build(deps): Bump mcp-contextforge-gateway from 1.0.0rc1 to 1.0.2 #30

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/mcp-contextforge-gateway-1.0.2

dependabot Bot commented on behalf of github on Jun 3, 2026

Bumps mcp-contextforge-gateway from 1.0.0rc1 to 1.0.2.

Release notes

Sourced from mcp-contextforge-gateway's releases.

v1.0.2 - Admin UI Rewrite, Database Migrations, Security Enhancements, and Bug Fixes

[1.0.2] - 2026-05-25 - Admin UI Rewrite, Database Migrations, Security Enhancements, and Bug Fixes

Overview

Release 1.0.2 consolidates 59 PRs focused on Admin UI rewrite completion, database migration improvements, security enhancements, and bug fixes. This release completes the React-based Admin UI migration, strengthens database schema management with Alembic, enhances OAuth flows, and improves multi-replica deployment reliability:

  • 🖥️ Admin UI Rewrite - React-based UI components for virtual servers, tools, users, teams, navigation improvements, OAuth popup authorization flow, loading states, CSRF validation fixes, cookie authentication support.
  • 🗄️ Database & Migrations - Full migration to Alembic for schema management, UUID migration, migration lock contention elimination, multi-replica startup reliability, Alembic history branch detection.
  • 🔐 Security & Auth - CSP nonce support for OAuth callbacks, RBAC admin bypass fixes, vault plugin header normalization, generic OIDC platform_admin promotion, Redis TLS support, secrets baseline updates.
  • 🧩 Plugins & A2A - A2A agent integration into plugin framework, CPEX plugin package updates, baggage attribute mapping for span customization, A2A protocol version dropdown, type validation improvements.
  • 🔧 Infrastructure & DevOps - Docker Compose security hardening, OTLP insecure exporter setting, Slack CI failure notifications, Helm unit test suites, pre-commit hooks for client code.
  • 🐛 Bug Fixes - Password validation feedback alignment, search state preservation across pagination, private A2A agent visibility for admins, OAuth tool discovery button fix, upstream MCP session persistence, rate-limit cleanup optimization.

Breaking Changes

🔒 HTTP Redirect Handling - Security Hardening

As part of ongoing security hardening, ContextForge now disables HTTP redirect following on all outbound requests. This defense-in-depth security enhancement ensures all outbound requests go to explicitly registered destinations, preventing unintended request routing.

Impact: Systems relying on HTTP redirects (302/301/307/308) for REST tools, gateway health checks, SSE connections, StreamableHTTP endpoints, or A2A agent invocations may experience apparent breaking behavior.

Mitigation: Register final destination URLs directly instead of redirect-based URLs. For detailed migration guidance and testing procedures, see the HTTP Redirect Handling Migration Guide.

Rationale: This change implements defense-in-depth security by adding redirect blocking as a second layer of protection (in addition to URL validation at registration), strengthening the overall security posture against SSRF attacks.

Added

🖥️ Admin UI Rewrite

  • 📋 Virtual Server Management (#4806, #4858) – Virtual server detail drawer and create flow in React UI. Enables full virtual server lifecycle management in new UI.
  • 🔧 Tools Page Cards (#4646) – Cards component to list MCP server tools on Tools page. Improves tool discovery and visualization.
  • 👥 User Management Screen (#4839) – User screen and create user form in React UI. Enables user administration in new UI.
  • 🎨 Navigation Improvements (#4762, #4752) – Updated nav sidebar and main top navbar components. Improves navigation UX and consistency.
  • ⚡ Loading State Improvements (#4781) – Enhanced loading state and icon components. Provides better user feedback during async operations.
  • 🔐 OAuth Popup Authorization Flow (#4842) – OAuth 2.0 popup authorization flow for MCP servers in React UI. Streamlines OAuth authorization UX.
  • 🔧 MCP Server Edit Mode (#4745) – MCP server edit mode with OAuth password grant validation and auth type refactoring. Enables comprehensive server configuration management.

🔐 Security & Auth

  • 🔒 Redis TLS Support (#4809) – Redis TLS support for production deployments. Enables encrypted Redis connections for enhanced security.
  • 🛡️ CSP Nonce Support for OAuth (#4776) – CSP nonce support added to OAuth callback page. Strengthens Content Security Policy compliance.
  • 👥 Generic OIDC Platform Admin Promotion (#4277) – Generic OIDC providers can now promote users to platform_admin role. Improves SSO integration flexibility.

🧩 Plugins & A2A

  • 🔌 A2A Plugin Framework Integration (#4775) – Integrates A2A agents into plugin framework for header handling and RBAC (ICACF-43). Unifies plugin and agent security model.
  • 📊 Baggage Attribute Mapping (#4705) – Baggage attribute mapping for span customization in observability. Enables custom OTEL span attributes via baggage propagation.
  • 🔢 A2A Protocol Version Dropdown (#4761) – A2A protocol version dropdown in agent form. Enables explicit protocol version selection.
  • 🔧 Tool Deprecation Flag (#4829) – Deprecated flag for tool lifecycle management. Enables graceful tool deprecation without deletion.

... (truncated)

Commits
  • e0967e6 Release/v1.0.2 (#4909)
  • 3f6b0f9 Fix upstream MCP session persistence (#4799)
  • 4e94bf0 chore: test cleanup (#4796)
  • 8edb89b chore: update cpex plugin packages (#4881)
  • 63a2900 Merge commit from fork
  • 968a3ae fix(bootstrap): align env var name, fix advisory lock release, pass connect_a...
  • e41f9e6 fix: resolve OAuth "Fetch Tools from MCP Server" button not triggering tool d...
  • 71221d3 feat(admin): add A2A protocol version dropdown to agent form (#4761)
  • 8c3f70d fix: rate-limit _cleanup_table DELETEs with configurable inter-batch sleep (#...
  • e6899c8 fix: admin users can now view and edit their own private A2A agents (#4788)
  • Additional commits viewable in compare view

Bumps [mcp-contextforge-gateway](https://github.com/IBM/mcp-context-forge) from 1.0.0rc1 to 1.0.2.
- [Release notes](https://github.com/IBM/mcp-context-forge/releases)
- [Changelog](https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md)
- [Commits](IBM/mcp-context-forge@v1.0.0-RC1...v1.0.2)

---
updated-dependencies:
- dependency-name: mcp-contextforge-gateway
  dependency-version: 1.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on Jun 3, 2026
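
A pre-upgrade check for the HTTP redirect handling breaking change described in the 1.0.2 release notes, added here as an example and not part of this PR or of ContextForge: it probes each registered URL once without following redirects and lists those that answer 301/302/307/308, so the final destination can be registered instead. The function names, the finding fields and the `example.test` hostnames are assumptions; how the list of registered URLs is obtained from the gateway is not shown on this page.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 307, 308}  # the status codes named in the release notes


def probe(url, timeout=5.0):
    """Send one GET and return (status, Location header) without following redirects."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)  # http.client never follows redirects itself
        resp = conn.getresponse()    # headers only; a streaming (SSE) body is not read
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit(urls, probe_fn=probe):
    """Return one finding per URL that answers with a redirect or cannot be reached."""
    findings = []
    for url in urls:
        try:
            status, location = probe_fn(url)
        except (OSError, http.client.HTTPException) as exc:
            findings.append({"url": url, "issue": "unreachable", "detail": str(exc)})
            continue
        if status in REDIRECT_CODES:
            final = urljoin(url, location) if location else None
            findings.append({
                "url": url, "issue": "redirect", "status": status, "target": final,
                # A redirect to another host needs review before the target is registered.
                "changes_host": bool(final) and urlsplit(final).hostname != urlsplit(url).hostname,
            })
    return findings


if __name__ == "__main__":
    # Constructed responses standing in for live endpoints (hostnames are placeholders).
    canned = {
        "http://tools.example.test/api": (301, "https://tools.example.test/api"),
        "https://agent.example.test/a2a": (307, "https://other.example.test/a2a"),
        "https://mcp.example.test/sse": (200, None),
    }
    for finding in audit(canned, probe_fn=canned.get):
        print(finding)
```

Only the first hop is reported; probe the reported target again until it answers without a redirect before registering it.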