@uluops/registry-mcp 0.2.6 → 0.2.7
- package/CHANGELOG.md +6 -0
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [0.2.7] - 2026-06-07
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- **Bumped `mcp-secure-server` 0.0.14-security → 0.0.15-security** (`package.json:67`) to pick up the `top`/`whoami` false-positive fix. The 0.0.14-security `command.systemInfo` regexes used `\b<cmd>\s*` — the `\s*` quantifier matches zero whitespace, so any identifier beginning with those letters tripped the COMMAND_INJECTION layer (`topPerformers`, `topology`, `topic`, `whoamiHandler`, etc.). Surfaced on 2026-06-07 when Codex called `get_ecosystem_overview({ fields: ["topPerformers"] })` and the request was rejected by layer 2 as `Top Process Monitor` before reaching the registry's subscription-tier check. Every other `fields` value reached the intended 403 — the field name was the sole trigger. The bidirectional `\b<cmd>\b` form in 0.0.15-security continues to block real shell invocations (`top`, `top -o cpu`, `top | head`, `top; ls`, `whoami`, `whoami | grep root`) but rejects identifier substrings cleanly. Verified via Verdaccio publish + install + live regex probe before npm promotion.
|
|
15
|
+
|
|
10
16
|
## [0.2.6] - 2026-06-07
|
|
11
17
|
|
|
12
18
|
### Fixed
|
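Review bot: In the added 0.2.7 entry, the statement that the `\b<cmd>\b` form "rejects identifier substrings cleanly" is broader than what a word boundary provides. `\b` also falls between a letter and a hyphen, dot, slash or space, so under the form described here a value such as `top-level` or `top.score` still contains a standalone `top` token and matches the same way `top -o cpu` does. Suggest narrowing the wording to the case actually fixed (names where a word character directly follows the command, like `topPerformers` or `whoamiHandler`) and stating whether hyphenated or dotted `fields` values are expected to be blocked. The entry is also one long paragraph; splitting cause, symptom and verification into sub-bullets would make it easier to scan.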
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@uluops/registry-mcp",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.7",
|
|
4
4
|
"description": "MCP server for the UluOps Registry API — definition management, versioning, and analytics",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -64,7 +64,7 @@
|
|
|
64
64
|
"@modelcontextprotocol/sdk": "1.29.0",
|
|
65
65
|
"@uluops/registry-sdk": "0.30.2",
|
|
66
66
|
"@uluops/sdk-core": "0.11.1",
|
|
67
|
-
"mcp-secure-server": "0.0.
|
|
67
|
+
"mcp-secure-server": "0.0.15-security",
|
|
68
68
|
"zod": "3.25.76"
|
|
69
69
|
},
|
|
70
70
|
"devDependencies": {
|
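Review bot: The bump at line 67 changes what the COMMAND_INJECTION layer accepts, yet the published diff touches only CHANGELOG.md and package.json, and the changelog cites a manual Verdaccio probe as the verification. Suggest adding a regression test in this package that sends the `fields: ["topPerformers"]` call and the shell strings listed in the changelog (`top; ls`, `whoami | grep root`) through the filter, so a later bump of `mcp-secure-server` cannot silently reintroduce the false positive or weaken the block. Keeping the exact version pin rather than a range is appropriate for a dependency that acts as a security filter.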