chore(deps-dev): bump @modelcontextprotocol/inspector from 0.16.8 to 0.21.2 #532
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Findings
- [NON-BLOCKING] PR description/version mismatch
  - File: package.json:55 (devDependencies)
  - The PR description claims bumping @modelcontextprotocol/inspector from 0.16.8 to 0.21.2, but the actual version in package.json is being changed from ^0.16.2 to ^0.21.2. This is minor, but it can be confusing when auditing history or changelogs.
- [NON-BLOCKING] Lockfile drift risk
  - File: package.json:55 (devDependencies)
  - The diff updates only package.json. If this repo tracks a lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml), it should be updated in the same PR to avoid version drift and CI/Developer environment inconsistencies. Please confirm whether a lockfile exists and update it accordingly.
- [NON-BLOCKING] Potential CLI/behavioral changes across 0.16 → 0.21
  - File: package.json:55 (devDependencies)
  - This is a multi-minor jump on a 0.x line; some projects treat 0.x minors as potentially breaking. If you invoke the inspector via package.json scripts or tooling (e.g., CLI flags, binary name, or config), those usages could have changed between 0.16 and 0.21. Please verify any scripts or docs that reference the inspector’s CLI to ensure compatibility.
- [PRE-EXISTING] Semver nuance for 0.x with caret ranges
  - File: package.json:55 (devDependencies)
  - Using ^0.21.2 restricts updates to 0.21.x (caret on 0.x does not include the next minor by semver rules). If the intent was to receive 0.22.x automatically in dev, the current range won’t do that. Not necessarily wrong, but worth confirming intent.
Spec Verification Table
- No task spec provided. All criteria: N/A
Documentation Impact
- If any docs or README sections mention the inspector version, CLI usage, or flags, they may need updates to reflect changes between 0.16.x and 0.21.x.
- If a lockfile is tracked, consider documenting the requirement to update it with dependency bumps to prevent drift.
Event: APPROVE
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Findings
- [NON-BLOCKING] Lockfile not updated; dependency bump not effective
  - File: bun.lock (workspaces."".devDependencies)
  - Evidence: bun.lock still pins "@modelcontextprotocol/inspector": "^0.16.2" in the root workspace devDependencies block, while package.json bumps it to "^0.21.2". This will cause version drift and developers/CI using the lockfile will continue to install 0.16.x, not 0.21.x.
  - Impact: The intended upgrade (including security/bug fixes noted in upstream release notes) won’t actually take effect for environments honoring the lockfile.
  - Action: Regenerate bun.lock (e.g., bun install) so it reflects @modelcontextprotocol/inspector 0.21.2 and its transitive tree.
- [NON-BLOCKING] PR description/version mismatch
  - File: package.json (devDependencies), PR description
  - Evidence: The PR description claims a bump from 0.16.8 to 0.21.2; the actual change is from ^0.16.2 to ^0.21.2 (see package.json devDependencies). This can cause confusion during audits.
  - Action: Align the PR description with the actual from/to versions in this repo.
- [NON-BLOCKING] Missed upstream security fix due to stale lockfile
  - Files: bun.lock; package.json
  - Evidence: Upstream 0.21.x release notes include fix(server): sanitize error responses to prevent stack trace exposure. Because bun.lock still resolves @modelcontextprotocol/inspector to 0.16.x, the fix won’t land in developer environments using the lockfile.
  - Impact: While this is a devDependency and the risk surface is limited to environments where the Inspector server is run during development, keeping the older version may inadvertently retain a known vulnerability/finding in that tool.
  - Action: Same as the lockfile update above; once bun.lock is refreshed to 0.21.2, this is addressed.
Spec verification
- No explicit task spec provided. N/A
Documentation impact
- No user-facing docs updates required for a devDependency bump. Consider adding a brief note in the changelog or dependency update log if you track those internally, but not required.
Event: COMMENT
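The two review points above (the root-workspace spec in bun.lock drifting from package.json, and the caret rule that makes ^0.21.2 mean 0.21.x only) can be checked mechanically. The script below is an added example written for this page, not code from the PR, the reviewer bot or the project. The package.json and bun.lock contents are constructed samples that mirror the versions named in the thread; the bun.lock shape (a `workspaces[""]` block with the declared specifiers, and `packages` entries whose first element is `name@version`) is assumed from bun's text lockfile format and simplified, and only exact and caret specifiers are handled.

```javascript
// Added example (not from the PR or the project): detect drift between
// package.json and bun.lock, and evaluate caret ranges with semver's 0.x rule.

// bun.lock is JSON with trailing commas, which JSON.parse rejects.
// Assumption: no comments and no string values containing ",}" or ",]" sequences.
function parseJsonc(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret rule: allow changes that do not modify the left-most non-zero component.
// ^1.2.3 -> >=1.2.3 <2.0.0 ; ^0.21.2 -> >=0.21.2 <0.22.0 ; ^0.0.3 -> >=0.0.3 <0.0.4
// A bare version (no operator) is treated as an exact pin.
function rangeOf(spec) {
  const caret = spec.startsWith("^");
  const min = parseVersion(caret ? spec.slice(1) : spec);
  const [maj, mnr, pat] = min;
  let maxExclusive;
  if (!caret) maxExclusive = [maj, mnr, pat + 1];
  else if (maj > 0) maxExclusive = [maj + 1, 0, 0];
  else if (mnr > 0) maxExclusive = [0, mnr + 1, 0];
  else maxExclusive = [0, 0, pat + 1];
  return { min, maxExclusive };
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const { min, maxExclusive } = rangeOf(spec);
  return compareVersions(v, min) >= 0 && compareVersions(v, maxExclusive) < 0;
}

// Compare the root workspace of bun.lock against package.json.
// Returns human-readable findings; an empty array means no drift.
function checkLockfileDrift(packageJsonText, bunLockText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = parseJsonc(bunLockText);
  const root = (lock.workspaces && lock.workspaces[""]) || {};
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(declared)) {
      // 1. The specifier recorded in the lockfile must match package.json.
      if (locked[name] !== spec) {
        findings.push(`${name}: package.json ${field} has ${spec}, bun.lock root workspace has ${locked[name] ?? "<missing>"}`);
      }
      // 2. The resolved version must satisfy the specifier package.json asks for.
      const entry = lock.packages && lock.packages[name];
      if (!entry) { findings.push(`${name}: no resolved entry in bun.lock packages`); continue; }
      const resolved = entry[0].slice(name.length + 1); // "name@version" -> "version"
      if (!satisfies(resolved, spec)) {
        findings.push(`${name}: bun.lock resolves ${resolved}, which does not satisfy ${spec}`);
      }
    }
  }
  return findings;
}

// Constructed samples mirroring the state described in the review thread.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example",
  devDependencies: { "@modelcontextprotocol/inspector": "^0.21.2", "@eslint/js": "9.29.0" },
});

const SAMPLE_BUN_LOCK = `{
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "example",
      "devDependencies": {
        "@eslint/js": "9.29.0",
        "@modelcontextprotocol/inspector": "^0.16.2",
      },
    },
  },
  "packages": {
    "@eslint/js": ["@eslint/js@9.29.0", "", {}, "sha512-CONSTRUCTED"],
    "@modelcontextprotocol/inspector": ["@modelcontextprotocol/inspector@0.16.2", "", {}, "sha512-CONSTRUCTED"],
  },
}`;

const driftFindings = checkLockfileDrift(SAMPLE_PACKAGE_JSON, SAMPLE_BUN_LOCK);
console.log(driftFindings.length ? driftFindings.join("\n") : "no drift");
```

On the constructed sample the checker reports two findings for the inspector (specifier mismatch, and a resolved 0.16.2 that does not satisfy ^0.21.2) and nothing for the exact-pinned @eslint/js. Running it in CI after `bun install --frozen-lockfile` style checks is one way to catch a bump that only touched package.json.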
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Findings
- [NON-BLOCKING] Lockfile not updated; dependency bump will not take effect in CI/dev installs
  - File: bun.lock:8 (RIGHT)
  - bun.lock still pins "@modelcontextprotocol/inspector": "^0.16.2" in the root workspace devDependencies while package.json was bumped to "^0.21.2". Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, so the intended upgrade won’t actually be used. Please regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
- [NON-BLOCKING] PR description/version mismatch
  - File: package.json:59
  - The PR title/description says bump 0.16.8 → 0.21.2, but the prior version in package.json was ^0.16.2. Consider aligning the description for audit clarity.
Spec verification
- No task spec provided. N/A.
Documentation impact
- No documentation changes are required for this dependency bump, but after regenerating the lockfile it may be worth noting in release notes or internal change logs that the bun.lock was refreshed to make the upgrade effective.
Conclusion: COMMENT
Scoped, minimal change to bump @modelcontextprotocol/inspector in package.json looks straightforward. However, bun.lock still references ^0.16.2; without regenerating the lockfile, CI/dev installs won’t actually pick up 0.21.x. I left a non-blocking finding to refresh bun.lock and a nit about the description/version mismatch. No security or user-facing correctness issues are evident from this trivial diff given current scope.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The package.json bump to @modelcontextprotocol/inspector ^0.21.2 looks correct for a trivial devDependency update. However, bun.lock still pins the inspector at ^0.16.2, so CI/dev environments honoring the lockfile will continue to install 0.16.x and won’t realize the upgrade. I’ve left a non‑blocking note to regenerate bun.lock and a small nit about the PR description’s from/to version mismatch.
Given the trivial scope, I’m not blocking, but please refresh the lockfile so the intended upgrade actually takes effect.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, upgrade won’t take effect in CI/dev installs
  `bun.lock` still lists `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the resolved package entry is `"@modelcontextprotocol/inspector@0.16.2"`.
  Evidence (see bun.lock root workspace section):
  ```json
  "devDependencies": {
    "@eslint/js": "9.29.0",
    "@modelcontextprotocol/inspector": "^0.16.2",
    …
  }
  ```
  While package.json was bumped to ^0.21.2, environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x. Please regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
- [NON-BLOCKING] package.json:59 — PR description says 0.16.8 → 0.21.2, repo previously had ^0.16.2 → ^0.21.2
  Minor audit nit: The PR description references upgrading from `0.16.8`, but the repository’s `package.json` changed from `^0.16.2` to `^0.21.2` (now present in `package.json`). This mismatch can cause confusion when correlating with changelogs. Consider aligning the PR description to reflect the actual from/to version in this repo.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | bun.lock still lists @modelcontextprotocol/inspector: ^0.16.2 and resolves to @modelcontextprotocol/inspector@0.16.2 in the packages section, while package.json has ^0.21.2 (see bun.lock root workspace devDependencies and packages entries; package.json devDependencies). |
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
package.json has been updated to @modelcontextprotocol/inspector ^0.21.2, but bun.lock still pins the package at ^0.16.2. As-is, CI/dev installs governed by the lockfile will continue to use 0.16.x, so the intended upgrade (and its fixes) won’t actually land. I’ve flagged this as non‑blocking since this PR is a trivial deps-only change, but please regenerate bun.lock to make the bump effective. Also, the PR description states 0.16.8 → 0.21.2 whereas the repo changed ^0.16.2 → ^0.21.2; consider aligning the description for audit clarity. Overall, no blocking issues found; once the lockfile is refreshed, this is good to go.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, so the upgrade won’t take effect in CI/dev installs
  `bun.lock` continues to list `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the resolved package entry is `"@modelcontextprotocol/inspector@0.16.2"`, while `package.json` now specifies `^0.21.2`.
  Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, meaning the intended upgrade to 0.21.x (including upstream fixes) won’t actually be used. Please regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
- [NON-BLOCKING] package.json:62 — PR description says 0.16.8 → 0.21.2, repo actually changed ^0.16.2 → ^0.21.2
  Minor audit nit: The PR description references upgrading from `0.16.8`, but the repository’s `package.json` changed from `^0.16.2` to `^0.21.2` (now present in `package.json`). This mismatch can cause confusion when correlating with changelogs. Consider aligning the PR description to reflect the actual from/to version in this repo.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | bun.lock still lists @modelcontextprotocol/inspector: ^0.16.2 and resolves to @modelcontextprotocol/inspector@0.16.2, while package.json has ^0.21.2 (see bun.lock root workspace devDependencies and packages entries; package.json devDependencies). |
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Scoped dependency bump looks fine in package.json, but bun.lock still pins @modelcontextprotocol/inspector to ^0.16.2, so CI/dev installs will not pick up 0.21.x. Please regenerate the lockfile to make the upgrade effective. Also, the PR description’s from-version (0.16.8) doesn’t match this repo’s previous ^0.16.2; consider aligning for audit clarity. No critical security, data-loss, or scope issues detected; leaving non-blocking comments only.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, so the upgrade won’t take effect in CI/dev installs
  `bun.lock` continues to list `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the resolved package entry is `"@modelcontextprotocol/inspector@0.16.2"`, while `package.json` now specifies `^0.21.2`.
  Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, meaning the intended upgrade to 0.21.x (including upstream fixes) won’t actually be used. Please regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
- [NON-BLOCKING] package.json:62 — PR description claims 0.16.8 → 0.21.2, repo actually changed ^0.16.2 → ^0.21.2
  Minor audit nit: The PR description references upgrading from `0.16.8`, but the repository’s `package.json` changed from `^0.16.2` to `^0.21.2` (now present in `package.json`). This mismatch can cause confusion when correlating with changelogs. Consider aligning the PR description to reflect the actual from/to version in this repo.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | bun.lock still lists @modelcontextprotocol/inspector: ^0.16.2 and resolves to @modelcontextprotocol/inspector@0.16.2, while package.json has ^0.21.2 (see bun.lock root workspace devDependencies and packages entries; package.json devDependencies). |
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
I verified the latest commit updates package.json to @modelcontextprotocol/inspector@^0.21.2, but the bun.lock is still pinned to ^0.16.2. As a result, CI and developer installs that honor the lockfile will continue to use 0.16.x and won’t pick up the intended upgrade (including upstream fixes). Please regenerate bun.lock so the bump is effective across environments. No other issues found; scope remains limited to the devDependency bump.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, so the upgrade won’t take effect in CI/dev installs
  `bun.lock` continues to list `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the resolved package entry is `"@modelcontextprotocol/inspector@0.16.2"`, while `package.json` now specifies `^0.21.2`.
  Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, meaning the intended upgrade to 0.21.x (including upstream fixes) won’t actually be used. Please regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | bun.lock at the repo root still lists @modelcontextprotocol/inspector: ^0.16.2 and resolves to @modelcontextprotocol/inspector@0.16.2, while package.json has ^0.21.2. See bun.lock root workspace devDependencies and packages sections; and package.json: devDependencies. |
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Scoped change to bump @modelcontextprotocol/inspector in package.json looks correct, but the lockfile was not regenerated. bun.lock still pins the inspector devDependency at ^0.16.2 and resolves to 0.16.2, so CI/dev installs honoring the lockfile will not pick up 0.21.x. Please run bun install/update and commit the refreshed bun.lock to make the upgrade effective. No other issues observed within the narrow scope of this trivial dependency bump.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, so the intended upgrade won’t take effect in CI/dev installs
  `bun.lock` continues to list `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the resolved package entry is `"@modelcontextprotocol/inspector@0.16.2"`, while `package.json` now specifies `^0.21.2`.
  Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, meaning the intended upgrade to 0.21.x (including upstream fixes) won’t actually be used. Please regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
  Evidence:
  `package.json` shows `"@modelcontextprotocol/inspector": "^0.21.2"` in `devDependencies`. `bun.lock` root workspace `devDependencies` still has `"@modelcontextprotocol/inspector": "^0.16.2"`, and the `packages` section contains `"@modelcontextprotocol/inspector@0.16.2"`.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | package.json sets @modelcontextprotocol/inspector to ^0.21.2 (package.json: devDependencies), but bun.lock still lists @modelcontextprotocol/inspector: ^0.16.2 under the root workspace devDependencies and resolves to @modelcontextprotocol/inspector@0.16.2 in the packages section. |
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
I verified the current diff updates package.json to @modelcontextprotocol/inspector ^0.21.2, but the root bun.lock still pins the package at ^0.16.2 and resolves to 0.16.2. This means CI/dev installs honoring the lockfile will not pick up the intended upgrade, including upstream fixes. Please regenerate bun.lock so it reflects 0.21.2 and its transitive dependencies. No new blocking issues or scope creep observed; this remains a non-blocking nit for a trivial deps-only PR.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, so the upgrade won’t take effect in CI/dev installs
  `bun.lock` at the repo root continues to list `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the `packages` section resolves `"@modelcontextprotocol/inspector@0.16.2"`, while `package.json` now specifies `^0.21.2`.
  Evidence:
  `package.json` `devDependencies` shows `"@modelcontextprotocol/inspector": "^0.21.2"`. `bun.lock` root workspace `devDependencies` still has `"@modelcontextprotocol/inspector": "^0.16.2"`, and the `packages` section contains `"@modelcontextprotocol/inspector@0.16.2"`.
  Impact: Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, meaning the intended upgrade to 0.21.x (including upstream fixes) won’t actually be used.
  Action: Regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | package.json sets @modelcontextprotocol/inspector to ^0.21.2, but bun.lock still lists it as ^0.16.2 in the root workspace devDependencies and resolves to @modelcontextprotocol/inspector@0.16.2. See package.json: devDependencies and bun.lock:8 (workspaces."".devDependencies) along with packages entry for @modelcontextprotocol/inspector@0.16.2. |
Bumps [@modelcontextprotocol/inspector](https://github.com/modelcontextprotocol/inspector) from 0.16.8 to 0.21.2.
- [Release notes](https://github.com/modelcontextprotocol/inspector/releases)
- [Commits](modelcontextprotocol/inspector@0.16.8...0.21.2)

---
updated-dependencies:
- dependency-name: "@modelcontextprotocol/inspector"
  dependency-version: 0.21.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: 3
Scoped dependency bump looks correct in package.json. However, the root bun.lock still pins @modelcontextprotocol/inspector at ^0.16.2 and resolves to 0.16.2, so CI/dev installs will not actually pick up 0.21.x. Please regenerate bun.lock to align with package.json so the upgrade is effective. No other issues found; once the lockfile is refreshed, this should be ready to merge.
Findings
- [NON-BLOCKING] bun.lock:8 — Lockfile still pins `@modelcontextprotocol/inspector` at `^0.16.2`, so the intended upgrade won’t take effect in CI/dev installs
  `bun.lock` at the repo root still lists `"@modelcontextprotocol/inspector": "^0.16.2"` under the root workspace `devDependencies`, and the `packages` section resolves `"@modelcontextprotocol/inspector@0.16.2"`, while `package.json` now specifies `^0.21.2`.
  Evidence:
  `package.json` `devDependencies` shows `"@modelcontextprotocol/inspector": "^0.21.2"`. `bun.lock` root workspace `devDependencies` has `"@modelcontextprotocol/inspector": "^0.16.2"`, and the `packages` section contains `"@modelcontextprotocol/inspector@0.16.2"`.
  Impact: Environments honoring the lockfile (CI and developer machines) will continue to install 0.16.x, meaning the intended upgrade to 0.21.x won’t actually be used (including upstream fixes and behavior changes).
  Action: Regenerate bun.lock (e.g., bun install or bun update @modelcontextprotocol/inspector) so it reflects 0.21.2 and its transitive tree.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| The dependency bump is reflected consistently in all tracked lockfiles so CI/dev installs will use the new version. | Not Met | package.json sets @modelcontextprotocol/inspector to ^0.21.2 (package.json: devDependencies), but bun.lock still lists it as ^0.16.2 in the root workspace devDependencies and resolves to @modelcontextprotocol/inspector@0.16.2. See bun.lock root workspace devDependencies and packages entries. |
Bumps @modelcontextprotocol/inspector from 0.16.8 to 0.21.2.
Release notes
Sourced from @modelcontextprotocol/inspector's releases.
... (truncated)
Commits
- 996f02c Merge pull request #1194 from olaservo/chore/bump-version-0.21.2
- 509f4ab Merge branch 'main' into chore/bump-version-0.21.2
- 4df1191 fix(server): sanitize error responses to prevent stack trace exposure (#1187)
- 8f60747 chore: bump version to 0.21.2
- 0d7757e fix: validate serverInfo.websiteUrl before rendering as link (#1186)
- a809c2a Merge pull request #1138 from modelcontextprotocol/dependabot/github_actions/...
- c180bab Merge pull request #1137 from modelcontextprotocol/dependabot/github_actions/...
- b99c8b8 Merge pull request #1136 from modelcontextprotocol/dependabot/github_actions/...
- afd785b Merge pull request #1126 from modelcontextprotocol/dependabot/github_actions/...
- 5f1eb0a Merge pull request #1125 from modelcontextprotocol/dependabot/github_actions/...
Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for @modelcontextprotocol/inspector since your current version.