github tirth8205/code-review-graph v2.2.4
v2.2.4 — fastmcp CVE fix, Windows hang, 11 bug fixes


Highlights

Ships fixes for the 11 bugs from PR #222 plus the v2.2.3.1 smoke-test hotfixes. If you're on v2.2.3 or earlier, this is a straight upgrade — re-run code-review-graph install afterward to pick up any config updates.

uvx --reinstall code-review-graph
# or
pip install -U code-review-graph

Security — CVE remediation

  • fastmcp 1.0 → >=2.14.0,<3 (closes #139, #195)
    • CVE-2025-62800 (XSS)
    • CVE-2025-62801 (command injection via server_name)
    • CVE-2025-66416 (Confused Deputy)
    • Transitively drops the broken docket → fakeredis chain that caused ImportError: FakeConnection renamed to FakeRedisConnection on fresh installs (#195)
    • All 24 MCP tools verified to register and round-trip real data on fastmcp 2.14.6 across a 6-repo smoke test
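A quick way to confirm that an upgraded environment actually picked up the remediated fastmcp range, as an added example (not part of code-review-graph). The specifier string is the one named in this release; the tiny specifier parser is a standard-library stand-in for the `packaging` library and only compares numeric release segments, so a pre-release such as 2.14.0rc1 is read as 2.14.0.

```python
"""Verify that the installed fastmcp satisfies the patched-version constraint."""
import re
from importlib import metadata

# Constraint this release moved fastmcp to.
FASTMCP_SPEC = ">=2.14.0,<3"

_CLAUSE_RE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)\s*$")

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Turn "2.14.6" into (2, 14, 6).

    Only numeric release segments are compared; a pre-release tag such as
    "2.14.0rc1" is read as 2.14.0, so the check is slightly optimistic about
    pre-releases (PEP 440 orders them before the final release).
    """
    parts = []
    for segment in text.split("."):
        m = re.match(r"\d+", segment)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(segment):
            break  # stop at the first pre-release/local suffix
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (3,) and (3, 0, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of `specifier`."""
    have = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, want = m.group(1), parse_version(m.group(2))
        a, b = _pad(have, want)
        if not _OPS[op](a, b):
            return False
    return True


def check_installed(dist_name, specifier):
    """Return (installed_version, ok); installed_version is None if absent."""
    try:
        installed = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, satisfies(installed, specifier)


if __name__ == "__main__":
    version, ok = check_installed("fastmcp", FASTMCP_SPEC)
    if version is None:
        print("fastmcp is not installed in this environment")
    else:
        print(f"fastmcp {version}: {'OK' if ok else 'OUTSIDE ' + FASTMCP_SPEC}")
```

Run it in the same interpreter that runs code-review-graph (a uvx-managed environment is separate from a global pip one); a version below 2.14.0 means the resolver kept an old pin somewhere and the CVE fixes are not in effect.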

Fixed

  • #46 / #136 — build and embed_graph_tool hanging silently on Windows. main() now sets WindowsSelectorEventLoopPolicy before mcp.run() on sys.platform == "win32". The default ProactorEventLoop deadlocks with ProcessPoolExecutor (used by full_build) over stdio MCP. No-op on macOS/Linux.
  • #190 — Go method receivers. func (s *T) Foo() now attaches Foo to T as a member with a CONTAINS edge, instead of appearing as a top-level function.
  • #87 — Dart parser, three bugs:
    • CALLS edges (_extract_dart_calls_from_children()) — tree-sitter-dart doesn't wrap calls in a call_expression; the pattern is identifier + selector > argument_part.
    • package:<pkg>/<path> URI resolution — walks up to a pubspec.yaml whose name: declaration matches <pkg> and resolves to <root>/lib/<path>.
    • inheritors_of bare-vs-qualified fallback — affects all languages, not just Dart.
  • #91 — Nested dependency directories now ignored. node_modules/** also matches packages/app/node_modules/react/index.js in monorepos. Added Laravel (vendor/**, bootstrap/cache/**), Gradle (.gradle/**, *.jar), Flutter (.dart_tool/**, .pub-cache/**), and generic (coverage/**, .cache/**) defaults. Deliberately did not add packages/** or bin/**/obj/** — those are false positives for yarn/pnpm workspaces and .NET source trees respectively.
  • #194 — Replaced bare except Exception with specific exception types + logger.debug(...) across 11 files. Debuggability win; no behavioral change on the happy path.
  • #132 — Visualization no longer hides all edges on graphs above ~300 nodes. The unconditional auto-collapse at page load has been raised to a 2000-node threshold; below that, all File / Function / Class nodes and their connecting edges are visible by default.
  • #212 — eval command now surfaces ImportError: pyyaml is required: pip install code-review-graph[eval] instead of AttributeError: 'NoneType' object has no attribute 'safe_load' when PyYAML isn't installed.
  • #218 — VS Code extension (v0.2.2 — repackage separately): better-sqlite3@11 → @12.4.1+ for VS Code 1.115 (Electron 39 / V8 14.2). v11 used v8::Context::GetIsolate(), which was removed in V8 14.2, causing the extension to fail activation with every command undefined.

Carried forward from v2.2.3.1

  • #223 — code-review-graph serve --repo <X> is now honored by all 24 MCP tools (it was previously only read by get_docs_section_tool).
  • #223 — Wiki slug collisions no longer silently overwrite pages. Previously a ~70% data-loss bug on real repos: "Data Processing" / "data processing" / "Data Processing" all slugged to the same filename and later iterations overwrote earlier content. Now tracks used slugs per run and appends -2/-3/… suffixes.
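The slug-collision fix above comes down to keeping a per-run set of slugs already handed out and probing for a free suffix. The allocator below is an added example of that scheme, not the project's wiki writer; the sample titles are constructed to reproduce the collision described, including the awkward case where a title such as "Data Processing 2" slugs to a name that a suffix has already taken.

```python
"""Collision-free wiki slugs: one slug per page, suffixes instead of overwrites."""
import re
import unicodedata


def slugify(title):
    """Lower-case ASCII slug: "Data  Processing" -> "data-processing"."""
    ascii_title = (
        unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode()
    )
    slug = re.sub(r"[^a-z0-9]+", "-", ascii_title.lower()).strip("-")
    return slug or "untitled"


class SlugAllocator:
    """Hands out unique slugs for the duration of one wiki generation run."""

    def __init__(self):
        self._used = set()

    def allocate(self, title):
        base = slugify(title)
        candidate, n = base, 1
        # "Data Processing 2" slugs to "data-processing-2", which may already be
        # a suffixed slug from an earlier collision, so probe until one is free.
        while candidate in self._used:
            n += 1
            candidate = f"{base}-{n}"
        self._used.add(candidate)
        return candidate


def assign_filenames(titles):
    """Map each title (in order) to a unique Markdown filename.

    Returns one (title, filename) pair per input title, so no page is lost
    even when several titles collapse to the same slug.
    """
    allocator = SlugAllocator()
    return [(title, f"{allocator.allocate(title)}.md") for title in titles]


# Constructed sample reproducing the collision pattern from the release notes.
SAMPLE_TITLES = [
    "Data Processing",
    "data processing",
    "Data  Processing",
    "Data Processing 2",
]

if __name__ == "__main__":
    for title, filename in assign_filenames(SAMPLE_TITLES):
        print(f"{title!r:22} -> {filename}")
```

Because the allocator lives for one run only, a regenerated wiki assigns suffixes in iteration order; if stable links matter across runs, sort the titles before allocating.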

⚠️ Windows note

The Windows event-loop fix (#46 / #136) was applied blind — the maintainer is on macOS and could not verify it on Windows before release. The fix itself is surgical (a single line in main.py behind sys.platform == "win32" — no-op everywhere else) and is the canonical remediation for the ProactorEventLoop + ProcessPoolExecutor + stdio-MCP deadlock, so it's unlikely to regress anything. But if you're on Windows and still see build or embed_graph_tool hang on v2.2.4, please open a fresh issue with:

  • python -c "import sys, platform; print(sys.version, platform.platform())"
  • Which tool hangs (build, embed, both, other)
  • Any stack trace from Ctrl+C

A follow-up patch will ship quickly if needed.

Upgrade notes

  • Re-run code-review-graph install after upgrading to pick up any config updates (this is still a requirement if you're coming from v2.2.2 or earlier — the hook schema was rewritten in v2.2.3).
  • The VS Code extension needs to be repackaged and republished separately; the existing publish.yml workflow only covers PyPI.

Closes

#46, #87, #91, #132, #136, #139, #190, #194, #195, #212, #218, #223
