@cyanheads/git-mcp-server 2.0.7 → 2.0.8

package/README.md

@@ -2,7 +2,7 @@
 
 [![TypeScript](https://img.shields.io/badge/TypeScript-^5.8.3-blue.svg)](https://www.typescriptlang.org/)
 [![Model Context Protocol](https://img.shields.io/badge/MCP%20SDK-^1.11.0-green.svg)](https://modelcontextprotocol.io/)
-[![Version](https://img.shields.io/badge/Version-2.0.7-blue.svg)](./CHANGELOG.md)
+[![Version](https://img.shields.io/badge/Version-2.0.8-blue.svg)](./CHANGELOG.md)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Status](https://img.shields.io/badge/Status-Stable-green.svg)](https://github.com/cyanheads/git-mcp-server/issues)
 [![GitHub](https://img.shields.io/github/stars/cyanheads/git-mcp-server?style=social)](https://github.com/cyanheads/git-mcp-server)

package/dist/mcp-server/tools/gitAdd/logic.js

@@ -44,7 +44,7 @@ export async function addGitFiles(input, context // Add getter to context
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        const sanitizedPath = sanitization.sanitizePath(targetPath);
+        const sanitizedPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized repository path', { ...context, operation, sanitizedPath });
         targetPath = sanitizedPath; // Use the sanitized path going forward
     }

package/dist/mcp-server/tools/gitBranch/logic.js

@@ -56,7 +56,7 @@ export async function gitBranchLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitCheckout/logic.js

@@ -41,7 +41,7 @@ export async function checkoutGit(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitCherryPick/logic.js

@@ -47,7 +47,7 @@ export async function gitCherryPickLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitClean/logic.js

@@ -55,7 +55,7 @@ export async function gitCleanLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitClone/logic.js

@@ -33,7 +33,7 @@ export async function gitCloneLogic(input, context) {
     let sanitizedRepoUrl;
     try {
         // Sanitize the target path (must be absolute)
-        sanitizedTargetPath = sanitization.sanitizePath(input.targetPath);
+        sanitizedTargetPath = sanitization.sanitizePath(input.targetPath, { allowAbsolute: true });
         logger.debug('Sanitized target path', { ...context, operation, sanitizedTargetPath });
         // Basic sanitization/validation for URL (Zod already checks format)
         // Further sanitization might be needed depending on how it's used in the shell command

package/dist/mcp-server/tools/gitCommit/logic.js

@@ -50,7 +50,7 @@ export async function commitGitChanges(input, context // Add getter to context
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        const sanitizedPath = sanitization.sanitizePath(targetPath);
+        const sanitizedPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath });
         targetPath = sanitizedPath; // Use the sanitized path going forward
     }

package/dist/mcp-server/tools/gitDiff/logic.js

@@ -48,7 +48,7 @@ export async function diffGitChanges(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitFetch/logic.js

@@ -41,7 +41,7 @@ export async function fetchGitRemote(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitInit/logic.js

@@ -31,7 +31,7 @@ export async function gitInitLogic(input, context) {
     let targetPath;
     try {
         // Sanitize the provided absolute path
-        targetPath = sanitization.sanitizePath(input.path);
+        targetPath = sanitization.sanitizePath(input.path, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
         // Ensure the target directory exists before trying to init inside it
         // git init creates the directory if it doesn't exist, but we might want to ensure the parent exists

package/dist/mcp-server/tools/gitInit/registration.js

@@ -55,11 +55,11 @@ export const registerGitInitTool = async (server) => {
                 let resolvedPath;
                 try {
                     if (path.isAbsolute(inputPath)) {
-                        resolvedPath = sanitization.sanitizePath(inputPath);
+                        resolvedPath = sanitization.sanitizePath(inputPath, { allowAbsolute: true });
                         logger.debug(`Using absolute path: ${resolvedPath}`, requestContext);
                     }
                     else if (sessionWorkingDirectory) {
-                        resolvedPath = sanitization.sanitizePath(path.resolve(sessionWorkingDirectory, inputPath));
+                        resolvedPath = sanitization.sanitizePath(path.resolve(sessionWorkingDirectory, inputPath), { allowAbsolute: true });
                         logger.debug(`Resolved relative path '${inputPath}' to absolute path: ${resolvedPath} using session CWD`, requestContext);
                     }
                     else {

package/dist/mcp-server/tools/gitLog/logic.js

@@ -56,7 +56,7 @@ export async function logGitHistory(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitPull/logic.js

@@ -44,7 +44,7 @@ export async function pullGitChanges(input, context) {
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitPush/logic.js

@@ -45,7 +45,7 @@ export async function pushGitChanges(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitRebase/logic.js

@@ -55,7 +55,7 @@ export async function gitRebaseLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitRemote/logic.js

@@ -42,7 +42,7 @@ export async function gitRemoteLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath); // Sanitize the final resolved path
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true }); // Sanitize the final resolved path
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitReset/logic.js

@@ -44,7 +44,7 @@ export async function resetGitState(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitSetWorkingDir/logic.js

@@ -26,9 +26,9 @@ export async function gitSetWorkingDirLogic(input, context // Assuming context p
     logger.info('Executing git_set_working_dir logic', { ...context, operation, inputPath: input.path });
     let sanitizedPath;
     try {
-        // Sanitize the path. By default, sanitizePath allows absolute paths.
+        // Sanitize the path. Must explicitly allow absolute paths for this tool.
         // It normalizes and checks for traversal issues.
-        sanitizedPath = sanitization.sanitizePath(input.path);
+        sanitizedPath = sanitization.sanitizePath(input.path, { allowAbsolute: true });
         logger.debug(`Sanitized path: ${sanitizedPath}`, { ...context, operation });
     }
     catch (error) {

package/dist/mcp-server/tools/gitShow/logic.js

@@ -41,7 +41,7 @@ export async function gitShowLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitStash/logic.js

@@ -47,7 +47,7 @@ export async function gitStashLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitStatus/logic.js

@@ -160,7 +160,7 @@ export async function getGitStatus(input, context // Add getter to context
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        const sanitizedPath = sanitization.sanitizePath(targetPath);
+        const sanitizedPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath });
         targetPath = sanitizedPath; // Use the sanitized path going forward
     }

package/dist/mcp-server/tools/gitTag/logic.js

@@ -55,7 +55,7 @@ export async function gitTagLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/git-mcp-server",
-  "version": "2.0.7",
+  "version": "2.0.8",
   "description": "An MCP (Model Context Protocol) server providing tools to interact with Git repositories. Enables LLMs and AI agents to perform Git operations like clone, commit, push, pull, branch, diff, log, status, and more via the MCP standard.",
   "type": "module",
   "license": "Apache-2.0",
@@ -38,7 +38,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@types/jsonwebtoken": "^9.0.9",
-    "@types/node": "^22.15.9",
+    "@types/node": "^22.15.15",
     "@types/sanitize-html": "^2.16.0",
     "@types/validator": "^13.15.0",
     "chrono-node": "^2.8.0",