{
  "interval": {
    "intervalStart": "2026-02-22T00:00:00.000Z",
    "intervalEnd": "2026-03-01T00:00:00.000Z",
    "intervalType": "week"
  },
  "repository": "elizaos/eliza",
  "overview": "From 2026-02-22 to 2026-03-01, elizaos/eliza had 3 new PRs (0 merged), 0 new issues, and 4 active contributors.",
  "topIssues": [],
  "topPRs": [
    {
      "id": "PR_kwDOMT5cIs7FZTAr",
      "title": "feat(plugin-sql): align RLS isolation with v1 patterns",
      "author": "standujar",
      "number": 6521,
      "body": "## Summary\n- Replace `application_name`-based server context with parameterized `set_config('app.server_id', ...)` for SQL injection safety\n- Rename `withEntityContext` → `withIsolationContext` across all adapters (pg, pglite, base, interface)\n- Replace `sql.raw()` with parameterized `set_config()` in `withIsolationContext` for entity context\n- Remove legacy `migrations.ts` (`migrateToEntityRLS`) — v2.0.0 starts with fresh snake_case schema, no v1.6.4→v1.6.5 migration needed\n\n## Changes\n\n### Core RLS (`rls.ts`)\n- `current_server_id()` now reads from `current_setting('app.server_id', TRUE)` instead of `application_name`\n- Added early NULL/empty check before UUID cast for robustness\n\n### Connection Manager (`pg/manager.ts`)\n- `withIsolationContext()` uses parameterized `set_config()` instead of `sql.raw()`\n- Server context set via `set_config('app.server_id', $1, true)` (transaction-scoped)\n- Entity context set via `set_config('app.entity_id', $1, true)` (transaction-scoped)\n- UUID validation before setting entity context\n\n### Adapters\n- Renamed abstract method `withEntityContext` → `withIsolationContext` in `base.ts`\n- Updated `pg/adapter.ts` and `pglite/adapter.ts` implementations\n- Updated `IDatabaseAdapter` interface in `database.ts`\n\n### Removed\n- `migrations.ts` (750 LOC) — legacy v1.6.4→v1.6.5 camelCase→snake_case migration\n- `migration-before-1.6.5.test.ts` — associated test file\n- `migrateToEntityRLS()` call from `migration-service.ts`\n\n### Tests\n- All unit tests updated: `withEntityContext` → `withIsolationContext`\n- All integration tests updated: `application_name` pool config → `set_config('app.server_id', ...)`\n- Cleaned up stale comments referencing old patterns\n\n<!-- greptile_comment -->\n\n<h3>Greptile Summary</h3>\n\nThis PR strengthens SQL injection protection in the RLS (Row-Level Security) system by replacing `application_name`-based server context and `sql.raw()` calls with parameterized 
`set_config()` calls, while cleaning up legacy v1.6.4→v1.6.5 migration code that's no longer needed in v2.0.0.\n\n**Key changes:**\n- Replaced `application_name` pool config with parameterized `set_config('app.server_id', $1, true)` for server context\n- Replaced `sql.raw()` with parameterized `set_config('app.entity_id', $1, true)` for entity context\n- Renamed `withEntityContext` → `withIsolationContext` across all adapters to better reflect that it sets both server and entity context\n- Updated `current_server_id()` SQL function to read from `current_setting('app.server_id')` instead of `application_name`\n- Added early NULL/empty check before UUID cast in RLS functions for robustness\n- Removed 750 LOC of legacy migration code (`migrations.ts` and `migration-before-1.6.5.test.ts`) that handled v1.6.4→v1.6.5 schema migration\n- Updated all tests to reflect new patterns (integration tests now use `set_config()` instead of `application_name`)\n\nThe changes are well-structured and comprehensive, with proper UUID validation and consistent error handling throughout.\n\n<h3>Confidence Score: 5/5</h3>\n\n- This PR is safe to merge - it improves security by eliminating SQL injection vectors while maintaining backward compatibility\n- The PR receives a perfect score because: (1) it addresses a real security concern by replacing `sql.raw()` with parameterized queries, (2) all changes are consistently applied across the codebase, (3) comprehensive test coverage is maintained with both unit and integration tests updated, (4) the method rename is semantically accurate and applied consistently, (5) removing legacy migration code is appropriate for v2.0.0 which starts with a fresh schema\n- No files require special attention - all changes follow consistent patterns and are well-tested\n\n<h3>Important Files Changed</h3>\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| plugins/plugin-sql/typescript/rls.ts | Replaces `application_name` with parameterized 
`set_config('app.server_id')` for SQL injection safety in RLS functions |\n| plugins/plugin-sql/typescript/pg/manager.ts | Replaces `sql.raw()` with parameterized `set_config()` calls, renames `withEntityContext` → `withIsolationContext`, removes `application_name` from pool config |\n| plugins/plugin-sql/typescript/base.ts | Renames abstract method `withEntityContext` → `withIsolationContext` and applies formatting updates |\n| plugins/plugin-sql/typescript/pg/adapter.ts | Updates implementation to use `withIsolationContext` instead of `withEntityContext` |\n| plugins/plugin-sql/typescript/migration-service.ts | Removes legacy `migrateToEntityRLS()` call and associated imports for v2.0.0 fresh start |\n| plugins/plugin-sql/typescript/migrations.ts | Deleted entire file (750 LOC) - legacy v1.6.4→v1.6.5 migration no longer needed in v2.0.0 |\n| packages/typescript/src/types/database.ts | Updates `IDatabaseAdapter` interface: `withEntityContext` → `withIsolationContext` plus formatting changes |\n\n</details>\n\n\n\n<h3>Sequence Diagram</h3>\n\n```mermaid\nsequenceDiagram\n    participant App as Application\n    participant Adapter as PgDatabaseAdapter\n    participant Manager as PostgresConnectionManager\n    participant DB as PostgreSQL Database\n    participant RLS as RLS Policies\n\n    Note over App,RLS: Server Context Setup (v2.0.0 Pattern)\n    App->>Manager: new PostgresConnectionManager(url, rlsServerId)\n    Note over Manager: Store rlsServerId internally<br/>(NOT in application_name)\n    \n    Note over App,RLS: Transaction with Isolation Context\n    App->>Adapter: withIsolationContext(entityId, callback)\n    Adapter->>Manager: withIsolationContext(entityId, callback)\n    Manager->>DB: BEGIN TRANSACTION\n    \n    alt Data Isolation Enabled\n        alt Server Context Available\n            Manager->>DB: set_config('app.server_id', $rlsServerId, true)\n            Note over DB: Parameterized - SQL injection safe\n        end\n        \n        alt 
Entity Context Available\n            Manager->>DB: Validate UUID format\n            Manager->>DB: set_config('app.entity_id', $entityId, true)\n            Note over DB: Parameterized - SQL injection safe\n        end\n    end\n    \n    Manager->>App: Execute callback(tx)\n    App->>DB: Execute queries\n    DB->>RLS: Check current_server_id()\n    RLS->>DB: current_setting('app.server_id', TRUE)::UUID\n    DB->>RLS: Check current_entity_id()\n    RLS->>DB: current_setting('app.entity_id', TRUE)::UUID\n    RLS->>DB: Filter rows by server_id/entity_id\n    DB->>App: Return isolated data\n    \n    Manager->>DB: COMMIT\n    DB->>Manager: Success\n    Manager->>Adapter: Return result\n    Adapter->>App: Return result\n```\n\n<sub>Last reviewed commit: dbe4ae7</sub>\n\n<!-- greptile_other_comments_section -->\n\n<!-- /greptile_comment -->",
      "repository": "elizaos/eliza",
      "createdAt": "2026-02-22T00:46:58Z",
      "mergedAt": null,
      "additions": 1669,
      "deletions": 2693
    },
    {
      "id": "PR_kwDOMT5cIs7FO8wM",
      "title": "chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates",
      "author": "dependabot",
      "number": 6518,
      "body": "Bumps the npm_and_yarn group with 1 update in the /packages/computeruse/crates/computeruse-mcp-agent directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk).\nBumps the npm_and_yarn group with 1 update in the /packages/computeruse/crates/computeruse-mcp-agent/tests/integration directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk).\nBumps the npm_and_yarn group with 2 updates in the /packages/computeruse/examples/mcp-client-elicitation directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) and [ajv](https://github.com/ajv-validator/ajv).\n\nUpdates `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/releases\"><code>@​modelcontextprotocol/sdk</code>'s releases</a>.</em></p>\n<blockquote>\n<h2>v1.26.0</h2>\n<p>Addresses &quot;Sharing server/transport instances can leak cross-client response data&quot; in this GHSA <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7\">https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7</a></p>\n<h2>What's Changed</h2>\n<ul>\n<li>chore: bump v1.25.3 for backport fixes by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1412\">modelcontextprotocol/typescript-sdk#1412</a></li>\n<li>fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by <a href=\"https://github.com/samuv\"><code>@​samuv</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li>Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client 
Credentials providers scopes support (backported) by <a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n<li>chore: bump version to 1.26.0 by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1479\">modelcontextprotocol/typescript-sdk#1479</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/samuv\"><code>@​samuv</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li><a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0</a></p>\n<h2>v1.25.3</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>[v1.x backport] Use correct schema for client sampling validation when tools are present by <a href=\"https://github.com/olaservo\"><code>@​olaservo</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1407\">modelcontextprotocol/typescript-sdk#1407</a></li>\n<li>fix: prevent Hono from overriding global Response object (v1.x) by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1411\">modelcontextprotocol/typescript-sdk#1411</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a 
href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3</a></p>\n<h2>v1.25.2</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>ci: trigger workflow on v1.x branch by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1319\">modelcontextprotocol/typescript-sdk#1319</a></li>\n<li>fix: README badges links destinations by <a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n<li>fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1365\">modelcontextprotocol/typescript-sdk#1365</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2</a></p>\n<h2>1.25.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>spec types - backwards compatibility changes by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1306\">modelcontextprotocol/typescript-sdk#1306</a></li>\n<li>chore: bump version for patch fix by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1307\">modelcontextprotocol/typescript-sdk#1307</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1</a></p>\n<h2>1.25.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>list changed handlers on client constructor by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1206\">modelcontextprotocol/typescript-sdk#1206</a></li>\n<li>Role - moved from inline to reusable type by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1221\">modelcontextprotocol/typescript-sdk#1221</a></li>\n<li>fix: use versioned npm tag for non-main branch releases by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1236\">modelcontextprotocol/typescript-sdk#1236</a></li>\n<li>No automatic completion support unless needed - Revisited yet again by <a href=\"https://github.com/cliffhall\"><code>@​cliffhall</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1237\">modelcontextprotocol/typescript-sdk#1237</a></li>\n<li>fix: Support updating output schema by <a href=\"https://github.com/vincent0426\"><code>@​vincent0426</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1048\">modelcontextprotocol/typescript-sdk#1048</a></li>\n</ul>\n<!