🎉 Release Highlights
🔒 Security and Maintenance Release
This release resolves critical dependency management issues that prevented Dependabot from scanning MCP plugin directories, fixes esbuild security vulnerabilities across all MCP plugins, and includes community contributions improving plugin reliability.
Key Improvements
- ✅ Fixed Dependabot configuration to properly scan all 9 npm directories
- 🔒 Resolved esbuild security vulnerability (GHSA-67mh-4wv8-2f99) across 6 MCP plugins
- 📦 Updated vitest to v3.2.4 for improved testing reliability
- 🐛 Community bug fix from @thetonymaster for ai-commit-gen model specification
👥 Contributors
🎉 Special Thanks
Huge appreciation to @thetonymaster (Antonio Cabrera) for contributing the ai-commit-gen model specification fix!
- PR: #25
- Fix: Updated `/commit` command to use correct model identifier `claude-sonnet-4-5-20250929`
- Impact: Ensures ai-commit-gen plugin works reliably with the latest Claude model
This is exactly the kind of community contribution that makes open source great! 🚀
🐛 Bug Fixes
- ai-commit-gen plugin: Fixed model specification in `/commit` command - changed from generic "sonnet" to specific `claude-sonnet-4-5-20250929` (thanks @thetonymaster!) #25
🔧 Infrastructure & Dependencies
Dependabot Configuration Fix
- Added 7 new package-ecosystem entries to `.github/dependabot.yml` for comprehensive dependency scanning
- Now properly scans: root, marketplace, 6 MCP plugins, sugar MCP server
- Previously only scanned root directory, missing all MCP plugin vulnerabilities
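
A coverage check for the gap described above, as an added example that is not part of this project's code: it lists directories holding a `package.json` that no npm entry in `.github/dependabot.yml` covers. The file list, the `weekly` schedule and the helper names are constructed for illustration, and the line-based parser reads only each entry's single `directory:` key.

```python
import re
from pathlib import PurePosixPath

KEY_RE = re.compile(r"^(\s*)(-\s+)?([\w-]+):\s*[\"']?([^\"'#\s]*)")

def npm_manifest_dirs(paths):
    """Repo directories holding a package.json, in Dependabot's '/'-rooted form."""
    dirs = set()
    for p in map(PurePosixPath, paths):
        if p.name == "package.json" and "node_modules" not in p.parts:
            parent = p.parent.as_posix()
            dirs.add("/" if parent == "." else "/" + parent)
    return dirs

def dependabot_npm_dirs(config_text):
    """Directories covered by npm entries of the `updates:` list (line-based parse)."""
    entries, item_indent = [], None
    for line in config_text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, dash, key, value = m.groups()
        if dash and item_indent in (None, len(indent)):
            item_indent = len(indent)
            entries.append({})              # a new `- ...` item of `updates:`
        if entries:
            entries[-1].setdefault(key, value)
    return {"/" + e["directory"].strip("/") for e in entries
            if e.get("package-ecosystem") == "npm" and "directory" in e}

def uncovered_npm_dirs(paths, config_text):
    """Manifest directories that no npm Dependabot entry points at."""
    return sorted(npm_manifest_dirs(paths) - dependabot_npm_dirs(config_text))

# Constructed sample: root plus the six plugin directories named in these notes.
PLUGINS = ["project-health-auditor", "domain-memory-agent", "ai-experiment-logger",
           "conversational-api-debugger", "design-to-code", "workflow-orchestrator"]
REPO_FILES = ["package.json", "node_modules/esbuild/package.json"] + [
    f"plugins/mcp/{name}/package.json" for name in PLUGINS]

def npm_entry(directory):
    # Schedule value is an assumption; the notes do not state the interval used.
    return (f'  - package-ecosystem: "npm"\n    directory: "{directory}"\n'
            '    schedule:\n      interval: "weekly"\n')

BEFORE = "version: 2\nupdates:\n" + npm_entry("/")   # root only: the gap described
AFTER = BEFORE + "".join(npm_entry(f"/plugins/mcp/{n}") for n in PLUGINS)

if __name__ == "__main__":
    print("uncovered before:", uncovered_npm_dirs(REPO_FILES, BEFORE))
    print("uncovered after: ", uncovered_npm_dirs(REPO_FILES, AFTER))
```

Run in CI against the real file list (for example the output of `git ls-files`), a non-empty result means a manifest directory has been added without a matching Dependabot entry.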
Security Updates
- Resolved esbuild <=0.24.2 moderate severity vulnerability (GHSA-67mh-4wv8-2f99) in all 6 MCP plugins
- Updated vitest from v2.1.9 to v3.2.4 across:
  - `plugins/mcp/project-health-auditor/`
  - `plugins/mcp/domain-memory-agent/`
  - `plugins/mcp/ai-experiment-logger/`
  - `plugins/mcp/conversational-api-debugger/`
  - `plugins/mcp/design-to-code/`
  - `plugins/mcp/workflow-orchestrator/`
- Updated Express and @types/express in ai-experiment-logger #32
Dependency Management
- Created missing `package-lock.json` files for improved dependency tracking
- All MCP plugins now report 0 security vulnerabilities
- Improved audit trail with granular dependency updates
📊 Repository Health
| Metric | Before | After | Change |
|---|---|---|---|
| Security Vulnerabilities | 6 | 0 | ✅ -6 |
| Open Pull Requests | 20 | 0 | ✅ -20 |
| Active Branches | 27 | 5 | ✅ -22 |
| Total Plugins | 226 | 226 | - |
| Dependabot Status | ⚠️ Partial | ✅ Full | ✅ Fixed |
🔗 Pull Requests
Merged
- #25 - fix(commit): update model to specific sonnet 4.5 version (@thetonymaster)
- #32 - chore(deps): bump express and @types/express
Closed (Deferred)
18 Dependabot PRs for major version updates - deferred for comprehensive review in future release
📦 Installation
```
# Add marketplace (if not already added)
/plugin marketplace add jeremylongshore/claude-code-plugins

# Install or update plugins
/plugin install devops-automation-pack@claude-code-plugins-plus
/plugin install ai-commit-gen@claude-code-plugins-plus
```
🌐 Resources
- Marketplace: https://claudecodeplugins.io/
- Documentation: CLAUDE.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Security: SECURITY.md
Full Changelog: v1.0.38...v1.0.39