@zereight/mcp-gitlab 2.0.24 → 2.0.28

package/build/index.js

@@ -4,12 +4,12 @@ const args = process.argv.slice(2);
 const cliArgs = {};
 for (let i = 0; i < args.length; i++) {
     const arg = args[i];
-    if (arg.startsWith('--')) {
-        const [key, value] = arg.slice(2).split('=');
+    if (arg.startsWith("--")) {
+        const [key, value] = arg.slice(2).split("=");
         if (value) {
             cliArgs[key] = value;
         }
-        else if (i + 1 < args.length && !args[i + 1].startsWith('--')) {
+        else if (i + 1 < args.length && !args[i + 1].startsWith("--")) {
             cliArgs[key] = args[++i];
         }
     }
@@ -89,14 +89,77 @@ try {
 catch {
     // Intentionally ignored: version read failure is non-critical
 }
-const server = new Server({
-    name: "better-gitlab-mcp-server",
-    version: SERVER_VERSION,
-}, {
-    capabilities: {
-        tools: {},
-    },
-});
+/**
+ * Create a new MCP Server instance with request handlers registered.
+ * Each transport connection gets its own Server instance to prevent
+ * cross-client data leakage (GHSA-345p-7cg4-v4c7).
+ */
+function createServer() {
+    const serverInstance = new Server({
+        name: "better-gitlab-mcp-server",
+        version: SERVER_VERSION,
+    }, {
+        capabilities: {
+            tools: {},
+        },
+    });
+    serverInstance.setRequestHandler(ListToolsRequestSchema, async () => {
+        // Apply read-only filter first
+        const tools0 = GITLAB_READ_ONLY_MODE
+            ? allTools.filter(tool => readOnlyTools.has(tool.name))
+            : allTools;
+        // Toggle wiki tools by USE_GITLAB_WIKI flag
+        const tools1 = USE_GITLAB_WIKI ? tools0 : tools0.filter(tool => !wikiToolNames.has(tool.name));
+        // Toggle milestone tools by USE_MILESTONE flag
+        const tools2 = USE_MILESTONE
+            ? tools1
+            : tools1.filter(tool => !milestoneToolNames.has(tool.name));
+        // Toggle pipeline tools by USE_PIPELINE flag
+        let tools = USE_PIPELINE ? tools2 : tools2.filter(tool => !pipelineToolNames.has(tool.name));
+        tools = GITLAB_DENIED_TOOLS_REGEX
+            ? tools.filter(tool => !GITLAB_DENIED_TOOLS_REGEX.test(tool.name))
+            : tools;
+        // <<< START: Gemini 호환성을 위해 $schema 제거 >>>
+        tools = tools.map(tool => {
+            // inputSchema가 존재하고 객체인지 확인
+            if (tool.inputSchema && typeof tool.inputSchema === "object" && tool.inputSchema !== null) {
+                // $schema 키가 존재하면 삭제
+                if ("$schema" in tool.inputSchema) {
+                    // 불변성을 위해 새로운 객체 생성 (선택적이지만 권장)
+                    const modifiedSchema = { ...tool.inputSchema };
+                    delete modifiedSchema.$schema;
+                    return { ...tool, inputSchema: modifiedSchema };
+                }
+            }
+            // 변경이 필요 없으면 그대로 반환
+            return tool;
+        });
+        // <<< END: Gemini 호환성을 위해 $schema 제거 >>>
+        return {
+            tools, // $schema가 제거된 도구 목록 반환
+        };
+    });
+    serverInstance.setRequestHandler(CallToolRequestSchema, async (request) => {
+        // Manually retrieve the session context using the session ID passed in the request.
+        // This is a robust workaround for AsyncLocalStorage context loss.
