@dollhousemcp/mcp-server 1.9.13 → 1.9.15

package/CHANGELOG.md

@@ -1,5 +1,53 @@
 # Changelog
 
+## [1.9.15] - 2025-10-01
+
+Security patch: Zero-width Unicode bypass vulnerability + SonarCloud cleanup
+
+SECURITY FIX [HIGH]:
+- Block zero-width Unicode characters in metadata validation (#1228, #1229)
+- Prevents steganography and homograph attacks
+
+CODE QUALITY:
+- 228+ SonarCloud issues resolved (#1220-1224)
+- 199 security hotspots evaluated (all safe)
+- Number.parseInt modernization, String.replaceAll updates
+
+All production security concerns resolved.
+
+## [1.9.14] - 2025-09-30
+
+### Fixed
+- **ElementFormatter Security Scanner False Positives (Issue #1211, PR #1212)**
+  - Fixed SecureYamlParser ignoring `validateContent: false` option
+  - Pre-parse security validation now properly respects validation flag
+  - ElementFormatter now uses `validateContent: false` for all YAML parsing (5 locations)
+  - Allows local trusted files to bypass content scanning while maintaining security for untrusted sources
+  - Improved memory name generation: derives names from filenames instead of auto-generated IDs
+  - Example: `sonarcloud-rules-reference` instead of `mem_1759077319164_w9m9fk56y`
+
+- **Portfolio Search File Extension Display (Issue #1213, PR #1215)**
+  - Portfolio search now displays correct file extensions based on element type
+  - Memories show `.yaml` extension, other elements show `.md` extension
+  - Added `getFileExtension()` public method to PortfolioManager
+  - Fixed hardcoded `.md` extension in search result formatting
+  - No breaking changes, display-only fix
+
+### Code Quality
+- Fixed SonarCloud issues in Docker test files:
+  - S7018: Sorted apt packages alphabetically in Dockerfile.test-enhanced
+  - S7031: Merged consecutive RUN instructions in Dockerfile.test-enhanced
+  - S7772: Added `node:` prefix for built-in module imports (4 occurrences)
+  - S2486: Added proper error logging for JSON parse exceptions
+  - S7780: Used String.raw for grep regex patterns (2 occurrences)
+- Added comprehensive test coverage for portfolio search file extensions
+- 2,277 tests passing with >96% coverage
+
+### Documentation
+- Added SESSION_NOTES_2025-09-30-AFTERNOON-PR1215-SONARCLOUD-PROCEDURE.md
+- Added SONARCLOUD_QUERY_PROCEDURE.md - Critical guide for querying SonarCloud correctly
+- Updated CLAUDE.md with naming conventions and style guide for session notes and memories
+
 ## [1.9.13] - 2025-09-29
 
 ### Fixed

package/README.github.md

@@ -873,6 +873,60 @@ For detailed guidelines, see [CONTRIBUTING.md](CONTRIBUTING.md).
 
 ## 🏷️ Version History
 
+### v1.9.15 - October 1, 2025
+
+**Security Patch**: Zero-width Unicode bypass vulnerability + SonarCloud cleanup
+
+#### 🔒 Security Fix [HIGH]
+- **Zero-width Unicode bypass vulnerability** - Restored Unicode security validation (#1228, #1229)
+  - Blocks zero-width characters (U+200B-U+200F, U+FEFF) in metadata validation
+  - Prevents steganography and homograph attacks
+  - Fixed `validateContent` bypass in DefaultElementProvider
+  - Restored security validation chain through ContentValidator and UnicodeValidator
+
+#### 🧹 Code Quality
+- **228+ SonarCloud issues resolved** across 5 issues (#1220-1224):
+  - S7773: Modernized Number parsing methods (90 issues) - `parseInt()` → `Number.parseInt()`
+  - S7781: String.replaceAll modernization (134 issues) - `.replace(/g)` → `.replaceAll()`
+  - MEDIUM severity fixes (4 issues) - Object literals, loop counters, Promise types
+  - False positives marked (11 issues) - Test-only patterns properly categorized
+- **199 security hotspots evaluated** - All marked SAFE, zero production concerns (#1219)
+  - Math.random(), MD5, PATH usage validated for non-security contexts
+  - Comprehensive documentation of safe patterns
+
+#### 📊 Impact
+- ✅ 1 HIGH severity security vulnerability fixed
+- ✅ All production security concerns resolved
+- ✅ Test coverage maintained at >96%
+
+### v1.9.14 - September 30, 2025
+
+**Bug Fixes**: ElementFormatter and portfolio search improvements
+
+#### 🔧 Fixed
+- **ElementFormatter Security Scanner False Positives** - Fixed validation option being ignored (#1211, #1212)
+  - SecureYamlParser now properly respects `validateContent: false` option
+  - ElementFormatter uses `validateContent: false` for all YAML parsing (5 locations)
+  - Local trusted files can bypass content scanning while maintaining security for untrusted sources
+
+- **Portfolio Search File Extension Display** - Fixed incorrect extension display (#1213, #1215)
+  - Portfolio search now shows correct file extensions based on element type
+  - Memories display `.yaml` extension, other elements show `.md` extension
+
+#### 📚 Documentation
+- Added SONARCLOUD_QUERY_PROCEDURE.md - Critical guide for querying SonarCloud correctly
+- Updated CLAUDE.md with naming conventions and style guide for session notes
+- Added session notes documentation for PR #1215
+
+#### 📊 Statistics
+- 2 Bug fixes merged (PR #1212, #1215)
+- 10 Code quality issues resolved
+- 2,277 tests passing with >96% coverage
+- Quality Gate: PASSING
+- Test Coverage: >96% maintained
+
+---
+
 ### v1.9.13 - September 29, 2025
 
 **Memory System Critical Fixes**: Security scanner improvements and enhanced error reporting