v1.8.2

Patch Changes

• #199 68ec816 - Refactor CI/CD workflows and improve Docker security

  CI/CD Improvements

  • Unified Build Process: Consolidated build into single job that creates reusable artifacts
  • Build Artifacts: Generated once and reused throughout workflow for consistency
  • Build Manifest: Added metadata tracking (SHA, timestamp, dependencies)
  • Tag Creation: Tags now created before building artifacts for better traceability
  • Artifact Naming: Include commit SHA for consistent naming across workflows

  Docker Support

  • Multi-Platform Builds: Added support for linux/amd64 and linux/arm64
  • Docker Workflow: New reusable workflow for container image builds
  • Configuration: Docker releases controlled via ENABLE_DOCKER_RELEASE variable

  Security Enhancements

  • CodeQL Integration: Added dedicated security scanning workflow
  • Consolidated Scanning: Unified security checks in reusable workflow
  • Docker Security: Container images run as non-root user (nodejs:1001)
  • Trivy Scanning: Automated vulnerability detection in container images
  • Dependency Scanning: Enhanced vulnerability reporting

  Developer Experience

  • Issue Templates: Added bug report and feature request templates
  • PR Template: Comprehensive pull request template with checklist
  • Workflow Documentation: Enhanced comments for better maintainability
  • Better Validation: Improved changeset validation in PR workflow

  Infrastructure

  • NPM Packaging: Dedicated job for package preparation with attestations
  • SLSA Provenance: Generate attestations for supply chain security
  • Improved Permissions: Updated for container registry access
  • DeepSource Integration: Maintained test coverage reporting

  Technical Details

  • Removed redundant reusable-setup.yml (merged into other workflows)
  • Better job dependency graph for parallel execution
  • Consistent secret passing (DEEPSOURCE_DSN)
  • Enhanced artifact retention strategies

v1.8.1

Patch Changes

• #195 5c32dad - Refactor CI/CD workflows and improve Docker security

  CI/CD Improvements

  • Unified Build Process: Consolidated build into single job that creates reusable artifacts
  • Build Artifacts: Generated once and reused throughout workflow for consistency
  • Build Manifest: Added metadata tracking (SHA, timestamp, dependencies)
  • Tag Creation: Tags now created before building artifacts for better traceability
  • Artifact Naming: Include commit SHA for consistent naming across workflows

  Docker Support

  • Multi-Platform Builds: Added support for linux/amd64 and linux/arm64
  • Docker Workflow: New reusable workflow for container image builds
  • Configuration: Docker releases controlled via ENABLE_DOCKER_RELEASE variable

  Security Enhancements

  • CodeQL Integration: Added dedicated security scanning workflow
  • Consolidated Scanning: Unified security checks in reusable workflow
  • Docker Security: Container images run as non-root user (nodejs:1001)
  • Trivy Scanning: Automated vulnerability detection in container images
  • Dependency Scanning: Enhanced vulnerability reporting

  Developer Experience

  • Issue Templates: Added bug report and feature request templates
  • PR Template: Comprehensive pull request template with checklist
  • Workflow Documentation: Enhanced comments for better maintainability
  • Better Validation: Improved changeset validation in PR workflow

  Infrastructure

  • NPM Packaging: Dedicated job for package preparation with attestations
  • SLSA Provenance: Generate attestations for supply chain security
  • Improved Permissions: Updated for container registry access
  • DeepSource Integration: Maintained test coverage reporting

  Technical Details

  • Removed redundant reusable-setup.yml (merged into other workflows)
  • Better job dependency graph for parallel execution
  • Consistent secret passing (DEEPSOURCE_DSN)
  • Enhanced artifact retention strategies

v1.8.0

Minor Changes

• #188 1f08756 - Consolidate to single canonical entrypoint and registry

  This refactoring consolidates multiple entry points and tool registry implementations into a single, feature-flag-controlled architecture, addressing technical debt and simplifying the codebase.