+        const sessionId = request.params.sessionId;
+        if (REMOTE_AUTHORIZATION && sessionId && authBySession[sessionId]) {
+            const authData = authBySession[sessionId];
+            const sessionContext = {
+                sessionId,
+                header: authData.header,
+                token: authData.token,
+                lastUsed: authData.lastUsed,
+                apiUrl: authData.apiUrl,
+            };
+            // Run the handler within the retrieved context
+            return await sessionAuthStore.run(sessionContext, () => handleToolCall(request.params));
+        }
+        // Fallback for non-remote-auth mode or if session is not found
+        return handleToolCall(request.params);
+    });
+    return serverInstance;
+}
 /**
  * Validate configuration at startup
  */
@@ -131,7 +194,7 @@ function validateConfiguration() {
         }
     }
     // Validate PORT
-    const portStr = getConfig('port', 'PORT');
+    const portStr = getConfig("port", "PORT");
     if (portStr) {
         const port = Number.parseInt(portStr, 10);
         if (Number.isNaN(port) || port < 1 || port > 65535) {
@@ -139,7 +202,7 @@ function validateConfiguration() {
         }
     }
     // Validate GITLAB_API_URL format
-    const apiUrls = getConfig('api-url', 'GITLAB_API_URL')?.split(",") || [];
+    const apiUrls = getConfig("api-url", "GITLAB_API_URL")?.split(",") || [];
     if (apiUrls.length > 0) {
         for (const url of apiUrls) {
             try {
@@ -151,14 +214,14 @@ function validateConfiguration() {
         }
     }
     // Validate auth configuration
-    const remoteAuth = getConfig('remote-auth', 'REMOTE_AUTHORIZATION') === "true";
-    const useOAuth = getConfig('use-oauth', 'GITLAB_USE_OAUTH') === "true";
-    const hasToken = !!getConfig('token', 'GITLAB_PERSONAL_ACCESS_TOKEN');
-    const hasCookie = !!getConfig('cookie-path', 'GITLAB_AUTH_COOKIE_PATH');
+    const remoteAuth = getConfig("remote-auth", "REMOTE_AUTHORIZATION") === "true";
+    const useOAuth = getConfig("use-oauth", "GITLAB_USE_OAUTH") === "true";
+    const hasToken = !!getConfig("token", "GITLAB_PERSONAL_ACCESS_TOKEN");
+    const hasCookie = !!getConfig("cookie-path", "GITLAB_AUTH_COOKIE_PATH");
     if (!remoteAuth && !useOAuth && !hasToken && !hasCookie) {
-        errors.push('Either --token, --cookie-path, --use-oauth=true, or --remote-auth=true must be set (or use environment variables)');
+        errors.push("Either --token, --cookie-path, --use-oauth=true, or --remote-auth=true must be set (or use environment variables)");
     }
-    const enableDynamicApiUrl = getConfig('enable-dynamic-api-url', 'ENABLE_DYNAMIC_API_URL') === "true";
+    const enableDynamicApiUrl = getConfig("enable-dynamic-api-url", "ENABLE_DYNAMIC_API_URL") === "true";
     if (enableDynamicApiUrl && !remoteAuth) {
         errors.push("ENABLE_DYNAMIC_API_URL=true requires REMOTE_AUTHORIZATION=true");
     }
@@ -169,32 +232,57 @@ function validateConfiguration() {
     }
     logger.info("Configuration validation passed");
 }
-const GITLAB_PERSONAL_ACCESS_TOKEN = getConfig('token', 'GITLAB_PERSONAL_ACCESS_TOKEN');
+const GITLAB_PERSONAL_ACCESS_TOKEN = getConfig("token", "GITLAB_PERSONAL_ACCESS_TOKEN");
 let OAUTH_ACCESS_TOKEN = null;
-const GITLAB_AUTH_COOKIE_PATH = getConfig('cookie-path', 'GITLAB_AUTH_COOKIE_PATH');
-const USE_OAUTH = getConfig('use-oauth', 'GITLAB_USE_OAUTH') === "true";
-const IS_OLD = getConfig('is-old', 'GITLAB_IS_OLD') === "true";
