Skip to content

build(deps): Bump mcp-contextforge-gateway from 1.0.0rc1 to 1.0.5#33

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/mcp-contextforge-gateway-1.0.5
Open

build(deps): Bump mcp-contextforge-gateway from 1.0.0rc1 to 1.0.5#33
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/mcp-contextforge-gateway-1.0.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps mcp-contextforge-gateway from 1.0.0rc1 to 1.0.5.

Release notes

Sourced from mcp-contextforge-gateway's releases.

v1.0.5 - API Versioning, Auth Hardening, A2A Compatibility, and Build Consolidation

[1.0.5] - 2026-07-07 - API Versioning, Auth Hardening, A2A Compatibility, and Build Consolidation

Overview

Release 1.0.5 consolidates 60 PRs focused on API versioning and schema generation, security and auth hardening, A2A and MCP transport compatibility, Admin UI stability, and container/CI reliability. This release introduces the /v1 API surface, improves external identity-provider token handling, tightens sensitive-header behavior, and consolidates image build paths:

  • Security & Auth - Environment-bound JWT validation, external OIDC bearer-token support, session-token admin bypass fixes, inbound passthrough-header denylist expansion, CSRF issuance fixes, and suppressed Pydantic validation details in HTTP responses.
  • API & MCP - /v1 API prefix support with legacy route aliases, OpenAPI-to-MCP tool schema generation, MCP tool title serialization, gateway transport validation, and gateway refresh validation-error propagation.
  • A2A & Transport - JSON-RPC passthrough endpoint for SDK compatibility, A2A sensitive-header passthrough feature flag, A2A echo streaming and v1 agent card support, dataplane passthrough-header normalization, and MCP traceparent synchronization.
  • Admin UI & Tests - Fixes for Firefox blur handling, roots panel menu state, registry partial registrations, maintenance panel CSP parser errors, flaky iframe team-selector tests, and broader plugin E2E coverage.
  • Build, Containers & CI - Single Containerfile consolidation, UBI-minimal Rust runtime images, Python version updates, Rust lockfile checks, merge-queue Docker validation improvements, Slack merge-queue notifications, and package verification fixes.
  • Dependencies & Release Maintenance - NPM audit fixes, undici upgrade, prometheus-fastapi-instrumentator bump, CPEX plugin package updates, and 1.0.5 release package refresh.

Added

API & MCP

  • OpenAPI to MCP Tool Schema Generation (#5261, #5142) - Added POST /v1/tools/generate-schemas-from-openapi for generating MCP tool schemas from OpenAPI specifications without Admin UI dependencies.
  • MCP Tool Title Serialization (#5019) - Added title field support to MCP tool serialization paths.
  • Versioned API Prefix (#4403) - Served API endpoints under the /v1 prefix, with compatibility work in follow-up fixes for legacy unversioned aliases.

A2A & Transport

  • A2A JSON-RPC Passthrough (#5313) - Added JSON-RPC passthrough endpoint for SDK compatibility.
  • A2A Sensitive Header Passthrough Flag (#5183) - Added ENABLE_SENSITIVE_HEADER_PASSTHROUGH support for controlled A2A passthrough-header behavior.
  • Fast-Time MCP Transport (#5299) - Added rmcp /mcp transport support plus a legacy SSE shim for the fast-time server.
  • MCP Trace Context Sync (#5465) - Synchronized MCP _meta traceparent values with outbound trace headers.

Security & Auth

  • External OIDC Bearer Tokens (#5200) - Added support for trusted external OIDC bearer tokens on API and MCP endpoints.

Tests

  • CPEX Plugin Gateway E2E Tests (#5332) - Added end-to-end integration tests for CPEX plugins in the gateway.

Changed

Security

  • Environment-Bound JWTs - Fixed cross-environment JWT acceptance (GHSA-vgf8-3685-66j9, CVE pending). Gateway-issued tokens now carry an env claim and reject environment mismatches by default (EMBED_ENVIRONMENT_IN_TOKENS=true, VALIDATE_TOKEN_ENVIRONMENT=true). Added optional DERIVE_KEY_PER_ENVIRONMENT to bind HS* signing keys to the deployment environment, including explicit-secret mints.
  • Upgrade Guidance - Use a distinct JWT_SECRET_KEY per environment and rotate long-lived tokens. Enabling DERIVE_KEY_PER_ENVIRONMENT invalidates tokens issued before it was turned on. RS*/ES* deployments must use distinct key pairs per environment.
  • Inbound Passthrough Header Denylist (#4726) - Expanded inbound passthrough denylist to block protocol-level headers.
  • Recursive Plugin Filter Scanning (#5243) - Added recursive scanning to regex_filter and deny_filter.

Build & Containers

  • Single Containerfile Consolidation (#5468) - Consolidated container builds to a single Containerfile.
  • UBI-Minimal Rust Runtime Images (#5404) - Migrated Rust server runtime images from debian:trixie-slim to ubi-minimal.

... (truncated)

Changelog

Sourced from mcp-contextforge-gateway's changelog.

