This release fixes issues for SREs watching stability and regressions.
✓ No known CVEs patched in this version
Summary
AI summary: Sanitizer now correctly handles process.env in both code and string contexts, preventing deploy rejections.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Dependency | Low | All @mcpfusion/* cross-dependencies updated to ^4.0.4. Source: llm_adapter@2026-05-26 Confidence: high | — |
| Bugfix | Medium | Sanitizer now replaces process.env in code and strings to prevent deploy rejections. Source: llm_adapter@2026-05-26 Confidence: high | — |
Full changelog
Fixed
Bundles containing process.env inside string literals were rejected by the server-side security scanner. The v4.0.3 context-aware sanitizer correctly preserved process.env inside strings to avoid JS corruption, but the server-side EdgeDeployService static analysis rejects bundles matching /\bprocess\s*\.\s*env\b/ anywhere — including string contexts. Bundles with validation messages like 'Implementation uses process.env directly' passed CLI sanitization but were rejected at deploy time.
Fix: The sanitizer now replaces process.env in ALL contexts: code → process['env'] (bracket notation); strings → process\u002Eenv (Unicode dot escape). Both CLI and runtime sanitizers are aligned.
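An added TypeScript sketch of the rewrite described in the Fix entry (not the mcp-fusion sanitizer's own code): it splits source into code and string-literal segments, applies the two replacements, and re-checks the result against the scanner pattern quoted above. The function names, the simplified string tracking and the sample line are assumptions made for this example.

```typescript
// Added illustration; not the mcp-fusion sanitizer source.
// SCANNER is the server-side pattern quoted in the changelog.
const SCANNER = /\bprocess\s*\.\s*env\b/;

interface Segment { text: string; inString: boolean; }

// Split source into code and string-literal segments. Simplification
// (assumption): tracks ', " and ` literals with backslash escapes only;
// comments, regex literals and ${} template expressions are not modelled.
function segment(src: string): Segment[] {
  const out: Segment[] = [];
  let start = 0;
  let quote = "";
  for (let i = 0; i < src.length; i++) {
    const ch = src.charAt(i);
    if (quote !== "") {
      if (ch === "\\") { i++; continue; }   // skip the escaped character
      if (ch === quote) {                     // closing quote ends the literal
        out.push({ text: src.slice(start, i + 1), inString: true });
        start = i + 1;
        quote = "";
      }
    } else if (ch === "'" || ch === '"' || ch === "`") {
      if (i > start) out.push({ text: src.slice(start, i), inString: false });
      start = i;
      quote = ch;
    }
  }
  if (start < src.length) out.push({ text: src.slice(start), inString: quote !== "" });
  return out;
}

// Apply the two context-specific replacements from the changelog.
function sanitize(src: string): string {
  const pattern = /\bprocess(\s*)\.(\s*)env\b/g;
  return segment(src).map((seg) =>
    seg.inString
      // In a literal: escape only the dot, so the runtime string value is unchanged.
      ? seg.text.replace(pattern, (_m: string, a: string, b: string) => "process" + a + "\\u002E" + b + "env")
      // In code: bracket notation, which would corrupt a quoted string if used there.
      : seg.text.replace(pattern, () => "process['env']")
  ).join("");
}

function scannerFlags(src: string): boolean { return SCANNER.test(src); }

// Constructed sample bundle line (not taken from a real bundle).
const SAMPLE = "const k = process.env.API_KEY; throw new Error('Implementation uses process.env directly');";
```

process['env'] is the same property access at runtime, so a bundle that passes the pattern check can still read environment variables; the pattern is a lexical check only.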
Changed
- All @mcpfusion/* cross-dependencies updated to ^4.0.4
About vinkius-labs/mcp-fusion
A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.