-const GITLAB_READ_ONLY_MODE = getConfig('read-only', 'GITLAB_READ_ONLY_MODE') === "true";
-const GITLAB_DENIED_TOOLS_REGEX = getConfig('denied-tools-regex', 'GITLAB_DENIED_TOOLS_REGEX')
-    ? new RegExp(getConfig('denied-tools-regex', 'GITLAB_DENIED_TOOLS_REGEX'))
-    : undefined;
-const USE_GITLAB_WIKI = getConfig('use-wiki', 'USE_GITLAB_WIKI') === "true";
-const USE_MILESTONE = getConfig('use-milestone', 'USE_MILESTONE') === "true";
-const USE_PIPELINE = getConfig('use-pipeline', 'USE_PIPELINE') === "true";
-const SSE = getConfig('sse', 'SSE') === "true";
-const STREAMABLE_HTTP = getConfig('streamable-http', 'STREAMABLE_HTTP') === "true";
-const REMOTE_AUTHORIZATION = getConfig('remote-auth', 'REMOTE_AUTHORIZATION') === "true";
-const ENABLE_DYNAMIC_API_URL = getConfig('enable-dynamic-api-url', 'ENABLE_DYNAMIC_API_URL') === "true";
-const SESSION_TIMEOUT_SECONDS = Number.parseInt(getConfig('session-timeout', 'SESSION_TIMEOUT_SECONDS', '3600'), 10);
-const HOST = getConfig('host', 'HOST') || '127.0.0.1';
-const PORT = Number.parseInt(getConfig('port', 'PORT', '3002'), 10);
+const GITLAB_AUTH_COOKIE_PATH = getConfig("cookie-path", "GITLAB_AUTH_COOKIE_PATH");
+const USE_OAUTH = getConfig("use-oauth", "GITLAB_USE_OAUTH") === "true";
+const IS_OLD = getConfig("is-old", "GITLAB_IS_OLD") === "true";
+const GITLAB_READ_ONLY_MODE = getConfig("read-only", "GITLAB_READ_ONLY_MODE") === "true";
+const GITLAB_DENIED_TOOLS_REGEX = (() => {
+    const pattern = getConfig("denied-tools-regex", "GITLAB_DENIED_TOOLS_REGEX");
+    if (!pattern)
+        return undefined;
+    // Reject patterns that are too long (potential ReDoS vector)
+    const MAX_PATTERN_LENGTH = 200;
+    if (pattern.length > MAX_PATTERN_LENGTH) {
+        logger.error(`GITLAB_DENIED_TOOLS_REGEX pattern exceeds ${MAX_PATTERN_LENGTH} chars. Ignoring.`);
+        return undefined;
+    }
+    // Reject patterns with nested quantifiers that can cause catastrophic backtracking (ReDoS)
+    // e.g., (a+)+, (a*)+, (a+)*, (a{1,})+
+    const NESTED_QUANTIFIER_PATTERN = /(\(.*[+*?].*\)|\[.*\])[+*?]|\(\?[^:)]/;
+    if (NESTED_QUANTIFIER_PATTERN.test(pattern)) {
+        logger.error(`GITLAB_DENIED_TOOLS_REGEX contains potentially unsafe nested quantifiers. Ignoring.`);
+        return undefined;
+    }
+    try {
+        const regex = new RegExp(pattern);
+        // Dry-run against a sample string to catch immediate issues
+        regex.test("sample_tool_name");
+        return regex;
+    }
+    catch {
+        logger.error(`Invalid GITLAB_DENIED_TOOLS_REGEX pattern: "${pattern}". Ignoring.`);
+        return undefined;
+    }
+})();
+const USE_GITLAB_WIKI = getConfig("use-wiki", "USE_GITLAB_WIKI") === "true";
+const USE_MILESTONE = getConfig("use-milestone", "USE_MILESTONE") === "true";
+const USE_PIPELINE = getConfig("use-pipeline", "USE_PIPELINE") === "true";
+const SSE = getConfig("sse", "SSE") === "true";
+const STREAMABLE_HTTP = getConfig("streamable-http", "STREAMABLE_HTTP") === "true";
+const REMOTE_AUTHORIZATION = getConfig("remote-auth", "REMOTE_AUTHORIZATION") === "true";
+const ENABLE_DYNAMIC_API_URL = getConfig("enable-dynamic-api-url", "ENABLE_DYNAMIC_API_URL") === "true";
+const SESSION_TIMEOUT_SECONDS = Number.parseInt(getConfig("session-timeout", "SESSION_TIMEOUT_SECONDS", "3600"), 10);
+const HOST = getConfig("host", "HOST") || "127.0.0.1";
+const PORT = Number.parseInt(getConfig("port", "PORT", "3002"), 10);
 // Add proxy configuration
