Skip to content

vinkius-labs/mcp-fusion

v3.1.9 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth rbac

Summary

AI summary

Fixed a race condition in CursorCodec.ensureSecret that could generate inconsistent ephemeral keys.

Full changelog

v3.1.9 — Medium Bugs #17–#22

Fixed

  • CursorCodec.ensureSecret() race condition: concurrent encode() calls could generate different ephemeral keys. Fixed with promise-based lock (_secretPromise).
  • IntrospectionResource passed undefined as TContext to RBAC filter when no contextFactory. Filter is now skipped; full manifest returned.
  • SemanticProbe.evaluateProbes() used Promise.all — one probe failure rejected the entire batch. Replaced with Promise.allSettled; failed probes produce graceful fallback results.
  • systemRulesFingerprint hashed schema keys instead of actual rules. Added getStaticRuleStrings() to Presenter, presenterStaticRules to ActionMetadata. Fingerprint now hashes real rule strings.
  • Duplicate prompt names in lockfile generateLockfile() produced inflated integrity digests. Fixed with Map-based deduplication (last-wins).
  • ** injectLoopbackDispatcher mutated ctx directly (failed with frozen/shared contexts). Now returns a prototype-based proxy via Object.create(ctx).

Tests

  • 15 new regression tests in MediumBugs-17-18-19-20-21-22.test.ts
  • 2 existing IntrospectionIntegration tests updated
  • 1 ManifestCompiler test helper updated
  • 4419 tests passing across 166 files (0 failures)

Security Fixes

  • CursorCodec.ensureSecret() race condition fixed to prevent inconsistent ephemeral keys
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]