-- raw HTML omitted -->\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/fe9c07b465871394c7069207c86513df9c1194a4\"><code>fe9c07b</code></a> chore: bump version to 1.26.0 (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1479\">#1479</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/4f01e7e0708e1a85ccc7dbf39e850005f2d9ff03\"><code>4f01e7e</code></a> fix: add non-null assertions for optional setupServer fields in stateful test</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a05be176cabeae1f933b676e3ce024bf02e2314d\"><code>a05be17</code></a> Merge commit from fork</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/50d9fa3cd12e807e7963bcb9e1548786d3d5d941\"><code>50d9fa3</code></a> Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1442\">#1442</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/aa81a66556fb4434d8a6d1b70f7ac9fc40b5d325\"><code>aa81a66</code></a> fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6aba0659654e1ff0699844524595922a61e44cb9\"><code>6aba065</code></a> chore: bump v1.25.3 for backport fixes (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1412\">#1412</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6e8f7e1a43a819ae230373c62b82228dafd892c6\"><code>6e8f7e1</code></a> fix: prevent Hono from overriding global Response object (v1.x) (<a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1411\">#1411</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/12ae856cee6ca58499cce24e80f650e78a0c7610\"><code>12ae856</code></a> [v1.x backport] Use correct schema for client sampling validation when tools ...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3\"><code>b392f02</code></a> fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1365\">#1365</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a0c9b13484748acab9e5dc8317a7e89c06b52e37\"><code>a0c9b13</code></a> fix: README badges links destinations (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/907\">#907</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.3...v1.26.0\">compare view</a></li>\n</ul>\n</details>\n<details>\n<summary>Maintainer changes</summary>\n<p>This version was pushed to npm by <a href=\"https://www.npmjs.com/~pcarleton\">pcarleton</a>, a new releaser for <code>@​modelcontextprotocol/sdk</code> since your current version.</p>\n</details>\n<br />\n\nUpdates `ajv` from 6.12.6 to 8.18.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/ajv-validator/ajv/releases\">ajv's releases</a>.</em></p>\n<blockquote>\n<h2>v8.18.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> by <a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li>fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> 
Infinity and NaN serialise to null by <a href=\"https://github.com/jasoniangreen\"><code>@​jasoniangreen</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2487\">ajv-validator/ajv#2487</a></li>\n<li>fix: small grammatical error in managing-schemas.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n<li>fix: typos in schema-language.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2507\">ajv-validator/ajv#2507</a></li>\n<li>fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by <a href=\"https://github.com/epoberezkin\"><code>@​epoberezkin</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2586\">ajv-validator/ajv#2586</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li><a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0</a></p>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/142ce84b807c4fe66e619c22480a28d0e4bd50fa\"><code>142ce84</code></a> 8.18.0</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\"><code>720a23f</code></a> fix(pattern): use 
configured RegExp engine with $data keyword to mitigate ReD...</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/82735a15826a30cc51e97a1bbfb59b3d388e4b98\"><code>82735a1</code></a> fix: typos in schema-language.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2507\">#2507</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/b17ec32cd97542e90ae27231d8a8bce88b9e53b6\"><code>b17ec32</code></a> fix: small grammatical error in managing-schemas.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2508\">#2508</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/69568d08564303e2c32a2de61feb833b41075f96\"><code>69568d0</code></a> fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> Infinity and NaN serialise to null (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2487\">#2487</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/f06766f33ed7291f84c19f22a1286a34475fbdaf\"><code>f06766f</code></a> feat: allow tree-shaking by adding ``&quot;sideEffects&quot;: false<code>to</code>package.json` ...</li>\n<li>See full diff in <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `qs` from 6.14.0 to 6.15.0\n<details>\n<summary>Changelog</summary>\n<p><em>Sourced from <a href=\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\">qs's changelog</a>.</em></p>\n<blockquote>\n<h2><strong>6.15.0</strong></h2>\n<ul>\n<li>[New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href=\"https://redirect.github.com/ljharb/qs/issues/425\">#425</a>, <a href=\"https://redirect.github.com/ljharb/qs/issues/122\">#122</a>)</li>\n<li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a 
href=\"https://redirect.github.com/ljharb/qs/issues/514\">#514</a>)</li>\n</ul>\n<h2><strong>6.14.2</strong></h2>\n<ul>\n<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href=\"https://redirect.github.com/ljharb/qs/issues/546\">#546</a>)</li>\n<li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>\n<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href=\"https://redirect.github.com/ljharb/qs/issues/529\">#529</a>)</li>\n<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li>\n<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href=\"https://redirect.github.com/ljharb/qs/issues/545\">#545</a>)</li>\n<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>\n<li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href=\"https://redirect.github.com/ljharb/qs/issues/418\">#418</a>)</li>\n<li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href=\"https://redirect.github.com/ljharb/qs/issues/543\">#543</a>)</li>\n<li>[readme] replace runkit CI badge with shields.io check-runs badge</li>\n<li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li>\n<li>[actions] fix rebase workflow permissions</li>\n</ul>\n<h2><strong>6.14.1</strong></h2>\n<ul>\n<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li>\n<li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li>\n<li>[Refactor] <code>parse</code>: extract key segment splitting helper</li>\n<li>[meta] add threat model</li>\n<li>[actions] add workflow 
permissions</li>\n<li>[Tests] <code>stringify</code>: increase coverage</li>\n<li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li>\n</ul>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ljharb/qs/commit/d9b4c66303375493c68c42d68e363e50b1753771\"><code>d9b4c66</code></a> v6.15.0</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/cb41a545a32422ad3044584d3c4fa8f953552605\"><code>cb41a54</code></a> [New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in...</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/88e15636da953397262bd3014ab8b0d17d5c8039\"><code>88e1563</code></a> [Fix] <code>duplicates</code> option should not apply to bracket notation keys</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/9d441d270486c3cc77f17289a9e0921c0f742aff\"><code>9d441d2</code></a> Merge backport release tags v6.0.6–v6.13.3 into main</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/85cc8cac6b444c9b4cb1172a151ac8fdee0a0301\"><code>85cc8ca</code></a> v6.12.5</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/ffc12aa71030f508ab28cccbb1987424abf52379\"><code>ffc12aa</code></a> v6.11.4</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/0506b11e457f6b3847b1dcf65b5c11c0eaf5dfb9\"><code>0506b11</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/6a37fafc75ce8a3d00ef611c9d7acfccc6ec449c\"><code>6a37faf</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/8e8df5a3b147ec2f86830c2e3de1016a7ecbc18b\"><code>8e8df5a</code></a> [Fix] fix regressions from robustness refactor</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/d60bab35a42b3c789d7a1461ea176eaee74eb751\"><code>d60bab3</code></a> v6.10.7</li>\n<li>Additional commits 
viewable in <a href=\"https://github.com/ljharb/qs/compare/v6.14.0...v6.15.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/releases\"><code>@​modelcontextprotocol/sdk</code>'s releases</a>.</em></p>\n<blockquote>\n<h2>v1.26.0</h2>\n<p>Addresses &quot;Sharing server/transport instances can leak cross-client response data&quot; in this GHSA <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7\">https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7</a></p>\n<h2>What's Changed</h2>\n<ul>\n<li>chore: bump v1.25.3 for backport fixes by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1412\">modelcontextprotocol/typescript-sdk#1412</a></li>\n<li>fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by <a href=\"https://github.com/samuv\"><code>@​samuv</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li>Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) by <a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n<li>chore: bump version to 1.26.0 by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1479\">modelcontextprotocol/typescript-sdk#1479</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a 
href=\"https://github.com/samuv\"><code>@​samuv</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li><a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0</a></p>\n<h2>v1.25.3</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>[v1.x backport] Use correct schema for client sampling validation when tools are present by <a href=\"https://github.com/olaservo\"><code>@​olaservo</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1407\">modelcontextprotocol/typescript-sdk#1407</a></li>\n<li>fix: prevent Hono from overriding global Response object (v1.x) by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1411\">modelcontextprotocol/typescript-sdk#1411</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3</a></p>\n<h2>v1.25.2</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>ci: trigger workflow on v1.x branch by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1319\">modelcontextprotocol/typescript-sdk#1319</a></li>\n<li>fix: README badges links destinations by <a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n<li>fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1365\">modelcontextprotocol/typescript-sdk#1365</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2</a></p>\n<h2>1.25.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>spec types - backwards compatibility changes by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1306\">modelcontextprotocol/typescript-sdk#1306</a></li>\n<li>chore: bump version for patch fix by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1307\">modelcontextprotocol/typescript-sdk#1307</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1</a></p>\n<h2>1.25.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>list changed handlers on client constructor by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1206\">modelcontextprotocol/typescript-sdk#1206</a></li>\n<li>Role - moved from inline to reusable type by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1221\">modelcontextprotocol/typescript-sdk#1221</a></li>\n<li>fix: use versioned npm tag for non-main branch releases by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1236\">modelcontextprotocol/typescript-sdk#1236</a></li>\n<li>No automatic completion support unless needed - Revisited yet again by <a href=\"https://github.com/cliffhall\"><code>@​cliffhall</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1237\">modelcontextprotocol/typescript-sdk#1237</a></li>\n<li>fix: Support updating output schema by <a href=\"https://github.com/vincent0426\"><code>@​vincent0426</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1048\">modelcontextprotocol/typescript-sdk#1048</a></li>\n</ul>\n<!-- raw HTML omitted -->\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/fe9c07b465871394c7069207c86513df9c1194a4\"><code>fe9c07b</code></a> chore: bump version to 1.26.0 (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1479\">#1479</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/4f01e7e0708e1a85ccc7dbf39e850005f2d9ff03\"><code>4f01e7e</code></a> fix: add non-null assertions for optional setupServer fields in stateful test</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a05be176cabeae1f933b676e3ce024bf02e2314d\"><code>a05be17</code></a> Merge commit from fork</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/50d9fa3cd12e807e7963bcb9e1548786d3d5d941\"><code>50d9fa3</code></a> Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1442\">#1442</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/aa81a66556fb4434d8a6d1b70f7ac9fc40b5d325\"><code>aa81a66</code></a> fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6aba0659654e1ff0699844524595922a61e44cb9\"><code>6aba065</code></a> chore: bump v1.25.3 for backport fixes (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1412\">#1412</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6e8f7e1a43a819ae230373c62b82228dafd892c6\"><code>6e8f7e1</code></a> fix: prevent Hono from overriding global Response object (v1.x) (<a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1411\">#1411</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/12ae856cee6ca58499cce24e80f650e78a0c7610\"><code>12ae856</code></a> [v1.x backport] Use correct schema for client sampling validation when tools ...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3\"><code>b392f02</code></a> fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1365\">#1365</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a0c9b13484748acab9e5dc8317a7e89c06b52e37\"><code>a0c9b13</code></a> fix: README badges links destinations (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/907\">#907</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.3...v1.26.0\">compare view</a></li>\n</ul>\n</details>\n<details>\n<summary>Maintainer changes</summary>\n<p>This version was pushed to npm by <a href=\"https://www.npmjs.com/~pcarleton\">pcarleton</a>, a new releaser for <code>@​modelcontextprotocol/sdk</code> since your current version.</p>\n</details>\n<br />\n\nUpdates `ajv` from 6.12.6 to 8.18.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/ajv-validator/ajv/releases\">ajv's releases</a>.</em></p>\n<blockquote>\n<h2>v8.18.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> by <a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li>fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> 