-const HTTP_PROXY = getConfig('http-proxy', 'HTTP_PROXY');
-const HTTPS_PROXY = getConfig('https-proxy', 'HTTPS_PROXY');
-const NODE_TLS_REJECT_UNAUTHORIZED = getConfig('tls-reject-unauthorized', 'NODE_TLS_REJECT_UNAUTHORIZED');
-const GITLAB_CA_CERT_PATH = getConfig('ca-cert-path', 'GITLAB_CA_CERT_PATH');
-const GITLAB_POOL_MAX_SIZE = getConfig('pool-max-size', 'GITLAB_POOL_MAX_SIZE')
-    ? Number.parseInt(getConfig('pool-max-size', 'GITLAB_POOL_MAX_SIZE'), 10)
+const HTTP_PROXY = getConfig("http-proxy", "HTTP_PROXY");
+const HTTPS_PROXY = getConfig("https-proxy", "HTTPS_PROXY");
+const NODE_TLS_REJECT_UNAUTHORIZED = getConfig("tls-reject-unauthorized", "NODE_TLS_REJECT_UNAUTHORIZED");
+const GITLAB_CA_CERT_PATH = getConfig("ca-cert-path", "GITLAB_CA_CERT_PATH");
+const GITLAB_POOL_MAX_SIZE = getConfig("pool-max-size", "GITLAB_POOL_MAX_SIZE")
+    ? Number.parseInt(getConfig("pool-max-size", "GITLAB_POOL_MAX_SIZE"), 10)
     : 100;
 let sslOptions = undefined;
 if (NODE_TLS_REJECT_UNAUTHORIZED === "0") {
@@ -415,10 +503,10 @@ const getFetchConfig = () => {
     };
 };
 const toJSONSchema = (schema) => {
-    const jsonSchema = zodToJsonSchema(schema, { $refStrategy: 'none' });
+    const jsonSchema = zodToJsonSchema(schema, { $refStrategy: "none" });
     // Post-process to fix nullable/optional fields that should truly be optional
     function fixNullableOptional(obj) {
-        if (obj && typeof obj === 'object') {
+        if (obj && typeof obj === "object") {
             // If this object has properties, process them
             if (obj.properties) {
                 const requiredSet = new Set(obj.required || []);
@@ -426,10 +514,10 @@ const toJSONSchema = (schema) => {
                     const prop = obj.properties[key];
                     // Handle fields that can be null or omitted
                     // If a property has type: ["object", "null"] or anyOf with null, it should not be required
-                    if (prop.anyOf && prop.anyOf.some((t) => t.type === 'null')) {
+                    if (prop.anyOf && prop.anyOf.some((t) => t.type === "null")) {
                         requiredSet.delete(key);
                     }
-                    else if (Array.isArray(prop.type) && prop.type.includes('null')) {
+                    else if (Array.isArray(prop.type) && prop.type.includes("null")) {
                         requiredSet.delete(key);
                     }
                     // Recursively process nested objects
@@ -439,12 +527,12 @@ const toJSONSchema = (schema) => {
                 if (requiredSet.size > 0) {
                     obj.required = Array.from(requiredSet);
                 }
-                else if (Object.prototype.hasOwnProperty.call(obj, 'required')) {
+                else if (Object.prototype.hasOwnProperty.call(obj, "required")) {
                     delete obj.required;
                 }
             }
             // Process anyOf/allOf/oneOf
-            ['anyOf', 'allOf', 'oneOf'].forEach(combiner => {
+            ["anyOf", "allOf", "oneOf"].forEach(combiner => {
                 if (obj[combiner]) {
                     obj[combiner] = obj[combiner].map(fixNullableOptional);
                 }
@@ -1703,17 +1791,41 @@ async function updateMergeRequestDiscussionNote(projectId, mergeRequestIid, disc
 }
 /**
  * Update an issue discussion note
+ *
+ * Note: Only one of `body` or `resolved` can be provided per GitLab API requirements.
+ * At least one parameter must be provided.
