
vinkius-labs/mcp-fusion

v3.1.20 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

rce_ssrf

Summary

AI summary

Fixed unhandled rejection crash in SSE server template.

Full changelog

Fixed

  • SSE server template now wraps the async HTTP handler body in try/catch - prevents unhandled rejection crash
  • scaffold() now cleans up the target directory on partial write failure - prevents orphaned broken project files
  • fusion deploy now prompts before auto-installing esbuild - no longer silently modifies package.json
  • fusion deploy validates serverId format and applies encodeURIComponent - prevents path traversal
  • FusionClient accepts a discriminatorKey option (defaults to action) - supports custom server discriminators

Security Fixes

  • `fusion deploy` validates `serverId` format and applies `encodeURIComponent` – prevents path traversal
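
The fix above, sketched as an added example (not mcp-fusion's own code): the ID pattern, base URL and function names are assumptions made for illustration. It shows why the format check is needed alongside `encodeURIComponent`, which escapes `/` but leaves `..` unchanged.

```javascript
// Added example with hypothetical names; not taken from the mcp-fusion source.
// Assumed ID format: 1-64 chars, letters/digits/'_'/'-', starting alphanumeric.
const SERVER_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// Placeholder API base, used only so the URL parser has something to resolve against.
const API_BASE = "https://deploy.example.invalid/api/";

// Before: the ID is interpolated straight into the request path.
// The URL parser normalises dot segments, so the ID can change the endpoint.
function unsafeDeployUrl(serverId) {
  return new URL(`servers/${serverId}/deploy`, API_BASE).pathname;
}

// Encoding only: '/' becomes %2F, but '.' is an unreserved character,
// so an ID of ".." passes through untouched and is still normalised away.
function encodedOnlyDeployUrl(serverId) {
  return new URL(`servers/${encodeURIComponent(serverId)}/deploy`, API_BASE).pathname;
}

// After: reject anything outside the allowlist first, then encode as
// defence in depth in case the pattern is loosened later.
function safeDeployUrl(serverId) {
  if (typeof serverId !== "string" || !SERVER_ID_RE.test(serverId)) {
    throw new TypeError("invalid serverId");
  }
  return new URL(`servers/${encodeURIComponent(serverId)}/deploy`, API_BASE).pathname;
}
```
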

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.


Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.
