npm - @neverinfamous/mysql-mcp - Versions diffs - 2.3.0 → 2.3.1 - Mend

@neverinfamous/mysql-mcp 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/.github/workflows/codeql.yml +0 -8
package/.github/workflows/docker-publish.yml +10 -8
package/CHANGELOG.md +11 -0
package/DOCKER_README.md +19 -225
package/Dockerfile +5 -0
package/README.md +37 -13
package/VERSION +1 -1
package/package.json +1 -1
package/releases/v2.3.0-release-notes.md +20 -20
package/releases/v2.3.1-release-notes.md +34 -0

package/.github/workflows/codeql.yml CHANGED Viewed

@@ -13,14 +13,6 @@ on:
       - "package.json"
   pull_request:
     branches: ["master"]
-    paths:
-      - "**.js"
-      - "**.jsx"
-      - "**.ts"
-      - "**.tsx"
-      - "**.mjs"
-      - "**.cjs"
-      - "package.json"
   schedule:
     - cron: "0 0 * * 1"
   workflow_dispatch:

package/.github/workflows/docker-publish.yml CHANGED Viewed

@@ -213,16 +213,18 @@ jobs:
           curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
           docker images local-scan:latest
           echo "🔍 Running Docker Scout security scan"
-          if timeout 480 docker scout cves local-scan:latest > scout_output.txt 2>&1; then
-            echo "📊 Scan completed successfully"
-            cat scout_output.txt
-            if grep -E "(CRITICAL|HIGH)" scout_output.txt | grep -v "0  " > /dev/null; then
-              echo "⚠️ Critical or high severity vulnerabilities detected (informational)"
+          if timeout 480 docker scout cves local-scan:latest --only-fixed --exit-code 2>&1 | tee scout_output.txt; then
+            echo "✅ No fixable vulnerabilities detected"
+          else
+            SCOUT_EXIT=$?
+            if [ "$SCOUT_EXIT" -eq 2 ]; then
+              echo "❌ Fixable vulnerabilities detected — blocking deployment"
+              cat scout_output.txt
+              exit 1
             else
-              echo "✅ No critical/high severity vulnerabilities"
+              echo "⚠️ Docker Scout scan failed or timed out (exit code: $SCOUT_EXIT)"
+              cat scout_output.txt
             fi
-          else
-            echo "⚠️ Docker Scout scan timed out or failed"
           fi
   # Merge platform images into multi-arch manifest

package/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [2.3.1] - 2026-02-18
+### Security
+- **CVE Fix: `tar` Path Traversal (CVE-2026-26960)** — Patched npm's bundled `tar` (< 7.5.8) in the Dockerfile runtime stage to fix a high-severity path traversal vulnerability that allowed arbitrary file read/write via crafted hardlinks.
+### Changed
+- **Docker Scout Security Gate Hardened** — Docker Scout scan in `docker-publish.yml` now **blocks deployments** on any fixable CVE (any severity) using `--only-fixed --exit-code`. Unfixable zero-day CVEs are allowed through. Previously the scan was informational only and never failed the workflow.
+- **CodeQL Workflow PR Trigger** — Removed `paths` filter from `pull_request` trigger in `codeql.yml` so the `analyze (javascript-typescript)` required check always runs on PRs. The existing `check-files` step handles skipping analysis for non-code PRs.
 ## [2.3.0] - 2026-02-18
 ### Fixed

package/DOCKER_README.md CHANGED Viewed

@@ -50,13 +50,18 @@
 #### NPM (Recommended)
 ```bash
-# Install globally
 npm install -g @neverinfamous/mysql-mcp
+```
+Run the server:
-# Run
+```bash
 mysql-mcp --transport stdio --mysql mysql://user:password@localhost:3306/database
+```
+Or use npx without installing:
-# Or use npx without installing
+```bash
 npx @neverinfamous/mysql-mcp --transport stdio --mysql mysql://user:password@localhost:3306/database
 ```
@@ -116,11 +121,15 @@ mysql-mcp --mysql mysql://root:pass@localhost/db \
 **Start the HTTP server:**
+Local installation:
 ```bash
-# Local installation
 node dist/cli.js --transport http --port 3000 --server-host 0.0.0.0 --mysql mysql://user:password@localhost:3306/database
+```
+Docker (expose port 3000):
-# Docker (expose port 3000)
+```bash
 docker run -p 3000:3000 writenotenow/mysql-mcp \
   --transport http \
   --port 3000 \
@@ -191,43 +200,6 @@ docker run -p 3000:3000 writenotenow/mysql-mcp \
 | **MySQL in Docker**       | Container name or network | `mysql://user:pass@mysql-container:3306/db`      |
 | **Remote/Cloud MySQL**    | Hostname or IP            | `mysql://user:pass@db.example.com:3306/db`       |
-### MySQL on Host Machine
-If MySQL is installed directly on your computer (via installer, Homebrew, etc.):
-```json
-"--mysql", "mysql://user:password@host.docker.internal:3306/database"
-```
-### MySQL in Another Docker Container
-Add both containers to the same Docker network, then use the container name:
-```bash
-# Create network and run MySQL
-docker network create mynet
-docker run -d --name mysql-db --network mynet -e MYSQL_ROOT_PASSWORD=pass mysql:8
-# Run MCP server on same network
-docker run -i --rm --network mynet writenotenow/mysql-mcp:latest \
-  --transport stdio --mysql mysql://root:pass@mysql-db:3306/mysql
-```
-### Remote/Cloud MySQL (RDS, Cloud SQL, etc.)
-Use the remote hostname directly:
-```json
-"--mysql", "mysql://user:password@your-instance.region.rds.amazonaws.com:3306/database"
-```
-| Provider         | Example Hostname                                 |
-| ---------------- | ------------------------------------------------ |
-| AWS RDS          | `your-instance.xxxx.us-east-1.rds.amazonaws.com` |
-| Google Cloud SQL | `project:region:instance` (via Cloud SQL Proxy)  |
-| Azure MySQL      | `your-server.mysql.database.azure.com`           |
-| PlanetScale      | `aws.connect.psdb.cloud` (SSL required)          |
-| DigitalOcean     | `your-cluster-do-user-xxx.db.ondigitalocean.com` |
 > **Tip:** For remote connections, ensure your MySQL server allows connections from Docker's IP range and that firewalls/security groups permit port 3306.
 ---
@@ -312,128 +284,7 @@ The `--tool-filter` argument accepts **shortcuts**, **groups**, or **tool names*
 ---
-### Quick Start: Recommended IDE Configuration
-Add one of these configurations to your IDE's MCP settings file (e.g., `cline_mcp_settings.json`, `.cursorrules`, or equivalent):
-#### Option 1: Starter (39 Essential Tools)
-**Best for:** General MySQL database work - CRUD operations, schema management, and monitoring.
-```json
-{
-  "mcpServers": {
-    "mysql-mcp": {
-      "command": "node",
-      "args": [
-        "/path/to/mysql-mcp/dist/cli.js",
-        "--transport",
-        "stdio",
-        "--tool-filter",
-        "starter"
-      ],
-      "env": {
-        "MYSQL_HOST": "localhost",
-        "MYSQL_PORT": "3306",
-        "MYSQL_USER": "your_username",
-        "MYSQL_PASSWORD": "your_password",
-        "MYSQL_DATABASE": "your_database"
-      }
-    }
-  }
-}
-```
-#### Option 2: Cluster (11 Tools for InnoDB Cluster Monitoring)
-**Best for:** Monitoring InnoDB Cluster, Group Replication status, and cluster topology.
-> **⚠️ Prerequisites:**
->
-> - **InnoDB Cluster** must be configured and running with Group Replication enabled
-> - Connect to a cluster node directly (e.g., `localhost:3307`) — NOT a standalone MySQL instance