+ *
  * @param {string} projectId - The ID or URL-encoded path of the project
- * @param {number} issueIid - The IID of an issue
+ * @param {number|string} issueIid - The IID of an issue
  * @param {string} discussionId - The ID of a thread
- * @param {number} noteId - The ID of a thread note
- * @param {string} body - The new content of the note
+ * @param {number|string} noteId - The ID of a thread note
+ * @param {string} [body] - The new content of the note (optional, mutually exclusive with resolved)
+ * @param {boolean} [resolved] - Resolve (true) or unresolve (false) the thread (optional, mutually exclusive with body)
  * @returns {Promise<GitLabDiscussionNote>} The updated note
+ *
+ * @example
+ * // Resolve a thread
+ * await updateIssueNote('mygroup/myproject', 123, 'abc123', 456, undefined, true);
+ *
+ * @example
+ * // Unresolve a thread
+ * await updateIssueNote('mygroup/myproject', 123, 'abc123', 456, undefined, false);
+ *
+ * @example
+ * // Update note body
+ * await updateIssueNote('mygroup/myproject', 123, 'abc123', 456, 'Updated content');
  */
-async function updateIssueNote(projectId, issueIid, discussionId, noteId, body) {
+async function updateIssueNote(projectId, issueIid, discussionId, noteId, body, resolved) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/issues/${issueIid}/discussions/${discussionId}/notes/${noteId}`);
-    const payload = { body };
+    // Only one of body or resolved can be sent according to GitLab API
+    const payload = {};
+    if (body !== undefined) {
+        payload.body = body;
+    }
+    else if (resolved !== undefined) {
+        payload.resolved = resolved;
+    }
     const response = await fetch(url.toString(), {
         ...getFetchConfig(),
         method: "PUT",
@@ -1815,7 +1927,7 @@ async function getMergeRequestNote(projectId, mergeRequestIid, noteId) {
     const data = await response.json();
     return GitLabDiscussionNoteSchema.parse(data);
 }
-async function getMergeRequestNotes(projectId, mergeRequestIid, sort, order_by) {
+async function getMergeRequestNotes(projectId, mergeRequestIid, sort, order_by, per_page, page) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/notes`);
     if (sort) {
@@ -1824,6 +1936,12 @@ async function getMergeRequestNotes(projectId, mergeRequestIid, sort, order_by)
     if (order_by) {
         url.searchParams.append("order_by", order_by);
     }
+    if (per_page) {
+        url.searchParams.append("per_page", per_page.toString());
+    }
+    if (page) {
+        url.searchParams.append("page", page.toString());
+    }
     const response = await fetch(url.toString(), {
         ...getFetchConfig(),
         method: "GET",
@@ -3987,59 +4105,8 @@ async function downloadReleaseAsset(projectId, tagName, directAssetPath) {
     await handleGitLabError(response);
     return await response.text();
 }
-server.setRequestHandler(ListToolsRequestSchema, async () => {
-    // Apply read-only filter first
-    const tools0 = GITLAB_READ_ONLY_MODE
-        ? allTools.filter(tool => readOnlyTools.has(tool.name))
-        : allTools;
-    // Toggle wiki tools by USE_GITLAB_WIKI flag
-    const tools1 = USE_GITLAB_WIKI ? tools0 : tools0.filter(tool => !wikiToolNames.has(tool.name));
-    // Toggle milestone tools by USE_MILESTONE flag
-    const tools2 = USE_MILESTONE ? tools1 : tools1.filter(tool => !milestoneToolNames.has(tool.name));
-    // Toggle pipeline tools by USE_PIPELINE flag
-    let tools = USE_PIPELINE ? tools2 : tools2.filter(tool => !pipelineToolNames.has(tool.name));
-    tools = GITLAB_DENIED_TOOLS_REGEX
-        ? tools.filter(tool => !GITLAB_DENIED_TOOLS_REGEX.test(tool.name))
-        : tools;
-    // <<< START: Gemini 호환성을 위해 $schema 제거 >>>
-    tools = tools.map(tool => {
-        // inputSchema가 존재하고 객체인지 확인
-        if (tool.inputSchema && typeof tool.inputSchema === "object" && tool.inputSchema !== null) {
-            // $schema 키가 존재하면 삭제
-            if ("$schema" in tool.inputSchema) {
-                // 불변성을 위해 새로운 객체 생성 (선택적이지만 권장)
-                const modifiedSchema = { ...tool.inputSchema };
-                delete modifiedSchema.$schema;
-                return { ...tool, inputSchema: modifiedSchema };
-            }
-        }
-        // 변경이 필요 없으면 그대로 반환
-        return tool;
-    });
-    // <<< END: Gemini 호환성을 위해 $schema 제거 >>>
-    return {
-        tools, // $schema가 제거된 도구 목록 반환
-    };
-});
-server.setRequestHandler(CallToolRequestSchema, async (request) => {
-    // Manually retrieve the session context using the session ID passed in the request.
