This release fixes issues for SREs watching stability and regressions.
✓ No known CVEs patched in this version
Summary
AI summary: Fixed lean MCP outputSchema to allow null for optional fields, resolving strict client validation errors.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | Lean MCP outputSchema now accepts null for optional fields across all 53 tools (223 nullable fields). Source: llm_adapter@2026-06-01. Confidence: high | — |
Full changelog
Fix: lean MCP outputSchema now accepts null for optional fields (#42)
Optional response fields (T | None) were advertised in the lean tools/list
outputSchema by their non-null type only — e.g. verdict as {"type": "object"}.
A tool returning null for such a field (where it isn't computed pre-enrichment)
then failed strict MCP client validation: -32602 ... must be object.
Fix: the null arm is preserved as a flat 2-element type array —
verdict: {"type": ["object", "null"]}, and likewise ["string","null"] /
["array","null"] / ["integer","null"] … for every other optional field.
Resolved centrally in the schema-derivation helper, so it applies to all 53
tools (223 nullable fields), not just verdict.
- Stays flat — no `$defs`/`$ref`/`anyOf` — so strict clients (the lean-schema consumers) keep validating cleanly.
- Ambiguous / mixed-type unions stay permissive (`{}`).
- Verified on a Draft 2020-12 validator: a `null` verdict now validates; a populated object verdict still does.
Wire-compatible bug fix; no tool/arg changes. MCP surface unchanged
(53 tools · 7 Resources · 3 Prompts). Test suite green.
Reported by @0xawad — thanks for the precise repro.
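The derivation rule described in the changelog, as an added example that is not the project's own code: `lean_schema`, `type_ok`, `keep_null` and the `FIELDS` sample are hypothetical names, and the small `type`-keyword checker stands in for a full Draft 2020-12 validator.

```python
import types
from typing import Optional, Union, get_args, get_origin

# Python type -> JSON Schema primitive name.
JSON_TYPES = {str: "string", int: "integer", float: "number",
              bool: "boolean", dict: "object", list: "array"}
UNIONS = tuple(u for u in (Union, getattr(types, "UnionType", None))
               if u is not None)

def _name(tp):
    """JSON Schema name for a plain or parameterised type, else None."""
    return JSON_TYPES.get(get_origin(tp) or tp)

def lean_schema(tp, keep_null=True):
    """Flat schema for one field (no $defs/$ref/anyOf).
    keep_null=False reproduces the pre-fix output the changelog describes."""
    if get_origin(tp) in UNIONS:
        non_null = [a for a in get_args(tp) if a is not type(None)]
        name = _name(non_null[0]) if len(non_null) == 1 else None
        if name is None:
            return {}                    # ambiguous / mixed union: permissive
        return {"type": [name, "null"] if keep_null else name}
    name = _name(tp)
    return {"type": name} if name else {}

def type_ok(schema, value):
    """Evaluate only the `type` keyword, as a strict client would."""
    allowed = schema.get("type")
    if allowed is None:
        return True
    checks = {"null": lambda v: v is None,
              "boolean": lambda v: isinstance(v, bool),
              "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
              "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
              "string": lambda v: isinstance(v, str),
              "object": lambda v: isinstance(v, dict),
              "array": lambda v: isinstance(v, list)}
    names = [allowed] if isinstance(allowed, str) else allowed
    return any(checks[n](value) for n in names)

# Constructed field annotations; only `verdict` is named on the page.
FIELDS = {"verdict": Optional[dict], "summary": Optional[str],
          "tags": Optional[list], "score": Optional[int],
          "raw": Union[str, int, None], "id": str}

if __name__ == "__main__":
    for field, tp in FIELDS.items():
        print(field, lean_schema(tp, keep_null=False), "->", lean_schema(tp))
```

Run directly, it prints each field's pre-fix and post-fix schema side by side.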
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.
Earlier breaking changes
- v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.