@adobe-commerce/aio-toolkit 1.0.17 → 1.0.18

package/CHANGELOG.md

@@ -5,6 +5,66 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.18] - 2026-03-03
+
+### 🔒 Security Fixes
+
+- **CRITICAL: Removed vulnerable @modelcontextprotocol/sdk transitive dependency**
+  - Removed `@adobe-commerce/commerce-extensibility-tools` from peer dependencies
+  - Eliminates unfixable security vulnerabilities (CVE: ReDoS, DNS rebinding)
+  - Addresses user-reported security concerns from npm audit
+  - MCP Server integration feature now requires manual installation
+  - Package contained two HIGH severity vulnerabilities:
+    - **ReDoS vulnerability** (GHSA-8r9q-7v3j-jr4g): Malicious regex input can crash the application
+    - **DNS rebinding protection disabled by default** (GHSA-w48q-cv73-mx4w): Allows potential security bypass attacks
+
+- **Updated vulnerable devDependencies**
+  - `ajv`: 6.12.6 → 6.14.0, 8.17.1 → 8.18.0 (ReDoS fixes - moderate severity)
+  - `fast-xml-parser`: 5.3.5 → 5.4.2 (DoS/stack overflow fixes - high severity)
+  - `minimatch`: multiple versions updated to latest patch releases (ReDoS fixes - high severity)
+  - `rollup`: 4.57.1 → 4.59.0 (path traversal fix - high severity)
+  - Total vulnerabilities reduced from 11 to 6 (10 fixed, 1 made optional)
+  - Remaining 6 vulnerabilities are in devDependencies only (TypeScript ESLint tooling)
+
+### ⚠️ Breaking Changes
+
+- **Cursor IDE MCP Server Integration (`aio-toolkit-cursor-context`)**
+  - `@adobe-commerce/commerce-extensibility-tools` is no longer a peer dependency
+  - Users who want MCP integration must manually install the optional package:
+    ```bash
+    npm install @adobe-commerce/commerce-extensibility-tools
+    ```
+  - **Security Warning**: This package contains known vulnerabilities in `@modelcontextprotocol/sdk@0.4.0`
+  - CLI gracefully handles missing package with clear installation instructions
+  - All other toolkit features work normally without this optional dependency
+
+### 📝 Technical Details
+
+- Updated `package.json` to remove peer dependency on `@adobe-commerce/commerce-extensibility-tools`
+- Added security documentation to README with clear warnings about MCP feature
+- MCP config helper (`McpConfig` class) already handles missing package gracefully
+- No changes required to existing code - backward compatible for 90%+ of users
+- Applied automated security patches via `npm audit fix`
+
+### 💡 Migration Guide
+
+**For users NOT using Cursor IDE MCP feature:**
+```bash
+# No action required - update normally
+npm install @adobe-commerce/aio-toolkit@1.0.18
+```
+
+**For users using Cursor IDE MCP feature:**
+```bash
+# Update toolkit and install optional dependency
+npm install @adobe-commerce/aio-toolkit@1.0.18
+npm install @adobe-commerce/commerce-extensibility-tools
+```
+
+**Alternative:** Wait for upstream fix from Adobe to release a patched version of `commerce-extensibility-tools` that uses a secure `@modelcontextprotocol/sdk` version (≥1.25.2).
+
+---
+
 ## [1.0.17] - 2026-02-25
 
 ### ✨ Features

package/README.md

@@ -1495,6 +1495,23 @@ await manager.delete('your-registration-id');
 
 Command-line tool for managing Cursor IDE context files (rules and commands) in your Adobe App Builder projects. This CLI automatically sets up Cursor IDE-specific contexts and configures the Model Context Protocol (MCP) server for enhanced development experience.
 