Infinity and NaN serialise to null by <a href=\"https://github.com/jasoniangreen\"><code>@​jasoniangreen</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2487\">ajv-validator/ajv#2487</a></li>\n<li>fix: small grammatical error in managing-schemas.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n<li>fix: typos in schema-language.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2507\">ajv-validator/ajv#2507</a></li>\n<li>fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by <a href=\"https://github.com/epoberezkin\"><code>@​epoberezkin</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2586\">ajv-validator/ajv#2586</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li><a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0</a></p>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/142ce84b807c4fe66e619c22480a28d0e4bd50fa\"><code>142ce84</code></a> 8.18.0</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\"><code>720a23f</code></a> fix(pattern): use 
configured RegExp engine with $data keyword to mitigate ReD...</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/82735a15826a30cc51e97a1bbfb59b3d388e4b98\"><code>82735a1</code></a> fix: typos in schema-language.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2507\">#2507</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/b17ec32cd97542e90ae27231d8a8bce88b9e53b6\"><code>b17ec32</code></a> fix: small grammatical error in managing-schemas.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2508\">#2508</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/69568d08564303e2c32a2de61feb833b41075f96\"><code>69568d0</code></a> fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> Infinity and NaN serialise to null (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2487\">#2487</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/f06766f33ed7291f84c19f22a1286a34475fbdaf\"><code>f06766f</code></a> feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> ...</li>\n<li>See full diff in <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `qs` from 6.14.0 to 6.15.0\n<details>\n<summary>Changelog</summary>\n<p><em>Sourced from <a href=\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\">qs's changelog</a>.</em></p>\n<blockquote>\n<h2><strong>6.15.0</strong></h2>\n<ul>\n<li>[New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href=\"https://redirect.github.com/ljharb/qs/issues/425\">#425</a>, <a href=\"https://redirect.github.com/ljharb/qs/issues/122\">#122</a>)</li>\n<li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a 
href=\"https://redirect.github.com/ljharb/qs/issues/514\">#514</a>)</li>\n</ul>\n<h2><strong>6.14.2</strong></h2>\n<ul>\n<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href=\"https://redirect.github.com/ljharb/qs/issues/546\">#546</a>)</li>\n<li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>\n<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href=\"https://redirect.github.com/ljharb/qs/issues/529\">#529</a>)</li>\n<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li>\n<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href=\"https://redirect.github.com/ljharb/qs/issues/545\">#545</a>)</li>\n<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>\n<li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href=\"https://redirect.github.com/ljharb/qs/issues/418\">#418</a>)</li>\n<li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href=\"https://redirect.github.com/ljharb/qs/issues/543\">#543</a>)</li>\n<li>[readme] replace runkit CI badge with shields.io check-runs badge</li>\n<li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li>\n<li>[actions] fix rebase workflow permissions</li>\n</ul>\n<h2><strong>6.14.1</strong></h2>\n<ul>\n<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li>\n<li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li>\n<li>[Refactor] <code>parse</code>: extract key segment splitting helper</li>\n<li>[meta] add threat model</li>\n<li>[actions] add workflow 
permissions</li>\n<li>[Tests] <code>stringify</code>: increase coverage</li>\n<li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li>\n</ul>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ljharb/qs/commit/d9b4c66303375493c68c42d68e363e50b1753771\"><code>d9b4c66</code></a> v6.15.0</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/cb41a545a32422ad3044584d3c4fa8f953552605\"><code>cb41a54</code></a> [New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in...</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/88e15636da953397262bd3014ab8b0d17d5c8039\"><code>88e1563</code></a> [Fix] <code>duplicates</code> option should not apply to bracket notation keys</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/9d441d270486c3cc77f17289a9e0921c0f742aff\"><code>9d441d2</code></a> Merge backport release tags v6.0.6–v6.13.3 into main</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/85cc8cac6b444c9b4cb1172a151ac8fdee0a0301\"><code>85cc8ca</code></a> v6.12.5</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/ffc12aa71030f508ab28cccbb1987424abf52379\"><code>ffc12aa</code></a> v6.11.4</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/0506b11e457f6b3847b1dcf65b5c11c0eaf5dfb9\"><code>0506b11</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/6a37fafc75ce8a3d00ef611c9d7acfccc6ec449c\"><code>6a37faf</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/8e8df5a3b147ec2f86830c2e3de1016a7ecbc18b\"><code>8e8df5a</code></a> [Fix] fix regressions from robustness refactor</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/d60bab35a42b3c789d7a1461ea176eaee74eb751\"><code>d60bab3</code></a> v6.10.7</li>\n<li>Additional commits 
viewable in <a href=\"https://github.com/ljharb/qs/compare/v6.14.0...v6.15.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `@modelcontextprotocol/sdk` from 1.25.1 to 1.26.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/releases\"><code>@​modelcontextprotocol/sdk</code>'s releases</a>.</em></p>\n<blockquote>\n<h2>v1.26.0</h2>\n<p>Addresses &quot;Sharing server/transport instances can leak cross-client response data&quot; in this GHSA <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7\">https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7</a></p>\n<h2>What's Changed</h2>\n<ul>\n<li>chore: bump v1.25.3 for backport fixes by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1412\">modelcontextprotocol/typescript-sdk#1412</a></li>\n<li>fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by <a href=\"https://github.com/samuv\"><code>@​samuv</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li>Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) by <a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n<li>chore: bump version to 1.26.0 by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1479\">modelcontextprotocol/typescript-sdk#1479</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a 
href=\"https://github.com/samuv\"><code>@​samuv</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li><a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0</a></p>\n<h2>v1.25.3</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>[v1.x backport] Use correct schema for client sampling validation when tools are present by <a href=\"https://github.com/olaservo\"><code>@​olaservo</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1407\">modelcontextprotocol/typescript-sdk#1407</a></li>\n<li>fix: prevent Hono from overriding global Response object (v1.x) by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1411\">modelcontextprotocol/typescript-sdk#1411</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3</a></p>\n<h2>v1.25.2</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>ci: trigger workflow on v1.x branch by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1319\">modelcontextprotocol/typescript-sdk#1319</a></li>\n<li>fix: README badges links destinations by <a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n<li>fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1365\">modelcontextprotocol/typescript-sdk#1365</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2</a></p>\n<h2>1.25.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>spec types - backwards compatibility changes by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1306\">modelcontextprotocol/typescript-sdk#1306</a></li>\n<li>chore: bump version for patch fix by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1307\">modelcontextprotocol/typescript-sdk#1307</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1</a></p>\n<h2>1.25.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>list changed handlers on client constructor by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1206\">modelcontextprotocol/typescript-sdk#1206</a></li>\n<li>Role - moved from inline to reusable type by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1221\">modelcontextprotocol/typescript-sdk#1221</a></li>\n<li>fix: use versioned npm tag for non-main branch releases by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1236\">modelcontextprotocol/typescript-sdk#1236</a></li>\n<li>No automatic completion support unless needed - Revisited yet again by <a href=\"https://github.com/cliffhall\"><code>@​cliffhall</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1237\">modelcontextprotocol/typescript-sdk#1237</a></li>\n<li>fix: Support updating output schema by <a href=\"https://github.com/vincent0426\"><code>@​vincent0426</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1048\">modelcontextprotocol/typescript-sdk#1048</a></li>\n</ul>\n<!-- raw HTML omitted -->\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/fe9c07b465871394c7069207c86513df9c1194a4\"><code>fe9c07b</code></a> chore: bump version to 1.26.0 (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1479\">#1479</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/4f01e7e0708e1a85ccc7dbf39e850005f2d9ff03\"><code>4f01e7e</code></a> fix: add non-null assertions for optional setupServer fields in stateful test</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a05be176cabeae1f933b676e3ce024bf02e2314d\"><code>a05be17</code></a> Merge commit from fork</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/50d9fa3cd12e807e7963bcb9e1548786d3d5d941\"><code>50d9fa3</code></a> Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1442\">#1442</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/aa81a66556fb4434d8a6d1b70f7ac9fc40b5d325\"><code>aa81a66</code></a> fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6aba0659654e1ff0699844524595922a61e44cb9\"><code>6aba065</code></a> chore: bump v1.25.3 for backport fixes (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1412\">#1412</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6e8f7e1a43a819ae230373c62b82228dafd892c6\"><code>6e8f7e1</code></a> fix: prevent Hono from overriding global Response object (v1.x) (<a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1411\">#1411</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/12ae856cee6ca58499cce24e80f650e78a0c7610\"><code>12ae856</code></a> [v1.x backport] Use correct schema for client sampling validation when tools ...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3\"><code>b392f02</code></a> fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1365\">#1365</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a0c9b13484748acab9e5dc8317a7e89c06b52e37\"><code>a0c9b13</code></a> fix: README badges links destinations (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/907\">#907</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.3...v1.26.0\">compare view</a></li>\n</ul>\n</details>\n<details>\n<summary>Maintainer changes</summary>\n<p>This version was pushed to npm by <a href=\"https://www.npmjs.com/~pcarleton\">pcarleton</a>, a new releaser for <code>@​modelcontextprotocol/sdk</code> since your current version.</p>\n</details>\n<br />\n\nUpdates `ajv` from 8.17.1 to 8.18.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/ajv-validator/ajv/releases\">ajv's releases</a>.</em></p>\n<blockquote>\n<h2>v8.18.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> by <a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li>fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> 
