chore(release): v0.1.9 — security and dependency updates

Closes 6 GitHub Dependabot security alerts and 8 dependency PRs.

Security
- Bump vite to 8.0.6 in root and dashboard (resolves GHSA-v2wj-q39q-566r,
  GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9 — all dev-server-only)
- Bump recharts 2.15.4 → 3.8.1 in dashboard, eliminating lodash from the
  shipped bundle (resolves GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh).
  Bundle size dropped 47KB (655KB → 608KB).

Dependencies
- @modelcontextprotocol/sdk 1.28.0 → 1.29.0
- express-rate-limit 8.3.1 → 8.3.2
- react-router-dom 7.13.2 → 7.14.0 (dashboard)
- eslint 10.1.0 → 10.2.0, @typescript-eslint/* 8.57.2 → 8.58.0 (dev)
- @types/node 25.5.0 → 25.5.2 (dev)

Fixed
- EvalTrendChart Tooltip formatter type updated for recharts 3.x

Verification
- Root: 18 test files, 120 tests passing, 0 vulnerabilities
- Dashboard: build succeeds, 0 vulnerabilities
- Website: build succeeds, 0 vulnerabilities
- All version-carrying files synced to 0.1.9

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: irparent

CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.9] - 2026-04-07
+
+### Security
+- **Vite dev server vulnerabilities** — bumped vite to 8.0.6 across root and dashboard, resolving 6 GitHub Dependabot alerts:
+  - GHSA-v2wj-q39q-566r: `server.fs.deny` bypassed with queries (high)
+  - GHSA-p9ff-h696-f583: arbitrary file read via Vite Dev Server WebSocket (high)
+  - GHSA-4w7w-66w2-5vf9: path traversal in optimized deps `.map` handling (moderate)
+  - All three are dev-server-only (no impact on shipped artifacts), but worth eliminating
+- **Lodash removal from dashboard bundle** — bumped recharts 2.15.4 → 3.8.1, which drops the lodash dependency in favor of `es-toolkit`. Eliminates GHSA-r5fr-rjxr-66jc (`_.template` code injection) and GHSA-f23m-r3pf-42rh (prototype pollution) from the published dashboard. Bundle size dropped 47 KB (655 KB → 608 KB).
+
+### Changed
+- Bumped `@modelcontextprotocol/sdk` 1.28.0 → 1.29.0 (typings exports, ResourceSchema size field, `windowsHide` on Windows, capability extensions)
+- Bumped `express-rate-limit` 8.3.1 → 8.3.2
+- Bumped `react-router-dom` 7.13.2 → 7.14.0 (dashboard)
+- Bumped dev dependencies: `eslint` 10.1.0 → 10.2.0, `@typescript-eslint/*` 8.57.2 → 8.58.0, `@types/node` 25.5.0 → 25.5.2
+
+### Fixed
+- Recharts 3.x type compatibility: `EvalTrendChart` Tooltip formatter signature updated to match the new generic `Formatter<ValueType, NameType>` shape
+
 ## [0.1.8] - 2026-03-25
 
 ### Fixed

dashboard/package-lock.json

@@ -11,14 +11,14 @@
   "dependencies": {
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
-    "react-router-dom": "^7.13.2",
-    "recharts": "^2.15.0"
+    "react-router-dom": "^7.14.0",
+    "recharts": "^3.8.1"
   },
   "devDependencies": {
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
     "@vitejs/plugin-react": "^6.0.1",
     "typescript": "^6.0.2",
-    "vite": "^8.0.3"
+    "vite": "^8.0.6"
   }
 }

dashboard/package.json

@@ -105,7 +105,7 @@ export function EvalTrendChart({ data, period, onPeriodChange }: Props) {
               color: '#fafafa',
               fontSize: '13px',
             }}
-            formatter={(value: number, name: string) => [
+            formatter={(value, name) => [
               `${value}%`,
               name === 'scorePercent' ? 'Avg Score' : 'Pass Rate',
             ]}

dashboard/src/components/dashboard/EvalTrendChart.tsx

@@ -1,6 +1,6 @@
 {
   "name": "@iris-eval/mcp-server",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "The agent eval standard for MCP. Score every agent output for quality, safety, and cost.",
   "mcpName": "io.github.iris-eval/mcp-server",
   "type": "module",
@@ -67,10 +67,10 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.0",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "better-sqlite3": "^12.8.0",
     "express": "^5.1.0",
-    "express-rate-limit": "^8.3.1",
+    "express-rate-limit": "^8.3.2",
     "helmet": "^8.1.0",
     "pino": "^10.3.1",
     "safe-regex2": "^5.1.0",
@@ -79,11 +79,11 @@
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.0",
     "@types/express": "^5.0.0",
-    "@types/node": "^25.5.0",
-    "@typescript-eslint/eslint-plugin": "^8.57.1",
-    "@typescript-eslint/parser": "^8.57.0",
+    "@types/node": "^25.5.2",
+    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@typescript-eslint/parser": "^8.58.0",
     "@vitest/coverage-v8": "^4.1.1",
-    "eslint": "^10.1.0",
+    "eslint": "^10.2.0",
     "prettier": "^3.0.0",
     "tsx": "^4.0.0",
     "typescript": "^5.7.0",

package-lock.json

@@ -6,12 +6,12 @@
     "url": "https://github.com/iris-eval/mcp-server",
     "source": "github"
   },
-  "version": "0.1.8",
+  "version": "0.1.9",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@iris-eval/mcp-server",
-      "version": "0.1.8",
+      "version": "0.1.9",
       "transport": {
         "type": "stdio"
       },

package.json

@@ -4,7 +4,7 @@
   "homepage": "https://iris-eval.com",
   "repository": "https://github.com/iris-eval/mcp-server",
   "npm": "@iris-eval/mcp-server",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "license": "MIT",
   "transport": [
     "stdio",