+> **⚠️ Security Notice - MCP Server Integration**
+>
+> The MCP (Model Context Protocol) server feature requires the optional package `@adobe-commerce/commerce-extensibility-tools`. This package is **not installed by default** due to known security vulnerabilities in its dependencies.
+>
+> **If you want to use MCP integration:**
+> ```bash
+> npm install @adobe-commerce/commerce-extensibility-tools
+> ```
+>
+> **Known Vulnerabilities:**
+> - ReDoS (Regular Expression Denial of Service) vulnerability in `@modelcontextprotocol/sdk`
+> - DNS rebinding protection disabled by default in `@modelcontextprotocol/sdk`
+>
+> **Recommendation:** Only install this package if you specifically need MCP server integration for Cursor IDE. Monitor the [package repository](https://www.npmjs.com/package/@adobe-commerce/commerce-extensibility-tools) for security updates.
+>
+> All other toolkit features work normally without this optional dependency.
+
 ##### Commands
 
 ###### `check`

package/dist/aio-toolkit-onboard-events/bin/cli.js

@@ -12021,385 +12021,12 @@ var init_onboard_events = __esm({
   }
 });
 
-// node_modules/dotenv/package.json
-var require_package = __commonJS({
-  "node_modules/dotenv/package.json"(exports2, module2) {
-    module2.exports = {
-      name: "dotenv",
-      version: "16.6.1",
-      description: "Loads environment variables from .env file",
-      main: "lib/main.js",
-      types: "lib/main.d.ts",
-      exports: {
-        ".": {
-          types: "./lib/main.d.ts",
-          require: "./lib/main.js",
-          default: "./lib/main.js"
-        },
-        "./config": "./config.js",
-        "./config.js": "./config.js",
-        "./lib/env-options": "./lib/env-options.js",
-        "./lib/env-options.js": "./lib/env-options.js",
-        "./lib/cli-options": "./lib/cli-options.js",
-        "./lib/cli-options.js": "./lib/cli-options.js",
-        "./package.json": "./package.json"
-      },
-      scripts: {
-        "dts-check": "tsc --project tests/types/tsconfig.json",
-        lint: "standard",
-        pretest: "npm run lint && npm run dts-check",
-        test: "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
-        "test:coverage": "tap run --show-full-coverage --timeout=60000 --coverage-report=text --coverage-report=lcov",
-        prerelease: "npm test",
-        release: "standard-version"
-      },
-      repository: {
-        type: "git",
-        url: "git://github.com/motdotla/dotenv.git"
-      },
-      homepage: "https://github.com/motdotla/dotenv#readme",
-      funding: "https://dotenvx.com",
-      keywords: [
-        "dotenv",
-        "env",
-        ".env",
-        "environment",
-        "variables",
-        "config",
-        "settings"
-      ],
-      readmeFilename: "README.md",
-      license: "BSD-2-Clause",
-      devDependencies: {
-        "@types/node": "^18.11.3",
-        decache: "^4.6.2",
-        sinon: "^14.0.1",
-        standard: "^17.0.0",
-        "standard-version": "^9.5.0",
-        tap: "^19.2.0",
-        typescript: "^4.8.4"
-      },
-      engines: {
-        node: ">=12"
-      },
-      browser: {
-        fs: false
-      }
-    };
-  }
-});
-
-// node_modules/dotenv/lib/main.js
-var require_main = __commonJS({
-  "node_modules/dotenv/lib/main.js"(exports2, module2) {
-    "use strict";
-    var fs2 = require("fs");
-    var path2 = require("path");
-    var os = require("os");
-    var crypto2 = require("crypto");
-    var packageJson = require_package();
-    var version = packageJson.version;
-    var LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;
-    function parse2(src) {
-      const obj = {};
-      let lines = src.toString();
-      lines = lines.replace(/\r\n?/mg, "\n");
-      let match;
-      while ((match = LINE.exec(lines)) != null) {
-        const key = match[1];
-        let value = match[2] || "";
-        value = value.trim();
-        const maybeQuote = value[0];
