Release 0.7.0 (#104)

zmofei · web-flow · commit 53ff4201dffc · 2026-05-05T16:15:58.000+03:00
* 0.7.0

* Release v0.7.0

* chore: bump version to 0.7.0-beta.1

* chore: bump version to 0.7.0-beta1

* chore: bump version to 0.7.0-dev

* chore: bump version to 0.7.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 ## Unreleased
 
+## 0.7.0 - 2026-05-05
+
+### Security
+
+- **Prevent path traversal in style and tileset tool URL construction** (#103) — Five tools (`RetrieveStyle`, `DeleteStyle`, `UpdateStyle`, `PreviewStyle`, `TilequeryTool`) concatenated user-supplied path parameters directly into Mapbox API URLs without validation. Because Node.js fetch uses the WHATWG URL parser, `../` sequences were normalized before sending, allowing requests to reach unintended API endpoints.
+  - Added shared `styleIdSchema` with allowlist regex rejecting path separators, dots, percent-encoded sequences, and null bytes (`src/tools/shared/styleId.schema.ts`)
+  - Added `owner.name` format validation to `TilequeryTool` tilesetId
+  - Wrapped username and styleId/tilesetId in `encodeURIComponent` at every URL construction site (defense-in-depth)
+  - Replaced silent fallback in output schema validation with explicit `isError: true` responses across all API tools — prevents unintended API responses from being forwarded to callers
+  - Removed unused `BaseTool.validateOutput()` method
+  - Added `test/security/path-traversal.test.ts` with 52 tests covering schema rejection, valid ID acceptance, URL encoding, and response schema mismatch behavior
+- **Reject cross-origin Link headers** (#103) — Pagination `next-page` URLs from `Link` response headers are now validated to share the same origin as the configured API endpoint; cross-origin URLs are rejected to prevent access token exfiltration via crafted API responses
+- **Redact tokens from logs** (#103) — Added `redactToken()` utility that strips `access_token` query parameter values from strings before they reach log output or MCP client error responses (network errors include the full request URL which would otherwise expose the token)
+
 ### Removed
 
 - **`get_latest_mapbox_docs_tool` and `get_reference_tool` removed** — documentation fetching has moved to [mcp-docs-server](https://github.com/mapbox/mcp-docs-server). Use mcp-docs-server alongside this server for Mapbox documentation access. Static reference data (style layers, Streets v8 fields, token scopes, layer type mapping) remains available as MCP Resources.
diff --git a/manifest.json b/manifest.json
@@ -2,7 +2,7 @@
   "dxt_version": "0.1",
   "name": "@mapbox/mcp-devkit-server",
   "display_name": "Mapbox MCP DevKit Server",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Mapbox MCP devkit server",
   "author": {
     "name": "Mapbox, Inc."
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@mapbox/mcp-devkit-server",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Mapbox MCP devkit server",
   "mcpName": "io.github.mapbox/mcp-devkit-server",
   "main": "./dist/commonjs/index.js",
diff --git a/server.json b/server.json
@@ -6,13 +6,13 @@
     "url": "https://github.com/mapbox/mcp-devkit-server",
     "source": "github"
   },
-  "version": "0.6.0",
+  "version": "0.7.0",
   "packages": [
     {
       "registryType": "npm",
       "registryBaseUrl": "https://registry.npmjs.org",
       "runtimeHint": "npx",
-      "version": "0.6.0",
+      "version": "0.7.0",
       "identifier": "@mapbox/mcp-devkit-server",
       "transport": {
         "type": "stdio"

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@mapbox/mcp-devkit-server",`
`3`		`- "version": "0.6.0",`
	`3`	`+ "version": "0.7.0",`
`4`	`4`	`"description": "Mapbox MCP devkit server",`
`5`	`5`	`"mcpName": "io.github.mapbox/mcp-devkit-server",`
`6`	`6`	`"main": "./dist/commonjs/index.js",`