@mangerik/wordpress-mcp 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [0.1.2] - 2026-05-17
9
+
10
+ ### Added
11
+ - `SECURITY.md` documenting supply chain practices and reporting policy.
12
+ - GitHub Actions workflows for CI (test on Node 18/20/22) and tag-triggered
13
+ publish with `--provenance` (npm provenance via OIDC).
14
+
15
+ ### Changed
16
+ - Documented the GitHub Actions release flow as the recommended path; local
17
+ publish is now positioned as a fallback.
18
+
8
19
  ## [0.1.1] - 2026-05-17
9
20
 
10
21
  ### Added
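Review bot: the CI matrix recorded in the new 0.1.2 "Added" entry (`test on Node 18/20/22`) still includes Node 18, which reached end of life in April 2025, over a year before this entry's 2026-05-17 date; either drop 18 from the matrix and the changelog or mark it best-effort, and mirror the decision in `engines.node` so `npm install` warns on an unsupported runtime. The same entry describes the release workflow as "tag-triggered publish with `--provenance`" but gives no path to the workflow file, so a reader of the changelog cannot inspect the trigger, the `permissions: id-token: write` grant, or which tag pattern fires it; link the workflow path in the repository.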
package/README.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # WordPress MCP Server
2
2
 
3
+ <p align="center">
4
+ <img src="https://raw.githubusercontent.com/mangerik/WordPress-MCP/main/assets/cover.jpg" alt="WordPress MCP Server" width="100%" />
5
+ </p>
6
+
3
7
  A [Model Context Protocol](https://modelcontextprotocol.io) server that lets any MCP-compatible AI client (Claude Desktop, Kiro, Cursor, Continue, etc.) read and manage a WordPress site through the official REST API.
4
8
 
5
9
  ## Features
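Review bot: the new `<img src="https://raw.githubusercontent.com/mangerik/WordPress-MCP/main/assets/cover.jpg">` fetches the cover from the `main` branch at render time, so the image shown on the package page can change after this version is published without any new release; pin it to a commit SHA (`.../<sha>/assets/cover.jpg`) so the README that ships in the tarball stays immutable, which is the same property the provenance work in this release is meant to give the code.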
@@ -37,7 +41,7 @@ npx -y @mangerik/wordpress-mcp
37
41
  ### From source
38
42
 
39
43
  ```bash
40
- git clone https://github.com/mangerik/wordpress-mcp.git
44
+ git clone https://github.com/mangerik/WordPress-MCP.git
41
45
  cd wordpress-mcp
42
46
  npm install
43
47
  npm run build
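Review bot: the clone URL now points at `WordPress-MCP.git`, but the unchanged next line still runs `cd wordpress-mcp`; `git clone` names the checkout directory after the repository (`WordPress-MCP`), so on a case-sensitive filesystem (Linux, most CI runners) this sequence fails at the `cd`. Either change it to `cd WordPress-MCP` or clone into an explicit directory, e.g. `git clone https://github.com/mangerik/WordPress-MCP.git wordpress-mcp`.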
@@ -229,6 +233,7 @@ Both plugins store SEO data in post meta with different keys; one uniform tool r
229
233
 
230
234
  - πŸ“– **[USAGE.md](docs/USAGE.md)** β€” Real-world prompt examples (Indonesian + English): authoring, audit, WooCommerce, SEO, batch, multisite, etc.
231
235
  - πŸ“š **[TOOLS.md](docs/TOOLS.md)** β€” Full reference for all 96 tools with arguments, types, and hints. Auto-generated from the running server.
236
+ - πŸ”’ **[SECURITY.md](SECURITY.md)** β€” Supply chain practices (npm provenance, no install scripts, 2FA) and how to report vulnerabilities.
232
237
 
233
238
  ## Notes & gotchas
234
239
 
package/SECURITY.md ADDED
@@ -0,0 +1,42 @@
1
+ # Security Policy
2
+
3
+ ## Reporting a vulnerability
4
+
5
+ If you discover a security issue, **please do not open a public GitHub issue**.
6
+ Instead, email the maintainer directly:
7
+
8
+ πŸ“§ erikhidayatullah23@gmail.com
9
+
10
+ We aim to respond within 7 days and disclose responsibly once a fix is shipped.
11
+
12
+ ## Supply chain practices
13
+
14
+ This package follows these supply chain security measures:
15
+
16
+ - **npm provenance** β€” every release is signed via [npm's provenance feature](https://docs.npmjs.com/generating-provenance-statements)
17
+ using GitHub Actions OIDC, so consumers can cryptographically verify each
18
+ tarball was built from a specific commit in the public repo.
19
+ - **No install / postinstall scripts** β€” the package never executes code on
20
+ install.
21
+ - **No native bindings** β€” pure TypeScript / JavaScript, easy to audit.
22
+ - **2FA on npm publish** β€” the maintainer's npm account requires two-factor
23
+ authentication for write actions.
24
+ - **Pinned dependencies** β€” runtime deps are kept to four well-known packages
25
+ (`@modelcontextprotocol/sdk`, `axios`, `form-data`, `zod`). No transitive
26
+ surprises from one-letter abandoned modules.
27
+ - **Reproducible builds** β€” `npm pack --dry-run` produces a deterministic
28
+ list; CI runs `typecheck β†’ build β†’ smoke β†’ docs` before every publish.
29
+
30
+ ## Verifying a published version
31
+
32
+ ```bash
33
+ # Inspect the provenance attestation:
34
+ npm audit signatures
35
+
36
+ # Or for a specific install:
37
+ npm install @mangerik/wordpress-mcp
38
+ npx @npmcli/get-provenance @mangerik/wordpress-mcp
39
+ ```
40
+
41
+ If `npm audit signatures` reports anything other than β€œverified”, do not
42
+ trust that install β€” please report to the email above.
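Review bot: the verification snippet runs `npm audit signatures` before anything is installed and then recommends `npx @npmcli/get-provenance`, which I cannot find as a published package; `npm audit signatures` checks the registry signatures and provenance attestations of packages already present in `node_modules` / the lockfile, so the order must be install first, then audit, and the per-package lookup should use a command that exists, e.g. `npm view @mangerik/wordpress-mcp dist.attestations` to print the attestation URL. Several claims under "Supply chain practices" also overreach: "every release is signed via npm provenance" holds only for releases that go through the GitHub Actions path, while the CHANGELOG in this same diff keeps local publish as a fallback, so a fallback release would ship without an attestation and `npm audit signatures` would flag it; "Pinned dependencies" is not established by having four direct dependencies (pinning means exact versions plus a committed lockfile), and those four do pull transitive packages (`axios` alone depends on `follow-redirects`, `form-data` and `proxy-from-env`), so "no transitive surprises" should become a statement about the lockfile and installing with `npm ci`; and "Reproducible builds" is not demonstrated by a deterministic `npm pack --dry-run` file list, which says nothing about the bytes in `dist/`, so either describe the provenance attestation as the guarantee (it binds the tarball to a commit and a workflow run) or drop the heading. Finally, "2FA on npm publish" and a tag-triggered CI publish cannot both be true unless the workflow uses npm trusted publishing (OIDC) or a token with the 2FA bypass; say which, since a long-lived publish token in repository secrets is exactly what a CI compromise goes after.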
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@mangerik/wordpress-mcp",
3
- "version": "0.1.1",
3
+ "version": "0.1.2",
4
4
  "description": "MCP Server for WordPress REST API β€” connect AI agents to WordPress (posts, pages, media, users, custom post types, WooCommerce, Yoast / Rank Math, block themes, multisite, batch).",
5
5
  "main": "dist/index.js",
6
6
  "type": "module",
@@ -14,6 +14,7 @@
14
14
  "README.md",
15
15
  "LICENSE",
16
16
  "CHANGELOG.md",
17
+ "SECURITY.md",
17
18
  ".env.example"
18
19
  ],
19
20
  "scripts": {
@@ -54,13 +55,13 @@
54
55
  "kiro",
55
56
  "llm"
56
57
  ],
57
- "homepage": "https://github.com/mangerik/wordpress-mcp#readme",
58
+ "homepage": "https://github.com/mangerik/WordPress-MCP#readme",
58
59
  "repository": {
59
60
  "type": "git",
60
- "url": "git+https://github.com/mangerik/wordpress-mcp.git"
61
+ "url": "git+https://github.com/mangerik/WordPress-MCP.git"
61
62
  },
62
63
  "bugs": {
63
- "url": "https://github.com/mangerik/wordpress-mcp/issues"
64
+ "url": "https://github.com/mangerik/WordPress-MCP/issues"
64
65
  },
65
66
  "publishConfig": {
66
67
  "access": "public"
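Review bot: the `repository.url` change to the `WordPress-MCP` casing is needed rather than cosmetic, because `npm publish --provenance` validates `repository.url` against the source repository it records in the attestation and refuses to publish on a mismatch; but `publishConfig` at the end of this hunk gains no `"provenance": true`, so provenance currently depends solely on the `--provenance` flag in the workflow. Adding `"provenance": true` under `publishConfig` makes every `npm publish`, including the local fallback the CHANGELOG keeps, attempt provenance generation and fail outside a supported CI provider instead of silently shipping an unattested tarball, which turns the fallback into an explicit opt-out rather than a silent downgrade.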