@uluops/registry-mcp 0.2.6 → 0.2.9

package/CHANGELOG.md

@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.9] - 2026-06-08
+
+### Internal
+
+- **Strengthen `prepublishOnly` script** to match the other public `@uluops/*` packages (ops-sdk, registry-sdk, ops-mcp 0.4.3, cli): `npm run lint && npm test && npm audit --audit-level=high --omit=dev && npm run build`. The prior `prepublishOnly` ran only `npm run build`, so `npm publish` skipped lint+test+audit and relied on the developer to remember to run them manually. Aligning the safety net with the rest of the public surface. No behavior change in the runtime package.
+
+## [0.2.8] - 2026-06-08
+
+### Dependencies
+
+- **Bump `@uluops/registry-sdk` 0.30.2 → 0.31.1.** Wave-coordination bump for the live-tests T2 wave (R12 envelope rewrite + post-impl r2 hardening). Picks up:
+  - **R12 envelope schemas** (0.31.0): `dependencies.get()` and `dependencies.getDependents()` now return real typed envelopes (`DependencyGraphResponse` with recursive `graph` + `flat` + `totalCount` + `maxDepth`; `DependentsResponse` with `Dependent[]` carrying `context`). Replaces the all-optional `dependencyGraphSchema` that silently parsed every real response as `{}`. The MCP layer passes SDK return types through opaquely, so no source changes here — but consumers of `get_dependents` / `get_dependencies` now receive the typed envelope shape via JSON-serialized tool responses.
+  - **CWE-674 pre-parse depth guard** (0.31.1): `dependencies.get()` checks the envelope's `maxDepth` field before the recursive Zod parse runs, throwing `RangeError` when > `MAX_SAFE_GRAPH_DEPTH` (50, ~7× the live-verified production max of 7). A malicious or pathological 10k-deep payload would otherwise exhaust the V8 call stack via the recursive `z.lazy()` walk.
+  - **CWE-20 defensive string ceilings** (0.31.1): `.max()` bounds on `name` (100), `version` (20), `context` (255) across `dependencyNodeSchema`, `flatDepSchema`, and `dependentSchema`. Oversized payloads convert from silent memory pressure into a loud `ZodError` at parse time.
+
+Build + 348 tests pass on the new pin. No source changes in this package.
+
+## [0.2.7] - 2026-06-07
+
+### Fixed
+
+- **Bumped `mcp-secure-server` 0.0.14-security → 0.0.15-security** (`package.json:67`) to pick up the `top`/`whoami` false-positive fix. The 0.0.14-security `command.systemInfo` regexes used `\b<cmd>\s*` — the `\s*` quantifier matches zero whitespace, so any identifier beginning with those letters tripped the COMMAND_INJECTION layer (`topPerformers`, `topology`, `topic`, `whoamiHandler`, etc.). Surfaced on 2026-06-07 when Codex called `get_ecosystem_overview({ fields: ["topPerformers"] })` and the request was rejected by layer 2 as `Top Process Monitor` before reaching the registry's subscription-tier check. Every other `fields` value reached the intended 403 — the field name was the sole trigger. The bidirectional `\b<cmd>\b` form in 0.0.15-security continues to block real shell invocations (`top`, `top -o cpu`, `top | head`, `top; ls`, `whoami`, `whoami | grep root`) but rejects identifier substrings cleanly. Verified via Verdaccio publish + install + live regex probe before npm promotion.
+
 ## [0.2.6] - 2026-06-07
 
 ### Fixed
@@ -275,7 +298,15 @@ first public npm publish under the scoped name.
 - Error sanitization stripping sensitive data (API keys, tokens, stack traces) from MCP responses
 - Test suite with 194 tests covering all tools, resources, and registry config
 
-[Unreleased]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.1...HEAD
+[Unreleased]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.9...HEAD
+[0.2.9]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.8...v0.2.9
+[0.2.8]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.7...v0.2.8
+[0.2.7]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.6...v0.2.7
+[0.2.6]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.5...v0.2.6
+[0.2.5]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.4...v0.2.5
+[0.2.4]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.3...v0.2.4
+[0.2.3]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/Uluops/-uluops-registry-mcp/releases/tag/v0.2.0
 [1.14.0]: https://github.com/Uluops/-uluops-registry-mcp/compare/v1.13.0...v1.14.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uluops/registry-mcp",
-  "version": "0.2.6",
+  "version": "0.2.9",
   "description": "MCP server for the UluOps Registry API — definition management, versioning, and analytics",
   "type": "module",
   "main": "dist/index.js",
@@ -35,7 +35,7 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run lint && npm test && npm audit --audit-level=high --omit=dev && npm run build"
   },
   "keywords": [
     "mcp",
@@ -62,9 +62,9 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "1.29.0",
-    "@uluops/registry-sdk": "0.30.2",
+    "@uluops/registry-sdk": "0.31.1",
     "@uluops/sdk-core": "0.11.1",
-    "mcp-secure-server": "0.0.14-security",
+    "mcp-secure-server": "0.0.15-security",
     "zod": "3.25.76"
   },
   "devDependencies": {