-> - Use `cluster_admin` or `root` user with appropriate privileges
-> - See [MySQL Ecosystem Setup Guide](https://github.com/neverinfamous/mysql-mcp/wiki/MySQL-Ecosystem-Setup) for cluster setup instructions
-```json
-{
-  "mcpServers": {
-    "mysql-mcp-cluster": {
-      "command": "node",
-      "args": [
-        "/path/to/mysql-mcp/dist/cli.js",
-        "--transport",
-        "stdio",
-        "--tool-filter",
-        "cluster"
-      ],
-      "env": {
-        "MYSQL_HOST": "localhost",
-        "MYSQL_PORT": "3307",
-        "MYSQL_USER": "cluster_admin",
-        "MYSQL_PASSWORD": "cluster_password",
-        "MYSQL_DATABASE": "mysql"
-      }
-    }
-  }
-}
-```
-#### Option 3: Ecosystem (42 Tools for InnoDB Cluster Deployments)
-**Best for:** MySQL Router, ProxySQL, MySQL Shell, and InnoDB Cluster deployments.
-> **⚠️ Prerequisites:**
->
-> - **InnoDB Cluster** with MySQL Router requires the cluster to be running for Router REST API authentication (uses `metadata_cache` backend)
-> - Router REST API uses HTTPS with self-signed certificates by default — set `MYSQL_ROUTER_INSECURE=true` to bypass certificate verification
-> - **X Protocol:** InnoDB Cluster includes the MySQL X Plugin by default. Set `MYSQL_XPORT` to the Router's X Protocol port (e.g., `6448`) for `mysqlsh_import_json` and `docstore` tools
-> - See [MySQL Ecosystem Setup Guide](https://github.com/neverinfamous/mysql-mcp/wiki/MySQL-Ecosystem-Setup) for detailed instructions
-```json
-{
-  "mcpServers": {
-    "mysql-mcp-ecosystem": {
-      "command": "node",
-      "args": [
-        "/path/to/mysql-mcp/dist/cli.js",
-        "--transport",
-        "stdio",
-        "--tool-filter",
-        "ecosystem"
-      ],
-      "env": {
-        "MYSQL_HOST": "localhost",
-        "MYSQL_PORT": "3307",
-        "MYSQL_XPORT": "6448",
-        "MYSQL_USER": "cluster_admin",
-        "MYSQL_PASSWORD": "cluster_password",
-        "MYSQL_DATABASE": "testdb",
-        "MYSQL_ROUTER_URL": "https://localhost:8443",
-        "MYSQL_ROUTER_USER": "rest_api",
-        "MYSQL_ROUTER_PASSWORD": "router_password",
-        "MYSQL_ROUTER_INSECURE": "true",
-        "PROXYSQL_HOST": "localhost",
-        "PROXYSQL_PORT": "6032",
-        "PROXYSQL_USER": "radmin",
-        "PROXYSQL_PASSWORD": "radmin",
-        "MYSQLSH_PATH": "/usr/local/bin/mysqlsh"
-      }
-    }
-  }
-}
-```
-**Customization Notes:**
-- Replace `/path/to/mysql-mcp/` with your actual installation path
-- Update credentials with your actual values
-- For Windows: Use forward slashes (e.g., `C:/mysql-mcp/dist/cli.js`) or escape backslashes
-- For Windows MySQL Shell: `"MYSQLSH_PATH": "C:\\Program Files\\MySQL\\MySQL Shell 9.5\\bin\\mysqlsh.exe"`
-- **Router Authentication:** Router REST API authenticates against the InnoDB Cluster metadata. The cluster must be running for authentication to work.
-- **Cluster Resource:** The `mysql://cluster` resource is only available when connected to an InnoDB Cluster node
-> **📖 See the [Tool Filtering Wiki](https://github.com/neverinfamous/mysql-mcp/wiki/Tool-Filtering)** for advanced examples.
+> **📖 See the [Tool Filtering Wiki](https://github.com/neverinfamous/mysql-mcp/wiki/Tool-Filtering)** for IDE configuration examples and advanced usage.
 ---
@@ -448,56 +299,13 @@ For debugging or manual reference, see the source: [`src/constants/ServerInstruc
 ## 🤖 AI-Powered Prompts
-This server includes **19 intelligent prompts** for guided workflows:
-| Prompt                        | Description                                            |
-| ----------------------------- | ------------------------------------------------------ |
-| `mysql_query_builder`         | Construct SQL queries with security best practices     |
-| `mysql_schema_design`         | Design table schemas with indexes and relationships    |
