Merge branch 'main' into 4geru/generate-rich-menu

Author: 4geru

.github/scripts/npm-audit.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+dirs=()
+while IFS= read -r path; do
+  dirs+=("$(dirname "$path")")
+done < <(
+  find . \( -path '*/node_modules' -o -path '*/dist' \) -prune -o \
+       \( -name package.json -o -name package-lock.json \) -print
+)
+
+IFS=$'\n' dirs=($(printf '%s\n' "${dirs[@]}" | sort -u)); unset IFS
+
+declare -a failed=()
+
+for dir in "${dirs[@]}"; do
+  printf '\n\n\033[1;34m==> %s\033[0m\n' "$dir"
+
+  pushd "$dir" >/dev/null
+  if ! npm audit --audit-level moderate; then
+    failed+=("$dir")
+  fi
+  popd >/dev/null
+done
+
+if ((${#failed[@]})); then
+  echo -e "\n\033[0;31mnpm audit reported vulnerabilities in:\033[0m"
+  printf '  - %s\n' "${failed[@]}"
+  echo "You can run 'npm audit fix' in these directories to resolve the issues."
+  echo "If running 'npm audit fix' does not resolve the issues, you may need to manually update dependencies."
+  exit 1
+else
+  echo "npm audit passed: no vulnerabilities detected"
+  exit 0
+fi

.github/workflows/check-eol-newrelease.yml

@@ -15,10 +15,10 @@ jobs:
     if: github.repository == 'line/line-bot-mcp-server'
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Run EoL & NewRelease check
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const checkEolAndNewReleases = require('.github/scripts/check-eol-newrelease.cjs');

.github/workflows/close-issue.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
     if: github.repository == 'line/line-bot-mcp-server'
     steps:
-      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
         with:
           days-before-issue-stale: 28 # 4 weeks
           days-before-issue-close: 0

.github/workflows/create-draft-release.yml

@@ -45,10 +45,10 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Fetch Latest Release
         id: get-latest-release
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const latestRelease = await github.rest.repos.getLatestRelease({
@@ -64,7 +64,7 @@ jobs:
 
       - name: Calculate New Version
         id: calculate-version
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const latestTag = '${{ steps.get-latest-release.outputs.latest_tag }}';
@@ -85,7 +85,7 @@ jobs:
 
       - name: Generate Release Notes
         id: generate-release-notes
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { data: releaseNotes } = await github.rest.repos.generateReleaseNotes({

.github/workflows/label-issue.yml

@@ -13,7 +13,7 @@ jobs:
     permissions:
       issues: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Add label on issue open
         if: github.event.action == 'opened' || github.event.action == 'reopened'

.github/workflows/npm-audit.yml

@@ -0,0 +1,69 @@
+name: "Reminder for 'run npm audit'"
+
+on:
+  schedule:
+    - cron: '0 22 * * *'
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  run-npm-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    if: github.repository == 'line/line-bot-mcp-server'
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '24'
+          # Enable this when setup-node v5 is released
+          # package-manager-cache: false
+
+      - name: Run npm audit and check diff
+        id: audit
+        run: .github/scripts/npm-audit.sh
+        continue-on-error: true
+
+      - name: Create or update reminder issue
+        if: steps.audit.outcome == 'failure'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          TZ: 'Asia/Tokyo'
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const title = 'Reminder: run npm audit';
+            const securityURL = `https://github.com/${owner}/${repo}/security`;
+            const baseBody = [
+              'Fix all vulnerabilities. You can check with `.github/scripts/npm-audit.sh` locally, then send a PR with the fixes.',
+              `After fixing, make sure the vulnerabilities count in **${securityURL}** is **0**.`
+            ].join('\n\n');
+
+            const { data: result } = await github.rest.search.issuesAndPullRequests({
+              q: `repo:${owner}/${repo} is:issue is:open in:title "${title}"`
+            });
+
+            const today = new Date();
+
+            if (result.total_count === 0) {
+              await github.rest.issues.create({
+                owner,
+                repo,
+                title,
+                body: `${baseBody}\n\n0 days have passed.`
+              });
+            } else {
+              const issue = result.items[0];
+              const created = new Date(issue.created_at);
+              const diffDays = Math.floor((today - created) / 86_400_000);
+              await github.rest.issues.update({
+                owner,
+                repo,
+                issue_number: issue.number,
+                body: `${baseBody}\n\n${diffDays} days have passed.`
+              });
+            }

.github/workflows/release.yml

@@ -16,12 +16,14 @@ jobs:
       id-token: write
       issues: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       # Setup .npmrc file to publish to GitHub Packages
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 24
           registry-url: 'https://registry.npmjs.org'
+          # Enable this when setup-node v5 is released, and release is broken
+          # package-manager-cache: false
       - run: npm install
       - name: Update version in package.json, package-lock.json
         run: |
@@ -34,12 +36,10 @@ jobs:
           echo "VERSION=$VERSION" >> $GITHUB_ENV
           node .github/scripts/update-version.mjs $VERSION
       - run: npm run release
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create GitHub Issue on Failure
         if: failure()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/test.yml

@@ -23,14 +23,16 @@ jobs:
     name: Node.js ${{ matrix.node }}
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true
       - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: ${{ matrix.node }}
           cache: 'npm'
+          # Enable this when setup-node v5 is released, and release is broken
+          # package-manager-cache: false
       - name: Install Dependency
         run: npm ci
       - name: Build
@@ -45,7 +47,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run pinact
         uses: suzuki-shunsuke/pinact-action@49cbd6acd0dbab6a6be2585d1dbdaa43b4410133 # v1.0.0
         with:

CONTRIBUTING.md

@@ -30,6 +30,7 @@ The project structure is as follows:
 To add a new Tool, you can create a new file under `src/tools/` and
 implement the Tool in that file. The Tool should extend `AbstractTool`
 and should be registered in `src/index.ts`.
+Please remember to add the description of the tool to both README.md and README.ja.md.
 
 ### Run all CI tasks in your local
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22.16-alpine AS builder
+FROM node:22.19-alpine AS builder
 
 COPY . /app