Bug fixes & security
Ghost nodes after file deletion fully fixed
graphify update on Windows no longer leaves stale nodes after moving/deleting files. Two root causes resolved:
_relativize_source_filesnow runs on the existing graph before eviction, not afterdeleted_paths/evict_sourcesnow use.as_posix()for consistent forward-slash paths on all platforms- Symlinked scan roots now handled correctly via
.resolve()inbuild_merge(#1007)
Security: XML DoS hardening
extract_csproj and extract_lazarus_package now pre-screen for <!DOCTYPE / <!ENTITY before parsing — blocks billion-laughs memory exhaustion on malicious project files. Zero false positives on real MSBuild/Lazarus files. extract_lpk also gains the previously missing 2 MiB size cap.
Dart node ID fix
Dart child node IDs no longer embed absolute paths — now uses _file_stem consistent with all other extractors. Existing Dart graphs should be rebuilt with graphify extract --force. (#999)
cluster-only label alignment
cluster-only now applies remap_communities_to_previous matching the behaviour of graphify update, so community labels stay stable across re-clusterings (#1028)
New features
MCP config extractor
.mcp.json, mcp.json, mcp_servers.json, claude_desktop_config.json are now extracted into the knowledge graph — captures server nodes, npm/pip package references, and env var requirements. Env values are discarded to prevent secret leakage.
Install / upgrade
pip install --upgrade graphifyy