chore: bump ext-apps to 1.7.4 #685
Merged
@modelcontextprotocol/ext-apps
@modelcontextprotocol/server-basic-preact
@modelcontextprotocol/server-basic-react
@modelcontextprotocol/server-basic-solid
@modelcontextprotocol/server-basic-svelte
@modelcontextprotocol/server-basic-vanillajs
@modelcontextprotocol/server-basic-vue
@modelcontextprotocol/server-budget-allocator
@modelcontextprotocol/server-cohort-heatmap
@modelcontextprotocol/server-customer-segmentation
@modelcontextprotocol/server-debug
@modelcontextprotocol/server-lazy-auth
@modelcontextprotocol/server-map
@modelcontextprotocol/server-pdf
@modelcontextprotocol/server-scenario-modeler
@modelcontextprotocol/server-shadertoy
@modelcontextprotocol/server-sheet-music
@modelcontextprotocol/server-system-monitor
@modelcontextprotocol/server-threejs
@modelcontextprotocol/server-transcript
@modelcontextprotocol/server-video-resource
@modelcontextprotocol/server-wiki-explorer
commit: |
- Remove unused vitest devDependency from basic-host (critical advisory, package was never referenced by any test or config)
- systeminformation ^5.31.5 -> ^5.31.6 (command injection, GHSA-hvx9-hwr7-wjj9)
- Lockfile-only bumps: devalue 5.8.1, fast-uri 3.1.2, hono 4.12.23, ip-address 10.2.0, express-rate-limit 8.5.2, postcss 8.5.15, qs 6.15.2, svelte 5.56.1
npm audit now reports 0 vulnerabilities.
Changes since 1.7.3
No SDK API changes in this release.
Examples
Security
npm audit now reports 0 vulnerabilities (was: 1 critical, 3 high, 6 moderate):
- vitest devDependency from basic-host (critical advisory; the package was never referenced by any test or config)
- systeminformation ^5.31.5 → ^5.31.6 in system-monitor-server (Linux command injection, GHSA-hvx9-hwr7-wjj9)
Verified in the playwright Docker image (linux): npm ci + unit tests 373/373 pass; e2e failures are identical to unmodified origin/main in the same container (arm64 golden-screenshot/timing artifacts), so no regressions from the bumps — GitHub CI is authoritative for e2e.
Release process
After merging, create a GitHub Release with tag v1.7.4 to trigger the npm publish workflow.
Note: the v1.7.3 publish run failed for @modelcontextprotocol/server-transcript (E404 on PUT on both attempts — npm masks missing per-package token access as 404, and the same token published the other 18 packages on attempt 2). If NPM_SECRET is a granular token, its package list likely omits server-transcript; worth fixing before approving the 1.7.4 deployment so transcript-server doesn't get skipped twice.