-| `mysql_performance_analysis`  | Analyze slow queries with optimization recommendations |
-| `mysql_migration`             | Generate migration scripts with rollback options       |
-| `mysql_database_health_check` | Comprehensive database health assessment               |
-| `mysql_backup_strategy`       | Enterprise backup planning with RTO/RPO                |
-| `mysql_index_tuning`          | Index analysis and optimization workflow               |
-| `mysql_setup_router`          | MySQL Router configuration guide                       |
-| `mysql_setup_proxysql`        | ProxySQL configuration guide                           |
-| `mysql_setup_replication`     | Replication setup guide                                |
-| `mysql_setup_shell`           | MySQL Shell usage guide                                |
-| `mysql_tool_index`            | Complete tool index with categories                    |
-| `mysql_quick_query`           | Quick query execution shortcut                         |
-| `mysql_quick_schema`          | Quick schema exploration                               |
-| **`mysql_setup_events`**      | Event Scheduler setup guide                            |
-| **`mysql_sys_schema_guide`**  | sys schema usage and diagnostics                       |
-| **`mysql_setup_spatial`**     | Spatial/GIS data setup guide                           |
-| **`mysql_setup_cluster`**     | InnoDB Cluster/Group Replication guide                 |
-| **`mysql_setup_docstore`**    | Document Store / X DevAPI guide                        |
+**19 intelligent prompts** for guided workflows including query building, schema design, performance analysis, migration planning, backup strategy, index tuning, and ecosystem setup (Router, ProxySQL, Replication, Shell, Cluster, Spatial, Events, Document Store).
 ---
 ## 📊 Resources
-This server exposes **18 resources** for database observability:
-| Resource                | Description                                 |
-| ----------------------- | ------------------------------------------- |
-| `mysql://schema`        | Full database schema                        |
-| `mysql://tables`        | Table listing with metadata                 |
-| `mysql://variables`     | Server configuration variables              |
-| `mysql://status`        | Server status metrics                       |
-| `mysql://processlist`   | Active connections and queries              |
-| `mysql://pool`          | Connection pool statistics                  |
-| `mysql://capabilities`  | Server version, features, tool categories   |
-| `mysql://health`        | Comprehensive health status                 |
-| `mysql://performance`   | Query performance metrics                   |
-| `mysql://indexes`       | Index usage and statistics                  |
-| `mysql://replication`   | Replication status and lag                  |
-| `mysql://innodb`        | InnoDB buffer pool and engine metrics       |
-| **`mysql://events`**    | Event Scheduler status and scheduled events |
-| **`mysql://sysschema`** | sys schema diagnostics summary              |
-| **`mysql://locks`**     | InnoDB lock contention detection            |
-| **`mysql://cluster`**   | Group Replication/InnoDB Cluster status     |
-| **`mysql://spatial`**   | Spatial columns and indexes                 |
-| **`mysql://docstore`**  | Document Store collections                  |
+**18 real-time resources** for database observability: schema, tables, variables, status, processlist, connection pool, capabilities, health, performance, indexes, replication, InnoDB metrics, events, sys schema, locks, cluster status, spatial metadata, and document store collections.
 ---
@@ -552,20 +360,6 @@ Schema metadata is cached to reduce repeated queries during tool/resource invoca
 ---
-## Contributing
-Contributions are welcome! Please read our [Contributing Guidelines](CONTRIBUTING.md) before submitting a pull request.
