From 281e33b861161ac04df5206572a8f1c1143ff54a Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 12 May 2026 09:06:36 +0000 Subject: [PATCH 1/4] Bump deps to clear security advisories - @modelcontextprotocol/sdk 1.15.1 -> ^1.29.0 (ReDoS, cross-client leak, DNS rebinding) - @anthropic-ai/mcpb 1.1.1 -> ^2.1.2 (devDep) - undici 7.16 -> ^7.25 (devDep; staying on 7.x keeps the MockAgent API used by tests stable) - zod 3.24 -> ^4.1.8 (the new SDK's zod-compat types caused TS2589 with zod 3 due to the dual zod/v3+zod/v4/core import paths) - overrides.tmp ^0.2.5 to clear the last transitive low-sev advisory coming through mcpb's @inquirer/prompts chain npm audit is now clean; build and the 31-test suite pass. --- CHANGELOG.md | 8 ++ package-lock.json | 346 +++++++++++++++++++++++++++++----------------- package.json | 11 +- 3 files changed, 232 insertions(+), 133 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc17707..1aef90e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - Fixed image MIME type detection by inspecting binary magic bytes instead of trusting HTTP headers or fallback values +### Security +- Bumped `@modelcontextprotocol/sdk` to `^1.29.0` to address ReDoS (GHSA-8r9q-7v3j-jr4g), cross-client data leak (GHSA-345p-7cg4-v4c7), and missing default DNS rebinding protection (GHSA-w48q-cv73-mx4w) +- Bumped `@anthropic-ai/mcpb` (devDep) to `^2.1.2` +- Bumped `undici` (devDep) to `^7.25.0` to address WebSocket/HTTP smuggling and decompression DoS advisories (stays on the 7.x line to keep the test `MockAgent` API) +- Bumped `zod` to `^4.1.8` (required by the new SDK's compat layer; also resolves a TypeScript deep-instantiation error) +- Added `tmp` override to `^0.2.5` to clear the remaining transitive low-severity advisory (GHSA-52f5-9888-hmc6) coming through the `mcpb` build tool +- `npm audit` is now clean (0 vulnerabilities) + ## [1.6.0] - 2025-11-25 ### Added diff --git a/package-lock.json b/package-lock.json index 766ff69..a849bf9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,26 +1,26 @@ { "name": "@hauptsache.net/clickup-mcp", - "version": "1.6.0", + "version": "1.6.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@hauptsache.net/clickup-mcp", - "version": "1.6.0", + "version": "1.6.1", "license": "MIT", "dependencies": { - "@modelcontextprotocol/sdk": "1.15.1", + "@modelcontextprotocol/sdk": "^1.29.0", "fuse.js": "^7.1.0", "remark-gfm": "^4.0.1", "remark-parse": "^11.0.0", "unified": "^11.0.5", - "zod": "^3.24.2" + "zod": "^4.1.8" }, "bin": { "clickup-mcp": "dist/index.js" }, "devDependencies": { - "@anthropic-ai/mcpb": "^1.1.1", + "@anthropic-ai/mcpb": "^2.1.2", "@types/mdast": "^4.0.4", "@types/node": "^22.14.1", "dotenv": "^16.5.0", @@ -28,16 +28,16 @@ "prettier": "^3.5.3", "ts-node": "^10.9.2", "typescript": "^5.8.3", - "undici": "^7.16.0" + "undici": "^7.25.0" }, "engines": { "node": ">=16.0.0" } }, "node_modules/@anthropic-ai/mcpb": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/@anthropic-ai/mcpb/-/mcpb-1.2.0.tgz", - "integrity": "sha512-XYVCxQJsr4D4ZecEXVe9PvBpKj2T31KgEiT8K4thoi7krPFIQjXj4yOolAXP8hGSJHrW1Nf4odZES1kjLNDVkg==", + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/@anthropic-ai/mcpb/-/mcpb-2.1.2.tgz", + "integrity": "sha512-goRbBC8ySo7SWb7tRzr+tL6FxDc4JPTRCdgfD2omba7freofvjq5rom1lBnYHZHo6Mizs1jAHJeN53aZbDoy8A==", "dev": true, "license": "MIT", "dependencies": { @@ -46,7 +46,7 @@ "fflate": "^0.8.2", "galactus": "^1.0.0", "ignore": "^7.0.5", - "node-forge": "^1.3.1", + "node-forge": "^1.3.2", "pretty-bytes": "^5.6.0", "zod": "^3.25.67", "zod-to-json-schema": "^3.24.6" @@ -55,6 +55,16 @@ "mcpb": "dist/cli/cli.js" } }, + "node_modules/@anthropic-ai/mcpb/node_modules/zod": { + "version": "3.25.76", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz", + "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/colinhacks" + } + }, "node_modules/@cspotcode/source-map-support": { "version": "0.8.1", "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz", @@ -68,6 +78,18 @@ "node": ">=12" } }, + "node_modules/@hono/node-server": { + "version": "1.19.14", + "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.14.tgz", + "integrity": "sha512-GwtvgtXxnWsucXvbQXkRgqksiH2Qed37H9xHZocE5sA3N8O8O8/8FA3uclQXxXVzc9XBZuEOMK7+r02FmSpHtw==", + "license": "MIT", + "engines": { + "node": ">=18.14.1" + }, + "peerDependencies": { + "hono": "^4" + } + }, "node_modules/@inquirer/checkbox": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/@inquirer/checkbox/-/checkbox-3.0.1.tgz", @@ -318,26 +340,43 @@ } }, "node_modules/@modelcontextprotocol/sdk": { - "version": "1.15.1", - "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.15.1.tgz", - "integrity": "sha512-W/XlN9c528yYn+9MQkVjxiTPgPxoxt+oczfjHBDsJx0+59+O7B75Zhsp0B16Xbwbz8ANISDajh6+V7nIcPMc5w==", + "version": "1.29.0", + "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.29.0.tgz", + "integrity": "sha512-zo37mZA9hJWpULgkRpowewez1y6ML5GsXJPY8FI0tBBCd77HEvza4jDqRKOXgHNn867PVGCyTdzqpz0izu5ZjQ==", "license": "MIT", "dependencies": { - "ajv": "^6.12.6", + "@hono/node-server": "^1.19.9", + "ajv": "^8.17.1", + "ajv-formats": "^3.0.1", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", - "express": "^5.0.1", - "express-rate-limit": "^7.5.0", + "express": "^5.2.1", + "express-rate-limit": "^8.2.1", + "hono": "^4.11.4", + "jose": "^6.1.3", + "json-schema-typed": "^8.0.2", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", - "zod": "^3.23.8", - "zod-to-json-schema": "^3.24.1" + "zod": "^3.25 || ^4.0", + "zod-to-json-schema": "^3.25.1" }, "engines": { "node": ">=18" + }, + "peerDependencies": { + "@cfworker/json-schema": "^4.1.1", + "zod": "^3.25 || ^4.0" + }, + "peerDependenciesMeta": { + "@cfworker/json-schema": { + "optional": true + }, + "zod": { + "optional": false + } } }, "node_modules/@tsconfig/node10": { @@ -465,21 +504,38 @@ } }, "node_modules/ajv": { - "version": "6.12.6", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", - "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "version": "8.20.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz", + "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==", "license": "MIT", "dependencies": { - "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", - "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "fast-deep-equal": "^3.1.3", + "fast-uri": "^3.0.1", + "json-schema-traverse": "^1.0.0", + "require-from-string": "^2.0.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, + "node_modules/ajv-formats": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-3.0.1.tgz", + "integrity": "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==", + "license": "MIT", + "dependencies": { + "ajv": "^8.0.0" + }, + "peerDependencies": { + "ajv": "^8.0.0" + }, + "peerDependenciesMeta": { + "ajv": { + "optional": true + } + } + }, "node_modules/ansi-escapes": { "version": "4.3.2", "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-4.3.2.tgz", @@ -574,9 +630,9 @@ } }, "node_modules/body-parser": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.1.tgz", - "integrity": "sha512-nfDwkulwiZYQIGwxdy0RUmowMhKcFVcYXUU7m4QlKYim1rUtg83xm2yjZ40QjDuc291AJjjeSc9b++AWHSgSHw==", + "version": "2.2.2", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.2.tgz", + "integrity": "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==", "license": "MIT", "dependencies": { "bytes": "^3.1.2", @@ -585,7 +641,7 @@ "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", - "qs": "^6.14.0", + "qs": "^6.14.1", "raw-body": "^3.0.1", "type-is": "^2.0.1" }, @@ -598,9 +654,9 @@ } }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.14", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz", + "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==", "dev": true, "license": "MIT", "dependencies": { @@ -759,9 +815,9 @@ "license": "MIT" }, "node_modules/content-disposition": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz", - "integrity": "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.1.0.tgz", + "integrity": "sha512-5jRCH9Z/+DRP7rkvY83B+yGIGX96OYdJmzngqnw2SBSxqCFPd0w2km3s5iawpGX8krnwSGmF0FW5Nhr0Hfai3g==", "license": "MIT", "engines": { "node": ">=18" @@ -894,9 +950,9 @@ } }, "node_modules/diff": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz", - "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.4.tgz", + "integrity": "sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==", "dev": true, "license": "BSD-3-Clause", "engines": { @@ -1074,10 +1130,13 @@ } }, "node_modules/express-rate-limit": { - "version": "7.5.1", - "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz", - "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==", + "version": "8.5.