fix: vulnerabilities #2494

Merged
JivusAyrus merged 3 commits into main from suvij/eng-8728-vanta-remediate-high-vulnerabilities
Feb 9, 2026

@JivusAyrus JivusAyrus commented Feb 6, 2026

Summary by CodeRabbit

  • Chores

    • Updated MCP SDK to v1.26.0 and bumped zod across packages for compatibility.
    • Added a package override for qs to improve dependency resolution.
  • Refactor

    • CLI tools registration updated so tools expose clearer titles, descriptions, and structured inputs without changing runtime behavior.

Checklist

coderabbitai Bot commented Feb 6, 2026

Walkthrough

Replaced many MCP tool registrations from server.tool(...) to server.registerTool(...) using a config object (title, description, inputSchema). Bumped @modelcontextprotocol/sdk and zod versions and added a pnpm override for qs in package manifests.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency updates: cli/package.json, package.json, controlplane/package.json, studio/package.json | Bumped @modelcontextprotocol/sdk in cli and updated zod to ^3.25.0 across packages; added a pnpm override for qs@6.14.1. Minor formatting in overrides. |
| MCP tool registration migration: cli/src/commands/mcp/tools/dream-query-workflow.ts, cli/src/commands/mcp/tools/federated-graph-tools.ts, cli/src/commands/mcp/tools/get-subgraphs.ts, cli/src/commands/mcp/tools/introspect-subgraph.ts, cli/src/commands/mcp/tools/list-subgraphs.ts, cli/src/commands/mcp/tools/schema-change-proposal-workflow.ts, cli/src/commands/mcp/tools/search-docs.ts, cli/src/commands/mcp/tools/subgraph-verify-schema-changes.ts, cli/src/commands/mcp/tools/supergraph_changelog.ts, cli/src/commands/mcp/tools/verify-query-against-in-memory-schema.ts, cli/src/commands/mcp/tools/verify-query-against-remote-schema.ts, cli/src/commands/mcp/tools/verify-router-config.ts | Replaced server.tool(...) calls with server.registerTool(name, { title, description, inputSchema }, handler) across ~12 tool files. Moved inline parameter schemas into inputSchema, added title/description metadata, and removed at least one unused import. Handler logic largely unchanged. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 1 | ❌ 2
❌ Failed checks (1 warning, 1 inconclusive)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title "fix: vulnerabilities" is vague and generic, lacking specificity about what vulnerabilities are being addressed or how they are being fixed. | Consider a more specific title such as "fix: update zod and MCP SDK to resolve vulnerabilities" or "fix: upgrade dependencies to address security issues" to clearly indicate the main changes. |

✅ Passed checks (1 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

codecov Bot commented Feb 6, 2026

Codecov Report

❌ Patch coverage is 0% with 136 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.13%. Comparing base (53a01d1) to head (aed790d).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| cli/src/commands/mcp/tools/list-subgraphs.ts | 0.00% | 31 Missing ⚠️ |
| ...li/src/commands/mcp/tools/federated-graph-tools.ts | 0.00% | 27 Missing ⚠️ |
| cli/src/commands/mcp/tools/verify-router-config.ts | 0.00% | 12 Missing ⚠️ |
| ...mmands/mcp/tools/subgraph-verify-schema-changes.ts | 0.00% | 11 Missing ⚠️ |
| cli/src/commands/mcp/tools/get-subgraphs.ts | 0.00% | 8 Missing ⚠️ |
| cli/src/commands/mcp/tools/dream-query-workflow.ts | 0.00% | 7 Missing ⚠️ |
| cli/src/commands/mcp/tools/introspect-subgraph.ts | 0.00% | 7 Missing ⚠️ |
| ...mands/mcp/tools/schema-change-proposal-workflow.ts | 0.00% | 7 Missing ⚠️ |
| cli/src/commands/mcp/tools/search-docs.ts | 0.00% | 7 Missing ⚠️ |
| cli/src/commands/mcp/tools/supergraph_changelog.ts | 0.00% | 7 Missing ⚠️ |

... and 2 more

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2494       +/-   ##
===========================================
- Coverage   61.70%   43.13%   -18.58%     
===========================================
  Files         229     1015      +786     
  Lines       24022   142011   +117989     
  Branches        0     8888     +8888     
===========================================
+ Hits        14823    61256    +46433     
- Misses       7949    79145    +71196     
- Partials     1250     1610      +360     

| Files with missing lines | Coverage Δ |
| --- | --- |
| ...mcp/tools/verify-query-against-in-memory-schema.ts | 3.57% <0.00%> (ø) |
| ...ds/mcp/tools/verify-query-against-remote-schema.ts | 3.70% <0.00%> (ø) |
| cli/src/commands/mcp/tools/dream-query-workflow.ts | 9.09% <0.00%> (ø) |
| cli/src/commands/mcp/tools/introspect-subgraph.ts | 27.77% <0.00%> (ø) |
| ...mands/mcp/tools/schema-change-proposal-workflow.ts | 7.69% <0.00%> (ø) |
| cli/src/commands/mcp/tools/search-docs.ts | 4.34% <0.00%> (ø) |
| cli/src/commands/mcp/tools/supergraph_changelog.ts | 20.00% <0.00%> (ø) |
| cli/src/commands/mcp/tools/get-subgraphs.ts | 1.94% <0.00%> (ø) |
| ...mmands/mcp/tools/subgraph-verify-schema-changes.ts | 3.61% <0.00%> (ø) |
| cli/src/commands/mcp/tools/verify-router-config.ts | 3.38% <0.00%> (ø) |

... and 2 more

... and 779 files with indirect coverage changes

github-actions Bot commented Feb 6, 2026

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-e6ac7c52bd4b9a3e7a371d766f44abbe7dec7f2d-nonroot

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cli/src/commands/mcp/tools/list-subgraphs.ts (1)

6-39: ⚠️ Potential issue | 🟡 Minor

Prettier formatting check is failing — fix indentation before merge.

"The register* methods (registerTool, registerPrompt, registerResource) are the recommended approach for new code." The migration to registerTool is correct and the handler signature (no-args for a tool with no input) matches the SDK pattern.

However, the CI pipeline reports a Prettier formatting failure for this file. The handler body (lines 13–38) appears to retain the indentation level from the prior server.tool() call rather than being properly indented within the new registerTool wrapper. Run prettier --write on this file to resolve.

🤖 Fix all issues with AI agents
In `@cli/src/commands/mcp/tools/get-subgraphs.ts`:
- Around line 8-17: Update the project's zod dependency to at least ^3.25.0 to
satisfy the peer dependency required by `@modelcontextprotocol/sdk`@1.26.0: modify
package.json to bump "zod" to "^3.25.0" (or a later compatible version), run
your package manager to update lockfiles (npm/yarn/pnpm install), and rebuild to
ensure types/usages like the inputSchema in server.registerTool (the
z.array(z.string()) and z.string().optional() calls) still compile; if any
breaking changes appear, adjust imports/usages accordingly or consider migrating
to zod@4 after verifying compatibility.

In `@cli/src/commands/mcp/tools/schema-change-proposal-workflow.ts`:
- Around line 19-25: Prettier is failing for this file due to formatting (likely
the long description string in the registerTool call), so run the code formatter
and commit the changes: run prettier --write on this file (or project) and
ensure the registerTool call (the object with title, description, and
inputSchema) is reformatted; if you prefer a minimal manual change, shorten or
break the description string for 'description' in the registerTool invocation so
it conforms to Prettier rules, then re-run prettier and commit the formatted
file.
🧹 Nitpick comments (1)
cli/src/commands/mcp/tools/verify-query-against-remote-schema.ts (1)

14-19: Consider using the shared ToolContext type for consistency.

Other tool files (e.g., subgraph-verify-schema-changes.ts, search-docs.ts, supergraph_changelog.ts) use the shared ToolContext type from ./types.js, while this file and verify-query-against-in-memory-schema.ts define an inline type. Aligning to the shared type would improve consistency across tools.
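
As an added example (not code from this pull request or from the bots commenting on it), a small JavaScript check for the dependency floor raised in the review above: zod at or above 3.25.0 in every manifest, and a qs override of at least 6.14.1 in the root manifest. The function names, the policy object, the sample manifests and the assumption that the override is keyed by the bare name `qs` are illustrative.

```javascript
// Added example: the manifests below are constructed samples, not the repository's files.
// Lowest version a simple range can resolve to ("^3.25.0", "~3.24.1", ">=3.25.0",
// "3.25.0"). Anything else (workspace:, tags, unions) returns null and gets flagged.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1).map(Number) : null;
}

// True only when `range` is readable and cannot resolve below version `min`.
function floorAtLeast(range, min) {
  const a = rangeFloor(range), b = rangeFloor(min);
  if (a === null) return false;
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

const DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies"];
// policy.minimums: package -> lowest acceptable version in any manifest.
// policy.overrides: package -> lowest acceptable pnpm.overrides pin (root manifest only).
function auditManifest(path, manifest, policy, isRoot) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [pkg, min] of Object.entries(policy.minimums)) {
      const range = manifest[field]?.[pkg];
      if (range !== undefined && !floorAtLeast(range, min)) {
        findings.push(`${path}: ${field}.${pkg} "${range}" is not provably >= ${min}`);
      }
    }
  }
  for (const [pkg, min] of Object.entries(isRoot ? policy.overrides : {})) {
    const pin = manifest.pnpm?.overrides?.[pkg];
    if (pin === undefined || !floorAtLeast(pin, min)) {
      findings.push(`${path}: pnpm.overrides.${pkg} missing or not provably >= ${min}`);
    }
  }
  return findings;
}

function auditAll(manifests, policy, rootPath = "package.json") {
  return Object.entries(manifests).flatMap(([path, manifest]) =>
    auditManifest(path, manifest, policy, path === rootPath));
}

const POLICY = { minimums: { zod: "3.25.0" }, overrides: { qs: "6.14.1" } };
const SAMPLE = { // constructed "before" state: no qs override, one stale zod range
  "package.json": { pnpm: { overrides: {} } },
  "cli/package.json": { dependencies: { zod: "^3.25.0" } },
  "studio/package.json": { dependencies: { zod: "^3.22.4" } },
};
console.log(auditAll(SAMPLE, POLICY).join("\n"));
```

Ranges the parser cannot read are reported rather than passed, so a `workspace:` or tag specifier still gets a manual look.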

@StarpTech StarpTech left a comment

LGTM

@JivusAyrus JivusAyrus merged commit 89cb868 into main Feb 9, 2026
48 checks passed
@JivusAyrus JivusAyrus deleted the suvij/eng-8728-vanta-remediate-high-vulnerabilities branch February 9, 2026 11:44
maxbol pushed a commit to maxbol/cosmo that referenced this pull request Feb 12, 2026