Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .npmrc
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# Supply-chain hardening: ignore versions younger than 7 days during dependency
# resolution. Most malicious npm packages are detected/yanked within hours, so a
# week-long cooldown trades a small amount of freshness for a meaningful drop in
# zero-day exposure when bumping deps.
#
# Requires npm CLI >= 11.10.0 (silently ignored by older npm). Only affects
# `npm install` (resolution); `npm ci` installs exactly what's in the lockfile.
# Use `npm install --no-min-release-age` for an explicit override (e.g. an
# urgent security patch).
min-release-age=7
22 changes: 22 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Security
- Bumped `@modelcontextprotocol/sdk` to `^1.29.0` to address ReDoS (GHSA-8r9q-7v3j-jr4g), cross-client data leak (GHSA-345p-7cg4-v4c7), and missing default DNS rebinding protection (GHSA-w48q-cv73-mx4w)
- Bumped `@anthropic-ai/mcpb` (devDep) to `^2.1.2`
- Bumped `undici` (devDep) to `^7.25.0` to address WebSocket/HTTP smuggling and decompression DoS advisories (stays on the 7.x line to keep the test `MockAgent` API)
- Bumped `zod` to `^4.1.8` (required by the new SDK's compat layer; also resolves a TypeScript deep-instantiation error)
- Added `tmp` override to `^0.2.5` to clear the remaining transitive low-severity advisory (GHSA-52f5-9888-hmc6) coming through the `mcpb` build tool
- `npm audit` is now clean (0 vulnerabilities)
- Added `.npmrc` with `min-release-age=7` so `npm install` skips dependency versions less than 7 days old. Mitigates fast-moving supply-chain attacks (à la Shai-Hulud / the March 2026 axios compromise) where malicious uploads are typically detected and yanked within hours. Requires npm CLI ≥ 11.10.0 to take effect (silently ignored on older npm; Node 24 ships with it, Node 22 LTS users need `npm i -g npm@latest`). Only affects `npm install` resolution — `npm ci` continues to install exactly from `package-lock.json`.

### Changed
- Updated `cli.ts` to work with the new MCP SDK / zod 4 internals (registered-tool `callback` → `handler`, handler now takes an `extra` argument, zod schema internals moved from `_def` to `_zod.def`)

## [1.6.2] - 2026-04-17

### Added
- Time entry description is now included in time-tracking output ([#16](https://github.com/hauptsacheNet/clickup-mcp/pull/16) by @sebastienheyd)

### Fixed
- Fixed `searchTasks` crash when `getSpaceDetails` returns 401 ([#21](https://github.com/hauptsacheNet/clickup-mcp/pull/21) by @stucchi)

## [1.6.1] - 2026-02-01

### Added
- Added comparison table in README showing differences between this MCP and the official ClickUp MCP

Expand Down
Loading
Loading