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.5.1.tgz", + "integrity": "sha512-5O6KYmyJEpuPJV5hNTXKbAHWRqrzyu+OI3vUnSd2kXFubIVpG7ezpgxQy76Zo5GQZtrQBg86hF+CM/NX+cioiQ==", "license": "MIT", + "dependencies": { + "ip-address": "^10.2.0" + }, "engines": { "node": ">= 16" }, @@ -1128,11 +1187,21 @@ "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", "license": "MIT" }, - "node_modules/fast-json-stable-stringify": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", - "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==", - "license": "MIT" + "node_modules/fast-uri": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/fastify" + }, + { + "type": "opencollective", + "url": "https://opencollective.com/fastify" + } + ], + "license": "BSD-3-Clause" }, "node_modules/fflate": { "version": "0.8.2", @@ -1362,9 +1431,9 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz", + "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==", "license": "MIT", "dependencies": { "function-bind": "^1.1.2" @@ -1373,6 +1442,15 @@ "node": ">= 0.4" } }, + "node_modules/hono": { + "version": "4.12.18", + "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.18.tgz", + "integrity": "sha512-RWzP96k/yv0PQfyXnWjs6zot20TqfpfsNXhOnev8d1InAxubW93L11/oNUc3tQqn2G0bSdAOBpX+2uDFHV7kdQ==", + "license": "MIT", + "engines": { + "node": ">=16.9.0" + } + }, "node_modules/http-errors": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", @@ -1394,9 +1472,9 @@ } }, "node_modules/iconv-lite": { - "version": "0.7.0", - "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.0.tgz", - "integrity": "sha512-cf6L2Ds3h57VVmkZe+Pn+5APsT7FpqJtEhhieDCvrE2MK5Qk9MyffgQyuxQTm6BChfeZNtcOLHp9IcWRVcIcBQ==", + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz", + "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==", "license": "MIT", "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" @@ -1432,6 +1510,15 @@ "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", "license": "ISC" }, + "node_modules/ip-address": { + "version": "10.2.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz", + "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==", + "license": "MIT", + "engines": { + "node": ">= 12" + } + }, "node_modules/ipaddr.js": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", @@ -1521,12 +1608,27 @@ "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", "license": "ISC" }, + "node_modules/jose": { + "version": "6.2.3", + "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.3.tgz", + "integrity": "sha512-YYVDInQKFJfR/xa3ojUTl8c2KoTwiL1R5Wg9YCydwH0x0B9grbzlg5HC7mMjCtUJjbQ/YnGEZIhI5tCgfTb4Hw==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/json-schema-traverse": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", - "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz", + "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==", "license": "MIT" }, + "node_modules/json-schema-typed": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/json-schema-typed/-/json-schema-typed-8.0.2.tgz", + "integrity": "sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA==", + "license": "BSD-2-Clause" + }, "node_modules/jsonfile": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.2.0.tgz", @@ -2375,9 +2477,9 @@ } }, "node_modules/minimatch": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", - "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "version": "3.1.