-        value = value.replace(/^(['"`])([\s\S]*)\1$/mg, "$2");
-        if (maybeQuote === '"') {
-          value = value.replace(/\\n/g, "\n");
-          value = value.replace(/\\r/g, "\r");
-        }
-        obj[key] = value;
-      }
-      return obj;
-    }
-    __name(parse2, "parse");
-    function _parseVault(options) {
-      options = options || {};
-      const vaultPath = _vaultPath(options);
-      options.path = vaultPath;
-      const result = DotenvModule.configDotenv(options);
-      if (!result.parsed) {
-        const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`);
-        err.code = "MISSING_DATA";
-        throw err;
-      }
-      const keys = _dotenvKey(options).split(",");
-      const length = keys.length;
-      let decrypted;
-      for (let i = 0; i < length; i++) {
-        try {
-          const key = keys[i].trim();
-          const attrs = _instructions(result, key);
-          decrypted = DotenvModule.decrypt(attrs.ciphertext, attrs.key);
-          break;
-        } catch (error) {
-          if (i + 1 >= length) {
-            throw error;
-          }
-        }
-      }
-      return DotenvModule.parse(decrypted);
-    }
-    __name(_parseVault, "_parseVault");
-    function _warn(message) {
-      console.log(`[dotenv@${version}][WARN] ${message}`);
-    }
-    __name(_warn, "_warn");
-    function _debug(message) {
-      console.log(`[dotenv@${version}][DEBUG] ${message}`);
-    }
-    __name(_debug, "_debug");
-    function _log(message) {
-      console.log(`[dotenv@${version}] ${message}`);
-    }
-    __name(_log, "_log");
-    function _dotenvKey(options) {
-      if (options && options.DOTENV_KEY && options.DOTENV_KEY.length > 0) {
-        return options.DOTENV_KEY;
-      }
-      if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
-        return process.env.DOTENV_KEY;
-      }
-      return "";
-    }
-    __name(_dotenvKey, "_dotenvKey");
-    function _instructions(result, dotenvKey) {
-      let uri;
-      try {
-        uri = new URL(dotenvKey);
-      } catch (error) {
-        if (error.code === "ERR_INVALID_URL") {
-          const err = new Error("INVALID_DOTENV_KEY: Wrong format. Must be in valid uri format like dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development");
-          err.code = "INVALID_DOTENV_KEY";
-          throw err;
-        }
-        throw error;
-      }
-      const key = uri.password;
-      if (!key) {
-        const err = new Error("INVALID_DOTENV_KEY: Missing key part");
-        err.code = "INVALID_DOTENV_KEY";
-        throw err;
-      }
-      const environment = uri.searchParams.get("environment");
-      if (!environment) {
-        const err = new Error("INVALID_DOTENV_KEY: Missing environment part");
-        err.code = "INVALID_DOTENV_KEY";
-        throw err;
-      }
-      const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`;
-      const ciphertext = result.parsed[environmentKey];
-      if (!ciphertext) {
-        const err = new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment ${environmentKey} in your .env.vault file.`);
-        err.code = "NOT_FOUND_DOTENV_ENVIRONMENT";
-        throw err;
-      }
-      return { ciphertext, key };
-    }
-    __name(_instructions, "_instructions");
-    function _vaultPath(options) {
-      let possibleVaultPath = null;
-      if (options && options.path && options.path.length > 0) {
-        if (Array.isArray(options.path)) {
-          for (const filepath of options.path) {
-            if (fs2.existsSync(filepath)) {
-              possibleVaultPath = filepath.endsWith(".vault") ? filepath : `${filepath}.vault`;
-            }
-          }
-        } else {
-          possibleVaultPath = options.path.endsWith(".vault") ? options.path : `${options.path}.vault`;
-        }
-      } else {
-        possibleVaultPath = path2.resolve(process.cwd(), ".env.vault");
-      }
-      if (fs2.existsSync(possibleVaultPath)) {
