Tags: cyanheads/git-mcp-server
fix(deps): pin dotenv to 16.6.1 to suppress console message
- Pins the `dotenv` package to `16.6.1` to prevent the promotional message from being printed to the console during startup, which could interfere with STDIO-based MCP clients.
- Adds `dotenv` to the `.ncurc.json` reject list to prevent future automatic upgrades to problematic versions.
- Updates the CHANGELOG to document this fix.
fix(security): patch command injection vulnerability
Replaced all instances of `child_process.exec` with `child_process.execFile` to prevent shell metacharacter injection. This ensures that user-provided input is treated as arguments rather than being executed as part of a shell command, mitigating the risk of remote code execution. This addresses the vulnerability disclosed in GHSA-3q26-f695-pp76. Special thanks to @dellalibera for the responsible disclosure.
feat(http): migrate from Express to Hono and refactor auth
- Replaces the Express-based HTTP transport with a more performant and modern implementation using Hono.
- Refactors the authentication layer into a modular, strategy-based system supporting both JWT and OAuth 2.1, configured via `MCP_AUTH_MODE`.
- Simplifies session management by removing transport-specific state in favor of a unified, session-scoped working directory.
- Introduces a centralized HTTP error handler for consistent JSON-RPC error responses.
chore: bump version to 2.0.15 and update related files
- Updated SDK version in README.md
- Downgraded chrono-node to 2.8.0 and added .ncurc.json to manage this
- Refined instructional text in gitWrapupInstructions tool
- Updated documentation (README.md, docs/tree.md, CHANGELOG.md)