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", + "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "dev": true, "license": "ISC", "dependencies": { @@ -2413,9 +2515,9 @@ } }, "node_modules/node-forge": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.2.tgz", - "integrity": "sha512-6xKiQ+cph9KImrRh0VsjH2d8/GXA4FIMlgU4B757iI1ApvcyA9VlouP0yZJha01V+huImO+kKMU7ih+2+E14fw==", + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.4.0.tgz", + "integrity": "sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==", "dev": true, "license": "(BSD-3-Clause OR GPL-2.0)", "engines": { @@ -2503,16 +2605,6 @@ "wrappy": "1" } }, - "node_modules/os-tmpdir": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz", - "integrity": "sha512-D2FR03Vir7FIu45XBY20mTb+/ZSWB00sjU9jdQXt83gDrI4Ztz5Fs7/yy74g2N5SVQY4xY1qDr4rNddwYRVX0g==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/parseurl": { "version": "1.3.3", "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", @@ -2532,9 +2624,9 @@ } }, "node_modules/path-to-regexp": { - "version": "8.3.0", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz", - "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==", + "version": "8.4.2", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.2.tgz", + "integrity": "sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA==", "license": "MIT", "funding": { "type": "opencollective", @@ -2542,9 +2634,9 @@ } }, "node_modules/picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", + "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", "dev": true, "license": "MIT", "engines": { @@ -2612,19 +2704,10 @@ "dev": true, "license": "MIT" }, - "node_modules/punycode": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", - "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", - "license": "MIT", - "engines": { - "node": ">=6" - } - }, "node_modules/qs": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", - "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "version": "6.15.1", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz", + "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==", "license": "BSD-3-Clause", "dependencies": { "side-channel": "^1.1.0" @@ -2722,6 +2805,15 @@ "url": "https://opencollective.com/unified" } }, + "node_modules/require-from-string": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", + "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/router": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", @@ -2758,31 +2850,35 @@ } }, "node_modules/send": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", - "integrity": "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==", + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/send/-/send-1.2.1.tgz", + "integrity": "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==", "license": "MIT", "dependencies": { - "debug": "^4.3.5", + "debug": "^4.4.3", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", - "http-errors": "^2.0.0", - "mime-types": "^3.0.1", + "http-errors": "^2.0.1", + "mime-types": "^3.0.2", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", - "statuses": "^2.0.1" + "statuses": "^2.0.2" }, "engines": { "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/serve-static": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.0.tgz", - "integrity": "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==", + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz", + "integrity": "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==", "license": "MIT", "dependencies": { "encodeurl": "^2.0.0", @@ -2792,6 +2888,10 @@ }, "engines": { "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/setprototypeof": { @@ -2841,13 +2941,13 @@ } }, "node_modules/side-channel-list": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", - "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz", + "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==", "license": "MIT", "dependencies": { "es-errors": "^1.3.0", - "object-inspect": "^1.13.3" + "object-inspect": "^1.13.4" }, "engines": { "node": ">= 0.4" @@ -2970,16 +3070,13 @@ } }, "node_modules/tmp": { - "version": "0.0.33", - "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz", - "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==", + "version": "0.2.5", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz", + "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==", "dev": true, "license": "MIT", - "dependencies": { - "os-tmpdir": "~1.0.2" - }, "engines": { - "node": ">=0.6.0" + "node": ">=14.14" } }, "node_modules/to-regex-range": { @@ -3117,9 +3214,9 @@ "license": "MIT" }, "node_modules/undici": { - "version": "7.16.