-        return possibleVaultPath;
-      }
-      return null;
-    }
-    __name(_vaultPath, "_vaultPath");
-    function _resolveHome(envPath) {
-      return envPath[0] === "~" ? path2.join(os.homedir(), envPath.slice(1)) : envPath;
-    }
-    __name(_resolveHome, "_resolveHome");
-    function _configVault(options) {
-      const debug = Boolean(options && options.debug);
-      const quiet = options && "quiet" in options ? options.quiet : true;
-      if (debug || !quiet) {
-        _log("Loading env from encrypted .env.vault");
-      }
-      const parsed = DotenvModule._parseVault(options);
-      let processEnv = process.env;
-      if (options && options.processEnv != null) {
-        processEnv = options.processEnv;
-      }
-      DotenvModule.populate(processEnv, parsed, options);
-      return { parsed };
-    }
-    __name(_configVault, "_configVault");
-    function configDotenv(options) {
-      const dotenvPath = path2.resolve(process.cwd(), ".env");
-      let encoding = "utf8";
-      const debug = Boolean(options && options.debug);
-      const quiet = options && "quiet" in options ? options.quiet : true;
-      if (options && options.encoding) {
-        encoding = options.encoding;
-      } else {
-        if (debug) {
-          _debug("No encoding is specified. UTF-8 is used by default");
-        }
-      }
-      let optionPaths = [dotenvPath];
-      if (options && options.path) {
-        if (!Array.isArray(options.path)) {
-          optionPaths = [_resolveHome(options.path)];
-        } else {
-          optionPaths = [];
-          for (const filepath of options.path) {
-            optionPaths.push(_resolveHome(filepath));
-          }
-        }
-      }
-      let lastError;
-      const parsedAll = {};
-      for (const path3 of optionPaths) {
-        try {
-          const parsed = DotenvModule.parse(fs2.readFileSync(path3, { encoding }));
-          DotenvModule.populate(parsedAll, parsed, options);
-        } catch (e) {
-          if (debug) {
-            _debug(`Failed to load ${path3} ${e.message}`);
-          }
-          lastError = e;
-        }
-      }
-      let processEnv = process.env;
-      if (options && options.processEnv != null) {
-        processEnv = options.processEnv;
-      }
-      DotenvModule.populate(processEnv, parsedAll, options);
-      if (debug || !quiet) {
-        const keysCount = Object.keys(parsedAll).length;
-        const shortPaths = [];
-        for (const filePath of optionPaths) {
-          try {
-            const relative = path2.relative(process.cwd(), filePath);
-            shortPaths.push(relative);
-          } catch (e) {
-            if (debug) {
-              _debug(`Failed to load ${filePath} ${e.message}`);
-            }
-            lastError = e;
-          }
-        }
-        _log(`injecting env (${keysCount}) from ${shortPaths.join(",")}`);
-      }
-      if (lastError) {
-        return { parsed: parsedAll, error: lastError };
-      } else {
-        return { parsed: parsedAll };
-      }
-    }
-    __name(configDotenv, "configDotenv");
-    function config5(options) {
-      if (_dotenvKey(options).length === 0) {
-        return DotenvModule.configDotenv(options);
-      }
-      const vaultPath = _vaultPath(options);
-      if (!vaultPath) {
-        _warn(`You set DOTENV_KEY but you are missing a .env.vault file at ${vaultPath}. Did you forget to build it?`);
-        return DotenvModule.configDotenv(options);
-      }
-      return DotenvModule._configVault(options);
-    }
-    __name(config5, "config");
-    function decrypt(encrypted, keyStr) {
-      const key = Buffer.from(keyStr.slice(-64), "hex");
-      let ciphertext = Buffer.from(encrypted, "base64");
-      const nonce = ciphertext.subarray(0, 12);
-      const authTag = ciphertext.subarray(-16);
-      ciphertext = ciphertext.subarray(12, -16);
-      try {
-        const aesgcm = crypto2.createDecipheriv("aes-256-gcm", key, nonce);
