npm - @berthojoris/mcp-mysql-server - Versions diffs - 1.42.1 → 1.42.2 - Mend

@berthojoris/mcp-mysql-server 1.42.1 → 1.42.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md +8 -0
package/DOCUMENTATIONS.md +3 -3
package/README.md +2 -2
package/dist/mcp-server.js +4 -4
package/dist/security/securityLayer.js +9 -0
package/dist/tools/queryTools.d.ts +2 -1
package/dist/tools/queryTools.js +2 -1
package/dist/tools/utilityTools.js +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,14 @@ All notable changes to the MySQL MCP Server will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.42.2] - 2026-05-25
+### Fixed
+- Blocked DELETE SQL in `execute_write_query` and `execute_in_transaction` unless the `delete` permission is explicitly enabled, closing a bypass where `execute` alone could delete data via custom SQL.
+### Changed
+- Clarified tool and permission documentation: `execute` covers INSERT/UPDATE custom SQL; DELETE requires the separate `delete` permission.
 ## [1.42.1] - 2026-05-11
 ### Changed

package/DOCUMENTATIONS.md CHANGED Viewed

@@ -111,8 +111,8 @@ For CSV exports, use `export_table_to_csv` for table-based exports and `export_q
 | `read` | Read data | `read_records`, `run_select_query` |
 | `create` | Insert records and seed data | `create_record`, `bulk_insert`, `execute_seed_plan` |
 | `update` | Update records | `update_record`, `bulk_update` |
-| `delete` | Delete records | `delete_record`, `bulk_delete` |
-| `execute` | Custom SQL | `execute_write_query` |
+| `delete` | Delete records | `delete_record`, `bulk_delete`, DELETE via `execute_write_query` (requires both `execute` and `delete`) |
+| `execute` | Custom SQL (INSERT/UPDATE; not DELETE without `delete`) | `execute_write_query` |
 | `ddl` | Schema changes | `create_table`, `alter_table` |
 | `utility` | Utility operations | `test_connection`, `analyze_table` |
 | `transaction` | Transaction management | `begin_transaction`, `commit_transaction` |
@@ -159,7 +159,7 @@ Tool enabled = (Has Permission) AND (Has Category OR No categories specified)
 ### 5. Query Management (3 tools)
 - `run_select_query` - Execute SELECT queries
-- `execute_write_query` - Execute INSERT/UPDATE/DELETE
+- `execute_write_query` - Execute INSERT/UPDATE (DELETE requires the `delete` permission)
 - `repair_query` - Diagnose and fix SQL errors
 ### 6. Schema Management (4 tools)

package/README.md CHANGED Viewed

@@ -4,7 +4,7 @@
 **A production-ready Model Context Protocol (MCP) server for MySQL database integration with AI agents**
-**Last Updated:** 2026-05-11 13:33:42
+**Last Updated:** 2026-05-25 12:00:00
 [![npm version](https://img.shields.io/npm/v/@berthojoris/mcp-mysql-server)](https://www.npmjs.com/package/@berthojoris/mcp-mysql-server)
 [![npm downloads](https://img.shields.io/npm/dm/@berthojoris/mcp-mysql-server)](https://www.npmjs.com/package/@berthojoris/mcp-mysql-server)
@@ -263,7 +263,7 @@ Control database access with a **dual-layer filtering system** that provides bot
 | `create` | INSERT new records | Data entry |
 | `update` | UPDATE existing records | Data maintenance |
 | `delete` | DELETE records | Data cleanup |
-| `execute` | Execute custom SQL (DML) + Advanced SQL | Complex operations |
+| `execute` | Execute custom INSERT/UPDATE SQL (DELETE requires `delete` permission too) | Complex write operations |
 | `ddl` | CREATE/ALTER/DROP tables | Schema management |
 | `procedure` | Stored procedures (CREATE/DROP/EXECUTE) | Procedure management |
 | `transaction` | BEGIN, COMMIT, ROLLBACK | ACID operations |