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.16.0.tgz", - "integrity": "sha512-QEg3HPMll0o3t2ourKwOeUAZ159Kn9mx5pnzHRQO8+Wixmh88YdZRiIwat0iNzNNXn0yoEtXJqFpyW7eM8BV7g==", + "version": "7.25.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz", + "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==", "dev": true, "license": "MIT", "engines": { @@ -3226,15 +3323,6 @@ "node": ">= 0.8" } }, - "node_modules/uri-js": { - "version": "4.4.1", - "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", - "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", - "license": "BSD-2-Clause", - "dependencies": { - "punycode": "^2.1.0" - } - }, "node_modules/v8-compile-cache-lib": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz", @@ -3339,21 +3427,21 @@ } }, "node_modules/zod": { - "version": "3.25.76", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz", - "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==", + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/zod/-/zod-4.4.3.tgz", + "integrity": "sha512-ytENFjIJFl2UwYglde2jchW2Hwm4GJFLDiSXWdTrJQBIN9Fcyp7n4DhxJEiWNAJMV1/BqWfW/kkg71UDcHJyTQ==", "license": "MIT", "funding": { "url": "https://github.com/sponsors/colinhacks" } }, "node_modules/zod-to-json-schema": { - "version": "3.25.0", - "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.25.0.tgz", - "integrity": "sha512-HvWtU2UG41LALjajJrML6uQejQhNJx+JBO9IflpSja4R03iNWfKXrj6W2h7ljuLyc1nKS+9yDyL/9tD1U/yBnQ==", + "version": "3.25.2", + "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.25.2.tgz", + "integrity": "sha512-O/PgfnpT1xKSDeQYSCfRI5Gy3hPf91mKVDuYLUHZJMiDFptvP41MSnWofm8dnCm0256ZNfZIM7DSzuSMAFnjHA==", "license": "ISC", "peerDependencies": { - "zod": "^3.25 || ^4" + "zod": "^3.25.28 || ^4" } }, "node_modules/zwitch": { diff --git a/package.json b/package.json index 13b719a..27738f2 100644 --- a/package.json +++ b/package.json @@ -40,15 +40,15 @@ }, "license": "MIT", "dependencies": { - "@modelcontextprotocol/sdk": "1.15.1", + "@modelcontextprotocol/sdk": "^1.29.0", "fuse.js": "^7.1.0", "remark-gfm": "^4.0.1", "remark-parse": "^11.0.0", "unified": "^11.0.5", - "zod": "^3.24.2" + "zod": "^4.1.8" }, "devDependencies": { - "@anthropic-ai/mcpb": "^1.1.1", + "@anthropic-ai/mcpb": "^2.1.2", "@types/mdast": "^4.0.4", "@types/node": "^22.14.1", "dotenv": "^16.5.0", @@ -56,11 +56,14 @@ "prettier": "^3.5.3", "ts-node": "^10.9.2", "typescript": "^5.8.3", - "undici": "^7.16.0" + "undici": "^7.25.0" }, "engines": { "node": ">=16.0.0" }, + "overrides": { + "tmp": "^0.2.5" + }, "repository": { "type": "git", "url": "git+https://github.com/hauptsacheNet/clickup-mcp.git" From 4ef87bd77bd563d25dbdf15bf562c53a3a155047 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 12 May 2026 09:17:28 +0000 Subject: [PATCH 2/4] Update cli.ts for MCP SDK 1.29 + zod 4 The SDK renamed the registered-tool field from `callback` to `handler` and now passes a second `extra` argument. Zod 4 also moved schema internals from `_def.shape` to `_zod.def.shape` and `safeParse` is now exposed via `zod/v4/core`. Adds small zod3/zod4 compat helpers so the CLI works against both shapes. Verified end-to-end against live ClickUp: searchSpaces, searchTasks, getTaskById, getListInfo, getTimeEntries, readDocument. --- src/cli.ts | 84 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 53 insertions(+), 31 deletions(-) diff --git a/src/cli.ts b/src/cli.ts index 85d40b0..30d58a3 100644 --- a/src/cli.ts +++ b/src/cli.ts @@ -3,6 +3,33 @@ import 'dotenv/config'; // Load .env file import { z } from "zod"; import { serverPromise } from "./index"; +function extractShape(schema: any): Record | null { + if (!schema) return null; + if (schema._def?.shape) { + return typeof schema._def.shape === "function" ? schema._def.shape() : schema._def.shape; + } + if (schema._zod?.def?.shape) { + return schema._zod.def.shape; + } + if (schema.shape) { + return typeof schema.shape === "function" ? schema.shape() : schema.shape; + } + return null; +} + +function safeParseSchema(schema: any, data: unknown): + | { success: true; data: unknown } + | { success: false; error: any } { + if (typeof schema.safeParse === "function") { + return schema.safeParse(data); + } + if (schema._zod) { + const { safeParse } = require("zod/v4/core") as typeof import("zod/v4/core"); + return