chore: add CVE-2026-4926 to CHANGELOG (#96)

mattpodwysocki · claude · web-flow · commit e8ae69e3fe70 · 2026-04-01T16:42:08.000-04:00
* chore: add CVE-2026-4926 entry to CHANGELOG Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: add GHSA and mxjg to cspell wordlist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+### Security
+
+- **CVE-2026-4926**: Upgraded `@modelcontextprotocol/sdk` to `^1.29.0`, resolving `path-to-regexp` to `8.4.1` and fixing the ReDoS vulnerability [GHSA-j3q9-mxjg-w52f](https://github.com/advisories/GHSA-j3q9-mxjg-w52f); regenerated output-validation patch for the new version
+
 ### Public API
 
 - **Add `getAllTools` and `getVersionInfo` to public exports** — `getAllTools` is now re-exported from `@mapbox/mcp-devkit-server/tools` and `getVersionInfo` (plus `VersionInfo` type) from `@mapbox/mcp-devkit-server/utils`. These are needed by `hosted-mcp-server` to import server functionality via npm packages instead of submodule filesystem paths.
diff --git a/cspell.config.json b/cspell.config.json
@@ -7,7 +7,9 @@
     "isochrone",
     "mapbox",
     "mmss",
-    "tilequery"
+    "tilequery",
+    "GHSA",
+    "mxjg"
   ],
   "ignorePaths": [
     "node_modules",