-## Security
-For security concerns, please see our [Security Policy](SECURITY.md).
-> **⚠️ Never commit credentials** - Store secrets in `.env` (gitignored)
-## License
-This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
-## Code of Conduct
+## Contributing & Security
-Please read our [Code of Conduct](CODE_OF_CONDUCT.md) before participating in this project.
+[Contributing Guidelines](CONTRIBUTING.md) • [Security Policy](SECURITY.md) • [MIT License](LICENSE) • [Code of Conduct](CODE_OF_CONDUCT.md)

package/Dockerfile CHANGED Viewed

@@ -48,7 +48,12 @@ RUN apk upgrade --no-cache
 # - CVE-2024-21538: cross-spawn < 7.0.5
 # - CVE-2025-64756: glob < 10.5.0
 # - CVE-2025-5889: brace-expansion <= 2.0.1
+# - CVE-2026-26960: tar < 7.5.8 (patch npm's bundled copy)
 RUN npm install -g npm@latest && \
+    npm install -g tar@latest && \
+    rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
+    cp -r /usr/local/lib/node_modules/tar /usr/local/lib/node_modules/npm/node_modules/tar && \
+    npm uninstall -g tar && \
     npm cache clean --force
 # Create non-root user for security

package/README.md CHANGED Viewed

@@ -52,13 +52,18 @@
 #### NPM (Recommended)
 ```bash
-# Install globally
 npm install -g @neverinfamous/mysql-mcp
+```
+Run the server:
-# Run
+```bash
 mysql-mcp --transport stdio --mysql mysql://user:password@localhost:3306/database
+```
-# Or use npx without installing
+Or use npx without installing:
+```bash
 npx @neverinfamous/mysql-mcp --transport stdio --mysql mysql://user:password@localhost:3306/database
 ```
@@ -118,11 +123,15 @@ mysql-mcp --mysql mysql://root:pass@localhost/db \
 **Start the HTTP server:**
+Local installation:
 ```bash
-# Local installation
 node dist/cli.js --transport http --port 3000 --server-host 0.0.0.0 --mysql mysql://user:password@localhost:3306/database
+```
+Docker (expose port 3000):
-# Docker (expose port 3000)
+```bash
 docker run -p 3000:3000 writenotenow/mysql-mcp \
   --transport http \
   --port 3000 \
@@ -205,11 +214,16 @@ If MySQL is installed directly on your computer (via installer, Homebrew, etc.):
 Add both containers to the same Docker network, then use the container name:
+Create a network and run MySQL:
 ```bash
-# Create network and run MySQL
 docker network create mynet
 docker run -d --name mysql-db --network mynet -e MYSQL_ROOT_PASSWORD=pass mysql:8
-# Run MCP server on same network
+```
+Run MCP server on the same network:
+```bash
 docker run -i --rm --network mynet writenotenow/mysql-mcp:latest \
   --transport stdio --mysql mysql://root:pass@mysql-db:3306/mysql
 ```
@@ -574,11 +588,15 @@ Schema metadata is cached to reduce repeated queries during tool/resource invoca
 Use [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to visually test and debug mysql-mcp:
+Build the server first:
 ```bash
-# Build the server first
 npm run build
+```
-# Launch Inspector with mysql-mcp
+Launch Inspector with mysql-mcp:
+```bash
 npx @modelcontextprotocol/inspector node dist/cli.js \
   --transport stdio \
   --mysql mysql://user:password@localhost:3306/database
@@ -588,13 +606,17 @@ Open **http://localhost:6274** to browse all 193 tools, 18 resources, and 19 pro
 **CLI mode for scripting:**
+List all tools:
 ```bash
-# List all tools
 npx @modelcontextprotocol/inspector --cli node dist/cli.js \
   --transport stdio --mysql mysql://... \
   --method tools/list
+```
+Call a specific tool:
-# Call a specific tool
+```bash
 npx @modelcontextprotocol/inspector --cli node dist/cli.js \
   --transport stdio --mysql mysql://... \
   --method tools/call --tool-name mysql_list_tables
@@ -607,10 +629,12 @@ npx @modelcontextprotocol/inspector --cli node dist/cli.js \
 The project maintains high test coverage (~86%) using Vitest.
 ```bash
-# Run tests
 npm test
+```
+Run coverage report:
-# Run coverage report
+```bash
 npm run test:coverage
 ```