  New Features

  • Feature Flags System: Control experimental features via environment variables
    • FEATURE_TOOL_DISCOVERY: Enable automatic tool discovery from filesystem
    • FEATURE_ENHANCED_LOGGING: Enable additional debug information
    • FEATURE_METRICS: Enable metrics collection (future)
    • FEATURE_CACHE: Enable caching layer (future)
  • Unified Tool Registry: All registry functionality now in single ToolRegistry class
    • Tool discovery (when feature flag enabled)
    • Metadata support for categorization and filtering
    • Enhanced tool information methods
  • Consolidated Configuration: Centralized configuration management
    • config/features.ts: Feature flag management
    • config/default.ts: Default configurations
    • Environment-specific settings

  Improvements

  • Single entry point (src/index.ts) for all server startup scenarios
  • Consistent module structure with clear boundaries
  • Reduced code duplication and maintenance burden
  • Better separation between core and experimental features
  • Improved testability with feature flag control

  Deprecations (Backward Compatible)

  The following are deprecated but still functional with warnings:

  • src/index-registry.ts → Use src/index.ts
  • src/server/index-enhanced.ts → Features integrated into main server
  • src/server/tool-registry-enhanced.ts → Features merged into ToolRegistry
  • validateEnvironment() → Use getConfig() from config/index.js
  • createAndConfigureToolRegistry() → Use DeepSourceMCPServer.create()

  Migration

  • No breaking changes - existing code continues to work
  • See MIGRATION.md for detailed migration instructions
  • Deprecation warnings guide users to new patterns
  • Feature flags default to false for backward compatibility

  Technical Details

  • Eliminates circular dependencies
  • Follows SOLID principles and DRY
  • Maintains 100% backward compatibility
  • Sets foundation for future extensibility

v1.7.1

Patch Changes

• #187 05042a4 - Update dependencies to latest versions

  • Updated production dependencies:
    • @modelcontextprotocol/sdk from 1.18.0 to 1.18.1
  • Updated dev dependencies:
    • @cyclonedx/cdxgen from 11.7.0 to 11.8.0
    • @types/node from 24.5.1 to 24.5.2
    • @typescript-eslint/eslint-plugin from 8.44.0 to 8.44.1
    • @typescript-eslint/parser from 8.44.0 to 8.44.1
    • eslint from 9.35.0 to 9.36.0
    • jsonc-eslint-parser from 2.4.0 to 2.4.1
    • lint-staged from 16.1.6 to 16.2.0
    • vite from 7.1.5 to 7.1.7
  • Maintained zod at v3.25.76 as requested (latest v3 version)

  All tests passing and CI checks green.

v1.7.0

Minor Changes

• #180 4da304e - Add automatic retry with exponential backoff and circuit breaker

  Implements intelligent retry logic with the following features:

  • Exponential backoff with jitter to prevent thundering herd
  • Circuit breaker pattern per endpoint to prevent cascade failures
  • Retry budget management to limit resource consumption
  • Respect for Retry-After headers from the API
  • Automatic handling of transient failures (network, 502, 503, 504)
  • Rate-limited requests (429) are automatically retried with appropriate delays

  Configuration via environment variables:

  • RETRY_MAX_ATTEMPTS: Maximum retry attempts (default: 3)
  • RETRY_BASE_DELAY_MS: Base delay for exponential backoff (default: 1000ms)
  • RETRY_MAX_DELAY_MS: Maximum delay between retries (default: 30000ms)
  • RETRY_BUDGET_PER_MINUTE: Max retries per minute (default: 10)
  • CIRCUIT_BREAKER_THRESHOLD: Failures before opening circuit (default: 5)
  • CIRCUIT_BREAKER_TIMEOUT_MS: Recovery timeout (default: 30000ms)

  Safety features:

  • Only retries idempotent operations (queries/GET requests)
  • Never retries mutations (update operations)
  • Transparent to MCP clients - no user-visible errors during transient failures

