drupal-mcp-connector 0.6.1 → 0.7.0

package/CHANGELOG.md

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.0] - 2026-06-08
+
+### Added
+- CI: lint/syntax/unit tests now run across a Node `20, 22` matrix so the
+  advertised `engines.node >=20` floor is actually exercised.
+- CI: `release.yml` publishes to npm on a `v*` tag via **trusted publishing**
+  (GitHub Actions OIDC — no token/secret), gated on a tag↔`package.json` version
+  match. Provenance is attached automatically. One-time trusted-publisher setup
+  on npmjs.com (see CONTRIBUTING.md → Releasing).
+
+### Removed
+- **BREAKING:** dropped support for Node 18 (`engines.node` is now `>=20.0.0`).
+  Node 18 reached end-of-life in April 2025, and the vitest 4 dev toolchain
+  requires Node >=20.
+
+### Changed
+- Dev dependency: bumped `vitest` `^2.1.0` → `^4.1.8`, resolving three Dependabot
+  alerts in the test toolchain (vitest UI file read/execute — critical; vite path
+  traversal and esbuild dev-server exposure — moderate). All are devDependencies
+  and do not ship to consumers.
+
 ## [0.6.1] - 2026-06-04
 
 First release published to npm.
@@ -87,6 +108,8 @@ The connector is now **dual-protocol**: every tool runs against an abstract back
 - User tools gained explicit PII-access assertions.
 - Whole tree lint-clean (`npm run lint`) with object-injection sinks rewritten to safe lookups.
 
+[0.7.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.7.0
+[0.6.1]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.6.1
 [0.6.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.6.0
 [0.5.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.5.0
 [0.4.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.4.0

package/README.md

@@ -7,7 +7,7 @@
 [![Drupal](https://img.shields.io/badge/drupal-10%20%7C%2011-blue)](https://drupal.org)
 [![MCP](https://img.shields.io/badge/MCP-2025--11--25-purple)](https://modelcontextprotocol.io)
 
-Created by **Jeremy Michael Cerda**. Built and maintained by [Wilkes & Liberty, LLC](https://github.com/Wilkes-Liberty).
+Built by **Jeremy Michael Cerda** (jmcerda@wilkesliberty.com). Maintained by [Wilkes & Liberty, LLC](https://github.com/Wilkes-Liberty).
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "drupal-mcp-connector",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "description": "A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL.",
   "type": "module",
   "main": "src/index.js",
@@ -40,18 +40,18 @@
     "Wilkes & Liberty, LLC <opensource@wilkesliberty.com> (https://wilkesliberty.com)"
   ],
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "scripts": {
-    "start":        "node src/index.js",
-    "start:https":  "MCP_TRANSPORT=https node src/index.js",
-    "start:dev":    "MCP_TRANSPORT=https MCP_ALLOW_HTTP=1 MCP_PORT=3443 node src/index.js",
-    "lint":         "eslint src/",
-    "lint:fix":     "eslint src/ --fix",
-    "test":         "vitest run",
-    "test:watch":   "vitest",
-    "audit":        "npm audit --audit-level=high",
-    "check":        "npm run lint && npm run audit",
+    "start": "node src/index.js",
+    "start:https": "MCP_TRANSPORT=https node src/index.js",
+    "start:dev": "MCP_TRANSPORT=https MCP_ALLOW_HTTP=1 MCP_PORT=3443 node src/index.js",
+    "lint": "eslint src/",
+    "lint:fix": "eslint src/ --fix",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "audit": "npm audit --audit-level=high",
+    "check": "npm run lint && npm run audit",
     "syntax-check": "for f in src/lib/*.js src/tools/*.js src/index.js; do node --input-type=module --check < $f && echo \"$f ✓\"; done"
   },
   "dependencies": {
@@ -65,6 +65,6 @@
     "eslint-plugin-security": "^3.0.0",
     "eslint-plugin-n": "^17.0.0",
     "globals": "^15.0.0",
-    "vitest": "^2.1.0"
+    "vitest": "^4.1.8"
   }
 }