Infinity and NaN serialise to null by <a href=\"https://github.com/jasoniangreen\"><code>@​jasoniangreen</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2487\">ajv-validator/ajv#2487</a></li>\n<li>fix: small grammatical error in managing-schemas.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n<li>fix: typos in schema-language.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2507\">ajv-validator/ajv#2507</a></li>\n<li>fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by <a href=\"https://github.com/epoberezkin\"><code>@​epoberezkin</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2586\">ajv-validator/ajv#2586</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li><a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0</a></p>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/142ce84b807c4fe66e619c22480a28d0e4bd50fa\"><code>142ce84</code></a> 8.18.0</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\"><code>720a23f</code></a> fix(pattern): use 
configured RegExp engine with $data keyword to mitigate ReD...</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/82735a15826a30cc51e97a1bbfb59b3d388e4b98\"><code>82735a1</code></a> fix: typos in schema-language.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2507\">#2507</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/b17ec32cd97542e90ae27231d8a8bce88b9e53b6\"><code>b17ec32</code></a> fix: small grammatical error in managing-schemas.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2508\">#2508</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/69568d08564303e2c32a2de61feb833b41075f96\"><code>69568d0</code></a> fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> Infinity and NaN serialise to null (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2487\">#2487</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/f06766f33ed7291f84c19f22a1286a34475fbdaf\"><code>f06766f</code></a> feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> ...</li>\n<li>See full diff in <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `qs` from 6.14.0 to 6.15.0\n<details>\n<summary>Changelog</summary>\n<p><em>Sourced from <a href=\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\">qs's changelog</a>.</em></p>\n<blockquote>\n<h2><strong>6.15.0</strong></h2>\n<ul>\n<li>[New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href=\"https://redirect.github.com/ljharb/qs/issues/425\">#425</a>, <a href=\"https://redirect.github.com/ljharb/qs/issues/122\">#122</a>)</li>\n<li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a 
href=\"https://redirect.github.com/ljharb/qs/issues/514\">#514</a>)</li>\n</ul>\n<h2><strong>6.14.2</strong></h2>\n<ul>\n<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href=\"https://redirect.github.com/ljharb/qs/issues/546\">#546</a>)</li>\n<li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>\n<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href=\"https://redirect.github.com/ljharb/qs/issues/529\">#529</a>)</li>\n<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li>\n<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href=\"https://redirect.github.com/ljharb/qs/issues/545\">#545</a>)</li>\n<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>\n<li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href=\"https://redirect.github.com/ljharb/qs/issues/418\">#418</a>)</li>\n<li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href=\"https://redirect.github.com/ljharb/qs/issues/543\">#543</a>)</li>\n<li>[readme] replace runkit CI badge with shields.io check-runs badge</li>\n<li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li>\n<li>[actions] fix rebase workflow permissions</li>\n</ul>\n<h2><strong>6.14.1</strong></h2>\n<ul>\n<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li>\n<li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li>\n<li>[Refactor] <code>parse</code>: extract key segment splitting helper</li>\n<li>[meta] add threat model</li>\n<li>[actions] add workflow 
permissions</li>\n<li>[Tests] <code>stringify</code>: increase coverage</li>\n<li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li>\n</ul>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ljharb/qs/commit/d9b4c66303375493c68c42d68e363e50b1753771\"><code>d9b4c66</code></a> v6.15.0</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/cb41a545a32422ad3044584d3c4fa8f953552605\"><code>cb41a54</code></a> [New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in...</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/88e15636da953397262bd3014ab8b0d17d5c8039\"><code>88e1563</code></a> [Fix] <code>duplicates</code> option should not apply to bracket notation keys</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/9d441d270486c3cc77f17289a9e0921c0f742aff\"><code>9d441d2</code></a> Merge backport release tags v6.0.6–v6.13.3 into main</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/85cc8cac6b444c9b4cb1172a151ac8fdee0a0301\"><code>85cc8ca</code></a> v6.12.5</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/ffc12aa71030f508ab28cccbb1987424abf52379\"><code>ffc12aa</code></a> v6.11.4</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/0506b11e457f6b3847b1dcf65b5c11c0eaf5dfb9\"><code>0506b11</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/6a37fafc75ce8a3d00ef611c9d7acfccc6ec449c\"><code>6a37faf</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/8e8df5a3b147ec2f86830c2e3de1016a7ecbc18b\"><code>8e8df5a</code></a> [Fix] fix regressions from robustness refactor</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/d60bab35a42b3c789d7a1461ea176eaee74eb751\"><code>d60bab3</code></a> v6.10.7</li>\n<li>Additional commits 
viewable in <a href=\"https://github.com/ljharb/qs/compare/v6.14.0...v6.15.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `hono` from 4.11.1 to 4.12.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/honojs/hono/releases\">hono's releases</a>.</em></p>\n<blockquote>\n<h2>v4.12.0</h2>\n<h1>Release Notes</h1>\n<p>Hono v4.12.0 is now available!</p>\n<p>This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.</p>\n<h2><code>$path</code> for Hono Client</h2>\n<p>The Hono client now has a <code>$path()</code> method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:</p>\n<pre lang=\"ts\"><code>const client = hc&lt;typeof app&gt;('http://localhost:8787')\n\n// Get the path string\nconst path = client.api.posts.$path()\n// =&gt; '/api/posts'\n\n// With path parameters\nconst postPath = client.api.posts[':id'].$path({\n  param: { id: '123' },\n})\n// =&gt; '/api/posts/123'\n\n// With query parameters\nconst searchPath = client.api.posts.$path({\n  query: { filter: 'test' },\n})\n// =&gt; '/api/posts?filter=test'\n</code></pre>\n<p>Unlike <code>$url()</code> which returns a <code>URL</code> object, <code>$path()</code> returns a plain path string, making it convenient for use with routers or as cache keys.</p>\n<p>Thanks <a href=\"https://github.com/ShaMan123\"><code>@​ShaMan123</code></a>!</p>\n<h2><code>ApplyGlobalResponse</code> Type Helper for RPC Client</h2>\n<p>The new <code>ApplyGlobalResponse</code> type helper allows you to add global error response types to all routes in the RPC client. 
This is useful for typing common error responses from <code>app.onError()</code> or global middlewares:</p>\n<pre lang=\"ts\"><code>const app = new Hono()\n  .get('/api/users', (c) =&gt; c.json({ users: ['alice', 'bob'] }, 200))\n  .onError((err, c) =&gt; c.json({ error: err.message }, 500))\n<p>type AppWithErrors = ApplyGlobalResponse&lt;\ntypeof app,\n{\n401: { json: { error: string; message: string } }\n500: { json: { error: string; message: string } }\n}\n&lt;/tr&gt;&lt;/table&gt;\n</code></pre></p>\n</blockquote>\n<p>... (truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/honojs/hono/commit/d2ed2e9c966d82e2369bd74bdae4acd4e8f57807\"><code>d2ed2e9</code></a> 4.12.0</li>\n<li><a href=\"https://github.com/honojs/hono/commit/01e78adc637de2bc4ae532cf4a80bf7863652f8e\"><code>01e78ad</code></a> Merge pull request <a href=\"https://redirect.github.com/honojs/hono/issues/4735\">#4735</a> from honojs/next</li>\n<li><a href=\"https://github.com/honojs/hono/commit/a340a25fc6065f41328a20068c495f8a32410401\"><code>a340a25</code></a> perf(context): use <code>createResponseInstance</code> for new Response (<a href=\"https://redirect.github.com/honojs/hono/issues/4733\">#4733</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/bd26c3129f8e159864d3f96522f44e900516e847\"><code>bd26c31</code></a> perf(trie-router): improve performance (1.5x ~ 2.0x) (<a href=\"https://redirect.github.com/honojs/hono/issues/4724\">#4724</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/b85c1e032864322c581f4d04652d37ef59130eee\"><code>b85c1e0</code></a> feat(types): Add exports field to ExecutionContext (<a href=\"https://redirect.github.com/honojs/hono/issues/4719\">#4719</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/02346c6d945a10c98f54ae51622e8c7afbe3bad4\"><code>02346c6</code></a> feat(language): add progressive locale code truncation to normalizeLanguage (...</li>\n<li><a 
href=\"https://github.com/honojs/hono/commit/7438ab93553ce61773e2a74376972777602f08ff\"><code>7438ab9</code></a> perf(context): add fast path to c.json() matching c.text() optimization (<a href=\"https://redirect.github.com/honojs/hono/issues/4707\">#4707</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/034223f1bf8db3c98e4bf2d11d597c94362729d7\"><code>034223f</code></a> feat(trailing-slash): add <code>alwaysRedirect</code> option to support wildcard routes ...</li>\n<li><a href=\"https://github.com/honojs/hono/commit/16321afd47e1bf8f48d06d9d8a2eae6b607c73ef\"><code>16321af</code></a> feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify ...</li>\n<li><a href=\"https://github.com/honojs/hono/commit/bf37828d6df56618bb90649c65c1c4deb2f9bcd6\"><code>bf37828</code></a> feat(basic-auth): add context key and callback options (<a href=\"https://redirect.github.com/honojs/hono/issues/4645\">#4645</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/honojs/hono/compare/v4.11.1...v4.12.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n<!-- greptile_comment -->\n\n<h3>Greptile Summary</h3>\n\nThis PR updates npm dependencies across 3 directories in the computeruse package, primarily updating `@modelcontextprotocol/sdk` from various versions (1.17.3, 1.25.0) to 1.26.0. 
The update includes critical security fixes and addresses multiple vulnerabilities.\n\n**Key Security Improvements:**\n- **`@modelcontextprotocol/sdk` 1.26.0**: Fixes GHSA-345p-7cg4-v4c7 (cross-client response data leak vulnerability), prevents ReDoS attacks in UriTemplate regex patterns, and resolves npm audit vulnerabilities\n- **`ajv` 6.12.6→8.18.0**: Major version upgrade with CVE-2025-69873 fix (ReDoS mitigation in pattern validation with $data keyword)\n- **`qs` 6.14.0→6.15.0**: Minor update with bug fixes for arrayLimit handling and strictMerge option\n- **`hono` 4.11.1→4.12.0**: Minor update with performance improvements (transitive dependency)\n\n**Breaking Change Analysis:**\nThe `ajv` major version bump (v6→v8) is a transitive dependency change brought in by `@modelcontextprotocol/sdk`. Since the codebase does not directly import or use `ajv` (verified via code search), this breaking change is internally handled by the SDK and poses no risk to the application code.\n\n**Compatibility:**\nThe MCP SDK v1.26.0 maintains backward compatibility with v1.x APIs. 