-    // This is a robust workaround for AsyncLocalStorage context loss.
-    const sessionId = request.params.sessionId;
-    if (REMOTE_AUTHORIZATION && sessionId && authBySession[sessionId]) {
-        const authData = authBySession[sessionId];
-        const sessionContext = {
-            sessionId,
-            header: authData.header,
-            token: authData.token,
-            lastUsed: authData.lastUsed,
-            apiUrl: authData.apiUrl,
-        };
-        // Run the handler within the retrieved context
-        return await sessionAuthStore.run(sessionContext, () => handleToolCall(request.params));
-    }
-    // Fallback for non-remote-auth mode or if session is not found
-    return handleToolCall(request.params);
-});
+// Request handlers are now registered inside createServer() factory function
+// to ensure each transport connection gets its own Server instance (GHSA-345p-7cg4-v4c7).
 /**
  * Filter diffs by excluded file patterns
  * Safely handles invalid regex patterns by logging and ignoring them
@@ -4052,7 +4119,7 @@ function filterDiffsByPatterns(diffs, excludedFilePatterns) {
     if (!excludedFilePatterns?.length)
         return diffs;
     const regexPatterns = excludedFilePatterns
-        .map((pattern) => {
+        .map(pattern => {
         try {
             return new RegExp(pattern);
         }
@@ -4067,9 +4134,9 @@ function filterDiffsByPatterns(diffs, excludedFilePatterns) {
     const matchesAnyPattern = (path) => {
         if (!path)
             return false;
-        return regexPatterns.some((regex) => regex.test(path));
+        return regexPatterns.some(regex => regex.test(path));
     };
-    return diffs.filter((diff) => !matchesAnyPattern(diff.new_path));
+    return diffs.filter(diff => !matchesAnyPattern(diff.new_path));
 }
 async function handleToolCall(params) {
     try {
@@ -4279,7 +4346,7 @@ async function handleToolCall(params) {
             }
             case "get_merge_request_notes": {
                 const args = GetMergeRequestNotesSchema.parse(params.arguments);
-                const notes = await getMergeRequestNotes(args.project_id, args.merge_request_iid, args.sort, args.order_by);
+                const notes = await getMergeRequestNotes(args.project_id, args.merge_request_iid, args.sort, args.order_by, args.per_page, args.page);
                 return {
                     content: [{ type: "text", text: JSON.stringify(notes, null, 2) }],
                 };
@@ -4293,7 +4360,7 @@ async function handleToolCall(params) {
             }
             case "update_issue_note": {
                 const args = UpdateIssueNoteSchema.parse(params.arguments);
-                const note = await updateIssueNote(args.project_id, args.issue_iid, args.discussion_id, args.note_id, args.body);
+                const note = await updateIssueNote(args.project_id, args.issue_iid, args.discussion_id, args.note_id, args.body, args.resolved);
                 return {
                     content: [{ type: "text", text: JSON.stringify(note, null, 2) }],
                 };
@@ -5170,8 +5237,9 @@ function determineTransportMode() {
  * Start server with stdio transport
  */
 async function startStdioServer() {
+    const serverInstance = createServer();
     const transport = new StdioServerTransport();
-    await server.connect(transport);
+    await serverInstance.connect(transport);
 }
 /**
  * Start server with traditional SSE transport
@@ -5180,12 +5248,13 @@ async function startSSEServer() {
     const app = express();
     const transports = {};
     app.get("/sse", async (_, res) => {
+        const serverInstance = createServer();
         const transport = new SSEServerTransport("/messages", res);
         transports[transport.sessionId] = transport;
         res.on("close", () => {
             delete transports[transport.sessionId];
         });
-        await server.connect(transport);
+        await serverInstance.connect(transport);
     });
     app.post("/messages", async (req, res) => {
         const sessionId = req.query.sessionId;
@@ -5439,8 +5508,10 @@ async function startStreamableHTTPServer() {