Patch Changes

• #180 4da304e - Fix all DeepSource code quality issues

  • JS-0356: Remove unused import in exponential-backoff test file
  • JS-0339: Replace non-null assertions with proper null checks and error handling in circuit-breaker and retry-budget modules
  • JS-0054: Fix lexical declaration scoping in switch case statements by adding block scope braces
  • JS-0105: Make isAxiosError method static in base-client.ts since it doesn't use 'this'
  • JS-0047: Add default cases to switch statements in recordSuccess and recordFailure methods
  • JS-0045: Add explicit return statement in extractRetryAfter arrow function for consistency
  • Update test expectations to match corrected circuit breaker behavior
  • Fix unhandled promise rejection in retry-executor test

• #186 3453343 - Update pnpm from 10.15.1 to 10.17.0

  • Updated packageManager field in package.json
  • Updated pnpm version across all GitHub Actions workflows
  • Ensures consistency and uses latest bug fixes

v1.6.4

Patch Changes

• #178 967a64b - fix: remove redundant client-side filtering in quality metrics handler

  The quality metrics handler was unnecessarily filtering metrics on the client side
  after the GraphQL API had already applied the same filters on the server side.
  This change removes the redundant filtering by using the repository's
  findByProjectWithFilter method when shortcode filters are specified.

v1.6.3

Patch Changes

• #177 a670251 - feat: add script to update GraphQL schema from DeepSource API
  • Add reusable script to fetch and update GraphQL schema via introspection
  • Add 'schema:update' npm script for easy schema updates
  • Install graphql package for schema introspection utilities
  • Update schema to latest version from DeepSource API

v1.6.2

Patch Changes

• #174 b94be08 - chore: replace local changelog generator with @sapientpants/changelog-github-custom package
  • Removed custom changelog implementation in favor of the community package
  • Updated changeset config to use @sapientpants/changelog-github-custom
  • Added @sapientpants/changelog-github-custom as a dev dependency
  • Simplified maintenance by using an established solution

v1.6.1

Patch Changes

• #166 8828190 - Fix changelog format configuration and add custom changelog generator for improved release notes formatting

• #169 1603c83 - fix: add build step before changeset versioning in ci

  • Build TypeScript before running changeset version command to ensure custom changelog generator is available
  • Clean build directory before final release build to ensure SBOM reflects exact release artifacts
  • Fixes CI pipeline failure when using custom changelog generator

• #168 b7ab8d4 - chore: remove unused dependencies and Jest configuration

  • Removed unused production dependencies: cors, express, pino, pino-roll, pino-syslog
  • Removed unused dev dependencies related to Jest (project uses Vitest): @eslint/js, @fast-check/vitest, @jest/globals, @types/cors, @types/express, @types/jest, @types/supertest, fast-check, jest, pino-pretty, supertest, ts-jest, ts-node, ts-node-dev
  • Removed jest.config.js as the project uses Vitest for testing

• #167 ee5c975 - Update dependencies to latest versions

  • Update @modelcontextprotocol/sdk from 1.17.4 to 1.18.0
  • Update axios from 1.11.0 to 1.12.1
  • Update pino from 9.9.4 to 9.9.5
  • Update @types/node from 24.3.1 to 24.3.3 (dev dependency)
  • Constrain zod to >=3.25.0 <4.0.0 to prevent breaking changes from v4

  All tests pass and no security vulnerabilities found.

v1.6.0

Minor Changes

• #164 8939e69 Thanks @sapientpants! - Add unified versioning system with single source of truth

  • Created central version.ts module that reads from package.json
  • Added CLI support for --version and -v flags to display version
  • Added --help and -h flags with comprehensive help text
  • Replaced all hardcoded version strings with VERSION constant
  • Added version to startup logging for better debugging
  • Created build script to inject version at build time
  • Added comprehensive version utilities (parsing, validation, comparison)
  • Exported VERSION constant and helper functions for programmatic access
  • Added fallback to "0.0.0-dev" when package.json is unavailable

  This ensures consistent version reporting across:

  • CLI output
  • Server metadata
  • Startup logs
  • Error messages
  • MCP protocol responses