safeParse(schema, data) as any; + } + return { success: true, data }; +} + async function main() { // Wait for server initialization to complete const server = await serverPromise; @@ -94,25 +121,23 @@ async function main() { console.error("\nAvailable tools:"); // @ts-ignore - Accessing private property for testing purposes - const tools = server._registeredTools as Record; - callback: (params: any) => Promise; - }>; - + const tools = server._registeredTools as Record; + if (tools) { for (const [name, tool] of Object.entries(tools)) { console.error(` - ${name}: ${tool.description}`); - if (tool.inputSchema && tool.inputSchema._def && typeof tool.inputSchema._def.shape === 'function') { + const shape = extractShape(tool.inputSchema); + if (shape) { console.error(" Parameters:"); - const shape = tool.inputSchema._def.shape(); for (const [paramName, schema] of Object.entries(shape)) { - // @ts-ignore - Accessing schema description - const description = schema.description || "No description"; + const description = (schema as any)?.description + ?? (schema as any)?._def?.description + ?? (schema as any)?._zod?.def?.description + ?? "No description"; console.error(` - ${paramName}: ${description}`); } } else { - console.error(" Parameters: None"); + console.error(" Parameters: None"); } console.error(""); } @@ -150,43 +175,40 @@ async function main() { try { // @ts-ignore - Accessing private property for testing purposes - const tools = server._registeredTools as Record; - callback: (params: any) => Promise; - }>; - + const tools = server._registeredTools as Record; + if (!tools || !tools[toolName]) { console.error(`Unknown tool: ${toolName}`); process.exit(1); } - + const tool = tools[toolName]; - - // Validate parameters using the tool's schema, if it exists + const handler = tool.handler ?? tool.callback; + if (tool.inputSchema) { - try { - tool.inputSchema.parse(params); - } catch (error) { - const validationError = error as z.ZodError; - console.error("Parameter validation error:", validationError.message); + const result = safeParseSchema(tool.inputSchema, params); + if (!result.success) { + console.error("Parameter validation error:", JSON.stringify(result.error?.issues ?? result.error, null, 2)); process.exit(1); } } else if (Object.keys(params).length > 0) { - // If there's no schema, but parameters were provided, it's an error console.error(`Error: Tool '${toolName}' does not accept any parameters, but parameters were provided.`); process.exit(1); } - - // Mock environment variables for testing if they're not set + if (!process.env.CLICKUP_API_KEY || !process.env.CLICKUP_TEAM_ID) { console.warn("Warning: Using mock API credentials. This will not return real data."); process.env.CLICKUP_API_KEY = process.env.CLICKUP_API_KEY || 'test_api_key'; process.env.CLICKUP_TEAM_ID = process.env.CLICKUP_TEAM_ID || 'test_team_id'; } - - // Call the tool's callback function - const result = await tool.callback(params); + + const extra = { + signal: new AbortController().signal, + requestId: "cli", + sendNotification: async () => {}, + sendRequest: async () => ({}), + } as any; + const result = await handler(params, extra); console.dir(result.content); process.exit(0); } catch (error: unknown) { From aec77e709e2a5e4ba782bcdb1bcea5171f083618 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 12 May 2026 09:21:04 +0000 Subject: [PATCH 3/4] Add 7-day min-release-age to .npmrc Skips dependency versions less than a week old during `npm install` resolution. Most malicious uploads to the npm registry are detected and yanked within hours, so a short cooldown trades a small amount of freshness for a meaningful drop in zero-day exposure when bumping deps (Shai-Hulud-style attacks, the March 2026 axios compromise, etc). Requires npm CLI >= 11.10.0; silently ignored on older npm. Only affects `npm install` (resolution path); `npm ci` keeps installing exactly from package-lock.json. --- .npmrc | 10 ++++++++++ CHANGELOG.md | 1 + 2 files changed, 11 insertions(+) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..bf17e00 --- /dev/null +++ b/.npmrc @@ -0,0 +1,10 @@ +# Supply-chain hardening: ignore versions younger than 7 days during dependency +# resolution. Most malicious npm packages are detected/yanked within hours, so a +# week-long cooldown trades a small amount of freshness for a meaningful drop in +# zero-day exposure when bumping deps. +# +# Requires npm CLI >= 11.10.0 (silently ignored by older npm). Only affects +# `npm install` (resolution); `npm ci` installs exactly what's in the lockfile. +# Use `npm install --no-min-release-age` for an explicit override (e.g. an +# urgent security patch). +min-release-age=7 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1aef90e..58d6033 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Bumped `zod` to `^4.1.8` (required by the new SDK's compat layer; also resolves a TypeScript deep-instantiation error) - Added `tmp` override to `^0.2.5` to clear the remaining transitive low-severity advisory (GHSA-52f5-9888-hmc6) coming through the `mcpb` build tool - `npm audit` is now clean (0 vulnerabilities) +- Added `.npmrc` with `min-release-age=7` so `npm install` skips dependency versions less than 7 days old. Mitigates fast-moving supply-chain attacks (à la Shai-Hulud / the March 2026 axios compromise) where malicious uploads are typically detected and yanked within hours. Requires npm CLI ≥ 11.10.0 to take effect (silently ignored on older npm; Node 24 ships with it, Node 22 LTS users need `npm i -g npm@latest`). Only affects `npm install` resolution — `npm ci` continues to install exactly from `package-lock.json`. ## [1.6.0] - 2025-11-25 From dd2c50561616ea3bf1598e293cd6549cd9332aa5 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 12 May 2026 09:25:39 +0000 Subject: [PATCH 4/4] Backfill v1.6.1 and v1.6.2 in CHANGELOG The README comparison table and image MIME fix were sitting in [Unreleased] but actually shipped in v1.6.1 (2026-02-01). v1.6.2 (2026-04-17) wasn't represented at all. Recreate both sections from the GitHub releases / commit history; keep only the genuinely upcoming work (security bumps and the cli.ts update for SDK 1.29) under [Unreleased]. --- CHANGELOG.md | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58d6033..9c05fb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,12 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -### Added -- Added comparison table in README showing differences between this MCP and the official ClickUp MCP - -### Fixed -- Fixed image MIME type detection by inspecting binary magic bytes instead of trusting HTTP headers or fallback values - ### Security - Bumped `@modelcontextprotocol/sdk` to `^1.29.0` to address ReDoS (GHSA-8r9q-7v3j-jr4g), cross-client data leak (GHSA-345p-7cg4-v4c7), and missing default DNS rebinding protection (GHSA-w48q-cv73-mx4w) - Bumped `@anthropic-ai/mcpb` (devDep) to `^2.1.2` @@ -22,6 +16,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - `npm audit` is now clean (0 vulnerabilities) - Added `.npmrc` with `min-release-age=7` so `npm install` skips dependency versions less than 7 days old. Mitigates fast-moving supply-chain attacks (à la Shai-Hulud / the March 2026 axios compromise) where malicious uploads are typically detected and yanked within hours. Requires npm CLI ≥ 11.10.0 to take effect (silently ignored on older npm; Node 24 ships with it, Node 22 LTS users need `npm i -g npm@latest`). Only affects `npm install` resolution — `npm ci` continues to install exactly from `package-lock.json`. +### Changed +- Updated `cli.ts` to work with the new MCP SDK / zod 4 internals (registered-tool `callback` → `handler`, handler now takes an `extra` argument, zod schema internals moved from `_def` to `_zod.def`) + +## [1.6.2] - 2026-04-17 + +### Added +- Time entry description is now included in time-tracking output ([#16](https://github.com/hauptsacheNet/clickup-mcp/pull/16) by @sebastienheyd) + +### Fixed +- Fixed `searchTasks` crash when `getSpaceDetails` returns 401 ([#21](https://github.com/hauptsacheNet/clickup-mcp/pull/21) by @stucchi) + +## [1.6.1] - 2026-02-01 + +### Added +- Added comparison table in README showing differences between this MCP and the official ClickUp MCP + +### Fixed +- Fixed image MIME type detection by inspecting binary magic bytes instead of trusting HTTP headers or fallback values + ## [1.6.0] - 2025-11-25 ### Added