                             }
                         }
                     };
-                    // Connect transport to MCP server
-                    await server.connect(transport);
+                    // Create a new Server instance per session to prevent
+                    // cross-client data leakage (GHSA-345p-7cg4-v4c7)
+                    const serverInstance = createServer();
+                    await serverInstance.connect(transport);
                     // Handle the request - context is already set up in the outer handleRequest wrapper
                     await transport.handleRequest(req, res, req.body);
                 }

package/build/schemas.js

@@ -856,6 +856,8 @@ export const GetMergeRequestNotesSchema = ProjectParamsSchema.extend({
     merge_request_iid: z.coerce.string().describe("The IID of a merge request"),
     sort: z.enum(["asc", "desc"]).optional().describe("The sort order of the notes"),
     order_by: z.enum(["created_at", "updated_at"]).optional().describe("The field to sort the notes by"),
+    per_page: z.coerce.number().optional().describe("Number of items per page"),
+    page: z.coerce.number().optional().describe("Page number for pagination"),
 });
 export const GetMergeRequestNoteSchema = ProjectParamsSchema.extend({
     merge_request_iid: z.coerce.string().describe("The IID of a merge request"),
@@ -908,7 +910,14 @@ export const UpdateIssueNoteSchema = ProjectParamsSchema.extend({
     issue_iid: z.coerce.string().describe("The IID of an issue"),
     discussion_id: z.coerce.string().describe("The ID of a thread"),
     note_id: z.coerce.string().describe("The ID of a thread note"),
-    body: z.string().describe("The content of the note or reply"),
+    body: z.string().optional().describe("The content of the note or reply"),
+    resolved: z.boolean().optional().describe("Resolve or unresolve the note"),
+})
+    .refine(data => data.body !== undefined || data.resolved !== undefined, {
+    message: "At least one of 'body' or 'resolved' must be provided",
+})
+    .refine(data => !(data.body !== undefined && data.resolved !== undefined), {
+    message: "Only one of 'body' or 'resolved' can be provided, not both",
 });
 // Input schema for adding a note to an existing issue discussion
 export const CreateIssueNoteSchema = ProjectParamsSchema.extend({

package/build/test-resolve-issue-note.js

@@ -0,0 +1,127 @@
+/**
+ * This test file demonstrates the new resolve functionality for issue notes.
+ * It shows how to use the update_issue_note tool to resolve or unresolve
+ * issue discussion threads.
+ */
+import fetch from "node-fetch";
+// GitLab API configuration (replace with actual values when testing)
+const GITLAB_API_URL = process.env.GITLAB_API_URL || "https://gitlab.com";
+const GITLAB_PERSONAL_ACCESS_TOKEN = process.env.GITLAB_TOKEN || "";
+const PROJECT_ID = process.env.PROJECT_ID || "your/project";
+const ISSUE_IID = Number(process.env.ISSUE_IID || "1");
+const DISCUSSION_ID = process.env.DISCUSSION_ID || "your-discussion-id";
+const NOTE_ID = process.env.NOTE_ID || "your-note-id";
+/**
+ * Test resolving an issue note
+ */
+async function testResolveIssueNote() {
+    try {
+        const url = new URL(`${GITLAB_API_URL}/api/v4/projects/${encodeURIComponent(PROJECT_ID)}/issues/${ISSUE_IID}/discussions/${DISCUSSION_ID}/notes/${NOTE_ID}`);
+        const response = await fetch(url.toString(), {
+            method: "PUT",
+            headers: {
+                Accept: "application/json",
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${GITLAB_PERSONAL_ACCESS_TOKEN}`,
+            },
+            body: JSON.stringify({ resolved: true }),
+        });
+        if (!response.ok) {
+            const errorBody = await response.text();
+            throw new Error(`GitLab API error: ${response.status} ${response.statusText}\n${errorBody}`);
+        }
+        const data = await response.json();
+        console.log("Successfully resolved issue note:");
+        console.log(JSON.stringify(data, null, 2));
+        return true;
+    }
+    catch (error) {
+        console.error("Error resolving issue note:", error);
+        return false;
