mcp-rubber-duck 1.9.0 → 1.9.4

package/.github/FUNDING.yml

@@ -0,0 +1 @@
+custom: ['https://github.com/nesquikm/mcp-rubber-duck/blob/master/DONATE.md']

package/.github/workflows/security.yml

@@ -33,7 +33,7 @@ jobs:
           trivyignores: '.trivyignore'
 
       - name: 📤 Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
@@ -54,7 +54,7 @@ jobs:
           trivyignores: '.trivyignore'
 
       - name: 📤 Upload Docker scan results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && github.event_name != 'schedule'
         with:
           sarif_file: 'trivy-docker-results.sarif'
@@ -71,7 +71,7 @@ jobs:
       - name: 📦 Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: 📥 Install dependencies
@@ -105,7 +105,7 @@ jobs:
           no-fail: true
 
       - name: 📤 Upload Dockerfile lint results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: hadolint-results.sarif
@@ -122,7 +122,7 @@ jobs:
       - name: 📦 Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: 📥 Install dependencies

package/.github/workflows/semantic-release.yml

@@ -18,6 +18,7 @@ permissions:
   packages: write
   security-events: write
   actions: read
+  id-token: write
 
 jobs:
   test:
@@ -30,7 +31,7 @@ jobs:
       - name: 📦 Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: 📥 Install dependencies
@@ -65,7 +66,7 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: 📤 Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
@@ -83,7 +84,7 @@ jobs:
           output: 'trivy-docker-results.sarif'
 
       - name: 📤 Upload Docker scan results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-docker-results.sarif'
@@ -100,7 +101,7 @@ jobs:
       - name: 📦 Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: 📥 Install dependencies
@@ -134,7 +135,7 @@ jobs:
           no-fail: true
 
       - name: 📤 Upload Dockerfile lint results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: hadolint-results.sarif
@@ -158,8 +159,9 @@ jobs:
       - name: 📦 Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: 📥 Install dependencies
         run: npm ci
@@ -177,7 +179,6 @@ jobs:
       - name: 📦 Run semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npx semantic-release
 
       - name: 🏷️ Get latest tag after release
@@ -210,6 +211,16 @@ jobs:
             echo "No new release"
           fi
 
+      - name: 📦 Upgrade npm for OIDC support
+        if: steps.check-release.outputs.released == 'true'
+        run: |
+          npm install -g npm@latest
+          npm --version
+
+      - name: 📤 Publish to npm with provenance
+        if: steps.check-release.outputs.released == 'true'
+        run: npm publish --provenance --access public
+
       - name: 📊 Release Summary
         if: success()
         run: |

package/.releaserc.json

@@ -12,7 +12,12 @@
         "changelogFile": "CHANGELOG.md"
       }
     ],
-    "@semantic-release/npm",
+    [
+      "@semantic-release/npm",
+      {
+        "npmPublish": false
+      }
+    ],
     [
       "@semantic-release/git",
       {

package/CHANGELOG.md

@@ -1,3 +1,32 @@
+## [1.9.4](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.9.3...v1.9.4) (2026-01-26)
+
+
+### Bug Fixes
+
+* override lodash to 4.17.23 to address CVE-2025-13465 ([8cb5a3a](https://github.com/nesquikm/mcp-rubber-duck/commit/8cb5a3a0b3a644b2ed368537412cda32b8a333f2))
+
+## [1.9.3](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.9.2...v1.9.3) (2026-01-19)
+
+
+### Bug Fixes
+
+* upgrade npm to latest for OIDC trusted publishing ([a6ca82c](https://github.com/nesquikm/mcp-rubber-duck/commit/a6ca82cddd15bbd56a9e7eaabb513d7cb5b13d8c))
+
+## [1.9.2](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.9.1...v1.9.2) (2026-01-19)
+
+
+### Bug Fixes
+
+* configure registry-url for npm OIDC auth ([0798f7c](https://github.com/nesquikm/mcp-rubber-duck/commit/0798f7c94a0a69470d6cae9f27ca984ee2975ac8))
+
+## [1.9.1](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.9.0...v1.9.1) (2026-01-19)
+
+
+### Bug Fixes
+
+* switch to npm OIDC trusted publishing ([b1f92ca](https://github.com/nesquikm/mcp-rubber-duck/commit/b1f92ca97baba8ac50b77cf16c880174a4dd32fa))
+* use native npm publish for OIDC provenance ([99fb6d8](https://github.com/nesquikm/mcp-rubber-duck/commit/99fb6d8d77a786e1b1c748bc9a3b68c81cffec99))
+
 # [1.9.0](https://github.com/nesquikm/mcp-rubber-duck/compare/v1.8.0...v1.9.0) (2026-01-15)
 
 

package/DONATE.md

@@ -0,0 +1,30 @@
+# 🦆 Feed the Ducks
+
+```
+     __
+   <(o )___
+    ( ._> /
+     `---'  Quack! Spare some crypto?
+```
+
+Enjoying the duck pond? Toss us some digital bread crumbs to keep the ducks quacking!
+
+## Bitcoin (BTC)
+
+`bc1qlq3dl8pca5q27qz5zk2jm6qqf6xgt6lvh4yrxs`
+
+## Ethereum (ETH, USDT, USDC)
+
+`0x41341d35Ee5C02DdD4255113E58e32Ba024754e9`
+
+## Solana (SOL, USDT, USDC)
+
+`C2JuPcbcVQEfYwzDtbF3iwbhbjFzdJLqjYxzhPxNZQH6`
+
+## Tron (TRX, USDT, USDC)
+
+`TBi9y3fEUJLAX7DSGK6pVPB7TUW9ymFRJ8`
+
+---
+
+🦆 Every satoshi helps keep our ducks debugging! Thank you!

package/audit-ci.json

@@ -6,6 +6,9 @@
   "report-type": "summary",
   "allowlist": [
     "GHSA-5j98-mcp5-4vw2",
-    "GHSA-73rr-hh4g-fpgx"
+    "GHSA-73rr-hh4g-fpgx",
+    "GHSA-8qq5-rm4j-mr97",
+    "GHSA-g9mf-h72j-4rw9",
+    "GHSA-r6q2-hw4h-h46w"
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-rubber-duck",
-  "version": "1.9.0",
+  "version": "1.9.4",
   "description": "An MCP server that bridges to multiple OpenAI-compatible LLMs - your AI rubber duck debugging panel",
   "main": "dist/index.js",
   "type": "module",
@@ -37,8 +37,13 @@
   "bugs": {
     "url": "https://github.com/nesquikm/mcp-rubber-duck/issues"
   },
+  "publishConfig": {
+    "provenance": true,
+    "access": "public"
+  },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.24.0",
+    "@semantic-release/npm": "^13.1.3",
     "ajv": "^8.17.1",
     "dotenv": "^16.4.0",
     "node-cache": "^5.1.2",
@@ -57,12 +62,14 @@
     "eslint": "^8.0.0",
     "jest": "^29.0.0",
     "prettier": "^3.0.0",
-    "semantic-release": "^24.2.8",
+    "semantic-release": "^25.0.2",
     "ts-jest": "^29.0.0",
     "tsx": "^4.0.0",
     "typescript": "^5.0.0"
   },
   "overrides": {
-    "js-yaml": "^4.1.1"
+    "js-yaml": "^4.1.1",
+    "lodash": "^4.17.23",
+    "lodash-es": "^4.17.23"
   }
 }