fix(security): bump vulnerable packages by PMerlet · Pull Request #1466 · ForestAdmin/agent-nodejs

PMerlet · 2026-02-12T10:14:27Z

Definition of Done

General

Write an explicit title for the Pull Request, following Conventional Commits specification
Test manually the implemented changes
Validate the code quality (indentation, syntax, style, simplicity, readability)

Security

Consider the security impact of the changes made

qltysh · 2026-02-12T10:20:20Z

Coverage Impact

⬆️ Merging this pull request will increase total coverage on main by 0.37%.

Modified Files with Diff Coverage (1)

Rating	File	% Diff	Uncovered Line #s
	packages/mcp-server/src/server.ts	100.0%
	Total	100.0%

🚦 See full report on Qlty Cloud »

🛟 Help

Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.
Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.
File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)
- Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

package.json

qltysh · 2026-02-12T14:27:47Z

1 new issue

Tool	Category	Rule	Count
qlty	Structure	Function with many parameters (count = 5): registerToolWithLogging	1

- Replace local ToolResult type with SDK's CallToolResult - Type extra parameter as RequestHandlerExtra instead of any/unknown - Use Parameters<McpServer['registerTool']> to bridge zod duplication - Remove as-any casts in ai-proxy examples and tests - Fix missing beforeAll closing bracket in integration test Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Wrap server.connect/transport.handleRequest in try/finally for cleanup - Await transport.close() and server.close() to prevent unhandled rejections - Clean up immediately when response is already ended (non-streaming) - Catch and log cleanup errors in both paths to avoid replacing original errors - Demote per-request "Registered N tools" log from Info to Debug - Remove remaining as-any in ai-proxy example Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add proper assertion in "should call next() for non-MCP routes" test - Fix misplaced eslint-disable comment for @typescript-eslint/no-explicit-any - Remove 5 unnecessary no-param-reassign disable comments (rule allows props) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

## @forestadmin/ai-proxy [1.4.2](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/ai-proxy@1.4.1...@forestadmin/ai-proxy@1.4.2) (2026-02-12) ### Bug Fixes * **security:** bump vulnerable packages ([#1466](#1466)) ([15a9279](15a9279))

## @forestadmin/forestadmin-client [1.37.11](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/forestadmin-client@1.37.10...@forestadmin/forestadmin-client@1.37.11) (2026-02-12) ### Bug Fixes * **security:** bump vulnerable packages ([#1466](#1466)) ([15a9279](15a9279)) ### Dependencies * **@forestadmin/ai-proxy:** upgraded to 1.4.2

## @forestadmin/mcp-server [1.8.2](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/mcp-server@1.8.1...@forestadmin/mcp-server@1.8.2) (2026-02-12) ### Bug Fixes * **security:** bump vulnerable packages ([#1466](#1466)) ([15a9279](15a9279)) ### Dependencies * **@forestadmin/agent-client:** upgraded to 1.4.7 * **@forestadmin/forestadmin-client:** upgraded to 1.37.11

## @forestadmin/agent [1.72.8](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/agent@1.72.7...@forestadmin/agent@1.72.8) (2026-02-12) ### Bug Fixes * **security:** bump vulnerable packages ([#1466](#1466)) ([15a9279](15a9279)) ### Dependencies * **@forestadmin/ai-proxy:** upgraded to 1.4.2 * **@forestadmin/forestadmin-client:** upgraded to 1.37.11 * **@forestadmin/mcp-server:** upgraded to 1.8.2

## @forestadmin/forest-cloud [1.12.88](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/forest-cloud@1.12.87...@forestadmin/forest-cloud@1.12.88) (2026-02-12) ### Bug Fixes * **security:** bump vulnerable packages ([#1466](#1466)) ([15a9279](15a9279)) ### Dependencies * **@forestadmin/agent:** upgraded to 1.72.8

Scra3 reviewed Feb 12, 2026

View reviewed changes

package.json Outdated Show resolved Hide resolved

PMerlet added 4 commits February 12, 2026 15:27

fix(security): bump vulnerable packages

0f305ba

fix: integration tests

7168922

chore: follow mcp server documentation

fbc96bd

fix: remove resolutions at the root level

301e60e

PMerlet and others added 2 commits February 12, 2026 15:28

chore: clean types

bdf0516

Scra3 force-pushed the fix/high-vulnerabilities branch from 5182b91 to f83c1ac Compare February 12, 2026 14:30

Scra3 force-pushed the fix/high-vulnerabilities branch from f83c1ac to 5164b15 Compare February 12, 2026 14:44

PMerlet and others added 2 commits February 12, 2026 17:37

chore: improve coverage

97938e6

Scra3 approved these changes Feb 12, 2026

View reviewed changes

PMerlet merged commit 15a9279 into main Feb 12, 2026
28 checks passed

PMerlet deleted the fix/high-vulnerabilities branch February 12, 2026 18:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(security): bump vulnerable packages#1466

fix(security): bump vulnerable packages#1466
PMerlet merged 9 commits intomainfrom
fix/high-vulnerabilities

PMerlet commented Feb 12, 2026

Uh oh!

qltysh bot commented Feb 12, 2026 •

edited

Loading

Uh oh!

Uh oh!

qltysh bot commented Feb 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

PMerlet commented Feb 12, 2026

Definition of Done

General

Security

Uh oh!

qltysh bot commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

qltysh bot commented Feb 12, 2026

1 new issue

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

qltysh bot commented Feb 12, 2026 •

edited

Loading