The update includes type fixes and additional features (client credentials scopes support, schema validation improvements) without breaking existing usage patterns.\n\n<h3>Confidence Score: 5/5</h3>\n\n- This PR is safe to merge with no risk - it's an automated dependency update that addresses critical security vulnerabilities\n- Score of 5 reflects: (1) automated Dependabot PR with well-documented changes, (2) critical security fixes including GHSA advisory and CVE patches, (3) no direct code changes - only dependency version bumps in lock files, (4) ajv major version bump is safely encapsulated within @modelcontextprotocol/sdk with no direct usage in application code, (5) all updates maintain backward compatibility for the SDK's public API\n- No files require special attention - all changes are standard dependency updates in package.json and package-lock.json files\n\n<h3>Important Files Changed</h3>\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| packages/computeruse/crates/computeruse-mcp-agent/package-lock.json | Updated MCP SDK and transitive dependencies including `ajv` 6.12.6→8.18.0, `qs` 6.14.0→6.15.0 with security patches |\n| packages/computeruse/crates/computeruse-mcp-agent/tests/integration/package-lock.json | Updated MCP SDK and transitive dependencies, notably `ajv` major version bump 6.12.6→8.18.0 with CVE fix |\n| packages/computeruse/examples/mcp-client-elicitation/package-lock.json | Updated MCP SDK and transitive dependencies including `ajv` 8.17.1→8.18.0, `hono` 4.11.1→4.12.0 with security patches |\n\n</details>\n\n\n\n<sub>Last reviewed commit: b820dcc</sub>\n\n<!-- greptile_other_comments_section -->\n\n<!-- /greptile_comment -->",
      "repository": "elizaos/eliza",
      "createdAt": "2026-02-20T18:32:56Z",
      "mergedAt": null,
      "additions": 481,
      "deletions": 333
    },
    {
      "id": "PR_kwDOMT5cIs7Fdb-A",
      "title": "chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates",
      "author": "dependabot",
      "number": 6522,
      "body": "Bumps the npm_and_yarn group with 1 update in the /packages/computeruse/crates/computeruse-mcp-agent directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk).\nBumps the npm_and_yarn group with 1 update in the /packages/computeruse/crates/computeruse-mcp-agent/tests/integration directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk).\nBumps the npm_and_yarn group with 2 updates in the /packages/computeruse/examples/mcp-client-elicitation directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) and [ajv](https://github.com/ajv-validator/ajv).\n\nUpdates `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/releases\"><code>@​modelcontextprotocol/sdk</code>'s releases</a>.</em></p>\n<blockquote>\n<h2>v1.26.0</h2>\n<p>Addresses &quot;Sharing server/transport instances can leak cross-client response data&quot; in this GHSA <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7\">https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7</a></p>\n<h2>What's Changed</h2>\n<ul>\n<li>chore: bump v1.25.3 for backport fixes by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1412\">modelcontextprotocol/typescript-sdk#1412</a></li>\n<li>fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by <a href=\"https://github.com/samuv\"><code>@​samuv</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li>Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client 
Credentials providers scopes support (backported) by <a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n<li>chore: bump version to 1.26.0 by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1479\">modelcontextprotocol/typescript-sdk#1479</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/samuv\"><code>@​samuv</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li><a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0</a></p>\n<h2>v1.25.3</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>[v1.x backport] Use correct schema for client sampling validation when tools are present by <a href=\"https://github.com/olaservo\"><code>@​olaservo</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1407\">modelcontextprotocol/typescript-sdk#1407</a></li>\n<li>fix: prevent Hono from overriding global Response object (v1.x) by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1411\">modelcontextprotocol/typescript-sdk#1411</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a 
href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3</a></p>\n<h2>v1.25.2</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>ci: trigger workflow on v1.x branch by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1319\">modelcontextprotocol/typescript-sdk#1319</a></li>\n<li>fix: README badges links destinations by <a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n<li>fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1365\">modelcontextprotocol/typescript-sdk#1365</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2</a></p>\n<h2>1.25.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>spec types - backwards compatibility changes by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1306\">modelcontextprotocol/typescript-sdk#1306</a></li>\n<li>chore: bump version for patch fix by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1307\">modelcontextprotocol/typescript-sdk#1307</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1</a></p>\n<h2>1.25.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>list changed handlers on client constructor by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1206\">modelcontextprotocol/typescript-sdk#1206</a></li>\n<li>Role - moved from inline to reusable type by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1221\">modelcontextprotocol/typescript-sdk#1221</a></li>\n<li>fix: use versioned npm tag for non-main branch releases by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1236\">modelcontextprotocol/typescript-sdk#1236</a></li>\n<li>No automatic completion support unless needed - Revisited yet again by <a href=\"https://github.com/cliffhall\"><code>@​cliffhall</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1237\">modelcontextprotocol/typescript-sdk#1237</a></li>\n<li>fix: Support updating output schema by <a href=\"https://github.com/vincent0426\"><code>@​vincent0426</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1048\">modelcontextprotocol/typescript-sdk#1048</a></li>\n</ul>\n<!-- raw HTML omitted -->\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/fe9c07b465871394c7069207c86513df9c1194a4\"><code>fe9c07b</code></a> chore: bump version to 1.26.0 (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1479\">#1479</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/4f01e7e0708e1a85ccc7dbf39e850005f2d9ff03\"><code>4f01e7e</code></a> fix: add non-null assertions for optional setupServer fields in stateful test</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a05be176cabeae1f933b676e3ce024bf02e2314d\"><code>a05be17</code></a> Merge commit from fork</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/50d9fa3cd12e807e7963bcb9e1548786d3d5d941\"><code>50d9fa3</code></a> Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1442\">#1442</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/aa81a66556fb4434d8a6d1b70f7ac9fc40b5d325\"><code>aa81a66</code></a> fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6aba0659654e1ff0699844524595922a61e44cb9\"><code>6aba065</code></a> chore: bump v1.25.3 for backport fixes (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1412\">#1412</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6e8f7e1a43a819ae230373c62b82228dafd892c6\"><code>6e8f7e1</code></a> fix: prevent Hono from overriding global Response object (v1.x) (<a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1411\">#1411</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/12ae856cee6ca58499cce24e80f650e78a0c7610\"><code>12ae856</code></a> [v1.x backport] Use correct schema for client sampling validation when tools ...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3\"><code>b392f02</code></a> fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1365\">#1365</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a0c9b13484748acab9e5dc8317a7e89c06b52e37\"><code>a0c9b13</code></a> fix: README badges links destinations (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/907\">#907</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.3...v1.26.0\">compare view</a></li>\n</ul>\n</details>\n<details>\n<summary>Maintainer changes</summary>\n<p>This version was pushed to npm by <a href=\"https://www.npmjs.com/~pcarleton\">pcarleton</a>, a new releaser for <code>@​modelcontextprotocol/sdk</code> since your current version.</p>\n</details>\n<br />\n\nUpdates `ajv` from 6.12.6 to 8.18.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/ajv-validator/ajv/releases\">ajv's releases</a>.</em></p>\n<blockquote>\n<h2>v8.18.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> by <a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li>fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> 
Infinity and NaN serialise to null by <a href=\"https://github.com/jasoniangreen\"><code>@​jasoniangreen</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2487\">ajv-validator/ajv#2487</a></li>\n<li>fix: small grammatical error in managing-schemas.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n<li>fix: typos in schema-language.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2507\">ajv-validator/ajv#2507</a></li>\n<li>fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by <a href=\"https://github.com/epoberezkin\"><code>@​epoberezkin</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2586\">ajv-validator/ajv#2586</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li><a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0</a></p>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/142ce84b807c4fe66e619c22480a28d0e4bd50fa\"><code>142ce84</code></a> 8.18.0</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\"><code>720a23f</code></a> fix(pattern): use 
configured RegExp engine with $data keyword to mitigate ReD...</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/82735a15826a30cc51e97a1bbfb59b3d388e4b98\"><code>82735a1</code></a> fix: typos in schema-language.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2507\">#2507</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/b17ec32cd97542e90ae27231d8a8bce88b9e53b6\"><code>b17ec32</code></a> fix: small grammatical error in managing-schemas.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2508\">#2508</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/69568d08564303e2c32a2de61feb833b41075f96\"><code>69568d0</code></a> fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> Infinity and NaN serialise to null (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2487\">#2487</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/f06766f33ed7291f84c19f22a1286a34475fbdaf\"><code>f06766f</code></a> feat: allow tree-shaking by adding ``&quot;sideEffects&quot;: false<code>to</code>package.json` ...</li>\n<li>See full diff in <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `qs` from 6.14.0 to 6.15.0\n<details>\n<summary>Changelog</summary>\n<p><em>Sourced from <a href=\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\">qs's changelog</a>.</em></p>\n<blockquote>\n<h2><strong>6.15.0</strong></h2>\n<ul>\n<li>[New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href=\"https://redirect.github.com/ljharb/qs/issues/425\">#425</a>, <a href=\"https://redirect.github.com/ljharb/qs/issues/122\">#122</a>)</li>\n<li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a 
href=\"https://redirect.github.com/ljharb/qs/issues/514\">#514</a>)</li>\n</ul>\n<h2><strong>6.14.2</strong></h2>\n<ul>\n<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href=\"https://redirect.github.com/ljharb/qs/issues/546\">#546</a>)</li>\n<li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>\n<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href=\"https://redirect.github.com/ljharb/qs/issues/529\">#529</a>)</li>\n<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li>\n<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href=\"https://redirect.github.com/ljharb/qs/issues/545\">#545</a>)</li>\n<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>\n<li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href=\"https://redirect.github.com/ljharb/qs/issues/418\">#418</a>)</li>\n<li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href=\"https://redirect.github.com/ljharb/qs/issues/543\">#543</a>)</li>\n<li>[readme] replace runkit CI badge with shields.io check-runs badge</li>\n<li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li>\n<li>[actions] fix rebase workflow permissions</li>\n</ul>\n<h2><strong>6.14.1</strong></h2>\n<ul>\n<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li>\n<li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li>\n<li>[Refactor] <code>parse</code>: extract key segment splitting helper</li>\n<li>[meta] add threat model</li>\n<li>[actions] add workflow 
permissions</li>\n<li>[Tests] <code>stringify</code>: increase coverage</li>\n<li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li>\n</ul>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ljharb/qs/commit/d9b4c66303375493c68c42d68e363e50b1753771\"><code>d9b4c66</code></a> v6.15.0</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/cb41a545a32422ad3044584d3c4fa8f953552605\"><code>cb41a54</code></a> [New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in...</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/88e15636da953397262bd3014ab8b0d17d5c8039\"><code>88e1563</code></a> [Fix] <code>duplicates</code> option should not apply to bracket notation keys</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/9d441d270486c3cc77f17289a9e0921c0f742aff\"><code>9d441d2</code></a> Merge backport release tags v6.0.6–v6.13.3 into main</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/85cc8cac6b444c9b4cb1172a151ac8fdee0a0301\"><code>85cc8ca</code></a> v6.12.5</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/ffc12aa71030f508ab28cccbb1987424abf52379\"><code>ffc12aa</code></a> v6.11.4</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/0506b11e457f6b3847b1dcf65b5c11c0eaf5dfb9\"><code>0506b11</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/6a37fafc75ce8a3d00ef611c9d7acfccc6ec449c\"><code>6a37faf</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/8e8df5a3b147ec2f86830c2e3de1016a7ecbc18b\"><code>8e8df5a</code></a> [Fix] fix regressions from robustness refactor</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/d60bab35a42b3c789d7a1461ea176eaee74eb751\"><code>d60bab3</code></a> v6.10.7</li>\n<li>Additional commits 
