v1.7.1

Security

• DNS-resolved private-address SSRF in web_url_read blocked (GHSA-mrvx-jmjw-vggc): The URL reader previously validated only the literal hostname string, so a public-looking hostname that DNS-resolves to a private, loopback, or link-local address (for example a domain pointing at 127.0.0.1/10.0.0.0/8 or a cloud metadata endpoint like 169.254.169.254) bypassed the SSRF guard. Direct (no-proxy) reads now validate every resolved DNS answer before connecting and pin the connection to the validated address, closing the DNS-rebinding window. The MCP_HTTP_ALLOW_PRIVATE_URLS=true opt-out still applies. When a URL-reader proxy is configured the proxy performs DNS resolution, so those deployments must rely on egress/firewall controls (documented in SECURITY.md).
• Unbounded response-body read in web_url_read capped (GHSA-xcqx-9jf5-w339): The page-size limit was advisory only — a server using chunked transfer encoding, a failing/absent HEAD response, or a body larger than its reported Content-Length could force the entire response into memory (denial of service). The body is now read through a bounded stream that enforces URL_READ_MAX_CONTENT_LENGTH_BYTES (default 5 MB) against the decompressed size and stops once the cap is exceeded, before any conversion or caching.

Full Changelog: v1.7.0...v1.7.1

v1.7.0

✨ Added

• HTML-search fallback (SEARXNG_HTML_FALLBACK=true) — opt-in compatibility mode for SearXNG instances that disable JSON output. When a search hits a 403/404 or a non-JSON response, it is automatically retried without format=json and results (title, URL, snippet) are parsed from the regular HTML results page and marked sourceFormat: "html". Triggers strictly on format rejections — never on 401, 5xx, network, or timeout errors. Enabling JSON on a SearXNG instance you control remains the recommended setup (see the README troubleshooting section).

🔒 Security

• undici → 7.28.0 — resolves two HIGH advisories affecting 7.0.0–7.27.2: GHSA-vmh5-mc38-953g (TLS certificate validation bypass in the SOCKS5 ProxyAgent) and GHSA-pr7r-676h-xcf6 (cross-user information disclosure via shared-cache whitespace bypass).
• form-data → 4.0.6 — clears a CRLF-injection advisory (GHSA-hmw2-7cc7-3qxx) in the test toolchain.

Full Changelog: v1.6.0...v1.7.0

v1.6.0

This release rolls up everything since v1.4.0. Note: 1.5.0 was published to npm and Docker Hub on 2026-06-12 but never received a GitHub release — those changes are included below alongside the new 1.6.0 work.

✨ Added

• engines parameter on searxng_web_search — a comma-separated list (e.g. google,bing,duckduckgo) routes a search to specific SearXNG engines instead of the category defaults.
• Validated & normalized categories / engines — values are trimmed and matched case-insensitively against the connected instance's live /config, and canonical names are sent to SearXNG. Unknown values are rejected up front with the available options listed, fixing silent search degradation from miscased names.
• Configurable URL cache controls — CACHE_TTL_MS (default 24 h) and CACHE_MAX_ENTRIES (default 500).
• Bounded URL cache eviction — entries track hit counts and use LFU eviction with oldest-entry tie-breaking.
• searxng_suggestions tool — returns search autocomplete suggestions from the instance.
• searxng_instance_info tool — discovers instance capabilities (engines, categories, languages, safe-search).
• JSON response format — searxng_web_search accepts response_format ("text" | "json") for programmatic result processing.
• Search metadata in text output — answers, spelling corrections, infoboxes, and suggestions surface alongside ranked results.

🔧 Changed

• URL cache TTL default raised from 60 s to 24 h within a running server (entries still expire/evict).

🐛 Fixed

• Metadata (answers, corrections, infoboxes) is preserved in text output even when min_score filters out all web results.
• Unresponsive engines are no longer listed in text output.
• searxng_suggestions and searxng_instance_info now route through the configured search proxy and default TLS dispatcher.

🔒 Security

• Least-privilege Docker workflow permissions — security-events: write is isolated to a dedicated image-scan job in both the publish and rebuild workflows, with id-token: write confined to the publish/sign job and workflow-level permissions kept read-only.
• Patched bundled hono — pinned the transitive hono dependency to ≥ 4.12.25 (npm overrides) to resolve CVE-2026-54290 (CORS middleware origin reflection) in the published Docker image.

🏗️ Build / CI

• Added a CI workflow running lint plus unit and integration tests on every pull request and push to main.

Full Changelog: v1.4.0...v1.6.0

v1.5.0

Backfilled release — 1.5.0 was published to npm and Docker Hub on 2026-06-12 but the GitHub release was missed at the time.

✨ Added

• searxng_suggestions tool — returns search autocomplete suggestions from the SearXNG instance.
• searxng_instance_info tool — discovers the connected instance's capabilities (enabled engines, supported categories, available languages, safe-search settings).
• JSON response format — searxng_web_search accepts a response_format parameter ("text" | "json"); "json" returns raw structured data for programmatic processing.
• Search metadata in text output — searxng_web_search text responses now include answers, spelling corrections, infoboxes, and autocomplete suggestions when the instance returns them.

