chrome-devtools-mcp 1.0.1 → 1.1.0

package/build/src/daemon/daemon.js

@@ -4,8 +4,9 @@
  * Copyright 2026 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
-import fs from 'node:fs';
+import fs, { constants, openSync, writeSync, closeSync } from 'node:fs';
 import { createServer } from 'node:net';
+import os from 'node:os';
 import path from 'node:path';
 import process from 'node:process';
 import { logger } from '../logger.js';
@@ -19,10 +20,66 @@ if (isDaemonRunning(sessionId)) {
     process.exit(1);
 }
 const pidFilePath = getPidFilePath(sessionId);
-fs.mkdirSync(path.dirname(pidFilePath), {
-    recursive: true,
-});
-fs.writeFileSync(pidFilePath, process.pid.toString());
+const pidDir = path.dirname(pidFilePath);
+const currentUserUid = os.userInfo().uid;
+try {
+    fs.mkdirSync(pidDir, { recursive: true });
+    if (os.platform() !== 'win32') {
+        // POSIX specific checks
+        try {
+            const stats = fs.statSync(pidDir);
+            // 1. Check Ownership: Ensure the directory is owned by the current user.
+            if (stats.uid !== currentUserUid) {
+                console.error(`[MCP Daemon] Critical error: PID directory ${pidDir} is not owned by the current user (Expected: ${currentUserUid}, Found: ${stats.uid}). Possible tampering.`);
+                process.exit(1);
+            }
+            // 2. Check Permissions: Ensure the directory is not group or world-writable.
+            // Mode is a number, e.g., 0o700. We check if bits for group/world write are set.
+            const mode = stats.mode;
+            if (mode & constants.S_IWGRP || mode & constants.S_IWOTH) {
+                console.error(`[MCP Daemon] Critical error: PID directory ${pidDir} has insecure permissions (Mode: ${mode.toString(8)}). It should not be writable by group or others.`);
+                process.exit(1);
+            }
+        }
+        catch (statErr) {
+            console.error(`[MCP Daemon] Critical error stating PID directory ${pidDir}:`, statErr);
+            process.exit(1);
+        }
+    }
+}
+catch (err) {
+    console.error(`[MCP Daemon] Critical error creating/validating PID directory: ${pidDir}`, err);
+    process.exit(1);
+}
+let fd = -1;
+try {
+    // Open the file with flags to:
+    // - O_WRONLY: Write-only
+    // - O_CREAT: Create if it doesn't exist
+    // - O_TRUNC: Truncate to zero length if it exists
+    // - O_NOFOLLOW: DO NOT follow symlinks.
+    // - 0o600: Permissions: read/write for owner, no permissions for others.
+    fd = openSync(pidFilePath, constants.O_WRONLY |
+        constants.O_CREAT |
+        constants.O_TRUNC |
+        constants.O_NOFOLLOW, 0o600);
+    writeSync(fd, process.pid.toString());
+}
+catch (err) {
+    console.error(`[MCP Daemon] Critical error writing PID file: ${pidFilePath}`, err);
+    // If openSync fails due to O_NOFOLLOW on a symlink, the error will be caught here.
+    process.exit(1);
+}
+finally {
+    if (fd !== -1) {
+        try {
+            closeSync(fd);
+        }
+        catch (err) {
+            console.error(`[MCP Daemon] Error closing PID file: ${pidFilePath}`, err);
+        }
+    }
+}
 logger(`Writing ${process.pid.toString()} to ${pidFilePath}`);
 const socketPath = getSocketPath(sessionId);
 const startDate = new Date();

package/build/src/formatters/HeapSnapshotFormatter.js

@@ -29,10 +29,10 @@ export class HeapSnapshotFormatter {
         if (items.length > 0) {
             const firstItem = items[0];
             if (isNodeLike(firstItem)) {
-                lines.push('id,name,type,distance,selfSize,retainedSize');
+                lines.push('nodeId,nodeName,type,distance,selfSize,retainedSize');
             }
             else if (isEdgeLike(firstItem)) {
-                lines.push('edgeIndex,edgeName,edgeType,targetNodeId,targetNodeName');
+                lines.push('name,type,nodeId,nodeName');
             }
         }
         for (const item of items) {
@@ -40,7 +40,7 @@ export class HeapSnapshotFormatter {
                 lines.push(`${item.id},${item.name},${item.type},${item.distance},${DevTools.I18n.ByteUtilities.formatBytesToKb(item.selfSize)},${DevTools.I18n.ByteUtilities.formatBytesToKb(item.retainedSize)}`);
             }
             else if (isEdgeLike(item)) {
-                lines.push(`${item.edgeIndex},${item.name},${item.type},${item.node.id},${item.node.name}`);
+                lines.push(`${item.name},${item.type},${item.node.id},${item.node.name}`);
             }
         }
         return lines.join('\n');
@@ -51,17 +51,17 @@ export class HeapSnapshotFormatter {
     toString() {
         const sorted = this.#getSortedAggregates();
         const lines = [];
-        lines.push('uid,className,count,selfSize,maxRetainedSize');
+        lines.push('id,name,count,selfSize,maxRetainedSize');
         for (const info of sorted) {
-            const uid = info[stableIdSymbol] ?? '';
-            lines.push(`${uid},${info.name},${info.count},${DevTools.I18n.ByteUtilities.formatBytesToKb(info.self)},${DevTools.I18n.ByteUtilities.formatBytesToKb(info.maxRet)}`);
+            const id = info[stableIdSymbol] ?? '';
+            lines.push(`${id},${info.name},${info.count},${DevTools.I18n.ByteUtilities.formatBytesToKb(info.self)},${DevTools.I18n.ByteUtilities.formatBytesToKb(info.maxRet)}`);
         }
         return lines.join('\n');
     }
     toJSON() {
         const sorted = this.#getSortedAggregates();
         return sorted.map(info => ({
-            uid: info[stableIdSymbol],
+            id: info[stableIdSymbol],
             className: info.name,
             count: info.count,
             selfSize: DevTools.I18n.ByteUtilities.formatBytesToKb(info.self),