viewable in <a href=\"https://github.com/ljharb/qs/compare/v6.14.0...v6.15.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/releases\"><code>@​modelcontextprotocol/sdk</code>'s releases</a>.</em></p>\n<blockquote>\n<h2>v1.26.0</h2>\n<p>Addresses &quot;Sharing server/transport instances can leak cross-client response data&quot; in this GHSA <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7\">https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7</a></p>\n<h2>What's Changed</h2>\n<ul>\n<li>chore: bump v1.25.3 for backport fixes by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1412\">modelcontextprotocol/typescript-sdk#1412</a></li>\n<li>fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by <a href=\"https://github.com/samuv\"><code>@​samuv</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li>Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) by <a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n<li>chore: bump version to 1.26.0 by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1479\">modelcontextprotocol/typescript-sdk#1479</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a 
href=\"https://github.com/samuv\"><code>@​samuv</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li><a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0</a></p>\n<h2>v1.25.3</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>[v1.x backport] Use correct schema for client sampling validation when tools are present by <a href=\"https://github.com/olaservo\"><code>@​olaservo</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1407\">modelcontextprotocol/typescript-sdk#1407</a></li>\n<li>fix: prevent Hono from overriding global Response object (v1.x) by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1411\">modelcontextprotocol/typescript-sdk#1411</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3</a></p>\n<h2>v1.25.2</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>ci: trigger workflow on v1.x branch by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1319\">modelcontextprotocol/typescript-sdk#1319</a></li>\n<li>fix: README badges links destinations by <a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n<li>fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1365\">modelcontextprotocol/typescript-sdk#1365</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2</a></p>\n<h2>1.25.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>spec types - backwards compatibility changes by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1306\">modelcontextprotocol/typescript-sdk#1306</a></li>\n<li>chore: bump version for patch fix by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1307\">modelcontextprotocol/typescript-sdk#1307</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1</a></p>\n<h2>1.25.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>list changed handlers on client constructor by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1206\">modelcontextprotocol/typescript-sdk#1206</a></li>\n<li>Role - moved from inline to reusable type by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1221\">modelcontextprotocol/typescript-sdk#1221</a></li>\n<li>fix: use versioned npm tag for non-main branch releases by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1236\">modelcontextprotocol/typescript-sdk#1236</a></li>\n<li>No automatic completion support unless needed - Revisited yet again by <a href=\"https://github.com/cliffhall\"><code>@​cliffhall</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1237\">modelcontextprotocol/typescript-sdk#1237</a></li>\n<li>fix: Support updating output schema by <a href=\"https://github.com/vincent0426\"><code>@​vincent0426</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1048\">modelcontextprotocol/typescript-sdk#1048</a></li>\n</ul>\n<!-- raw HTML omitted -->\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/fe9c07b465871394c7069207c86513df9c1194a4\"><code>fe9c07b</code></a> chore: bump version to 1.26.0 (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1479\">#1479</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/4f01e7e0708e1a85ccc7dbf39e850005f2d9ff03\"><code>4f01e7e</code></a> fix: add non-null assertions for optional setupServer fields in stateful test</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a05be176cabeae1f933b676e3ce024bf02e2314d\"><code>a05be17</code></a> Merge commit from fork</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/50d9fa3cd12e807e7963bcb9e1548786d3d5d941\"><code>50d9fa3</code></a> Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1442\">#1442</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/aa81a66556fb4434d8a6d1b70f7ac9fc40b5d325\"><code>aa81a66</code></a> fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6aba0659654e1ff0699844524595922a61e44cb9\"><code>6aba065</code></a> chore: bump v1.25.3 for backport fixes (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1412\">#1412</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6e8f7e1a43a819ae230373c62b82228dafd892c6\"><code>6e8f7e1</code></a> fix: prevent Hono from overriding global Response object (v1.x) (<a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1411\">#1411</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/12ae856cee6ca58499cce24e80f650e78a0c7610\"><code>12ae856</code></a> [v1.x backport] Use correct schema for client sampling validation when tools ...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3\"><code>b392f02</code></a> fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1365\">#1365</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a0c9b13484748acab9e5dc8317a7e89c06b52e37\"><code>a0c9b13</code></a> fix: README badges links destinations (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/907\">#907</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.3...v1.26.0\">compare view</a></li>\n</ul>\n</details>\n<details>\n<summary>Maintainer changes</summary>\n<p>This version was pushed to npm by <a href=\"https://www.npmjs.com/~pcarleton\">pcarleton</a>, a new releaser for <code>@​modelcontextprotocol/sdk</code> since your current version.</p>\n</details>\n<br />\n\nUpdates `ajv` from 6.12.6 to 8.18.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/ajv-validator/ajv/releases\">ajv's releases</a>.</em></p>\n<blockquote>\n<h2>v8.18.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> by <a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li>fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> 
Infinity and NaN serialise to null by <a href=\"https://github.com/jasoniangreen\"><code>@​jasoniangreen</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2487\">ajv-validator/ajv#2487</a></li>\n<li>fix: small grammatical error in managing-schemas.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n<li>fix: typos in schema-language.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2507\">ajv-validator/ajv#2507</a></li>\n<li>fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by <a href=\"https://github.com/epoberezkin\"><code>@​epoberezkin</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2586\">ajv-validator/ajv#2586</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li><a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0</a></p>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/142ce84b807c4fe66e619c22480a28d0e4bd50fa\"><code>142ce84</code></a> 8.18.0</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\"><code>720a23f</code></a> fix(pattern): use 
configured RegExp engine with $data keyword to mitigate ReD...</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/82735a15826a30cc51e97a1bbfb59b3d388e4b98\"><code>82735a1</code></a> fix: typos in schema-language.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2507\">#2507</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/b17ec32cd97542e90ae27231d8a8bce88b9e53b6\"><code>b17ec32</code></a> fix: small grammatical error in managing-schemas.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2508\">#2508</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/69568d08564303e2c32a2de61feb833b41075f96\"><code>69568d0</code></a> fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> Infinity and NaN serialise to null (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2487\">#2487</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/f06766f33ed7291f84c19f22a1286a34475fbdaf\"><code>f06766f</code></a> feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> ...</li>\n<li>See full diff in <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `qs` from 6.14.0 to 6.15.0\n<details>\n<summary>Changelog</summary>\n<p><em>Sourced from <a href=\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\">qs's changelog</a>.</em></p>\n<blockquote>\n<h2><strong>6.15.0</strong></h2>\n<ul>\n<li>[New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href=\"https://redirect.github.com/ljharb/qs/issues/425\">#425</a>, <a href=\"https://redirect.github.com/ljharb/qs/issues/122\">#122</a>)</li>\n<li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a 
href=\"https://redirect.github.com/ljharb/qs/issues/514\">#514</a>)</li>\n</ul>\n<h2><strong>6.14.2</strong></h2>\n<ul>\n<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href=\"https://redirect.github.com/ljharb/qs/issues/546\">#546</a>)</li>\n<li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>\n<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href=\"https://redirect.github.com/ljharb/qs/issues/529\">#529</a>)</li>\n<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li>\n<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href=\"https://redirect.github.com/ljharb/qs/issues/545\">#545</a>)</li>\n<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>\n<li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href=\"https://redirect.github.com/ljharb/qs/issues/418\">#418</a>)</li>\n<li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href=\"https://redirect.github.com/ljharb/qs/issues/543\">#543</a>)</li>\n<li>[readme] replace runkit CI badge with shields.io check-runs badge</li>\n<li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li>\n<li>[actions] fix rebase workflow permissions</li>\n</ul>\n<h2><strong>6.14.1</strong></h2>\n<ul>\n<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li>\n<li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li>\n<li>[Refactor] <code>parse</code>: extract key segment splitting helper</li>\n<li>[meta] add threat model</li>\n<li>[actions] add workflow 
permissions</li>\n<li>[Tests] <code>stringify</code>: increase coverage</li>\n<li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li>\n</ul>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ljharb/qs/commit/d9b4c66303375493c68c42d68e363e50b1753771\"><code>d9b4c66</code></a> v6.15.0</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/cb41a545a32422ad3044584d3c4fa8f953552605\"><code>cb41a54</code></a> [New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in...</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/88e15636da953397262bd3014ab8b0d17d5c8039\"><code>88e1563</code></a> [Fix] <code>duplicates</code> option should not apply to bracket notation keys</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/9d441d270486c3cc77f17289a9e0921c0f742aff\"><code>9d441d2</code></a> Merge backport release tags v6.0.6–v6.13.3 into main</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/85cc8cac6b444c9b4cb1172a151ac8fdee0a0301\"><code>85cc8ca</code></a> v6.12.5</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/ffc12aa71030f508ab28cccbb1987424abf52379\"><code>ffc12aa</code></a> v6.11.4</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/0506b11e457f6b3847b1dcf65b5c11c0eaf5dfb9\"><code>0506b11</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/6a37fafc75ce8a3d00ef611c9d7acfccc6ec449c\"><code>6a37faf</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/8e8df5a3b147ec2f86830c2e3de1016a7ecbc18b\"><code>8e8df5a</code></a> [Fix] fix regressions from robustness refactor</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/d60bab35a42b3c789d7a1461ea176eaee74eb751\"><code>d60bab3</code></a> v6.10.7</li>\n<li>Additional commits 
viewable in <a href=\"https://github.com/ljharb/qs/compare/v6.14.0...v6.15.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `@modelcontextprotocol/sdk` from 1.25.1 to 1.26.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/releases\"><code>@​modelcontextprotocol/sdk</code>'s releases</a>.</em></p>\n<blockquote>\n<h2>v1.26.0</h2>\n<p>Addresses &quot;Sharing server/transport instances can leak cross-client response data&quot; in this GHSA <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7\">https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7</a></p>\n<h2>What's Changed</h2>\n<ul>\n<li>chore: bump v1.25.3 for backport fixes by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1412\">modelcontextprotocol/typescript-sdk#1412</a></li>\n<li>fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by <a href=\"https://github.com/samuv\"><code>@​samuv</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li>Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) by <a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n<li>chore: bump version to 1.26.0 by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1479\">modelcontextprotocol/typescript-sdk#1479</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a 
