
chore(deps): update dependency @brightdata/mcp to v2.11.0 #469

Open: renovate[bot] wants to merge 1 commit into main from renovate/brightdata-mcp-2.x
@renovate

@renovate renovate Bot commented Apr 17, 2026

Contributor

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| @brightdata/mcp | 2.9.0 → 2.11.0 | age | confidence |

Release Notes

brightdata/brightdata-mcp (@brightdata/mcp)

v2.11.0

Compare Source

What's Changed

Added
  • web_data_reddit_comments — structured Reddit comments by
    post/thread URL, with optional days_back filter. Dataset
    gd_lvzdpsdlw09j6t702. Completes Reddit parity alongside
    web_data_reddit_posts. (#154)

Note: this is the first GitHub Release since v2.11.0's predecessor
v2.9.3, so it also rolls up the changes below from v2.10.0 / v2.9.x.

Added (since v2.9.3)
  • search_dataset — search supported datasets by filter and get
    matching records directly via the fast search API. (#142)
  • list_dataset_fields — discover a dataset's filterable fields
    (name, type, description) before building a filter. (#142)
  • discover — discovery tool for finding sources/pages by intent.
    (#130)

v2.10.0

Compare Source

Added
  • search_dataset tool to search supported datasets by a filter and get matching records back directly via the fast search API (PR #142)
  • list_dataset_fields tool to discover a dataset's filterable fields (name, type, description) before building a filter (PR #142)

v2.9.5

Compare Source

v2.9.4

Compare Source

v2.9.3

Compare Source

v2.9.3
  • New code tool group - your coding agent's companion
    • web_data_npm_package - look up any npm package by name and get back
      structured metadata: latest version, README, dependencies, and more
      (e.g. @brightdata/sdk, express, fastify)
    • web_data_pypi_package - look up any PyPI package by name and get back
      structured metadata: latest version, README, dependencies, and more
      (e.g. langchain-brightdata, requests, numpy)
    • Enable with GROUPS="code" - works with Claude Code, Cursor, Windsurf,
      and any MCP-powered coding agent
  • Added code group row to the tool groups table in README
  • Added coding agent configuration example in README

Why this matters

Coding agents constantly need to answer questions like "what's the latest
version of X?" or "what does this package do?". Until now that meant
scraping registry pages or relying on stale training data. The code group
gives agents a single, reliable tool to query npm and PyPI directly —
structured data, no scraping, no blocking, always up to date.

v2.9.2

Compare Source

v2.9.1

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

github-actions Bot commented Apr 17, 2026

Contributor

🔒 MCP Security Scan Results

⚠️ brightdata-mcp

  • Status: Warning
  • Message: Scan failed to produce output (insecure_ignore is enabled)

Summary: Scanned 1 MCP server(s), all passed security checks. ✅

renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch from a5747b8 to f0ae7d1 on April 20, 2026 11:05
renovate Bot changed the title from "chore(deps): update dependency @brightdata/mcp to v2.9.4" to "chore(deps): update dependency @brightdata/mcp to v2.9.5" on Apr 20, 2026
renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch 2 times, most recently from 3eddbeb to 674490c on April 21, 2026 08:19
@rdimitrov

Member

@renovatebot rebase

renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch 3 times, most recently from 9172b66 to 69e9ae5 on April 27, 2026 12:13
@JAORMX

JAORMX commented Apr 27, 2026

Collaborator

Triage: build-containers blocked by genuine upstream CVEs

Local Grype scan (DB 2026-04-27) of the 2.9.5 image surfaces these HIGH findings (severity-cutoff: high, only-fixed: true):

| Package | Installed | GHSA | Severity | Fixed in |
|---|---|---|---|---|
| @modelcontextprotocol/sdk | 1.21.2 | GHSA-w48q-cv73-mx4w | High | 1.24.0 |
| @modelcontextprotocol/sdk | 1.21.2 | GHSA-8r9q-7v3j-jr4g | High | 1.25.2 |
| @modelcontextprotocol/sdk | 1.21.2 | GHSA-345p-7cg4-v4c7 | High | 1.26.0 |
| picomatch | 4.0.3 | GHSA-c2c7-rcm5-vvqj | High | 4.0.4 |

These are genuine upstream CVEs, not false positives. The fix requires @brightdata/mcp to bump its @modelcontextprotocol/sdk dep to ≥1.26.0 (and pull in updated transitive deps for picomatch).

Recommendation: Hold this bump until upstream brightdata-com/brightdata-mcp updates the MCP SDK pin.

renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch from 48a090d to 3bad57a on April 30, 2026 12:33
renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch 2 times, most recently from f64e5c5 to 7cc9963 on May 14, 2026 17:57
renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch from 7cc9963 to 36adf9a on June 4, 2026 09:14
renovate Bot changed the title from "chore(deps): update dependency @brightdata/mcp to v2.9.5" to "chore(deps): update dependency @brightdata/mcp to v2.10.0" on Jun 4, 2026
renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch from 36adf9a to 6a5f89a on June 14, 2026 09:53
renovate Bot changed the title from "chore(deps): update dependency @brightdata/mcp to v2.10.0" to "chore(deps): update dependency @brightdata/mcp to v2.11.0" on Jun 14, 2026
renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch 2 times, most recently from b1da6c9 to a26436e on July 3, 2026 10:10
renovate Bot force-pushed the renovate/brightdata-mcp-2.x branch from a26436e to 3c61fb7 on July 3, 2026 10:14
samuv pushed a commit that referenced this pull request Jul 3, 2026
…n spec.yaml

Renovate version bumps fail the build-containers Grype gate when the bumped
package pins or caps a transitive dependency to a vulnerable version. Add an
optional dependency-override mechanism to the spec.yaml schema, plumbed into the
generated Dockerfile.

- npx: spec.overrides ([]{package, version, reason}) is injected as an npm
  "overrides" block in the generated package.json before the npm install step.
- uvx: spec.constraints ([]{spec, reason}) is written to a uv overrides
  requirements file and passed to "uv tool install --overrides".

Both injection points match the install step by content (not line number) so
they stay robust to toolhive template formatting. Every entry requires a
non-empty reason (validation fails otherwise) so the justification for
circumventing an upstream pin is auditable in-repo.

Verified end-to-end against the CI build + Grype recipe:
- #469 @brightdata/mcp 2.9.5 + override @modelcontextprotocol/sdk 1.26.0:
  resolves to SDK 1.26.0, grype --fail-on high --only-fixed passes.
- #527 mcp-clickhouse 0.3.0 + constraint fastmcp>=3.2.0: fastmcp 3.4.0,
  import mcp_clickhouse OK, grype passes.

Refs #668

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
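
The triage table and the spec.overrides mechanism from the commit message above, worked through as an added example (not code from this repository): it takes the highest "Fixed in" version per package from the Grype findings, rejects any override without a reason, and merges the result into an npm "overrides" block. The function names and the sample package.json are assumptions; only the {package, version, reason} entry fields come from the commit message.

```python
import json

# Findings copied from the triage table above: (package, installed, advisory, fixed in).
FINDINGS = [
    ("@modelcontextprotocol/sdk", "1.21.2", "GHSA-w48q-cv73-mx4w", "1.24.0"),
    ("@modelcontextprotocol/sdk", "1.21.2", "GHSA-8r9q-7v3j-jr4g", "1.25.2"),
    ("@modelcontextprotocol/sdk", "1.21.2", "GHSA-345p-7cg4-v4c7", "1.26.0"),
    ("picomatch", "4.0.3", "GHSA-c2c7-rcm5-vvqj", "4.0.4"),
]

def vkey(version):
    """Sort key for plain MAJOR.MINOR.PATCH versions (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))

def overrides_from_findings(findings):
    """One override per package: the highest 'fixed in' clears every advisory."""
    by_pkg = {}
    for pkg, _installed, ghsa, fixed in findings:
        entry = by_pkg.setdefault(pkg, {"package": pkg, "version": fixed, "ids": []})
        if vkey(fixed) > vkey(entry["version"]):
            entry["version"] = fixed
        entry["ids"].append(ghsa)
    return [
        {"package": e["package"], "version": e["version"],
         "reason": "Grype HIGH: " + ", ".join(e["ids"])}
        for e in by_pkg.values()
    ]

def validate(entries):
    """Reject entries without a justification, as the commit message requires."""
    for e in entries:
        if not e.get("package") or not e.get("version"):
            raise ValueError(f"override needs package and version: {e!r}")
        if not str(e.get("reason", "")).strip():
            raise ValueError(f"override for {e['package']} has no reason")

def inject_overrides(package_json_text, entries):
    """Return package.json text with an npm "overrides" block merged in."""
    validate(entries)
    manifest = json.loads(package_json_text)
    overrides = manifest.setdefault("overrides", {})
    for e in entries:
        overrides[e["package"]] = e["version"]
    return json.dumps(manifest, indent=2)

if __name__ == "__main__":
    # Constructed stand-in for the generated package.json.
    generated = '{"name": "mcp-image", "dependencies": {"@brightdata/mcp": "2.9.5"}}'
    print(inject_overrides(generated, overrides_from_findings(FINDINGS)))
```

Because the reason string carries the advisory IDs, each override can be removed once the upstream package no longer pins the affected version.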