@seed-ship/mcp-ui-solid 6.13.0 → 6.14.0

package/CHANGELOG.md

@@ -5,6 +5,33 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.14.0] - 2026-05-31
+
+Make the external quickchart.io chart fallback an explicit host opt-in
+(audit P1.7).
+
+### Security / privacy
+
+- The chart renderer could silently fall back to **quickchart.io** when the
+  native `chart.js` peer was unavailable (auto mode) — encoding the **entire
+  chart config** (labels + data) into an external image URL. That is an
+  implicit network call that can leak potentially sensitive data and behaves
+  differently offline.
+- A new **host-level** prop `allowQuickchartFallback` (on `<UIResourceRenderer>`
+  and `<StreamingUIRenderer>`) gates **all** quickchart.io access.
+  **Default `false`**:
+  - in `auto` mode, when Chart.js is missing the chart now **degrades to a
+    local data table** (the P2.5 fallback ladder) and emits a `render:error`
+    telemetry signal (`componentType: 'chart'`) — no external call;
+  - an explicit `renderer: 'iframe'` request is likewise declined (and
+    degraded) unless the host opts in.
+- Native Chart.js stays the preferred path and is unchanged. Setting
+  `allowQuickchartFallback` restores the previous quickchart behaviour.
+
+  Like `allowHtmlPopups` (v6.10.0), this is deliberately a host prop, not a
+  payload field — a payload must not be able to opt itself into an external
+  call.
+
 ## [6.13.0] - 2026-05-31
 
 `graph` is now first-class in the `UIComponent` params union (audit follow-up