Skip to content

Release v1.0.2

Latest
Latest

Choose a tag to compare

View all tags
@isiahw1 isiahw1 released this 10 Feb 01:42
v1.0.2
e2415f2
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Security

  • Fix API key exposure in URL query strings — now passed via httpx params dict
  • Fix URL injection / parameter pollution across all 60 tools
  • Fix API key override via caller-supplied params (defense-in-depth)
  • Remove self-referential npm dependency (supply chain risk)

Fixed

  • Concurrency race condition on shared HTTP client — replaced with lazy persistent client
  • No connection pooling — persistent client with httpx.Limits and granular timeouts
  • API key validation deferred from import-time to app() startup
  • Version desync between package.json and version.py
  • False "Python installed automatically" claim in README
  • Dev setup instructions now use uv instead of pip/venv

CI/CD

  • Switch npm publish to OIDC trusted publishing (no token rotation needed)
  • Packages now include cryptographic provenance attestation

Installation

npx @isiahw1/mcp-server-bing-webmaster@1.0.2

See CHANGELOG.md for full details.

Assets 2
Loading