d3611b1226d959f9777c470a16 fix: Re-enable Homebrew upload, add token validation to release workflow
  • aa0a617fbc0bb88bd8cd15ce1b4008a7674db25f fix: Reduce review noise — secrets false positives, coupling CI spam, unclamped risk
  • c59409d3567b36dfbafa69b3434edaa7a9795ad5 fix: Render Top Risks in markdown review, fix null reviewers fallback
  • 33f589680e16746c4f7b8bcf1514bd62dc54c9b2 fix: Resolve remaining gosec findings (rune bugs + annotations)
  • f50f2bba155cf03fccfcd5a4922b26e2c4574e8a fix: Serialize tree-sitter checks, fix SARIF compliance, harden inputs
  • d8d3ed2d19c6131021af2a698569c6d25364deb0 fix: Skip Homebrew tap upload (token expired)
  • 019ef6e8d6d774b3b2548ef70e2463c6b56265bf fix: Sort findings by tier before budget cap, enrich reviewer routing
  • eb3a2bc71df8dd058acda615747ae18efa371da9 fix: Update index metadata after incremental refresh and ignore untracked files in repo state
  • 65f565c3bcfae260ff152872c94aae15b2d140ca fix: Use /v1/tokens endpoint for npm token validation
  • 76881904e85599827cd234940c4685ee7d884cbf fix: Use correct gosec rule IDs (G703/G122) for nosec annotations

Documentation

  • 3c10ef71197f0cc851f148a6589f636ba63bbf77 docs: Add review architecture SVG, update CLAUDE.md for 17 checks
  • 88cb5d1b244920165e9debc7a21a8347233dfb08 docs: Add v8.2.0 changelog
  • 3155d992483f89507d451e191966a6d50b6b7889 docs: Update CLAUDE.md and fix reviewPR tool description, reuse analyzer

Others

  • f271bb8d713edbc7c9b12fcaa3edd146d57fc031 ci(deps): bump the actions group across 1 directory with 7 updates
  • e5e2f0e467dbdce420a237313c2e16393636b48c ci: Add PR review to CI pipeline, add example workflow
  • 11b2765f8ead08bd156393aff8a0403173ad83c7 ci: Add review engine test job to CI pipeline
  • 616184c31a37f6c5d35ee2b559acba778b628055 perf: Break tree-sitter serialization, batch git ops, cache hotspot scores
  • 0d654a1d1b212bb280be371da0e7fb442fbf9ad9 perf: Cut health check subprocess calls by ~60%, add cancellation
  • 8d7c179826888fcbf90d94c2c2f46f8c3fabdcc9 security: Reject path traversal in repo IDs, sanitize error responses
  • cef1a49e90a84f165cd45c53375e1d986d58a6ed security: Scope PR permissions, fix cancel-in-progress, pin action SHA
  • 8d915b414313404953019a87cdae4a9b32036017 security: Upgrade docker/cli (CVE-2025-15558) and otel/sdk (CVE-2026-24051)

Security Fixes

  • dep: Go stdlib – four CVEs fixed in upgrade from 1.26.0 to 1.26.1
  • Reject path traversal in repo IDs and sanitize error responses (internal hardening)
  • Upgrade docker/cli (CVE-2025-15558) and otel/sdk (CVE-2026-24051)


About SimplyLiz/CodeMCP

Code intelligence MCP server with 80+ tools for semantic code search, impact analysis, call graphs, ownership detection, and architectural understanding. Supports Go, TypeScript, Python, Rust, Java via SCIP indexing.