🐛 Fixed

• Metadata (answers, corrections, infoboxes) is preserved in text output even when min_score filters out all web results.
• Unresponsive engines are no longer listed in text output.
• searxng_suggestions and searxng_instance_info requests route through the configured search proxy and default TLS dispatcher.

Full Changelog: v1.4.0...v1.5.0

v1.4.0

Added

• Result count control: num_results parameter on searxng_web_search (1–20) lets callers request only as many results as they need. SEARXNG_MAX_RESULTS env var sets an operator-level hard cap that applies even when num_results is omitted — useful for reducing token spend across all callers.

• Token budget limits: SEARXNG_MAX_RESULT_CHARS env var truncates each search result snippet to a character limit (appending …) before returning. URL_READ_MAX_CHARS env var sets a default maxLength for URL reads when the caller omits it — both controls are recommended for local models with small context windows.

• HEAD preflight for URL reader: A fast HEAD request is made before every URL fetch to check Content-Length. If the server reports a size above URL_READ_MAX_CONTENT_LENGTH_BYTES (default 5 MB), the download is blocked and a descriptive message with readHeadings/section pagination hints is returned instead of downloading an unbounded body.

• categories parameter on searxng_web_search: Routes searches to specific SearXNG categories — general, news, images, videos, it, science, files, social media. Omitting the parameter uses the SearXNG instance default (general).

• Configurable search defaults: SEARXNG_DEFAULT_LANGUAGE and SEARXNG_DEFAULT_SAFESEARCH env vars set operator-level defaults for language and safe-search level. Per-call parameters still take precedence. Invalid SEARXNG_DEFAULT_SAFESEARCH values (not 0, 1, or 2) are logged and ignored.

• Configurable timeouts: SEARXNG_TIMEOUT_MS controls the search request timeout and FETCH_TIMEOUT_MS controls the URL reader fetch timeout (both default to 10000 ms).

• Lite tool schemas (SEARXNG_LITE_TOOLS=true): When set, registers minimal query-only and url-only tool schemas instead of the full parameter list. Reduces context overhead for local models with small context windows while still forwarding any extra arguments the caller provides.

Security

• Pinned the npm trusted publishing installer step in the publish workflow to a full commit SHA to guard against tag-swap supply-chain attacks.

Full Changelog: v1.3.4...v1.4.0

v1.3.4

Security

• Docker images are now signed with Cosign (keyless OIDC). Verify a published image with:

  cosign verify docker.io/isokoliuk/mcp-searxng:latest \
    --certificate-identity-regexp 'https://github.com/ihor-sokoliuk/mcp-searxng/.github/workflows/docker-publish.yml@.*' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com

• Expanded fuzz test coverage: search parameter handling and URL read arguments are now fuzz-tested on every CI run.
• Tightened GitHub Actions workflow permissions to least-privilege and switched to reproducible npm ci installs in the publish pipeline.

Full Changelog: v1.3.3...v1.3.4

v1.3.3

Fixed

• test:coverage script now enforces the coverage threshold mechanically.
• Gitignored AI process artifacts (plans, drafts) so they can never be committed.

Security

• Docker base image (node:lts-alpine) is now pinned by digest and bumped automatically via Dependabot.
• Added a weekly rebuild workflow: when upstream patches the base image, the published Docker image is rebuilt from the latest release tag, re-scanned with Trivy, and republished under the same version tags. Published images now embed the org.opencontainers.image.base.digest OCI label for auditability.

Full Changelog: v1.3.2...v1.3.3

v1.3.2

Fixed

• Expanded SearXNGWeb response interface to include all fields returned by the API.
• Search requests now use AbortController to enforce the configured timeout and prevent hanging.

Security

• Pinned all GitHub Actions workflow steps to full commit SHAs to guard against tag-swap supply-chain attacks.
• Added CodeQL static analysis, Trivy Docker image scanning, and ClusterFuzzLite continuous fuzzing.
• Added Dependabot for automated npm and GitHub Actions dependency updates.
• Verified mcp-publisher binary integrity with SHA-256 checksum before use.

Full Changelog: v1.3.1...v1.3.2

v1.3.1

Full Changelog: v1.3.0...v1.3.1

Hotfix of the lockfile bin parameter

v1.3.0

Full Changelog: v1.2.1...v1.3.0

Bug fixes

• Fixed server silently exiting when launched via npx, Claude Desktop, opencode, or mcpo (#91). Root cause: the isMainModule path comparison introduced in v1.2.0 fails when Node runs through an npm .bin/ symlink. Replaced the fragile detection with a dedicated src/cli.ts entrypoint — works on every Node version and invocation method.

Security

• HTTP server now binds to 127.0.0.1 by default instead of 0.0.0.0 — opt in to network-wide access with MCP_HTTP_HOST=0.0.0.0 (breaking for HTTP transport users)
• Rate limiting added to all HTTP routes: 20 req/min for new sessions, 300 req/min for existing sessions, 60 req/min on /health. Configurable via MCP_RATE_* env vars
• CI: docker-publish.yml now uses least-privilege GITHUB_TOKEN permissions