This release includes 1 security fix for security teams reviewing exposed deployments.
Published 3mo
MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE
Topics
mcp
mcp-framework
mcp-server
model-context-protocol
Affected surfaces
auth
crypto_tls
Summary
AI summary: Fixed Group re‑parenting logic and timingSafeCompare implementation.
Full changelog
Bug Fixes (Medium #7-#11) + JWT Test Fix
Fixed
- Bug #7 — Group.addChildGroup() now removes child from previous parent before re-parenting
- Bug #8 — timingSafeCompare removes early return, uses constant-time XOR loop with length seeding
- Bug #9 — autoValidator() detects async validators and throws descriptive error with vendor name
- Bug #10 — mergeHooks wrapResponse now returns secondary's result instead of discarding it
- Bug #11 — GroupedToolBuilder.tags() accumulates via push() consistently with FluentToolBuilder
- JWT test — Signature corruption now targets middle char to avoid base64url padding bits
Tests
- 23 new regression tests across 2 test files
- All 3363+ tests pass with 0 regressions
Security Fixes
- timingSafeCompare now uses a constant‑time XOR loop, eliminating early returns
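The shape of the Bug #8 change, as an added TypeScript sketch that is not mcp-fusion's own code: an early-return comparison whose work grows with the matching prefix, next to an XOR-accumulating loop. The function names, the sample token, and reading "length seeding" as starting the accumulator from the XOR of the two lengths are assumptions.

```typescript
// Added illustration; function names and the token are hypothetical.
const SECRET = "s3cr3t-token-0001"; // constructed sample value

// "Before" shape: the loop stops at the first mismatch. The return value is
// the number of character comparisons performed, which is what timing reveals.
function earlyReturnSteps(secret: string, guess: string): number {
  if (secret.length !== guess.length) return 0;
  let steps = 0;
  for (let i = 0; i < secret.length; i++) {
    steps++;
    if (secret.charCodeAt(i) !== guess.charCodeAt(i)) break;
  }
  return steps;
}

// "After" shape: no early exit. Every position is XORed into one accumulator
// and the result is inspected only once, after the loop.
function constantTimeCompare(a: string, b: string): boolean {
  // Length seeding (assumed meaning): a length mismatch sets bits up front,
  // so zero-filling the shorter input below can never produce a false match.
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    // charCodeAt() past the end yields NaN; `| 0` turns that into 0.
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// Work done by the early-return version for guesses with 0, 4 and 17 correct
// leading characters (all guesses have the secret's length).
function leakProfile(): number[] {
  const none = SECRET.replace(/./g, "x");
  const four = SECRET.slice(0, 4) + SECRET.slice(4).replace(/./g, "x");
  return [none, four, SECRET].map((g) => earlyReturnSteps(SECRET, g));
}
```
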
About vinkius-labs/mcp-fusion
A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.