vinkius-labs/mcp-fusion

v4.0.3 Bugfix

This release fixes issues for SREs watching stability and regressions.

Published 8d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

breaking_upgrade

Summary

AI summary

Fixed corrupting of string literals containing process.env in sanitizeBundleForEdge().

Changes in this release

Type	Severity	Summary	CVE
Dependency	Low	All @mcpfusion/* packages bumped to version 4.0.3. All @mcpfusion/* packages bumped to version 4.0.3. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fixes corrupted string literals in sanitizeBundleForEdge causing SyntaxError on V8 compile. Fixes corrupted string literals in sanitizeBundleForEdge causing SyntaxError on V8 compile. Source: llm_adapter@2026-05-26 Confidence: low	—
Bugfix	Medium	Fixes corrupted string literals in `sanitizeBundleForEdge()` caused by improper `process.env` replacement. Fixes corrupted string literals in `sanitizeBundleForEdge()` caused by improper `process.env` replacement. Source: granite4.1:30b@2026-05-26-audit Confidence: low	—

Full changelog

Fixed

`@mcpfusion/core` — Edge Sanitizer: Context-Aware `process.env` Replacement

sanitizeBundleForEdge() corrupted string literals containing process.env — The process.env → process["env"] regex replacement was applied globally across the minified bundle without distinguishing between real code references and occurrences inside string literals. This caused SyntaxError: missing ) after argument list at V8 Isolate compile time (<isolated-vm>:173:7641), making MCP servers fail to initialize on Vinkius Edge with Internal Server Error.
Fix — Replaced the global regex with a context-aware callback that counts unescaped double quotes before the match position to detect string boundaries. Applied to both deploy.ts (CLI) and sanitizer.ts (runtime).

Changed

All @mcpfusion/* packages bumped to 4.0.3.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Related tools

Earlier breaking changes

v4.0.0 All packages now published under the `@mcpfusion` npm scope.
v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.