package/build/src/third_party/THIRD_PARTY_NOTICES

@@ -324,7 +324,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE
 
 Name: semver
 URL: git+https://github.com/npm/node-semver.git
-Version: 7.8.0
+Version: 7.8.1
 License: ISC
 
 The ISC License
@@ -867,21 +867,21 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 Name: puppeteer-core
 URL: https://github.com/puppeteer/puppeteer/tree/main/packages/puppeteer-core
-Version: 25.0.4
+Version: 25.1.0
 License: Apache-2.0
 
 -------------------- DEPENDENCY DIVIDER --------------------
 
 Name: @puppeteer/browsers
 URL: https://github.com/puppeteer/puppeteer/tree/main/packages/browsers
-Version: 3.0.3
+Version: 3.0.4
 License: Apache-2.0
 
 -------------------- DEPENDENCY DIVIDER --------------------
 
 Name: ws
 URL: https://github.com/websockets/ws
-Version: 8.20.0
+Version: 8.21.0
 License: MIT
 
 Copyright (c) 2011 Einar Otto Stangvik <einaros@gmail.com>

package/build/src/third_party/bundled-packages.json

@@ -1,11 +1,11 @@
 {
   "@modelcontextprotocol/sdk": "1.29.0",
-  "chrome-devtools-frontend": "1.0.1631386",
+  "chrome-devtools-frontend": "1.0.1632065",
   "core-js": "3.49.0",
   "debug": "4.4.3",
   "lighthouse": "13.3.0",
   "semver": "^7.7.4",
   "urlpattern-polyfill": "^10.1.0",
   "yargs": "18.0.0",
-  "puppeteer-core": "25.0.4"
+  "puppeteer-core": "25.1.0"
 }

package/build/src/third_party/devtools-formatter-worker.js

@@ -12262,6 +12262,7 @@ const UIStrings$2 = {
     memoryInspectorPanel: 'Memory inspector panel',
     developerResourcesPanel: 'Developer Resources panel',
     animationsPanel: 'Animations panel',
+    lighthousePanel: 'Lighthouse panel',
 };
 const str_$2 = registerUIStrings('core/common/Revealer.ts', UIStrings$2);
 const i18nLazyString$1 = getLazilyComputedLocalizedString.bind(undefined, str_$2);
@@ -12278,6 +12279,7 @@ const i18nLazyString$1 = getLazilyComputedLocalizedString.bind(undefined, str_$2
     SOURCES_PANEL: i18nLazyString$1(UIStrings$2.sourcesPanel),
     MEMORY_INSPECTOR_PANEL: i18nLazyString$1(UIStrings$2.memoryInspectorPanel),
     ANIMATIONS_PANEL: i18nLazyString$1(UIStrings$2.animationsPanel),
+    LIGHTHOUSE_PANEL: i18nLazyString$1(UIStrings$2.lighthousePanel),
 });
 
 // Copyright 2014 The Chromium Authors

package/build/src/third_party/devtools-heap-snapshot-worker.js

@@ -4808,6 +4808,7 @@ const UIStrings$2 = {
     memoryInspectorPanel: 'Memory inspector panel',
     developerResourcesPanel: 'Developer Resources panel',
     animationsPanel: 'Animations panel',
+    lighthousePanel: 'Lighthouse panel',
 };
 const str_$2 = registerUIStrings('core/common/Revealer.ts', UIStrings$2);
 const i18nLazyString$1 = getLazilyComputedLocalizedString.bind(undefined, str_$2);
@@ -4863,6 +4864,7 @@ async function reveal(revealable, omitFocus = false) {
     SOURCES_PANEL: i18nLazyString$1(UIStrings$2.sourcesPanel),
     MEMORY_INSPECTOR_PANEL: i18nLazyString$1(UIStrings$2.memoryInspectorPanel),
     ANIMATIONS_PANEL: i18nLazyString$1(UIStrings$2.animationsPanel),
+    LIGHTHOUSE_PANEL: i18nLazyString$1(UIStrings$2.lighthousePanel),
 });
 
 // Copyright 2014 The Chromium Authors