Skip to content

vinkius-labs/mcp-fusion

v3.6.3 Bugfix

This release fixes issues for SREs watching stability and regressions.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth rce_ssrf

Summary

AI summary

Fixed FSM session leak, zombie generator handlers on slow I/O, and RedactEngine lazy-import race condition.

Full changelog

Fixed

  • FSM session leak via static keyextractSessionId() fallback changed from shared '__default__' to per-attachment crypto.randomUUID(). Multiple stdio clients no longer share FSM state. Prevents state inheritance between connections.

  • Zombie generator handlers on slow I/OdrainGenerator() now uses Promise.race([gen.next(), abortPromise]) for real-time AbortSignal cancellation during each yield. Generators blocked on slow I/O (DB, network) are no longer zombies after client disconnect.

  • RedactEngine lazy-import race conditionloadFastRedact() now uses a _loadPromise gate to serialize concurrent callers during boot. Prevents duplicate import('fast-redact') calls and non-deterministic overwrites.

Test Suite

  • 30 new regression tests across 3 test files:
    • FsmSessionLeak-bug3.test.ts — 11 tests: session collision, UUID isolation, per-attachment consistency
    • DrainGeneratorZombie-bug4.test.ts — 9 tests: real-time cancellation during slow I/O, pre-aborted signals, error propagation
    • RedactEngineRace-bug5.test.ts — 10 tests: concurrent import serialization, error handling, integration
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]