package/dist/mcp-server.js CHANGED Viewed

@@ -18,7 +18,7 @@ const toolArgumentValidation_js_1 = require("./tools/toolArgumentValidation.js")
 const permissions = process.env.MCP_PERMISSIONS || process.env.MCP_CONFIG || "";
 const categories = process.env.MCP_CATEGORIES || "";
 const SERVER_NAME = "mysql-mcp-server";
-const SERVER_VERSION = "1.42.1";
+const SERVER_VERSION = "1.42.2";
 // Declare the MySQL MCP instance (will be initialized in main())
 let mysqlMCP;
 // Define all available tools with their schemas
@@ -695,7 +695,7 @@ const TOOLS = [
     },
     {
         name: "run_select_query",
-        description: "⚡ PRIMARY TOOL FOR SELECT QUERIES. Executes read-only SELECT statements with parameterization, optimizer hints, query caching, and dry-run mode. Supports complex queries with JOINs, subqueries, and aggregations. ⚠️ ONLY for SELECT - use execute_write_query for INSERT/UPDATE/DELETE, use execute_ddl for CREATE/ALTER/DROP.",
+        description: "⚡ PRIMARY TOOL FOR SELECT QUERIES. Executes read-only SELECT statements with parameterization, optimizer hints, query caching, and dry-run mode. Supports complex queries with JOINs, subqueries, and aggregations. ⚠️ ONLY for SELECT - use execute_write_query for INSERT/UPDATE, use execute_ddl for CREATE/ALTER/DROP.",
         inputSchema: {
             type: "object",
             properties: {
@@ -762,13 +762,13 @@ const TOOLS = [
     },
     {
         name: "execute_write_query",
-        description: '⚡ PRIMARY TOOL FOR INSERT/UPDATE/DELETE QUERIES. Executes data modification statements with parameterization support. Returns affected row count and execution details. ⚠️ NOT for SELECT (use run_select_query), NOT for DDL (use execute_ddl for CREATE/ALTER/DROP/TRUNCATE/RENAME).',
+        description: '⚡ PRIMARY TOOL FOR INSERT/UPDATE QUERIES. Executes data modification statements with parameterization support. Returns affected row count and execution details. DELETE SQL requires the separate "delete" permission in addition to "execute". ⚠️ NOT for SELECT (use run_select_query), NOT for DDL (use execute_ddl for CREATE/ALTER/DROP/TRUNCATE/RENAME).',
         inputSchema: {
             type: "object",
             properties: {
                 query: {
                     type: "string",
-                    description: "SQL query to execute (INSERT, UPDATE, DELETE, or DDL if permitted)",
+                    description: "SQL query to execute (INSERT or UPDATE; DELETE requires the delete permission)",
                 },
                 params: {
                     type: "array",

package/dist/security/securityLayer.js CHANGED Viewed

@@ -273,6 +273,15 @@ class SecurityLayer {
                         };
                     }
                 }
+                // DELETE requires explicit delete permission (execute alone is not sufficient)
+                if (type === "DELETE") {
+                    if (!this.featureConfig.isCategoryEnabled(featureConfig_js_1.ToolCategory.DELETE)) {
+                        return {
+                            valid: false,
+                            error: "DELETE operation requires 'delete' permission. Add 'delete' to your permissions configuration, or use delete_record / bulk_delete.",
+                        };
+                    }
+                }
                 return { valid: true, queryType: type };
             }
         }

package/dist/tools/queryTools.d.ts CHANGED Viewed

@@ -33,7 +33,8 @@ export declare class QueryTools {
      */
     getSuggestedHints(goal: "SPEED" | "MEMORY" | "STABILITY"): QueryHints;
     /**
-     * Execute write operations (INSERT, UPDATE, DELETE) with validation
+     * Execute write operations (INSERT, UPDATE) with validation.
+     * DELETE requires the separate delete permission and is validated in the security layer.
      * Note: DDL operations are blocked by the security layer for safety
      */
     executeWriteQuery(queryParams: {

package/dist/tools/queryTools.js CHANGED Viewed

@@ -118,7 +118,8 @@ class QueryTools {
         return this.optimizer.getSuggestedHints(goal);
     }
     /**
-     * Execute write operations (INSERT, UPDATE, DELETE) with validation
+     * Execute write operations (INSERT, UPDATE) with validation.
+     * DELETE requires the separate delete permission and is validated in the security layer.
      * Note: DDL operations are blocked by the security layer for safety
      */
     async executeWriteQuery(queryParams) {

package/dist/tools/utilityTools.js CHANGED Viewed

@@ -377,7 +377,7 @@ class UtilityTools {
                         selection_rules: [
                             "Use get_schema_rag_context before generating SQL to reduce token usage.",
                             "Use run_select_query only for SELECT statements.",
-                            "Use execute_write_query for INSERT, UPDATE, and DELETE.",
+                            "Use execute_write_query for INSERT and UPDATE. DELETE requires the delete permission.",
                             "Use execute_ddl only for CREATE, ALTER, DROP, TRUNCATE, and RENAME.",
                             "Use seed_operations for relational dummy data instead of manually chaining bulk_insert across foreign keys.",
                             "Prefer structured tools over raw SQL when possible.",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@berthojoris/mcp-mysql-server",
-  "version": "1.42.1",
+  "version": "1.42.2",
   "description": "Model Context Protocol server for MySQL database integration with dynamic per-project permissions",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",