From 03ef59352d06d53897aac8f3b6c0c7ceee24a163 Mon Sep 17 00:00:00 2001
From: Paradoxbound
Date: Fri, 27 Mar 2026 10:10:44 +0000
Subject: [PATCH] ci: add checkout to scan job for vex.json + bump to v2.6.3

The release scan job runs `trivy image --vex vex.json` but had no checkout step, so vex.json was missing and CRITICAL scan always failed. Add a sparse checkout of vex.json only. Also adds missing CHANGELOG entries for v2.6.2 (security fix) and v2.6.3.

Signed-off-by: Jim
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/docker-publish.yml | 6 ++++++
 CHANGELOG.md | 20 +++++++++++++++++++-
 package-lock.json | 2 +-
 packages/stdio/package.json | 2 +-
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f594b4c..2757ae8 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -205,6 +205,12 @@ jobs:
 with:
 egress-policy: audit
 
+ - name: Check out repository (for vex.json)
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ sparse-checkout: vex.json
+ sparse-checkout-cone-mode: false
+
 - name: Log in to GitHub Container Registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bfe3f31..ce363e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
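Review bot: The new checkout step in this hunk leaves actions/checkout's default `persist-credentials: true` in place, so the job's GITHUB_TOKEN gets written into `.git/config` of the workspace even though the step only needs to read one file; add `persist-credentials: false` under its `with:` so later steps in the same job (the GHCR login that follows, and the trivy scan the commit message says this job runs) cannot pick the token up from the checkout. The step also sets no `ref:`, so it checks out the workflow's triggering ref; if this scan job can run on a ref other than the one the image was built from (for example a manual dispatch), the VEX statements it applies may not correspond to the image being scanned — worth confirming against the job's triggers, which start outside the hunk. Because vex.json is read from the repository itself and its statements silence CRITICAL findings, changes to it should be reviewed as carefully as workflow changes; a CODEOWNERS entry for `vex.json` is one way to enforce that.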
@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.6.3] - 2026-03-27
+
+### Fixed
+- CI: Add checkout step to release scan job so `vex.json` is available for Trivy VEX filtering — previously blocked all version releases (#113 follow-up)
+
+## [2.6.2] - 2026-03-27
+
+### Security
+- Restrict `upload_attachment` to a configurable upload root directory (`BOOKSTACK_UPLOAD_ROOT` env var, defaults to cwd) — prevents arbitrary filesystem reads via path traversal when write mode is enabled (#113)
+
+### Dependencies
+- Upgraded Zod from 3.x to 4.3.6 — MCP SDK now supports Zod 4 (#111)
+- Bumped the npm-core group in packages/core: vitest, @vitest/coverage-v8, vite, typescript (#105)
+- Bumped GitHub Actions: actions/checkout v6.0.2, actions/setup-node v6, ossf/scorecard-action v2.4.3, and 8 others (#109)
+- Bumped Node base image digest (#81)
+
 ## [2.6.1] - 2026-03-08
 
 ### Added
@@ -116,7 +132,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Response enhancement: URLs, content previews, human-friendly dates, word counts
 - LibreChat and Claude Desktop integration
 
-[Unreleased]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.1...HEAD
+[Unreleased]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.3...HEAD
+[2.6.3]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.2...v2.6.3
+[2.6.2]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.1...v2.6.2
 [2.6.1]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.0...v2.6.1
 [2.6.0]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.6...v2.6.0
 [2.5.6]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.4...v2.5.6
diff --git a/package-lock.json b/package-lock.json
index 4e7735c..02c29e2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2836,7 +2836,7 @@
 },
 "packages/stdio": {
 "name": "bookstack-mcp-stdio",
- "version": "2.6.1",
+ "version": "2.6.3",
 "dependencies": {
 "@bookstack-mcp/core": "2.5.0",
 "@modelcontextprotocol/sdk": "^1.25.3",
diff --git a/packages/stdio/package.json b/packages/stdio/package.json
index 3a0ad22..49039f6 100644
--- a/packages/stdio/package.json
+++ b/packages/stdio/package.json
@@ -1,6 +1,6 @@
 {
 "name": "bookstack-mcp-stdio",
- "version": "2.6.2",
+ "version": "2.6.3",
 "description": "BookStack MCP server (stdio transport)",
 "type": "module",
 "main": "dist/index.js",