href=\"https://github.com/samuv\"><code>@​samuv</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1382\">modelcontextprotocol/typescript-sdk#1382</a></li>\n<li><a href=\"https://github.com/NSeydoux\"><code>@​NSeydoux</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1442\">modelcontextprotocol/typescript-sdk#1442</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.3...v1.26.0</a></p>\n<h2>v1.25.3</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>[v1.x backport] Use correct schema for client sampling validation when tools are present by <a href=\"https://github.com/olaservo\"><code>@​olaservo</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1407\">modelcontextprotocol/typescript-sdk#1407</a></li>\n<li>fix: prevent Hono from overriding global Response object (v1.x) by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1411\">modelcontextprotocol/typescript-sdk#1411</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3\">https://github.com/modelcontextprotocol/typescript-sdk/compare/v1.25.2...v1.25.3</a></p>\n<h2>v1.25.2</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>ci: trigger workflow on v1.x branch by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1319\">modelcontextprotocol/typescript-sdk#1319</a></li>\n<li>fix: README badges links destinations by <a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n<li>fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1365\">modelcontextprotocol/typescript-sdk#1365</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/antonpk1\"><code>@​antonpk1</code></a> made their first contribution in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/907\">modelcontextprotocol/typescript-sdk#907</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.1...v1.25.2</a></p>\n<h2>1.25.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>spec types - backwards compatibility changes by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1306\">modelcontextprotocol/typescript-sdk#1306</a></li>\n<li>chore: bump version for patch fix by <a href=\"https://github.com/felixweinberger\"><code>@​felixweinberger</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1307\">modelcontextprotocol/typescript-sdk#1307</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1\">https://github.com/modelcontextprotocol/typescript-sdk/compare/1.25.0...1.25.1</a></p>\n<h2>1.25.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>list changed handlers on client constructor by <a href=\"https://github.com/mattzcarey\"><code>@​mattzcarey</code></a> in <a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1206\">modelcontextprotocol/typescript-sdk#1206</a></li>\n<li>Role - moved from inline to reusable type by <a href=\"https://github.com/KKonstantinov\"><code>@​KKonstantinov</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1221\">modelcontextprotocol/typescript-sdk#1221</a></li>\n<li>fix: use versioned npm tag for non-main branch releases by <a href=\"https://github.com/pcarleton\"><code>@​pcarleton</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1236\">modelcontextprotocol/typescript-sdk#1236</a></li>\n<li>No automatic completion support unless needed - Revisited yet again by <a href=\"https://github.com/cliffhall\"><code>@​cliffhall</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1237\">modelcontextprotocol/typescript-sdk#1237</a></li>\n<li>fix: Support updating output schema by <a href=\"https://github.com/vincent0426\"><code>@​vincent0426</code></a> in <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1048\">modelcontextprotocol/typescript-sdk#1048</a></li>\n</ul>\n<!-- raw HTML omitted -->\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/fe9c07b465871394c7069207c86513df9c1194a4\"><code>fe9c07b</code></a> chore: bump version to 1.26.0 (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1479\">#1479</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/4f01e7e0708e1a85ccc7dbf39e850005f2d9ff03\"><code>4f01e7e</code></a> fix: add non-null assertions for optional setupServer fields in stateful test</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a05be176cabeae1f933b676e3ce024bf02e2314d\"><code>a05be17</code></a> Merge commit from fork</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/50d9fa3cd12e807e7963bcb9e1548786d3d5d941\"><code>50d9fa3</code></a> Fix <a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1430\">#1430</a>: Client Credentials providers scopes support (backported) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1442\">#1442</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/aa81a66556fb4434d8a6d1b70f7ac9fc40b5d325\"><code>aa81a66</code></a> fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6aba0659654e1ff0699844524595922a61e44cb9\"><code>6aba065</code></a> chore: bump v1.25.3 for backport fixes (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1412\">#1412</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/6e8f7e1a43a819ae230373c62b82228dafd892c6\"><code>6e8f7e1</code></a> fix: prevent Hono from overriding global Response object (v1.x) (<a 
href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1411\">#1411</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/12ae856cee6ca58499cce24e80f650e78a0c7610\"><code>12ae856</code></a> [v1.x backport] Use correct schema for client sampling validation when tools ...</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3\"><code>b392f02</code></a> fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/1365\">#1365</a>)</li>\n<li><a href=\"https://github.com/modelcontextprotocol/typescript-sdk/commit/a0c9b13484748acab9e5dc8317a7e89c06b52e37\"><code>a0c9b13</code></a> fix: README badges links destinations (<a href=\"https://redirect.github.com/modelcontextprotocol/typescript-sdk/issues/907\">#907</a>)</li>\n<li>Additional commits viewable in <a href=\"https://github.com/modelcontextprotocol/typescript-sdk/compare/1.17.3...v1.26.0\">compare view</a></li>\n</ul>\n</details>\n<details>\n<summary>Maintainer changes</summary>\n<p>This version was pushed to npm by <a href=\"https://www.npmjs.com/~pcarleton\">pcarleton</a>, a new releaser for <code>@​modelcontextprotocol/sdk</code> since your current version.</p>\n</details>\n<br />\n\nUpdates `ajv` from 8.17.1 to 8.18.0\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/ajv-validator/ajv/releases\">ajv's releases</a>.</em></p>\n<blockquote>\n<h2>v8.18.0</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> by <a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li>fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> 
Infinity and NaN serialise to null by <a href=\"https://github.com/jasoniangreen\"><code>@​jasoniangreen</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2487\">ajv-validator/ajv#2487</a></li>\n<li>fix: small grammatical error in managing-schemas.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n<li>fix: typos in schema-language.md by <a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2507\">ajv-validator/ajv#2507</a></li>\n<li>fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by <a href=\"https://github.com/epoberezkin\"><code>@​epoberezkin</code></a> in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2586\">ajv-validator/ajv#2586</a></li>\n</ul>\n<h2>New Contributors</h2>\n<ul>\n<li><a href=\"https://github.com/josdejong\"><code>@​josdejong</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2480\">ajv-validator/ajv#2480</a></li>\n<li><a href=\"https://github.com/monteiro-renato\"><code>@​monteiro-renato</code></a> made their first contribution in <a href=\"https://redirect.github.com/ajv-validator/ajv/pull/2508\">ajv-validator/ajv#2508</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0</a></p>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/142ce84b807c4fe66e619c22480a28d0e4bd50fa\"><code>142ce84</code></a> 8.18.0</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\"><code>720a23f</code></a> fix(pattern): use 
configured RegExp engine with $data keyword to mitigate ReD...</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/82735a15826a30cc51e97a1bbfb59b3d388e4b98\"><code>82735a1</code></a> fix: typos in schema-language.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2507\">#2507</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/b17ec32cd97542e90ae27231d8a8bce88b9e53b6\"><code>b17ec32</code></a> fix: small grammatical error in managing-schemas.md (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2508\">#2508</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/69568d08564303e2c32a2de61feb833b41075f96\"><code>69568d0</code></a> fix: <a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2482\">#2482</a> Infinity and NaN serialise to null (<a href=\"https://redirect.github.com/ajv-validator/ajv/issues/2487\">#2487</a>)</li>\n<li><a href=\"https://github.com/ajv-validator/ajv/commit/f06766f33ed7291f84c19f22a1286a34475fbdaf\"><code>f06766f</code></a> feat: allow tree-shaking by adding <code>&quot;sideEffects&quot;: false</code> to <code>package.json</code> ...</li>\n<li>See full diff in <a href=\"https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `qs` from 6.14.0 to 6.15.0\n<details>\n<summary>Changelog</summary>\n<p><em>Sourced from <a href=\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\">qs's changelog</a>.</em></p>\n<blockquote>\n<h2><strong>6.15.0</strong></h2>\n<ul>\n<li>[New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href=\"https://redirect.github.com/ljharb/qs/issues/425\">#425</a>, <a href=\"https://redirect.github.com/ljharb/qs/issues/122\">#122</a>)</li>\n<li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a 
href=\"https://redirect.github.com/ljharb/qs/issues/514\">#514</a>)</li>\n</ul>\n<h2><strong>6.14.2</strong></h2>\n<ul>\n<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href=\"https://redirect.github.com/ljharb/qs/issues/546\">#546</a>)</li>\n<li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>\n<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href=\"https://redirect.github.com/ljharb/qs/issues/529\">#529</a>)</li>\n<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li>\n<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href=\"https://redirect.github.com/ljharb/qs/issues/545\">#545</a>)</li>\n<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>\n<li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href=\"https://redirect.github.com/ljharb/qs/issues/418\">#418</a>)</li>\n<li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href=\"https://redirect.github.com/ljharb/qs/issues/543\">#543</a>)</li>\n<li>[readme] replace runkit CI badge with shields.io check-runs badge</li>\n<li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li>\n<li>[actions] fix rebase workflow permissions</li>\n</ul>\n<h2><strong>6.14.1</strong></h2>\n<ul>\n<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li>\n<li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li>\n<li>[Refactor] <code>parse</code>: extract key segment splitting helper</li>\n<li>[meta] add threat model</li>\n<li>[actions] add workflow 
permissions</li>\n<li>[Tests] <code>stringify</code>: increase coverage</li>\n<li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li>\n</ul>\n</blockquote>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/ljharb/qs/commit/d9b4c66303375493c68c42d68e363e50b1753771\"><code>d9b4c66</code></a> v6.15.0</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/cb41a545a32422ad3044584d3c4fa8f953552605\"><code>cb41a54</code></a> [New] <code>parse</code>: add <code>strictMerge</code> option to wrap object/primitive conflicts in...</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/88e15636da953397262bd3014ab8b0d17d5c8039\"><code>88e1563</code></a> [Fix] <code>duplicates</code> option should not apply to bracket notation keys</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/9d441d270486c3cc77f17289a9e0921c0f742aff\"><code>9d441d2</code></a> Merge backport release tags v6.0.6–v6.13.3 into main</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/85cc8cac6b444c9b4cb1172a151ac8fdee0a0301\"><code>85cc8ca</code></a> v6.12.5</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/ffc12aa71030f508ab28cccbb1987424abf52379\"><code>ffc12aa</code></a> v6.11.4</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/0506b11e457f6b3847b1dcf65b5c11c0eaf5dfb9\"><code>0506b11</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/6a37fafc75ce8a3d00ef611c9d7acfccc6ec449c\"><code>6a37faf</code></a> [actions] update reusable workflows</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/8e8df5a3b147ec2f86830c2e3de1016a7ecbc18b\"><code>8e8df5a</code></a> [Fix] fix regressions from robustness refactor</li>\n<li><a href=\"https://github.com/ljharb/qs/commit/d60bab35a42b3c789d7a1461ea176eaee74eb751\"><code>d60bab3</code></a> v6.10.7</li>\n<li>Additional commits 
viewable in <a href=\"https://github.com/ljharb/qs/compare/v6.14.0...v6.15.0\">compare view</a></li>\n</ul>\n</details>\n<br />\n\nUpdates `hono` from 4.11.1 to 4.12.1\n<details>\n<summary>Release notes</summary>\n<p><em>Sourced from <a href=\"https://github.com/honojs/hono/releases\">hono's releases</a>.</em></p>\n<blockquote>\n<h2>v4.12.1</h2>\n<h2>What's Changed</h2>\n<ul>\n<li>fix(client): export <code>ApplyGlobalResponse</code> from <code>hono/client</code> by <a href=\"https://github.com/sushichan044\"><code>@​sushichan044</code></a> in <a href=\"https://redirect.github.com/honojs/hono/pull/4743\">honojs/hono#4743</a></li>\n</ul>\n<p><strong>Full Changelog</strong>: <a href=\"https://github.com/honojs/hono/compare/v4.12.0...v4.12.1\">https://github.com/honojs/hono/compare/v4.12.0...v4.12.1</a></p>\n<h2>v4.12.0</h2>\n<h1>Release Notes</h1>\n<p>Hono v4.12.0 is now available!</p>\n<p>This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.</p>\n<h2><code>$path</code> for Hono Client</h2>\n<p>The Hono client now has a <code>$path()</code> method that returns the path string instead of a full URL. 
This is useful when you need just the path portion for routing or key-based operations:</p>\n<pre lang=\"ts\"><code>const client = hc&lt;typeof app&gt;('http://localhost:8787')\n\n// Get the path string\nconst path = client.api.posts.$path()\n// =&gt; '/api/posts'\n\n// With path parameters\nconst postPath = client.api.posts[':id'].$path({\n  param: { id: '123' },\n})\n// =&gt; '/api/posts/123'\n\n// With query parameters\nconst searchPath = client.api.posts.$path({\n  query: { filter: 'test' },\n})\n// =&gt; '/api/posts?filter=test'\n</code></pre>\n<p>Unlike <code>$url()</code> which returns a <code>URL</code> object, <code>$path()</code> returns a plain path string, making it convenient for use with routers or as cache keys.</p>\n<p>Thanks <a href=\"https://github.com/ShaMan123\"><code>@ShaMan123</code></a>!</p>\n<h2><code>ApplyGlobalResponse</code> Type Helper for RPC Client</h2>\n<p>The new <code>ApplyGlobalResponse</code> type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from <code>app.onError()</code> or global middlewares:</p>\n<pre lang=\"ts\"><code>const app = new Hono()\n  .get('/api/users', (c) =&gt; c.json({ users: ['alice', 'bob'] }, 200))\n  .onError((err, c) =&gt; c.json({ error: err.message }, 500))\n</code></pre>\n</blockquote>\n<p>... 