[1.0.5] - 2026-07-07 - API Versioning, Auth Hardening, A2A Compatibility, and Build Consolidation

Overview

Release 1.0.5 consolidates 60 PRs focused on API versioning and schema generation, security and auth hardening, A2A and MCP transport compatibility, Admin UI stability, and container/CI reliability. This release introduces the /v1 API surface, improves external identity-provider token handling, tightens sensitive-header behavior, and consolidates image build paths:

  • Security & Auth - Environment-bound JWT validation, external OIDC bearer-token support, session-token admin bypass fixes, inbound passthrough-header denylist expansion, CSRF issuance fixes, and suppressed Pydantic validation details in HTTP responses.
  • API & MCP - /v1 API prefix support with legacy route aliases, OpenAPI-to-MCP tool schema generation, MCP tool title serialization, gateway transport validation, and gateway refresh validation-error propagation.
  • A2A & Transport - JSON-RPC passthrough endpoint for SDK compatibility, A2A sensitive-header passthrough feature flag, A2A echo streaming and v1 agent card support, dataplane passthrough-header normalization, and MCP traceparent synchronization.
  • Admin UI & Tests - Fixes for Firefox blur handling, roots panel menu state, registry partial registrations, maintenance panel CSP parser errors, flaky iframe team-selector tests, and broader plugin E2E coverage.
  • Build, Containers & CI - Single Containerfile consolidation, UBI-minimal Rust runtime images, Python version updates, Rust lockfile checks, merge-queue Docker validation improvements, Slack merge-queue notifications, and package verification fixes.
  • Dependencies & Release Maintenance - NPM audit fixes, undici upgrade, prometheus-fastapi-instrumentator bump, CPEX plugin package updates, and 1.0.5 release package refresh.

Added

API & MCP

  • OpenAPI to MCP Tool Schema Generation (#5261, #5142) - Added POST /v1/tools/generate-schemas-from-openapi for generating MCP tool schemas from OpenAPI specifications without Admin UI dependencies.
  • MCP Tool Title Serialization (#5019) - Added title field support to MCP tool serialization paths.
  • Versioned API Prefix (#4403) - Served API endpoints under the /v1 prefix, with compatibility work in follow-up fixes for legacy unversioned aliases.

A2A & Transport

  • A2A JSON-RPC Passthrough (#5313) - Added JSON-RPC passthrough endpoint for SDK compatibility.
  • A2A Sensitive Header Passthrough Flag (#5183) - Added ENABLE_SENSITIVE_HEADER_PASSTHROUGH support for controlled A2A passthrough-header behavior.
  • Fast-Time MCP Transport (#5299) - Added rmcp /mcp transport support plus a legacy SSE shim for the fast-time server.
  • MCP Trace Context Sync (#5465) - Synchronized MCP _meta traceparent values with outbound trace headers.

Security & Auth

  • External OIDC Bearer Tokens (#5200) - Added support for trusted external OIDC bearer tokens on API and MCP endpoints.

Tests

  • CPEX Plugin Gateway E2E Tests (#5332) - Added end-to-end integration tests for CPEX plugins in the gateway.

Changed

Security

  • Environment-Bound JWTs - Fixed cross-environment JWT acceptance (GHSA-vgf8-3685-66j9, CVE pending). Gateway-issued tokens now carry an env claim and reject environment mismatches by default (EMBED_ENVIRONMENT_IN_TOKENS=true, VALIDATE_TOKEN_ENVIRONMENT=true). Added optional DERIVE_KEY_PER_ENVIRONMENT to bind HS* signing keys to the deployment environment, including explicit-secret mints.
  • Upgrade Guidance - Use a distinct JWT_SECRET_KEY per environment and rotate long-lived tokens. Enabling DERIVE_KEY_PER_ENVIRONMENT invalidates tokens issued before it was turned on. RS*/ES* deployments must use distinct key pairs per environment.
  • Inbound Passthrough Header Denylist (#4726) - Expanded inbound passthrough denylist to block protocol-level headers.
  • Recursive Plugin Filter Scanning (#5243) - Added recursive scanning to regex_filter and deny_filter.

Build & Containers

  • Single Containerfile Consolidation (#5468) - Consolidated container builds to a single Containerfile.
  • UBI-Minimal Rust Runtime Images (#5404) - Migrated Rust server runtime images from debian:trixie-slim to ubi-minimal.
  • Python Version Updates (#5416) - Updated supported Python versions.

... (truncated)

Commits
  • af178ee ci: temporarily disable s390x builds on push to main (#5545)
  • 932d2a3 Release/v1.0.5 (#5509)
  • d3ead30 Fix admin CSRF issuance for non-email platform-admin sessions by bind… (#5497)
  • 99d864d Sync MCP meta traceparent with outbound header (#5465)
  • 68cf649 fix: removed double mounter /v1/v1 prefix to /v1 and also preserved the legac...
  • d5c8c94 fix(loadtest): eliminate harness false-positives across 30+ admin endpoints (...
  • 717c30b feat(a2a): add JSON-RPC passthrough endpoint for SDK compatibility (#5313)
  • 01278c4 cleanup/2373-sonar-code-duplication-list-tools (#4695)
  • a1f5e8a bugfix/5152-firefox-closest-blur (#5315)
  • b5d53ae refactor: consolidate to single Containerfile (#5468)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mcp-contextforge-gateway](https://github.com/IBM/mcp-context-forge) from 1.0.0rc1 to 1.0.5.
- [Release notes](https://github.com/IBM/mcp-context-forge/releases)
- [Changelog](https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md)
- [Commits](IBM/mcp-context-forge@v1.0.0-RC1...v1.0.5)

---
updated-dependencies:
- dependency-name: mcp-contextforge-gateway
  dependency-version: 1.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants