chore(deps): update dependency mcp-clickhouse to v0.4.0 #527
renovate[bot] wants to merge 1 commit into
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
🔒 MCP Security Scan Results
✅ mcp-clickhouse
Summary: Scanned 1 MCP server(s), all passed security checks. ✅
a8beb02 to 24e0363
🛡️ Skill Security Scan Results
5d053ce to 24e0363
@renovatebot rebase
24e0363 to ba0c8dd
Triage: build-containers blocked by genuine upstream CVEs
Local Grype scan (DB 2026-04-27) of the 0.3.0 image surfaces these HIGH/CRITICAL findings (severity-cutoff: high, only-fixed: true):
These are genuine upstream CVEs in
Recommendation: Hold this bump until upstream ClickHouse/mcp-clickhouse widens its fastmcp constraint to allow 3.x.
f9a6ae0 to b6aa1a2
1d64991 to 81caeb0
81caeb0 to 7062f6d
7062f6d to 60a14a8
60a14a8 to ca9e67e
…n spec.yaml
Renovate version bumps fail the build-containers Grype gate when the bumped
package pins or caps a transitive dependency to a vulnerable version. Add an
optional dependency-override mechanism to the spec.yaml schema, plumbed into the
generated Dockerfile.
- npx: spec.overrides ([]{package, version, reason}) is injected as an npm
"overrides" block in the generated package.json before the npm install step.
- uvx: spec.constraints ([]{spec, reason}) is written to a uv overrides
requirements file and passed to "uv tool install --overrides".
Both injection points match the install step by content (not line number) so
they stay robust to toolhive template formatting. Every entry requires a
non-empty reason (validation fails otherwise) so the justification for
circumventing an upstream pin is auditable in-repo.
Verified end-to-end against the CI build + Grype recipe:
- #469 @brightdata/mcp 2.9.5 + override @modelcontextprotocol/sdk 1.26.0:
resolves to SDK 1.26.0, grype --fail-on high --only-fixed passes.
- #527 mcp-clickhouse 0.3.0 + constraint fastmcp>=3.2.0: fastmcp 3.4.0,
import mcp_clickhouse OK, grype passes.
Refs #668
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
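The validation and rendering rules described in the commit message above, as an added Python example that is not the repository's code. The field names (package, version, reason, spec) come from the commit message; the function names, the SpecError type, the single-line check on spec and the reason strings are assumptions made for illustration.

```python
import json

class SpecError(ValueError):
    """Raised when an override entry is missing a required field (hypothetical type)."""

def _require(entry, fields, kind, index):
    # Every field, including the audit "reason", must be a non-blank string.
    for field in fields:
        value = entry.get(field)
        if not isinstance(value, str) or not value.strip():
            raise SpecError(f"{kind}[{index}]: '{field}' must be a non-empty string")

def npm_overrides(spec):
    """Build the npm "overrides" mapping from spec.overrides ({package, version, reason})."""
    result = {}
    for i, entry in enumerate(spec.get("overrides") or []):
        _require(entry, ("package", "version", "reason"), "overrides", i)
        result[entry["package"]] = entry["version"]
    return result

def inject_package_json(package_json_text, spec):
    """Merge the overrides block into a package.json document before npm install."""
    doc = json.loads(package_json_text)
    overrides = npm_overrides(spec)
    if overrides:
        doc["overrides"] = {**doc.get("overrides", {}), **overrides}
    return json.dumps(doc, indent=2, sort_keys=True)

def uv_overrides_file(spec):
    """Render spec.constraints ({spec, reason}) as a uv overrides requirements file."""
    lines = []
    for i, entry in enumerate(spec.get("constraints") or []):
        _require(entry, ("spec", "reason"), "constraints", i)
        if "\n" in entry["spec"].strip():
            # Assumption: one requirement per entry, so a value cannot smuggle extra lines.
            raise SpecError(f"constraints[{i}]: 'spec' must be a single line")
        # Collapse whitespace so the reason stays a one-line comment above its pin.
        lines.append("# " + " ".join(entry["reason"].split()))
        lines.append(entry["spec"].strip())
    return "\n".join(lines) + ("\n" if lines else "")

# Constructed sample specs modelled on the two cases named in the commit message.
NPX_SPEC = {"overrides": [{"package": "@modelcontextprotocol/sdk", "version": "1.26.0",
                           "reason": "constructed reason: patched SDK release"}]}
UVX_SPEC = {"constraints": [{"spec": "fastmcp>=3.2.0",
                             "reason": "constructed reason: upstream caps fastmcp"}]}

if __name__ == "__main__":
    print(inject_package_json('{"dependencies": {"@brightdata/mcp": "2.9.5"}}', NPX_SPEC))
    print(uv_overrides_file(UVX_SPEC), end="")
```
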
This PR contains the following updates:
0.2.0 → 0.4.0
Release Notes
ClickHouse/mcp-clickhouse (mcp-clickhouse)
v0.4.0
Added
- FASTMCP_SERVER_AUTH environment variable (e.g. Azure Entra, Google, GitHub, WorkOS). Static token, FastMCP OAuth, and disabled mode are now mutually exclusive; configure exactly one. (#171)
- ghcr.io/clickhouse/mcp-clickhouse:vX.Y.Z, :X.Y, and :latest.
Changed
- /health endpoint is now unauthenticated across all auth modes (previously gated only under static-token mode, which was asymmetric and incompatible with redirect-based OAuth providers). Response bodies trimmed to OK / generic error strings to avoid leaking ClickHouse version information or connection exception details; underlying errors are logged server-side.
Fixed
- run_query and run_chdb_select_query tools now await their thread-pool futures asynchronously, so concurrent tool calls are served while a slow query is in flight. (#128)
v0.3.0
Added
- CLICKHOUSE_SNI environment variable for connections behind proxies or load balancers. (#127)
- CLICKHOUSE_WRITE_ACCESS environment variable, with built-in DROP and TRUNCATE protection. (#93)
- CLICKHOUSE_MCP_MIDDLEWARE environment variable for hooking into the MCP server lifecycle. Includes an example middleware module. (#114)
Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.