(truncated)</p>\n</details>\n<details>\n<summary>Commits</summary>\n<ul>\n<li><a href=\"https://github.com/honojs/hono/commit/2de30d7c2a25885c5df03c454582c305a34da771\"><code>2de30d7</code></a> 4.12.1</li>\n<li><a href=\"https://github.com/honojs/hono/commit/91ef235f9fd34266dbb473a4c43d999465be3c87\"><code>91ef235</code></a> fix(client): export <code>ApplyGlobalResponse</code> from <code>hono/client</code> (<a href=\"https://redirect.github.com/honojs/hono/issues/4743\">#4743</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/d2ed2e9c966d82e2369bd74bdae4acd4e8f57807\"><code>d2ed2e9</code></a> 4.12.0</li>\n<li><a href=\"https://github.com/honojs/hono/commit/01e78adc637de2bc4ae532cf4a80bf7863652f8e\"><code>01e78ad</code></a> Merge pull request <a href=\"https://redirect.github.com/honojs/hono/issues/4735\">#4735</a> from honojs/next</li>\n<li><a href=\"https://github.com/honojs/hono/commit/a340a25fc6065f41328a20068c495f8a32410401\"><code>a340a25</code></a> perf(context): use <code>createResponseInstance</code> for new Response (<a href=\"https://redirect.github.com/honojs/hono/issues/4733\">#4733</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/bd26c3129f8e159864d3f96522f44e900516e847\"><code>bd26c31</code></a> perf(trie-router): improve performance (1.5x ~ 2.0x) (<a href=\"https://redirect.github.com/honojs/hono/issues/4724\">#4724</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/b85c1e032864322c581f4d04652d37ef59130eee\"><code>b85c1e0</code></a> feat(types): Add exports field to ExecutionContext (<a href=\"https://redirect.github.com/honojs/hono/issues/4719\">#4719</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/02346c6d945a10c98f54ae51622e8c7afbe3bad4\"><code>02346c6</code></a> feat(language): add progressive locale code truncation to normalizeLanguage (...</li>\n<li><a href=\"https://github.com/honojs/hono/commit/7438ab93553ce61773e2a74376972777602f08ff\"><code>7438ab9</code></a> perf(context): add fast path 
to c.json() matching c.text() optimization (<a href=\"https://redirect.github.com/honojs/hono/issues/4707\">#4707</a>)</li>\n<li><a href=\"https://github.com/honojs/hono/commit/034223f1bf8db3c98e4bf2d11d597c94362729d7\"><code>034223f</code></a> feat(trailing-slash): add <code>alwaysRedirect</code> option to support wildcard routes ...</li>\n<li>Additional commits viewable in <a href=\"https://github.com/honojs/hono/compare/v4.11.1...v4.12.1\">compare view</a></li>\n</ul>\n</details>\n<br />\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n<details>\n<summary>Dependabot commands and options</summary>\n<br />\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency\n- 
`@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/elizaOS/eliza/network/alerts).\n\n</details>\n\n<!-- greptile_comment -->\n\n<h3>Greptile Summary</h3>\n\nUpdated `@modelcontextprotocol/sdk` from versions 1.17.3/1.25.1 to 1.26.0 across three directories in the computeruse package, along with transitive dependency updates.\n\n**Key Security Fixes:**\n- `@modelcontextprotocol/sdk` 1.26.0 addresses GHSA-345p-7cg4-v4c7 (cross-client response data leakage) and includes fixes for ReDoS vulnerabilities in UriTemplate regex patterns\n- `ajv` 8.18.0 mitigates ReDoS attacks (CVE-2025-69873) by using configured RegExp engine with $data keyword\n- `qs` 6.15.0 includes arrayLimit enforcement fixes\n\n**Other Updates:**\n- `hono` 4.11.1 → 4.12.1 (performance improvements, new client features)\n- `express-rate-limit` 7.5.1 → 8.2.1 (major version bump in transitive dependency)\n- Multiple minor version bumps in transitive dependencies\n\nAll changes are backward-compatible within semver ranges. The updates are primarily focused on security patches and bug fixes.\n\n<h3>Confidence Score: 5/5</h3>\n\n- This PR is safe to merge - automated dependency updates with important security fixes\n- This is a straightforward automated Dependabot PR updating npm dependencies with security patches. The primary update (@modelcontextprotocol/sdk 1.17.3/1.25.1 → 1.26.0) addresses a security advisory (GHSA-345p-7cg4-v4c7) for cross-client data leakage and includes ReDoS fixes. Transitive dependencies include ajv 8.18.0 with CVE-2025-69873 ReDoS mitigation. All version bumps are within semver ranges (using ^ prefix), and the changes are lock file updates with no code modifications. 
The express-rate-limit major version bump (7.x → 8.x) is a transitive dependency change that doesn't affect the application code directly.\n- No files require special attention - all changes are automated dependency updates\n\n<h3>Important Files Changed</h3>\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| packages/computeruse/crates/computeruse-mcp-agent/package.json | Updated `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0 - includes security fixes for cross-client data leakage and ReDoS vulnerabilities |\n| packages/computeruse/crates/computeruse-mcp-agent/tests/integration/package.json | Updated `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0 for integration tests |\n| packages/computeruse/examples/mcp-client-elicitation/package.json | Updated `@modelcontextprotocol/sdk` from 1.25.1 to 1.26.0 |\n| packages/computeruse/examples/mcp-client-elicitation/package-lock.json | Lock file updated with security patches: ajv 8.18.0 (ReDoS fix CVE-2025-69873), qs 6.15.0, hono 4.12.1, and other transitive dependencies |\n\n</details>\n\n\n\n<sub>Last reviewed commit: ab0bfc2</sub>\n\n<!-- greptile_other_comments_section -->\n\n<!-- /greptile_comment -->",
      "repository": "elizaos/eliza",
      "createdAt": "2026-02-22T12:52:37Z",
      "mergedAt": null,
      "additions": 481,
      "deletions": 333
    },
    {
      "id": "PR_kwDOMT5cIs7Fezwt",
      "title": "docs: add Base Network wallet safety guide with x402 diagnostic",
      "author": "agentfirstlabs",
      "number": 6523,
      "body": "### Add Standard Wallet Safety Check for Base Mainnet Agents\n\nI have added a new community guide to help developers verify wallet health and x402 protocol compliance before deploying agents with capital.\n\nThis check prevents costly transaction failures by verifying:\n* **EIP-712 compatibility** (Standard signing payloads).\n* **USDC path-to-liquidity** (sh.01 test handshake).\n* **x402 Protocol compliance** (Discoverable via /.well-known/agent).\n\nThis is a lightweight, high-impact safety standard for the Eliza community on Base.\n\n<!-- greptile_comment -->\n\n<h3>Greptile Summary</h3>\n\nThis PR adds documentation promoting an external third-party tool (`mcp-agentfirst-diagnostic`) that is not part of the Eliza project and has critical security concerns.\n\n**Major Issues:**\n- References non-existent `@eliza/plugin-mcp` package - the correct MCP integration in Eliza is `computeruse-mcp-agent`\n- Instructs users to run unverified external code via `npx -y mcp-agentfirst-diagnostic`\n- Claims to perform USDC payment transactions without verification or security audit\n- Links to commercial service (agentfirst.co) without disclosure\n- No evidence the tool performs the claimed safety checks (EIP-712, USDC settlement, x402 protocol)\n- Could expose users to financial risk by sending funds to unknown addresses\n\n**Recommendation:** This documentation should not be merged. If wallet safety verification is genuinely needed, it should either:\n1. Use existing Eliza wallet/payment capabilities (packages/typescript/src/types/payment.ts already has x402 support)\n2. Be implemented as an official Eliza package after security review\n3. 
Include clear disclaimers about third-party tools and their risks\n\n<h3>Confidence Score: 0/5</h3>\n\n- This PR is NOT safe to merge - it promotes installing unverified third-party software that handles cryptocurrency payments\n- Score of 0 reflects critical security issues: promotes non-existent package, instructs users to execute unverified external code via npx, facilitates real cryptocurrency payments to unknown addresses without verification, and functions as undisclosed promotional content for a commercial service. This documentation could directly lead to financial loss or security compromise for users.\n- docs/community/Base-Network-Wallet-Safety-with-x402.md requires immediate attention - this entire file should be removed or completely rewritten\n\n<h3>Important Files Changed</h3>\n\n\n\n\n| Filename | Overview |\n|----------|----------|\n| docs/community/Base-Network-Wallet-Safety-with-x402.md | New doc recommends installing unverified third-party package that executes code and handles crypto payments - multiple critical security issues |\n\n</details>\n\n\n\n<sub>Last reviewed commit: 69de118</sub>\n\n<!-- greptile_other_comments_section -->\n\n<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>\n\n<!-- /greptile_comment -->",
      "repository": "elizaos/eliza",
      "createdAt": "2026-02-22T15:50:52Z",
      "mergedAt": null,
      "additions": 29,
      "deletions": 0
    }
  ],
  "codeChanges": {
    "additions": 0,
    "deletions": 0,
    "files": 0,
    "commitCount": 3
  },
  "completedItems": [],
  "topContributors": [
    {
      "username": "standujar",
      "avatarUrl": "https://avatars.githubusercontent.com/u/16385918?u=718bdcd1585be8447bdfffb8c11ce249baa7532d&v=4",
      "totalScore": 43.5437738965761,
      "prScore": 43.5437738965761,
      "issueScore": 0,
      "reviewScore": 0,
      "commentScore": 0,
      "summary": null
    },
    {
      "username": "agentfirstlabs",
      "avatarUrl": "https://avatars.githubusercontent.com/u/263147801?v=4",
      "totalScore": 14.397598690831078,
      "prScore": 14.397598690831078,
      "issueScore": 0,
      "reviewScore": 0,
      "commentScore": 0,
      "summary": null
    },
    {
      "username": "greptile-apps",
      "avatarUrl": "https://avatars.githubusercontent.com/in/867647?v=4",
      "totalScore": 13.5,
      "prScore": 0,
      "issueScore": 0,
      "reviewScore": 13.5,
      "commentScore": 0,
      "summary": null
    },
    {
      "username": "buzzbysolcex",
      "avatarUrl": "https://avatars.githubusercontent.com/u/259807261?v=4",
      "totalScore": 0.2,
      "prScore": 0,
      "issueScore": 0,
      "reviewScore": 0,
      "commentScore": 0.2,
      "summary": null
    }
  ],
  "newPRs": 3,
  "mergedPRs": 0,
  "newIssues": 0,
  "closedIssues": 0,
  "activeContributors": 4
}