This release includes 1 security fix relevant to security teams reviewing exposed deployments.
Published 2mo
MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE
Topics
mcp
mcp-framework
mcp-server
model-context-protocol
Affected surfaces
auth
breaking_upgrade
Summary
AI summary: Fixed a PII leak: compileRedactor() now throws when structuredClone fails.
Full changelog
Fixed
- extractLastJson brace-in-string edge case — Replaced backward brace counting with try-parse from each bracket position. Handles braces inside JSON string values correctly.
- Exposition recompile O(N) per request — Dirty-flag cache replaces O(N) builder identity comparison. Steady-state cost is O(1).
- Consensus strategy failOpen bypass — Adapter errors in consensus mode are now implicit rejections. The ALL-must-agree contract is enforced regardless of failOpen.
- PII leak on structuredClone failure — compileRedactor() throws instead of silently returning unredacted data.
- XState import cached as permanent failure — Failed imports are now retried up to 3 times instead of being cached as a permanent failure.
Test Suite
- 50 new regression tests across 5 files
- 5600 tests passing across 275 files
Security Fixes
- compileRedactor() now throws on structuredClone failure, preventing PII leak
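
The fail-open versus fail-closed behaviour behind this fix, as an added example that is not mcp-fusion's code: a redactor that masks a deep copy of the payload, first returning the original when the copy fails and then throwing instead. The function names, the mask string and the sample payload are assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not mcp-fusion's API.
type Redactor = (payload: Record<string, unknown>) => Record<string, unknown>;
const MASK = "[REDACTED]";

// Mask every property whose key is listed, walking nested objects and arrays.
function maskInPlace(node: unknown, keys: Set<string>, seen = new WeakSet<object>()): void {
  if (node === null || typeof node !== "object" || seen.has(node)) return;
  seen.add(node); // structuredClone preserves cycles, so guard against them
  const obj = node as Record<string, unknown>;
  for (const k of Object.keys(obj)) {
    if (keys.has(k)) obj[k] = MASK;
    else maskInPlace(obj[k], keys, seen);
  }
}

// Fail-open: when the defensive copy cannot be made, the caller silently
// receives the original object with its PII intact.
function makeFailOpenRedactor(keys: string[]): Redactor {
  const set = new Set(keys);
  return (payload) => {
    try {
      const copy = structuredClone(payload);
      maskInPlace(copy, set);
      return copy;
    } catch {
      return payload; // unredacted data leaves the redactor
    }
  };
}

// Fail-closed: a clone failure aborts the call, so nothing unredacted is returned.
function makeFailClosedRedactor(keys: string[]): Redactor {
  const set = new Set(keys);
  return (payload) => {
    let copy: Record<string, unknown>;
    try {
      copy = structuredClone(payload);
    } catch {
      throw new Error("redaction aborted: payload could not be cloned");
    }
    maskInPlace(copy, set);
    return copy;
  };
}

// Constructed samples: a function-valued field makes structuredClone throw.
const cloneable = { id: 7, user: { email: "alice@example.test" } };
const uncloneable = { user: { email: "alice@example.test" }, onDone: () => {} };
```

A regression test for this class of bug should feed the redactor an uncloneable payload and assert that the call throws rather than comparing output on well-formed input only.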
About vinkius-labs/mcp-fusion
A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.