package/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 2.3.0
1	+ 2.3.1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@neverinfamous/mysql-mcp",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "Enterprise-grade MySQL MCP Server with OAuth 2.0 authentication, connection pooling & tool filtering",
   "type": "module",
   "main": "dist/index.js",

package/releases/v2.3.0-release-notes.md CHANGED Viewed

@@ -25,14 +25,14 @@ The headline feature of v2.3.0. Code Mode provides a sandboxed `mysql.*` API nam
 ### Key Capabilities
-| Feature | Details |
-|---|---|
+| Feature           | Details                                                                                                                                          |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
 | **22 API Groups** | `mysql.core`, `mysql.json`, `mysql.transactions`, `mysql.spatial`, `mysql.stats`, `mysql.security`, `mysql.cluster`, `mysql.router`, and 14 more |
-| **168+ Methods** | Full coverage of all mysql-mcp tools |
-| **VM Isolation** | Sandboxed execution with security validation and rate limiting |
-| **Auto-Cleanup** | Automatic transaction rollback on completion — no dangling locks |
-| **Help System** | `mysql.help()` and `mysql.{group}.help()` for introspection |
-| **Token Savings** | 70–90% reduction vs. individual tool calls for multi-step operations |
+| **168+ Methods**  | Full coverage of all mysql-mcp tools                                                                                                             |
+| **VM Isolation**  | Sandboxed execution with security validation and rate limiting                                                                                   |
+| **Auto-Cleanup**  | Automatic transaction rollback on completion — no dangling locks                                                                                 |
+| **Help System**   | `mysql.help()` and `mysql.{group}.help()` for introspection                                                                                      |
+| **Token Savings** | 70–90% reduction vs. individual tool calls for multi-step operations                                                                             |
 ### API Groups
@@ -48,12 +48,12 @@ Code Mode is automatically included in all preset shortcuts (`starter`, `essenti
 Tools now accept alternative parameter names for commonly used fields, normalized automatically via Zod schema preprocessing:
-| Alias | Canonical | Applies To |
-|---|---|---|
-| `table` / `tableName` / `name` | table parameter | Core, Text, Backup, Partitioning, Performance, Admin |
-| `query` / `sql` | query parameter | `mysql_read_query`, `mysql_write_query`, `mysql_explain`, `mysql_explain_analyze`, `mysql_query_rewrite`, `mysql_optimizer_trace` |
-| `where` / `filter` | WHERE clause | `mysql_export_table` and all Text tools |
-| `column` / `col` | column parameter | Text tools |
+| Alias                          | Canonical        | Applies To                                                                                                                        |
+| ------------------------------ | ---------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| `table` / `tableName` / `name` | table parameter  | Core, Text, Backup, Partitioning, Performance, Admin                                                                              |
+| `query` / `sql`                | query parameter  | `mysql_read_query`, `mysql_write_query`, `mysql_explain`, `mysql_explain_analyze`, `mysql_query_rewrite`, `mysql_optimizer_trace` |
+| `where` / `filter`             | WHERE clause     | `mysql_export_table` and all Text tools                                                                                           |
+| `column` / `col`               | column parameter | Text tools                                                                                                                        |
 Schema definitions use a **Dual-Schema pattern**: `SchemaBase` (with aliases visible to MCP clients) for `inputSchema`, and the runtime `Schema` (with preprocessing + transformation) for handler validation.
@@ -78,13 +78,13 @@ Schema definitions use a **Dual-Schema pattern**: `SchemaBase` (with aliases vis
 Five tool groups were completely inaccessible in Code Mode due to prefix-stripping misconfigurations. All returned `TypeError: ... is not a function`:
-| Group | Tools Affected | Root Cause |
-|---|---|---|
-| **Security** | 9 tools | `security` in `keepPrefix` set |
-| **Stats** | 8 tools | `stats` in `keepPrefix` set |
-| **Spatial** | 12 tools | `spatial` in `keepPrefix` set |
-| **Router** | 9 tools | `router` in `keepPrefix` set |
-| **Shell** | 10 tools | Missing `groupPrefixMap` entry |
+| Group        | Tools Affected | Root Cause                     |
+| ------------ | -------------- | ------------------------------ |
+| **Security** | 9 tools        | `security` in `keepPrefix` set |
+| **Stats**    | 8 tools        | `stats` in `keepPrefix` set    |
+| **Spatial**  | 12 tools       | `spatial` in `keepPrefix` set  |
+| **Router**   | 9 tools        | `router` in `keepPrefix` set   |
+| **Shell**    | 10 tools       | Missing `groupPrefixMap` entry |
 ### Code Mode Help Example Fixes

package/releases/v2.3.1-release-notes.md ADDED Viewed

@@ -0,0 +1,34 @@
+# mysql-mcp v2.3.1 Release Notes
+**Release Date:** February 18, 2026
+Security patch addressing CVE-2026-26960 and hardening the Docker deployment pipeline.
+## Security
+- **CVE-2026-26960 (tar < 7.5.8)** — Patched npm's bundled `tar` in the Docker runtime image to fix a high-severity path traversal vulnerability that allowed arbitrary file read/write via crafted hardlinks.
+## Changed
+- **Docker Scout Gate Hardened** — Security scan now **blocks deployments** on any fixable CVE (any severity) using `--only-fixed --exit-code`. Unfixable zero-day CVEs pass through. Previously the scan was informational only.
+- **CodeQL Workflow PR Trigger** — Removed `paths` filter from `pull_request` trigger so the required `analyze (javascript-typescript)` check always runs on PRs, preventing non-code PRs from being blocked by branch rulesets.
+## Install
+### Docker
+```bash
+docker pull writenotenow/mysql-mcp:latest
+```
+```bash
+docker pull writenotenow/mysql-mcp:v2.3.1
+```
+### NPM
+```bash
+npm install -g @neverinfamous/mysql-mcp@2.3.1
+```
+**Full Changelog:** [v2.3.0...v2.3.1](https://github.com/neverinfamous/mysql-mcp/compare/v2.3.0...v2.3.1)