This release includes 3 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
Summary
AI summaryUpdates What changed, https://vinkius.com, and https://github.com/vinkius-labs/mcpfusion/blob/main/CHANGELOG.md across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Breaking | High |
All packages now published under the `@mcpfusion` npm scope. All packages now published under the `@mcpfusion` npm scope. Source: granite4.1:30b@2026-05-20-audit Confidence: low |
— |
| Breaking | Medium |
All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope. All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low |
— |
| Breaking | Medium |
GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope. GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low |
— |
| Feature | Medium |
`mcpfusion deploy` command ships MCP server to Vinkius Edge in one step. `mcpfusion deploy` command ships MCP server to Vinkius Edge in one step. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high |
— |
| Refactor | Medium |
Full rebrand from Vurb to MCP Fusion across ecosystem. Full rebrand from Vurb to MCP Fusion across ecosystem. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low |
— |
Full changelog
Welcome to MCP Fusion
MCP Fusion is the TypeScript framework for building secure MCP servers. Security is not bolted on as middleware — it is enforced at the architectural level, compiled into every tool handler before a single byte reaches the wire.
This release marks the official public identity under the @mcpfusion npm scope. Every package in the ecosystem ships as 4.0.0.
What changed
- Full rebrand from Vurb to MCP Fusion — All source code, documentation, CLI output, workflows, and npm packages now use the
@mcpfusionscope. - Repository renamed —
vinkius-labs/mcpfusionon GitHub,@mcpfusion/*on npm. mcpfusion deploy— Ship your MCP server to Vinkius Edge in one command.
Governance stack
| Layer | What it does |
|---|---|
| Presenters | Typed egress firewalls. Undeclared fields stripped in RAM. PII redacted via V8-optimized compiled functions. |
| FSM State Gates | Tools physically removed from tools/list when the current state forbids them. |
| Capability Lockfile | mcpfusion.lock captures the behavioral contract of every tool as SHA-256 snapshots. |
| Crypto Attestation | HMAC-SHA256 runtime verification. Fail-fast on digest drift. |
| Sandbox Engine | V8 isolate for LLM-provided JavaScript. No process, require, fs, or network. |
16 packages
@mcpfusion/core · @mcpfusion/yaml · @mcpfusion/swarm · @mcpfusion/a2a · @mcpfusion/skills · @mcpfusion/testing · @mcpfusion/inspector · @mcpfusion/vercel · @mcpfusion/cloudflare · @mcpfusion/openapi-gen · @mcpfusion/prisma-gen · @mcpfusion/n8n · @mcpfusion/aws · @mcpfusion/oauth · @mcpfusion/jwt · @mcpfusion/api-key
In production
4,000+ MCP servers on vinkius.com are built with MCP Fusion.
Full changelog: CHANGELOG.md
Breaking Changes
- All npm packages moved from the `vurb` scope to the `@mcpfusion` scope (e.g., `@mcpfusion/core` replaces previous identifiers).
- GitHub repository renamed from `vinkius-labs/vurb` to `vinkius-labs/mcpfusion`.
- CLI command `mcpfusion deploy` introduced; prior deployment workflows must be updated.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About vinkius-labs/mcp-fusion
A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.
Related context
Beta — feedback welcome: [email protected]