mcp-rubber-duck 1.4.0 → 1.4.1

@@ -28,6 +28,7 @@ jobs:
28
28
  scan-ref: '.'
29
29
  format: 'sarif'
30
30
  output: 'trivy-results.sarif'
31
+ trivyignores: '.trivyignore'
31
32
 
32
33
  - name: 📤 Upload Trivy scan results to GitHub Security
33
34
  uses: github/codeql-action/upload-sarif@v3
@@ -48,6 +49,7 @@ jobs:
48
49
  image-ref: 'security-scan-image'
49
50
  format: 'sarif'
50
51
  output: 'trivy-docker-results.sarif'
52
+ trivyignores: '.trivyignore'
51
53
 
52
54
  - name: 📤 Upload Docker scan results
53
55
  uses: github/codeql-action/upload-sarif@v3
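--- /dev/null
+++ b/package/.trivyignore
@@ -0,0 +1,8 @@
+ # BusyBox vulnerabilities in node:20-alpine base image
+ # These require local access and are accepted risk for this container
+ CVE-2025-30680
+ CVE-2024-42237
+
+ # brace-expansion ReDoS - bundled in npm, low severity (CVSS 3.1)
+ # Cannot be fixed without upstream semantic-release update
+ CVE-2025-5889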
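Review bot: All three suppressions are permanent, so they will keep hiding these findings after a fixed base image or npm release exists. Trivy accepts an expiry on each entry, for example `CVE-2025-5889 exp:<YYYY-MM-DD>`, which forces the accepted risk to be reviewed again. Nothing on this page ties `CVE-2025-30680` and `CVE-2024-42237` to BusyBox, so check each ID against the package named in the SARIF finding before merging; an ID that does not match its comment suppresses something nobody assessed. The workflow hunks pass this one file to both the filesystem scan and the image scan, so each entry is ignored in both reports. In the comment, `(CVSS 3.1)` can be read as a score or as the CVSS version; `CVSS score 3.1` would remove the doubt if a score is meant.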
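--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,10 @@
+ ## [1.4.1](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.4.0...v1.4.1) (2025-12-08)
+
+
+ ### Bug Fixes
+
+ * **security:** update MCP SDK and address code scanning alerts ([08b3a40](https://github.com/nesquikm/mcp-rubber-duck/commit/08b3a40f9aaa053138003258812b0d4c8bbddfc3))
+
  # [1.4.0](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.3.0...v1.4.0) (2025-11-30)
 
 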
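--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -20,7 +20,7 @@ RUN npm run build
  FROM node:20-alpine
 
  # Install dumb-init for proper signal handling
- RUN apk add --no-cache dumb-init
+ RUN apk add --no-cache dumb-init=1.2.5-r3
 
  # Create app user
  RUN addgroup -g 1001 -S nodejs && \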
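Review bot: Pinning `dumb-init=1.2.5-r3` under the floating tag `FROM node:20-alpine` makes the build brittle without making it reproducible. Alpine repositories generally serve only the current revision of a package for a given release, so once the tag moves to a newer Alpine release this exact revision may no longer install and the build fails, while the rest of the base image keeps changing unnoticed. If the pin exists to satisfy a lint or code-scanning rule about unpinned `apk add` (an inference; the page does not say), pin the base too, e.g. `FROM node:20-alpine@sha256:<digest>`, and update the digest and the package revision together. The runtime stage continues past the end of this hunk.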
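--- a/package/audit-ci.json
+++ b/package/audit-ci.json
@@ -5,7 +5,6 @@
  "critical": true,
  "report-type": "summary",
  "allowlist": [
- "GHSA-5j98-mcp5-4vw2",
- "GHSA-wqch-xfxh-vrr4"
+ "GHSA-5j98-mcp5-4vw2"
  ]
  }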
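Review bot: The entry that stays in `allowlist`, `GHSA-5j98-mcp5-4vw2`, has no recorded reason or review date, so nothing prompts its removal once a fixed release is available. Strict JSON cannot carry a comment, but audit-ci also reads a JSONC config, where a line such as `// GHSA-5j98-mcp5-4vw2: <reason>, re-check by <date>` could sit above the entry. Dropping `GHSA-wqch-xfxh-vrr4` is the right direction; it presumably pairs with the SDK bump in `package.json`, though the page does not state that link.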
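--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "mcp-rubber-duck",
- "version": "1.4.0",
+ "version": "1.4.1",
  "description": "An MCP server that bridges to multiple OpenAI-compatible LLMs - your AI rubber duck debugging panel",
  "main": "dist/index.js",
  "type": "module",
@@ -38,7 +38,7 @@
  "url": "https://github.com/nesquikm/mcp-rubber-duck/issues"
  },
  "dependencies": {
- "@modelcontextprotocol/sdk": "^1.0.0",
+ "@modelcontextprotocol/sdk": "^1.24.0",
  "ajv": "^8.17.1",
  "dotenv": "^16.4.0",
  "node-cache": "^5.1.2",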
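Review bot: Neither the second hunk nor the 1.4.1 changelog entry names the advisory that the new floor `^1.24.0` on `@modelcontextprotocol/sdk` is meant to close, so a later maintainer cannot tell which SDK releases are unsafe or whether the floor can be relaxed. The allowlist change in `audit-ci.json` suggests `GHSA-wqch-xfxh-vrr4`, but that is inferred; if it is correct, the changelog line should say so, e.g. `update MCP SDK to ^1.24.0 (GHSA-wqch-xfxh-vrr4)`. Raising the floor is the right place for the fix, because installs of the published package resolve this range rather than the project's lockfile. The jump spans many minor releases and no source or build-output change appears on this page, so confirm the test suite ran against the SDK version that was actually resolved.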