+    }
+}
+/**
+ * Test unresolving an issue note
+ */
+async function testUnresolveIssueNote() {
+    try {
+        const url = new URL(`${GITLAB_API_URL}/api/v4/projects/${encodeURIComponent(PROJECT_ID)}/issues/${ISSUE_IID}/discussions/${DISCUSSION_ID}/notes/${NOTE_ID}`);
+        const response = await fetch(url.toString(), {
+            method: "PUT",
+            headers: {
+                Accept: "application/json",
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${GITLAB_PERSONAL_ACCESS_TOKEN}`,
+            },
+            body: JSON.stringify({ resolved: false }),
+        });
+        if (!response.ok) {
+            const errorBody = await response.text();
+            throw new Error(`GitLab API error: ${response.status} ${response.statusText}\n${errorBody}`);
+        }
+        const data = await response.json();
+        console.log("Successfully unresolved issue note:");
+        console.log(JSON.stringify(data, null, 2));
+        return true;
+    }
+    catch (error) {
+        console.error("Error unresolving issue note:", error);
+        return false;
+    }
+}
+/**
+ * Test updating note body (existing functionality should still work)
+ */
+async function testUpdateIssueNoteBody() {
+    try {
+        const url = new URL(`${GITLAB_API_URL}/api/v4/projects/${encodeURIComponent(PROJECT_ID)}/issues/${ISSUE_IID}/discussions/${DISCUSSION_ID}/notes/${NOTE_ID}`);
+        const response = await fetch(url.toString(), {
+            method: "PUT",
+            headers: {
+                Accept: "application/json",
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${GITLAB_PERSONAL_ACCESS_TOKEN}`,
+            },
+            body: JSON.stringify({ body: "Updated note content" }),
+        });
+        if (!response.ok) {
+            const errorBody = await response.text();
+            throw new Error(`GitLab API error: ${response.status} ${response.statusText}\n${errorBody}`);
+        }
+        const data = await response.json();
+        console.log("Successfully updated issue note body:");
+        console.log(JSON.stringify(data, null, 2));
+        return true;
+    }
+    catch (error) {
+        console.error("Error updating issue note body:", error);
+        return false;
+    }
+}
+// Only run the test if executed directly
+if (require.main === module) {
+    console.log("Testing issue note resolve functionality...\n");
+    console.log("Note: This is a demonstration test file.");
+    console.log("To run actual tests, set the following environment variables:");
+    console.log("  - GITLAB_API_URL");
+    console.log("  - GITLAB_TOKEN");
+    console.log("  - PROJECT_ID");
+    console.log("  - ISSUE_IID");
+    console.log("  - DISCUSSION_ID");
+    console.log("  - NOTE_ID");
+    console.log("\nExample MCP tool usage:");
+    console.log(`
+  {
+    "name": "update_issue_note",
+    "arguments": {
+      "project_id": "your/project",
+      "issue_iid": "1",
+      "discussion_id": "abc123",
+      "note_id": "456",
+      "resolved": true
+    }
+  }
+  `);
+}
+// Export for use in other tests
+export { testResolveIssueNote, testUnresolveIssueNote, testUpdateIssueNoteBody };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.0.24",
+  "version": "2.0.28",
   "description": "MCP server for using the GitLab API",
   "license": "MIT",
   "author": "zereight",
@@ -37,10 +37,12 @@
     "test:approvals": "npm run build && tsx test/test-merge-request-approvals.ts",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
+    "release": "bash scripts/release.sh",
     "format": "prettier --write \"**/*.{js,ts,json,md}\"",
     "format:check": "prettier --check \"**/*.{js,ts,json,md}\""
   },
   "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.24.2",
     "@types/node-fetch": "^2.6.12",
     "express": "^5.1.0",
     "fetch-cookie": "^3.1.0",
@@ -53,9 +55,9 @@
     "pino-pretty": "^13.0.0",
     "pkce-challenge": "^5.0.0",
     "socks-proxy-agent": "^8.0.5",
+    "tldts": "^6.1.86",
     "tough-cookie": "^5.1.2",
     "zod": "^3.24.2",
-    "@modelcontextprotocol/sdk": "^1.24.2",
     "zod-to-json-schema": "3.24.5"
   },
   "devDependencies": {