-        aesgcm.setAuthTag(authTag);
-        return `${aesgcm.update(ciphertext)}${aesgcm.final()}`;
-      } catch (error) {
-        const isRange = error instanceof RangeError;
-        const invalidKeyLength = error.message === "Invalid key length";
-        const decryptionFailed = error.message === "Unsupported state or unable to authenticate data";
-        if (isRange || invalidKeyLength) {
-          const err = new Error("INVALID_DOTENV_KEY: It must be 64 characters long (or more)");
-          err.code = "INVALID_DOTENV_KEY";
-          throw err;
-        } else if (decryptionFailed) {
-          const err = new Error("DECRYPTION_FAILED: Please check your DOTENV_KEY");
-          err.code = "DECRYPTION_FAILED";
-          throw err;
-        } else {
-          throw error;
-        }
-      }
-    }
-    __name(decrypt, "decrypt");
-    function populate(processEnv, parsed, options = {}) {
-      const debug = Boolean(options && options.debug);
-      const override = Boolean(options && options.override);
-      if (typeof parsed !== "object") {
-        const err = new Error("OBJECT_REQUIRED: Please check the processEnv argument being passed to populate");
-        err.code = "OBJECT_REQUIRED";
-        throw err;
-      }
-      for (const key of Object.keys(parsed)) {
-        if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
-          if (override === true) {
-            processEnv[key] = parsed[key];
-          }
-          if (debug) {
-            if (override === true) {
-              _debug(`"${key}" is already defined and WAS overwritten`);
-            } else {
-              _debug(`"${key}" is already defined and was NOT overwritten`);
-            }
-          }
-        } else {
-          processEnv[key] = parsed[key];
-        }
-      }
-    }
-    __name(populate, "populate");
-    var DotenvModule = {
-      configDotenv,
-      _configVault,
-      _parseVault,
-      config: config5,
-      decrypt,
-      parse: parse2,
-      populate
-    };
-    module2.exports.configDotenv = DotenvModule.configDotenv;
-    module2.exports._configVault = DotenvModule._configVault;
-    module2.exports._parseVault = DotenvModule._parseVault;
-    module2.exports.config = DotenvModule.config;
-    module2.exports.decrypt = DotenvModule.decrypt;
-    module2.exports.parse = DotenvModule.parse;
-    module2.exports.populate = DotenvModule.populate;
-    module2.exports = DotenvModule;
-  }
-});
-
 // src/commands/framework/helpers/io-environment/index.ts
 var dotenv, _IOEnvironmentLoader, IOEnvironmentLoader;
 var init_io_environment = __esm({
   "src/commands/framework/helpers/io-environment/index.ts"() {
     "use strict";
-    dotenv = __toESM(require_main());
+    dotenv = __toESM(require("dotenv"));
     dotenv.config();
     _IOEnvironmentLoader = class _IOEnvironmentLoader {
       /**
@@ -12717,7 +12344,7 @@ var init_io_events2 = __esm({
     init_onboard_events();
     init_io_environment();
     init_adobe_auth_token();
-    dotenv2 = __toESM(require_main());
+    dotenv2 = __toESM(require("dotenv"));
     dotenv2.config();
     _ExecuteIOEvents = class _ExecuteIOEvents {
       constructor(applicationName, ioEventsConfig) {
@@ -13912,7 +13539,7 @@ var init_commerce2 = __esm({
     init_onboard_commerce();
     init_commerce_environment();
     init_adobe_commerce_client2();
-    dotenv3 = __toESM(require_main());
+    dotenv3 = __toESM(require("dotenv"));
     dotenv3.config();
     _ExecuteCommerce = class _ExecuteCommerce {
       constructor(commerceAuthType, commerceProvider, commerceEventsConfig, isPaaSInstance, logger) {
@@ -14088,7 +13715,7 @@ var init_io_events3 = __esm({
     init_registration();
     init_io_environment();
     init_adobe_auth_token();
-    dotenv4 = __toESM(require_main());
+    dotenv4 = __toESM(require("dotenv"));
     dotenv4.config();
     _CleanupIOEvents = class _CleanupIOEvents {
       /**