Bump @upstash/context7-mcp from 2.2.4 to 3.2.1

[dependabot]

Bumps @upstash/context7-mcp from 2.2.4 to 3.2.1.

Changelog

Sourced from @​upstash/context7-mcp's changelog.

3.2.1

Patch Changes

• 8123b51: Restore Node 18 support by pinning undici to ^6.26.0 and commander to ^13.1.0, which dropped the Node 20+ engine requirements that caused a "File is not defined" crash on startup.

3.2.0

Minor Changes

• c921c8b: Replace the in-result sign-in nudge with an MCP form elicitation. When the backend signals (via X-Context7-Auth-Prompt: 1) that an anonymous client has crossed the per-IP threshold, the MCP server now fires an elicitation/create request instead of appending instructions into the tool result.
  • Surfaces the npx ctx7 setup --<client> --mcp[ --stdio] -y command in a client-rendered dialog rather than as model-visible text. The previous text-injection approach was treated as untrusted instruction content by some agents; elicitations are delivered out-of-band to the user so they bypass that path entirely.
  • Gated on the client advertising the elicitation capability — clients without it see no nudge, which is a safe no-op.
  • Presents a two-option radio: "I'll run the command to sign in" or "Continue anonymously with smaller limits".
  • The server holds no suppression state: the backend emits the header at most once per MCP session, so the dialog is shown whenever the header is present. Frequency is owned entirely by the backend.
  • Fire-and-forget: the elicitation does not block or alter the surrounding tool response.

Patch Changes

• cb6aee1: Bump runtime dependencies: @modelcontextprotocol/sdk 1.25 -> 1.29, undici 6 -> 7, and zod 4.3 -> 4.4.
• fcdc36e: Advertise empty prompts and resources capabilities with no-op prompts/list, resources/list, and resources/templates/list handlers. Some MCP clients (e.g. opencode) call these unconditionally and treat -32601 Method not found as a fatal connection error rather than honoring the negotiated capabilities, which previously prevented the server from loading.

3.1.0

Minor Changes

• 1fb2d42: Add multi-tenant Microsoft Entra ID validation for MCP tokens. The server now detects inbound Entra v2 tokens by issuer pattern, fetches per-teamspace configuration (tenantId, audience, requiredScope) from the Context7 app, and verifies the token against the matching tenant's JWKS, enforcing the required scope claim when configured. User resolution happens downstream in the Context7 app against a pre-provisioned user mapping table — the MCP server only validates. Per-tenant JWKS cache and a 5-minute in-memory config cache keyed by JWT audience reduce overhead under load.

3.0.0

Major Changes

• af6a7b5: Convert the stateless MCP implementation to a stateful one using Redis for session management.

Patch Changes

• 3d73145: Reduce Redis writes on refresh by checking the remaining TTL first and only issuing EXPIRE when the session is within one day of expiry.

2.3.0

Minor Changes

• 34fda7d: Prompt anonymous users to sign in. After the backend signals (via the X-Context7-Auth-Prompt: 1 response header on /v2/libs/search or /v2/context) that an anonymous client has crossed the per-IP threshold, the MCP server appends a one-time sign-in invitation to the tool result.
  • Both stdio and HTTP transports surface the same nudge: a tool-result notice asking the assistant to run npx ctx7 setup --<client> --mcp -y (with --stdio appended when the MCP server is running on stdio) after explicit user confirmation. The CLI handles OAuth and writes credentials into the MCP client's config; the user restarts their MCP server / editor to pick up the new credentials.
  • Detects the calling client from X-Context7-Client-IDE / User-Agent and selects the matching CLI flag (--cursor, --claude, --codex, --opencode, --gemini); falls back to interactive setup when unknown.
  • HTTP transport remains stateless — the threshold is tracked by the backend (per-IP, 24h TTL), the MCP server only reacts to the signal.

2.2.5

Patch Changes

... (truncated)

Commits

• dec6cf3 chore(release): version packages (#2763)
• 8123b51 fix: restore Node 18 support for context7 mcp (#2762)
• 0c53c6f chore(release): version packages (#2731)
• c921c8b feat(mcp): switch anonymous sign-in nudge to elicitation (#2716)
• 43e4106 docs: document Docker MCP Toolkit stdio transport (#2734)
• cb6aee1 chore(deps): combined dependabot dependency updates (#2737)
• dbc4c78 fix: update references from Windsurf to Devin Desktop in documentation and te...
• fcdc36e fix(mcp): add no-op prompts/list and resources/list handlers (#2534)
• 801e112 chore(release): version packages (#2698)
• 1fb2d42 feat(mcp): multi-tenant Entra ID validation (#2629)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)