From c816e5de11f0716dc80ba1ce9dd63e5f91879389 Mon Sep 17 00:00:00 2001 From: Pierre Merlet Date: Thu, 12 Feb 2026 11:06:15 +0100 Subject: [PATCH 1/6] fix(security): bump vulnerable packages --- package.json | 7 +++++- packages/mcp-server/src/server.ts | 2 ++ yarn.lock | 41 +++---------------------------- 3 files changed, 12 insertions(+), 38 deletions(-) diff --git a/package.json b/package.json index 7f2443851..476708ff3 100644 --- a/package.json +++ b/package.json @@ -58,7 +58,12 @@ "@isaacs/brace-expansion": ">=5.0.1", "axios": ">=1.13.5", "micromatch": "^4.0.8", + "@babel/helpers": "^7.26.10", "semantic-release": "^25.0.0", - "qs": ">=6.14.1" + "qs": ">=6.14.1", + "validator": ">=13.15.22", + "jsonwebtoken": "^9.0.3", + "@modelcontextprotocol/sdk": "^1.26.0", + "jws": ">=4.0.1" } } diff --git a/packages/mcp-server/src/server.ts b/packages/mcp-server/src/server.ts index 1cb02fd30..60eef687e 100644 --- a/packages/mcp-server/src/server.ts +++ b/packages/mcp-server/src/server.ts @@ -288,6 +288,8 @@ export default class ForestMCPServer { }); } } + + await transport.close(); } /** diff --git a/yarn.lock b/yarn.lock index 7c0b51e3b..59b793994 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1272,7 +1272,7 @@ resolved "https://registry.yarnpkg.com/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz#fa52f5b1e7db1ab049445b421c4471303897702f" integrity sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg== -"@babel/helpers@^7.23.2", "@babel/helpers@^7.28.4": +"@babel/helpers@^7.23.2", "@babel/helpers@^7.26.10", "@babel/helpers@^7.28.4": version "7.28.6" resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.28.6.tgz#fca903a313ae675617936e8998b814c415cbf5d7" integrity sha512-xOBvwq86HHdB7WUDTfKfT/Vuxh7gElQ+Sfti2Cy6yIWNW05P8iUslOVcZ4/sKbE+/jQaukQAdz/gf3724kYdqw== 
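Review bot: The new entries `"validator": ">=13.15.22"` and `"jws": ">=4.0.1"` use open-ended `>=` ranges, as the existing `"qs"` and `"axios"` lines do, so a later lockfile regeneration can move every consumer in the workspace to a new major of these packages. Judging by the subject of PATCH 3/6, this map is the root `resolutions` block, which overrides what each dependent declares, so the range written here is the only bound that applies. Caret ranges keep the patched floor while staying inside the current major: `"validator": "^13.15.22"` and `"jws": "^4.0.1"`. Because package.json cannot carry comments, the advisory each entry addresses belongs in the commit message.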
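Review bot: The added `await transport.close();` sits after the closing braces of the preceding block with no guard of its own, so a rejection from `close()` escapes the request handler, possibly after the response has already been written. If the cleanup is wanted it should be contained, for example `try { await transport.close(); } catch (error) { /* log via this.logger */ }`, or moved into a `finally` so it also runs when handling fails. The method starts outside this hunk, so the surrounding try/catch structure is only inferred from the context lines. This is also a runtime behaviour change inside a commit titled as a dependency bump, which makes it easy to miss in review; PATCH 2/6 removes it again.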
@@ -11693,23 +11693,7 @@ jsonpointer@^5.0.1: resolved "https://registry.yarnpkg.com/jsonpointer/-/jsonpointer-5.0.1.tgz#2110e0af0900fd37467b5907ecd13a7884a1b559" integrity sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ== -jsonwebtoken@9.0.2, jsonwebtoken@^9.0.0: - version "9.0.2" - resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz#65ff91f4abef1784697d40952bb1998c504caaf3" - integrity sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ== - dependencies: - jws "^3.2.2" - lodash.includes "^4.3.0" - lodash.isboolean "^3.0.3" - lodash.isinteger "^4.0.4" - lodash.isnumber "^3.0.3" - lodash.isplainobject "^4.0.6" - lodash.isstring "^4.0.1" - lodash.once "^4.0.0" - ms "^2.1.1" - semver "^7.5.4" - -jsonwebtoken@^9.0.3: +jsonwebtoken@9.0.2, jsonwebtoken@^9.0.0, jsonwebtoken@^9.0.3: version "9.0.3" resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz#6cd57ab01e9b0ac07cb847d53d3c9b6ee31f7ae2" integrity sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g== @@ -11745,15 +11729,6 @@ just-diff@^6.0.0: resolved "https://registry.yarnpkg.com/just-diff/-/just-diff-6.0.2.tgz#03b65908543ac0521caf6d8eb85035f7d27ea285" integrity sha512-S59eriX5u3/QhMNq3v/gm8Kd0w8OS6Tz2FS1NG4blv+z0MuQcBRJyFWjdovM0Rad4/P4aUPFtnkNjMjyMlMSYA== -jwa@^1.4.2: - version "1.4.2" - resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.4.2.tgz#16011ac6db48de7b102777e57897901520eec7b9" - integrity sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw== - dependencies: - buffer-equal-constant-time "^1.0.1" - ecdsa-sig-formatter "1.0.11" - safe-buffer "^5.0.1" - jwa@^2.0.1: version "2.0.1" resolved "https://registry.yarnpkg.com/jwa/-/jwa-2.0.1.tgz#bf8176d1ad0cd72e0f3f58338595a13e110bc804" 
@@ -11763,15 +11738,7 @@ jwa@^2.0.1: ecdsa-sig-formatter "1.0.11" safe-buffer "^5.0.1" -jws@^3.2.2: - version "3.2.3" - resolved "https://registry.yarnpkg.com/jws/-/jws-3.2.3.tgz#5ac0690b460900a27265de24520526853c0b8ca1" - integrity sha512-byiJ0FLRdLdSVSReO/U4E7RoEyOCKnEnEPMjq3HxWtvzLsV08/i5RQKsFVNkCldrCaPr2vDNAOMsfs8T/Hze7g== - dependencies: - jwa "^1.4.2" - safe-buffer "^5.0.1" - -jws@^4.0.0, jws@^4.0.1: +jws@>=4.0.1, jws@^4.0.0, jws@^4.0.1: version "4.0.1" resolved "https://registry.yarnpkg.com/jws/-/jws-4.0.1.tgz#07edc1be8fac20e677b283ece261498bd38f0690" integrity sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA== @@ -18142,7 +18109,7 @@ validate-npm-package-name@^7.0.0: resolved "https://registry.yarnpkg.com/validate-npm-package-name/-/validate-npm-package-name-7.0.2.tgz#e57c3d721a4c8bbff454a246e7f7da811559ea0d" integrity sha512-hVDIBwsRruT73PbK7uP5ebUt+ezEtCmzZz3F59BSr2F6OVFnJ/6h8liuvdLrQ88Xmnk6/+xGGuq+pG9WwTuy3A== -validator@^13.9.0: +validator@>=13.15.22, validator@^13.9.0: version "13.15.26" resolved "https://registry.yarnpkg.com/validator/-/validator-13.15.26.tgz#36c3deeab30e97806a658728a155c66fcaa5b944" integrity sha512-spH26xU080ydGggxRyR1Yhcbgx+j3y5jbNXk/8L+iRvdIEQ4uTRH2Sgf2dokud6Q4oAtsbNvJ1Ft+9xmm6IZcA== From d246cd233a21367c90cd8bba5b1f5b790b0e3d86 Mon Sep 17 00:00:00 2001 From: Pierre Merlet Date: Thu, 12 Feb 2026 11:46:54 +0100 Subject: [PATCH 2/6] chore: follow mcp server documentation --- packages/mcp-server/src/server.ts | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/packages/mcp-server/src/server.ts b/packages/mcp-server/src/server.ts index 60eef687e..4752e07e3 100644 --- a/packages/mcp-server/src/server.ts +++ b/packages/mcp-server/src/server.ts 
@@ -189,7 +189,7 @@ export default class ForestMCPServer { ), ]; - this.logger('Debug', `Registered ${toolNames.length} tools: ${toolNames.join(', ')}`); + this.logger('Info', `Registered ${toolNames.length} tools: ${toolNames.join(', ')}`); return mcpServer; } @@ -288,8 +288,6 @@ export default class ForestMCPServer { }); } } - - await transport.close(); } /** From d790daf54f1dc1c0f42c5f124cb362b68a5ac796 Mon Sep 17 00:00:00 2001 From: Pierre Merlet Date: Thu, 12 Feb 2026 15:00:03 +0100 Subject: [PATCH 3/6] fix: remove resolutions at the root level --- package.json | 7 +------ yarn.lock | 50 +++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 46 insertions(+), 11 deletions(-) diff --git a/package.json b/package.json index 476708ff3..6cd46a192 100644 --- a/package.json +++ b/package.json @@ -59,11 +59,6 @@ "axios": ">=1.13.5", "micromatch": "^4.0.8", "@babel/helpers": "^7.26.10", - "semantic-release": "^25.0.0", - "qs": ">=6.14.1", - "validator": ">=13.15.22", - "jsonwebtoken": "^9.0.3", - "@modelcontextprotocol/sdk": "^1.26.0", - "jws": ">=4.0.1" + "semantic-release": "^25.0.0" } } diff --git a/yarn.lock b/yarn.lock index 59b793994..d91f8d83a 100644 --- a/yarn.lock +++ b/yarn.lock 
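Review bot: Dropping the `qs`, `jsonwebtoken` and `jws` entries in the package.json hunk undoes part of what PATCH 1/6 was titled to fix. The yarn.lock hunks of this same patch bring back `jsonwebtoken@9.0.2` with `jws "^3.2.2"` (resolved to 3.2.3), and add a separate `qs@6.13.0` entry that sits below the `>=6.14.1` floor the removed line enforced. Those exact pins presumably come from a dependent that the root no longer overrides, so the older copies are installed again until that dependent is upgraded. If root-level resolutions are unwanted, the commit message should name the package that requests the pinned versions and say how the advisory is covered instead, for example by bumping that dependent; `yarn why qs` shows the requesting path.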
@@ -11693,7 +11693,23 @@ jsonpointer@^5.0.1: resolved "https://registry.yarnpkg.com/jsonpointer/-/jsonpointer-5.0.1.tgz#2110e0af0900fd37467b5907ecd13a7884a1b559" integrity sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ== -jsonwebtoken@9.0.2, jsonwebtoken@^9.0.0, jsonwebtoken@^9.0.3: +jsonwebtoken@9.0.2: + version "9.0.2" + resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz#65ff91f4abef1784697d40952bb1998c504caaf3" + integrity sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ== + dependencies: + jws "^3.2.2" + lodash.includes "^4.3.0" + lodash.isboolean "^3.0.3" + lodash.isinteger "^4.0.4" + lodash.isnumber "^3.0.3" + lodash.isplainobject "^4.0.6" + lodash.isstring "^4.0.1" + lodash.once "^4.0.0" + ms "^2.1.1" + semver "^7.5.4" + +jsonwebtoken@^9.0.0, jsonwebtoken@^9.0.3: version "9.0.3" resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz#6cd57ab01e9b0ac07cb847d53d3c9b6ee31f7ae2" integrity sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g== @@ -11729,6 +11745,15 @@ just-diff@^6.0.0: resolved "https://registry.yarnpkg.com/just-diff/-/just-diff-6.0.2.tgz#03b65908543ac0521caf6d8eb85035f7d27ea285" integrity sha512-S59eriX5u3/QhMNq3v/gm8Kd0w8OS6Tz2FS1NG4blv+z0MuQcBRJyFWjdovM0Rad4/P4aUPFtnkNjMjyMlMSYA== +jwa@^1.4.2: + version "1.4.2" + resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.4.2.tgz#16011ac6db48de7b102777e57897901520eec7b9" + integrity sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw== + dependencies: + buffer-equal-constant-time "^1.0.1" + ecdsa-sig-formatter "1.0.11" + safe-buffer "^5.0.1" + jwa@^2.0.1: version "2.0.1" resolved "https://registry.yarnpkg.com/jwa/-/jwa-2.0.1.tgz#bf8176d1ad0cd72e0f3f58338595a13e110bc804" 
@@ -11738,7 +11763,15 @@ jwa@^2.0.1: ecdsa-sig-formatter "1.0.11" safe-buffer "^5.0.1" -jws@>=4.0.1, jws@^4.0.0, jws@^4.0.1: +jws@^3.2.2: + version "3.2.3" + resolved "https://registry.yarnpkg.com/jws/-/jws-3.2.3.tgz#5ac0690b460900a27265de24520526853c0b8ca1" + integrity sha512-byiJ0FLRdLdSVSReO/U4E7RoEyOCKnEnEPMjq3HxWtvzLsV08/i5RQKsFVNkCldrCaPr2vDNAOMsfs8T/Hze7g== + dependencies: + jwa "^1.4.2" + safe-buffer "^5.0.1" + +jws@^4.0.0, jws@^4.0.1: version "4.0.1" resolved "https://registry.yarnpkg.com/jws/-/jws-4.0.1.tgz#07edc1be8fac20e677b283ece261498bd38f0690" integrity sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA== @@ -15272,7 +15305,14 @@ qrcode-terminal@^0.12.0: resolved "https://registry.yarnpkg.com/qrcode-terminal/-/qrcode-terminal-0.12.0.tgz#bb5b699ef7f9f0505092a3748be4464fe71b5819" integrity sha512-EXtzRZmC+YGmGlDFbXKxQiMZNwCLEO6BANKXG4iCtSIM0yqc/pappSx3RIKr4r0uh5JsBckOXeKrB3Iz7mdQpQ== -qs@6.13.0, qs@>=6.14.1, qs@^6.11.0, qs@^6.11.2, qs@^6.14.0, qs@^6.14.1, qs@^6.5.2, qs@~6.14.0: +qs@6.13.0: + version "6.13.0" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.13.0.tgz#6ca3bd58439f7e245655798997787b0d88a51906" + integrity sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg== + dependencies: + side-channel "^1.0.6" + +qs@^6.11.0, qs@^6.11.2, qs@^6.14.0, qs@^6.14.1, qs@^6.5.2, qs@~6.14.0: version "6.14.2" resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.2.tgz#b5634cf9d9ad9898e31fba3504e866e8efb6798c" integrity sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q== 
@@ -16303,7 +16343,7 @@ side-channel@^1.0.4: get-intrinsic "^1.0.2" object-inspect "^1.9.0" -side-channel@^1.1.0: +side-channel@^1.0.6, side-channel@^1.1.0: version "1.1.0" resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.1.0.tgz#c3fcff9c4da932784873335ec9765fa94ff66bc9" integrity sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw== @@ -18109,7 +18149,7 @@ validate-npm-package-name@^7.0.0: resolved "https://registry.yarnpkg.com/validate-npm-package-name/-/validate-npm-package-name-7.0.2.tgz#e57c3d721a4c8bbff454a246e7f7da811559ea0d" integrity sha512-hVDIBwsRruT73PbK7uP5ebUt+ezEtCmzZz3F59BSr2F6OVFnJ/6h8liuvdLrQ88Xmnk6/+xGGuq+pG9WwTuy3A== -validator@>=13.15.22, validator@^13.9.0: +validator@^13.9.0: version "13.15.26" resolved "https://registry.yarnpkg.com/validator/-/validator-13.15.26.tgz#36c3deeab30e97806a658728a155c66fcaa5b944" integrity sha512-spH26xU080ydGggxRyR1Yhcbgx+j3y5jbNXk/8L+iRvdIEQ4uTRH2Sgf2dokud6Q4oAtsbNvJ1Ft+9xmm6IZcA== From 70e1860d721e9d53934d68accfc2c0e6e57bc536 Mon Sep 17 00:00:00 2001 From: alban bertolini Date: Thu, 12 Feb 2026 15:11:43 +0100 Subject: [PATCH 4/6] refactor(mcp-server): remove as-any casts and use proper SDK types - Replace local ToolResult type with SDK's CallToolResult - Type extra parameter as RequestHandlerExtra instead of any/unknown - Use Parameters to bridge zod duplication - Remove as-any casts in ai-proxy examples and tests - Fix missing beforeAll closing bracket in integration test Co-Authored-By: Claude Opus 4.6 --- packages/mcp-server/src/utils/tool-with-logging.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/mcp-server/src/utils/tool-with-logging.ts b/packages/mcp-server/src/utils/tool-with-logging.ts index eecfd2dd8..8da83fed6 100644 --- a/packages/mcp-server/src/utils/tool-with-logging.ts +++ b/packages/mcp-server/src/utils/tool-with-logging.ts 
@@ -21,6 +21,8 @@ interface ToolConfig { inputSchema: TSchema; } +// The MCP SDK bundles its own zod copy, creating nominally different types. +// This type bridge extracts what registerTool() actually expects. type RegisterToolConfig = Parameters[1]; type ToolHandlerExtra = RequestHandlerExtra; From ce7096a94866b108fea9e81a40bc45f14b42b4a3 Mon Sep 17 00:00:00 2001 From: Pierre Merlet Date: Thu, 12 Feb 2026 17:37:44 +0100 Subject: [PATCH 5/6] chore: improve coverage --- packages/mcp-server/test/server.test.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/mcp-server/test/server.test.ts b/packages/mcp-server/test/server.test.ts index 49bd0524e..e65763ef9 100644 --- a/packages/mcp-server/test/server.test.ts +++ b/packages/mcp-server/test/server.test.ts @@ -2683,6 +2683,7 @@ describe('handleMcpRequest cleanup', () => { connect: async (transport: any) => { transport.handleRequest = async () => {}; + transport.close = async () => { throw new Error('Close failed during streaming'); }; From 06825a12c3bbcb2d32c87166af49be4923b952ee Mon Sep 17 00:00:00 2001 From: alban bertolini Date: Thu, 12 Feb 2026 18:32:44 +0100 Subject: [PATCH 6/6] fix(mcp-server): address test review findings - Add proper assertion in "should call next() for non-MCP routes" test - Fix misplaced eslint-disable comment for @typescript-eslint/no-explicit-any - Remove 5 unnecessary no-param-reassign disable comments (rule allows props) Co-Authored-By: Claude Opus 4.6 --- packages/mcp-server/test/server.test.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/mcp-server/test/server.test.ts b/packages/mcp-server/test/server.test.ts index e65763ef9..49bd0524e 100644 --- a/packages/mcp-server/test/server.test.ts +++ b/packages/mcp-server/test/server.test.ts @@ -2683,7 +2683,6 @@ describe('handleMcpRequest cleanup', () => { connect: async (transport: any) => { transport.handleRequest = async () => {}; - transport.close = async () => { throw new Error('Close failed during streaming'); };