Comparing changes
base repository: structured-world/gitlab-mcp
base: v6.25.0
head repository: structured-world/gitlab-mcp
compare: v6.26.0
- 12 commits
- 33 files changed
- 3 contributors
Commits on Jan 22, 2026
chore(deps): bump lodash-es from 4.17.22 to 4.17.23 (#103)

* chore(deps): bump lodash-es from 4.17.22 to 4.17.23

Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.22 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/commits/4.17.23)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(ci): add dependabot auto-merge with release bot app

- Add dependabot.yml config for weekly npm and github-actions updates
- Group minor/patch updates into single PR
- Replace auto-approve workflow with auto-merge using RELEASER_APP
- Auto-merge only for minor/patch updates, major requires manual review

* fix(ci): use pull_request.user.login for dependabot detection

* fix(ci): add checkout step for gh cli

* chore: trigger workflow

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit 6c2aede

chore(ci): bump webiny/action-conventional-commits from 1.3.0 to 1.3.1 (#106)

* chore(ci): bump webiny/action-conventional-commits from 1.3.0 to 1.3.1

Bumps [webiny/action-conventional-commits](https://github.com/webiny/action-conventional-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/webiny/action-conventional-commits/releases)
- [Commits](webiny/action-conventional-commits@v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: webiny/action-conventional-commits
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore: trigger workflow

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit a2b1e45

Commit bc82df8

chore(ci): bump actions/checkout from 4 to 6 (#104)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit 6745508

Commit 6edf2bd

chore(ci): bump docker/build-push-action from 5 to 6 (#111)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v5...v6)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit d0fc281

chore(ci): bump actions/upload-artifact from 4 to 6 (#108)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit 81da4d8

chore(ci): bump actions/create-github-app-token from 1 to 2 (#105)

Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1 to 2.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@v1...v2)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: '2'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit 89bcfee

chore(ci): bump actions/upload-pages-artifact from 3 to 4 (#107)

Bumps [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-pages-artifact
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dmitry Prudnikov <[email protected]>

Commit 20c2320

security(deps): add resolutions for vulnerable transitive dependencies (#114)

* fix(deps): add resolutions for vulnerable transitive dependencies

Add Yarn 4 resolutions to fix:
- lodash 4.17.23: Prototype Pollution (GHSA-xxjr-mmjv-4gpg)
- lodash-es 4.17.23: Prototype Pollution (GHSA-xxjr-mmjv-4gpg)
- hono 4.11.5: JWT algorithm confusion (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4)
- diff 4.0.4: DoS in parsePatch/applyPatch (GHSA-73rr-hh4g-fpgx)

All affected packages are dev dependencies only.

Closes #113

* chore: remove package-lock.json, use yarn.lock only

This project uses Yarn 4 - package-lock.json was causing GitHub security scanner to report false positives from a stale lockfile.

- Remove package-lock.json from repo
- Add to .gitignore to prevent accidental re-commit

Commit 25c2ccc

feat(cli): add interactive setup wizard (gitlab-mcp init) (#101)

* feat(cli): add interactive setup wizard (gitlab-mcp init)

- Add src/cli/init module with @clack/prompts for interactive CLI
- Support GitLab.com and self-hosted instance configuration
- Role-based preset selection (6 roles including readonly)
- MCP client detection (8 clients including Claude Desktop/Code)
- Auto-generate JSON configs with deep links for Claude Desktop
- CLI installation for Claude Code (claude mcp add command)
- Connection testing before config generation
- PAT creation URL generation with pre-filled scopes

Closes #62

* fix(cli): harden init wizard security and compatibility

- Use strict hostname matching in isGitLabSaas() to prevent substring attacks (notgitlab.com, gitlab.company.com)
- Remove unused generateEnvExports function
- Make runWizard import lazy to avoid loading dependencies eagerly
- Use dynamic import for ESM-only 'open' package in CommonJS context
- Add error handling for browser open in headless environments
- Use URL-safe Base64 encoding in Claude deep links
- Add tests for isGitLabSaas edge cases and URL-safe Base64

* fix(cli): improve wizard security and ESM compatibility

- Extract browser utils to separate module for better testability
- Use eval-based dynamic import for ESM-only 'open' package in CommonJS
- Replace execSync with spawnSync to prevent command injection
- Mask PAT tokens in terminal output for security
- Update tests to mock browser module properly

* test(cli): add unit tests for browser module

Add injectable import function to browser.ts for testability. Add comprehensive tests covering success and error paths. Coverage now 100% for browser.ts.

* test(cli): add tests for init module exports

Ensure index.ts re-exports are covered by tests.

* fix(cli): harden init wizard security and platform handling

- Fix Linux platform handling in Claude Desktop config path
- Add CLI command token masking for terminal output
- Add security warning when displaying deep link with encoded token
- Update tests to mock spawnSync instead of execSync

* fix(cli): add shell escaping and null-safe string interpolation

- Add shellEscape() for CLI command env values to prevent injection
- Add null coalescing for connectionResult.username and error
- Add test for shell special character escaping

* fix(cli): improve token masking regex to handle escaped quotes

- Fix regex pattern to handle escaped quotes in token values
- Remove misleading comment from test

* fix(cli): use replacement strings in regex and add init tests

- Use $1****$3 replacement strings instead of template literals
- Add spawnSync assertion in CLI command test
- Add test for init subcommand in main entry point

* fix(cli): improve wizard UX and security warnings

- Add note about replacing masked tokens in CLI command
- Handle cancel consistently on all confirmation prompts
- Show security warning before deep link confirmation

* fix(init): improve URL normalization and PAT scopes

- Strip /api/v4 suffix from instance URL if provided by user
- Add readOnly parameter to getPatCreationUrl for least-privilege scopes
- Fix browser.test.ts to avoid calling real open package in reset test
- Add tests for URL normalization and read-only PAT scopes

* docs(init): clarify role vs preset naming in types.ts

Add comments explaining that UserRole uses simplified wizard-facing names while ROLE_PRESETS maps them to actual GITLAB_MCP_PRESET identifiers (e.g., "reviewer" in wizard maps to "code-reviewer" preset).

* fix(init): use || instead of ?? for configPath hint

Empty configPath strings should not render as blank hints in the prompt UI. Using || treats empty strings as falsy, returning undefined instead.

* fix(init): normalize URLs and improve test reliability

- Normalize instance URL in wizard (strip trailing / and /api/v4)
- Normalize URL in config-generator before writing to GITLAB_API_URL
- Rename test from "--init flag" to "init subcommand"
- Add return after process.exit for TypeScript/test compatibility
- Fix wizard test mocks to use mockReset for consistent state

* fix(init): document PAT scope timing and fix CliArgs mocks

- Add comment explaining PAT URL uses full scopes before readOnly is known
- Update parseCliArgs mocks to return full CliArgs shape with all fields

* docs(init): improve role vs preset mapping documentation

* fix(init): add return after all process.exit calls for test compatibility

* fix(init): add timeout to testConnection fetch requests

Add 10-second AbortController timeout to prevent hanging on slow or unresponsive GitLab instances. Includes proper cleanup in finally block.

Commit cb6f080

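The strict hostname matching and instance URL normalization named in the commit message above, as an added JavaScript sketch that is not code from structured-world/gitlab-mcp. The function names, the exact-match policy (only the host `gitlab.com` counts as SaaS) and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not the project's implementation.
// Function names and the exact-match policy are assumptions.

// Substring test on the raw string: the kind of check strict matching replaces.
function isGitLabSaasNaive(instanceUrl) {
  return instanceUrl.includes("gitlab.com");
}

// Strict check: parse the URL first, then compare the whole hostname.
function isGitLabSaasStrict(instanceUrl) {
  let parsed;
  try {
    parsed = new URL(instanceUrl);
  } catch {
    return false; // not parseable as a URL
  }
  // URL lowercases the host; also drop a trailing root dot ("gitlab.com.").
  const host = parsed.hostname.replace(/\.$/, "");
  return host === "gitlab.com";
}

// Normalization as described: strip trailing "/" and a trailing "/api/v4".
function normalizeInstanceUrl(input) {
  const parsed = new URL(input.trim());
  const path = parsed.pathname.replace(/\/+$/, "").replace(/\/api\/v4$/i, "");
  return parsed.origin + path;
}

// Constructed samples; notgitlab.com and gitlab.company.com come from the commit message.
const samples = [
  "https://gitlab.com",
  "https://GitLab.com/api/v4/",
  "https://notgitlab.com",
  "https://gitlab.company.com",
  "https://gitlab.com.example.net",
  "https://example.net/?next=gitlab.com",
  "https://gitlab.com@example.net/",
];

// Returns one row per URL with the verdict of each check.
function compareChecks(urls) {
  return urls.map((url) => ({
    url,
    naive: isGitLabSaasNaive(url),
    strict: isGitLabSaasStrict(url),
  }));
}

console.table(compareChecks(samples));
```

The substring check accepts every look-alike in the list and, being case-sensitive, rejects the legitimate `https://GitLab.com/api/v4/`; the parsed-hostname check gets both directions right.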
Commit 1f154c4

This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v6.25.0...v6.26.0