@uluops/registry-mcp 0.2.7 → 0.2.11

package/CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.11] - 2026-06-16
+
+### Changed
+
+- **Bump `@uluops/registry-sdk` 0.32.0 → 0.33.0.** Surfaces the durable fork source-identity snapshot through the fork tools: `get_fork_lineage` (and the fork list/create paths) now return `sourceType` / `sourceName` / `sourceVersion` on the fork record plus `sourceAvailable` on lineage, so a fork's origin is readable even after the source is deleted (requires registry API ≥ V1 `2026-06-16`). Pure passthrough — no tool-schema change. Live-verified end-to-end against a local registry.
+
+## [0.2.10] - 2026-06-11
+
+### Security
+
+- **Bump `mcp-secure-server` 0.0.15-security → 0.0.16-security.** Picks up the `executionWrappers` word-boundary fix: the `System Call` (`/system\s*\(/`) and `Exec Call` (`/exec\s*\(/`) content-layer patterns were unanchored, so benign prose like `filesystem (` matched the `system (` substring and was rejected as a CRITICAL command-injection attempt. The new `\b`-anchored patterns still catch real `system(`/`exec(` calls. Drop-in patch, no API change; build + dist unchanged.
+
+## [0.2.9] - 2026-06-08
+
+### Internal
+
+- **Strengthen `prepublishOnly` script** to match the other public `@uluops/*` packages (ops-sdk, registry-sdk, ops-mcp 0.4.3, cli): `npm run lint && npm test && npm audit --audit-level=high --omit=dev && npm run build`. The prior `prepublishOnly` ran only `npm run build`, so `npm publish` skipped lint+test+audit and relied on the developer to remember to run them manually. Aligning the safety net with the rest of the public surface. No behavior change in the runtime package.
+
+## [0.2.8] - 2026-06-08
+
+### Dependencies
+
+- **Bump `@uluops/registry-sdk` 0.30.2 → 0.31.1.** Wave-coordination bump for the live-tests T2 wave (R12 envelope rewrite + post-impl r2 hardening). Picks up:
+  - **R12 envelope schemas** (0.31.0): `dependencies.get()` and `dependencies.getDependents()` now return real typed envelopes (`DependencyGraphResponse` with recursive `graph` + `flat` + `totalCount` + `maxDepth`; `DependentsResponse` with `Dependent[]` carrying `context`). Replaces the all-optional `dependencyGraphSchema` that silently parsed every real response as `{}`. The MCP layer passes SDK return types through opaquely, so no source changes here — but consumers of `get_dependents` / `get_dependencies` now receive the typed envelope shape via JSON-serialized tool responses.
+  - **CWE-674 pre-parse depth guard** (0.31.1): `dependencies.get()` checks the envelope's `maxDepth` field before the recursive Zod parse runs, throwing `RangeError` when > `MAX_SAFE_GRAPH_DEPTH` (50, ~7× the live-verified production max of 7). A malicious or pathological 10k-deep payload would otherwise exhaust the V8 call stack via the recursive `z.lazy()` walk.
+  - **CWE-20 defensive string ceilings** (0.31.1): `.max()` bounds on `name` (100), `version` (20), `context` (255) across `dependencyNodeSchema`, `flatDepSchema`, and `dependentSchema`. Oversized payloads convert from silent memory pressure into a loud `ZodError` at parse time.
+
+Build + 348 tests pass on the new pin. No source changes in this package.
+
 ## [0.2.7] - 2026-06-07
 
 ### Fixed
@@ -281,7 +310,15 @@ first public npm publish under the scoped name.
 - Error sanitization stripping sensitive data (API keys, tokens, stack traces) from MCP responses
 - Test suite with 194 tests covering all tools, resources, and registry config
 
-[Unreleased]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.1...HEAD
+[Unreleased]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.9...HEAD
+[0.2.9]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.8...v0.2.9
+[0.2.8]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.7...v0.2.8
+[0.2.7]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.6...v0.2.7
+[0.2.6]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.5...v0.2.6
+[0.2.5]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.4...v0.2.5
+[0.2.4]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.3...v0.2.4
+[0.2.3]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/Uluops/-uluops-registry-mcp/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/Uluops/-uluops-registry-mcp/releases/tag/v0.2.0
 [1.14.0]: https://github.com/Uluops/-uluops-registry-mcp/compare/v1.13.0...v1.14.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uluops/registry-mcp",
-  "version": "0.2.7",
+  "version": "0.2.11",
   "description": "MCP server for the UluOps Registry API — definition management, versioning, and analytics",
   "type": "module",
   "main": "dist/index.js",
@@ -35,7 +35,7 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run lint && npm test && npm audit --audit-level=high --omit=dev && npm run build"
   },
   "keywords": [
     "mcp",
@@ -62,9 +62,9 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "1.29.0",
-    "@uluops/registry-sdk": "0.30.2",
+    "@uluops/registry-sdk": "0.33.0",
     "@uluops/sdk-core": "0.11.1",
-    "mcp-secure-server": "0.0.15-security",
+    "mcp-secure-server": "0.0.16-security",
     "zod": "3.25.76"
   },
   "devDependencies": {