Skip to content

vinkius-labs/mcp-fusion

v3.1.31 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

rce_ssrf

Summary

AI summary

Fixed sandbox behavior to reject eval and new Function calls.

Full changelog

Fixed

  • Bug #139: SandboxGuard now rejects eval() and new Function() at fail-fast level
  • Bug #140: getSandboxConfig() JSDoc documents metadata-only nature
  • Bug #141: f.sandbox() tracks dispose via FinalizationRegistry, warns on leaked engines
  • Bug #142: Abort handler releases per-request Context for faster cancellation in concurrent mode

Breaking Changes

  • SandboxGuard now fails fast when encountering eval() or new Function()
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]