@adobe-commerce/aio-toolkit 1.0.17 → 1.1.0

package/CHANGELOG.md

@@ -5,6 +5,129 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2026-03-27
+
+### ⚠️ Breaking Changes
+
+- **Peer dependency restructuring to resolve duplicate module conflicts**
+  - The following packages have been moved from `dependencies` to `peerDependencies`:
+    - `@adobe/aio-sdk` (>=5.0.0) — required peer
+    - `graphql` (>=16.0.0) — required peer
+    - `@adobe/aio-lib-ims` (>=7.0.0) — optional peer
+    - `@adobe/aio-lib-telemetry` (>=1.0.0) — optional peer
+    - `cloudevents` (>=8.0.0) — optional peer
+    - `dotenv` (>=16.0.0) — optional peer
+    - `node-fetch` (>=2.6.0) — optional peer
+    - `openwhisk` (>=3.0.0) — optional peer
+    - `@opentelemetry/resources` (>=1.0.0) — optional peer
+  - App Builder projects already have these packages installed — no additional installs required for the vast majority of users
+  - If you get `Cannot find module` errors after upgrading, install the missing package directly in your project
+
+### 🐛 Bug Fixes
+
+- **Fixed missing `yaml` dependency**
+  - `yaml` was used at runtime in `OnboardConfig` (YAML config file parsing) but was not declared in `package.json`
+  - This was relying on a transitive install which is fragile and unreliable across package managers
+  - `yaml: ^2.0.0` is now a proper direct `dependency`
+
+### 🔧 Dependency Changes
+
+| Package | Before | After | Reason |
+|---|---|---|---|
+| `@adobe/aio-sdk` | `dependencies` | `peerDependencies` | Singleton services break with duplicate instances |
+| `@adobe/aio-lib-ims` | `dependencies` | `peerDependencies` (optional) | Shared auth token context |
+| `@adobe/aio-lib-telemetry` | `dependencies` | `peerDependencies` (optional) | Shared telemetry pipeline |
+| `graphql` | `dependencies` | `peerDependencies` | Schema singleton — two copies cause type incompatibility |
+| `cloudevents` | `dependencies` | `peerDependencies` (optional) | App Builder I/O Events projects always install this |
+| `dotenv` | `dependencies` | `peerDependencies` (optional) | Every App Builder project loads `.env` files |
+| `node-fetch` | `dependencies` | `peerDependencies` (optional) | Common fetch polyfill; v2/v3 split causes conflicts |
+| `openwhisk` | `dependencies` | `peerDependencies` (optional) | App Builder Runtime projects always install this |
+| `@opentelemetry/resources` | *(missing)* | `peerDependencies` (optional) | Runtime import in telemetry code; provided by `aio-lib-telemetry` |
+| `yaml` | *(missing)* | `dependencies` | Runtime import in `OnboardConfig` — was undeclared |
+| `got` | `dependencies` | `dependencies` | Internal HTTP client — kept as direct dep |
+| `oauth-1.0a` | `dependencies` | `dependencies` | Internal OAuth signing — kept as direct dep |
+| `uuid` | `dependencies` | `dependencies` | Stateless, no conflict risk — kept as direct dep |
+
+### 💡 Migration Guide
+
+Most App Builder projects already have all moved packages installed and **require no changes**:
+
+```bash
+# Standard upgrade — works for most users
+npm install @adobe-commerce/aio-toolkit@1.1.0
+```
+
+If you encounter `Cannot find module` errors for any of the optional peer dependencies, install them explicitly:
+
+```bash
+# Install only the ones you use
+npm install @adobe/aio-sdk graphql dotenv
+npm install cloudevents node-fetch openwhisk   # if used
+npm install @adobe/aio-lib-ims @adobe/aio-lib-telemetry  # if used
+```
+
+---
+
+## [1.0.18] - 2026-03-03
+
+### 🔒 Security Fixes
+
+- **CRITICAL: Removed vulnerable @modelcontextprotocol/sdk transitive dependency**
+  - Removed `@adobe-commerce/commerce-extensibility-tools` from peer dependencies
+  - Eliminates unfixable security vulnerabilities (CVE: ReDoS, DNS rebinding)
+  - Addresses user-reported security concerns from npm audit
+  - MCP Server integration feature now requires manual installation
+  - Package contained two HIGH severity vulnerabilities:
+    - **ReDoS vulnerability** (GHSA-8r9q-7v3j-jr4g): Malicious regex input can crash the application
+    - **DNS rebinding protection disabled by default** (GHSA-w48q-cv73-mx4w): Allows potential security bypass attacks
+
+- **Updated vulnerable devDependencies**
+  - `ajv`: 6.12.6 → 6.14.0, 8.17.1 → 8.18.0 (ReDoS fixes - moderate severity)
+  - `fast-xml-parser`: 5.3.5 → 5.4.2 (DoS/stack overflow fixes - high severity)
+  - `minimatch`: multiple versions updated to latest patch releases (ReDoS fixes - high severity)
+  - `rollup`: 4.57.1 → 4.59.0 (path traversal fix - high severity)
+  - Total vulnerabilities reduced from 11 to 6 (10 fixed, 1 made optional)
+  - Remaining 6 vulnerabilities are in devDependencies only (TypeScript ESLint tooling)
+
+### ⚠️ Breaking Changes
+
+- **Cursor IDE MCP Server Integration (`aio-toolkit-cursor-context`)**
+  - `@adobe-commerce/commerce-extensibility-tools` is no longer a peer dependency
+  - Users who want MCP integration must manually install the optional package:
+    ```bash
+    npm install @adobe-commerce/commerce-extensibility-tools
+    ```
+  - **Security Warning**: This package contains known vulnerabilities in `@modelcontextprotocol/sdk@0.4.0`
+  - CLI gracefully handles missing package with clear installation instructions
+  - All other toolkit features work normally without this optional dependency
+
+### 📝 Technical Details
+
+- Updated `package.json` to remove peer dependency on `@adobe-commerce/commerce-extensibility-tools`
+- Added security documentation to README with clear warnings about MCP feature
+- MCP config helper (`McpConfig` class) already handles missing package gracefully
+- No changes required to existing code - backward compatible for 90%+ of users
+- Applied automated security patches via `npm audit fix`
+
+### 💡 Migration Guide
+
+**For users NOT using Cursor IDE MCP feature:**
+```bash
+# No action required - update normally
+npm install @adobe-commerce/aio-toolkit@1.0.18
+```
+
+**For users using Cursor IDE MCP feature:**
+```bash
+# Update toolkit and install optional dependency
+npm install @adobe-commerce/aio-toolkit@1.0.18
+npm install @adobe-commerce/commerce-extensibility-tools
+```
+
+**Alternative:** Wait for upstream fix from Adobe to release a patched version of `commerce-extensibility-tools` that uses a secure `@modelcontextprotocol/sdk` version (≥1.25.2).
+
+---
+
 ## [1.0.17] - 2026-02-25
 
