zhangpanda/gomcp

v1.3.0 Bugfix

This release fixes issues for SREs watching stability and regressions.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

ai claude cursor gin go grpc kiro mcp mcp-server model-context-protocol openapi

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Fixed gRPC adapter deserialization bug causing all calls to return wrong or empty results.

Full changelog

Bug Fix Release — 19 bugs resolved

Critical

  • gRPC adapter used input descriptor for response deserialization — all gRPC calls returned wrong/empty results

High (7)

  • Prompt handler called under RLock — deadlock risk
  • OpenAPI query params not URL-encoded; body fields always sent as strings
  • Self-referential structs caused infinite recursion in schema generator
  • []Struct slices generated wrong item schema
  • SetMaxConcurrentTasks orphaned in-flight tasks
  • AsyncToolFunc corrupted existing sync tools with matching base name

Medium (10)

  • notifyFn data race between notify() and Handler()
  • Completed async tasks never evicted (memory leak)
  • HTTP transport silently truncated oversized bodies
  • stdio transport append could mutate handler's returned slice
  • mcptest.Client panicked on nil returns / missing map keys
  • ToolFunc didn't validate function signature types
  • Handler returning (nil, nil) produced protocol-violating null result
  • watchDir goroutine leaked on shutdown
  • Deleted YAML files left zombie tools registered
  • provider.go HTTP client had no timeout

Low (1)

  • Multiple Handler() calls overwrote notification function

Full Changelog: https://github.com/zhangpanda/gomcp/compare/v1.2.0...v1.3.0


About zhangpanda/gomcp

A Gin-like framework for building MCP servers in Go. Struct-tag auto schema, middleware chain, auth, tool groups, adapters for Gin/OpenAPI/gRPC, async tasks, Inspector UI.
