fix: Remove redact-pii dependency and address security vulnerabilities

.github/workflows/mcp-compatibility.yml

@@ -32,15 +32,17 @@ jobs:
         with:
           version: 9
 
-      - name: Fetch all available MCP SDK versions (≥1.11)
+      - name: Fetch all available MCP SDK versions (≥1.11, <1.24)
         id: get-versions
         run: |
-          # Get all versions >= 1.11 and filter to get latest patch for each minor version
+          # Get all versions >= 1.11 and < 1.24, filter to get latest patch for each minor version
+          # Note: Versions 1.24+ have known compatibility issues
           VERSIONS=$(pnpm view @modelcontextprotocol/sdk versions --json | jq -c '
             map(select(test("^[0-9]+\\.[0-9]+\\.[0-9]+$"))) |
             map(select(
-              (split(".")[0] | tonumber > 1) or
-              ((split(".")[0] | tonumber == 1) and (split(".")[1] | tonumber >= 11))
+              (split(".")[0] | tonumber == 1) and
+              (split(".")[1] | tonumber >= 11) and
+              (split(".")[1] | tonumber < 24)
             )) |
             group_by(split(".")[0:2] | join(".")) |
             map(max_by(split(".") | map(tonumber))) |

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcpcat",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Analytics tool for MCP (Model Context Protocol) servers - tracks tool usage patterns and provides insights",
   "type": "module",
   "main": "dist/index.js",
@@ -53,29 +53,28 @@
   "homepage": "https://github.com/MCPCat/mcpcat-typescript-sdk#readme",
   "packageManager": "pnpm@10.11.0",
   "devDependencies": {
-    "@changesets/cli": "^2.29.4",
+    "@changesets/cli": "^2.29.8",
     "@modelcontextprotocol/sdk": "~1.23.0",
     "@types/node": "^22.15.21",
     "@typescript-eslint/eslint-plugin": "^8.32.1",
     "@typescript-eslint/parser": "^8.32.1",
-    "@vitest/coverage-v8": "^3.1.4",
-    "@vitest/ui": "^3.1.4",
-    "eslint": "^9.27.0",
+    "@vitest/coverage-v8": "^4.0.14",
+    "@vitest/ui": "^4.0.14",
+    "eslint": "^9.39.1",
     "husky": "^9.1.7",
     "lint-staged": "^16.1.0",
     "prettier": "^3.5.3",
     "tsup": "^8.5.0",
     "typescript": "^5.8.3",
-    "vitest": "^3.1.4"
+    "vitest": "^4.0.14",
+    "zod": "^3.25 || ^4.0"
   },
   "peerDependencies": {
     "@modelcontextprotocol/sdk": ">=1.11"
   },
   "dependencies": {
     "@opentelemetry/otlp-transformer": "^0.203.0",
-    "mcpcat-api": "0.1.6",
-    "redact-pii": "3.4.0",
-    "zod": "^3.25 || ^4.0"
+    "mcpcat-api": "0.1.6"
   },
   "lint-staged": {
     "*.{ts,js}": [
@@ -85,5 +84,21 @@
     "*.{json,md,yml,yaml}": [
       "prettier --write"
     ]
+  },
+  "pnpm": {
+    "overrides": {
+      "js-yaml": ">=4.1.1",
+      "tmp": ">=0.2.4",
+      "vite": ">=6.4.1",
+      "body-parser": ">=2.2.1",
+      "brace-expansion": "2.0.2"
+    },
+    "overridesComments": {
+      "js-yaml": "Fixes GHSA-mh29-5h37-fv8m (prototype pollution in merge) - via @changesets/cli",
+      "tmp": "Fixes GHSA-52f5-9888-hmc6 (symlink attack) - via @changesets/cli",
+      "vite": "Fixes GHSA-93m4-6634-74q7 and other vite security issues - via vitest",
+      "body-parser": "Fixes GHSA-wqch-xfxh-vrr4 (DoS via url encoding) - via @modelcontextprotocol/sdk",
+      "brace-expansion": "Fixes GHSA-v6h2-p8h4-qcjw (ReDoS vulnerability) - via eslint"
+    }
   }
 }