 ### ✨ Features

package/README.md

@@ -1495,6 +1495,23 @@ await manager.delete('your-registration-id');
 
 Command-line tool for managing Cursor IDE context files (rules and commands) in your Adobe App Builder projects. This CLI automatically sets up Cursor IDE-specific contexts and configures the Model Context Protocol (MCP) server for enhanced development experience.
 
+> **⚠️ Security Notice - MCP Server Integration**
+>
+> The MCP (Model Context Protocol) server feature requires the optional package `@adobe-commerce/commerce-extensibility-tools`. This package is **not installed by default** due to known security vulnerabilities in its dependencies.
+>
+> **If you want to use MCP integration:**
+> ```bash
+> npm install @adobe-commerce/commerce-extensibility-tools
+> ```
+>
+> **Known Vulnerabilities:**
+> - ReDoS (Regular Expression Denial of Service) vulnerability in `@modelcontextprotocol/sdk`
+> - DNS rebinding protection disabled by default in `@modelcontextprotocol/sdk`
+>
+> **Recommendation:** Only install this package if you specifically need MCP server integration for Cursor IDE. Monitor the [package repository](https://www.npmjs.com/package/@adobe-commerce/commerce-extensibility-tools) for security updates.
+>
+> All other toolkit features work normally without this optional dependency.
+
 ##### Commands
 
 ###### `check`