Release files (2026-04-23):

  • 7.5.0 source code.tar.gz (33.2 MB)
  • 7.5.0 source code.zip (33.3 MB)
  • README.md (7.4 kB)

DreamFactory v7.5.0

DreamFactory v7.5.0 delivers the platform-wide 2026-04 security hardening pass (auth bypass, SQL injection, SSRF, unsafe deserialization, and timing-attack fixes across most packages). It introduces GitHub as a first-class MCP utility service, adds a custom-tool lookup picker and an unsaved-changes save guard to the admin UI, switches the MCP server from SSE streams to JSON responses with stale-stream eviction to prevent PHP worker lockups, and ships a new Jest + Playwright CI test harness for the admin interface.

New Features

GitHub MCP Utility Service

  • New DreamFactory utility-service integration for GitHub — custom MCP tooling can call GitHub as a first-class service so AI agents reach repositories, issues, and pull requests without custom auth plumbing
  • Admin UI elements for configuring the GitHub integration end-to-end

Custom MCP Tool Lookup Picker

  • Added a lookup picker for custom MCP tools — admins can insert DreamFactory lookup values into custom-tool configuration through the UI instead of hand-typing keys
  • Inline JSON/JS lint-error display for custom tool bodies, with error notifications on static-header JSON

Unsaved-Changes Guard for MCP Custom Tools

  • Added a save guard that detects unsaved custom-tool changes when saving an MCP service and surfaces a contextual popup with persist/discard options (replaces the previous silent-drop behavior)
  • Fixed a related issue where custom tools were not persisted on first service creation or on re-save without IDs

MCP OAuth Direct Redirect Workflow

  • MCP services can now declare an OAuth service for direct redirect — the MCP client is sent straight through the OAuth flow, skipping the DreamFactory UI login and removing a step from the desktop MCP connect experience

Security

Authentication & Authorization

  • df-core: Fixed an auth bypass, widened the OAuth filter blocklist, and removed token logging; reverted an earlier change that had narrowed OAuth method coverage, so all methods are protected again
  • df-core: Replaced rand() with random_int() in generateConfirmationCode()
  • df-core: Added /auth/ prefix to password-reset and email-invite URLs so they route through the authenticated handler
  • df-system: Removed the admin flag from password-reset email URLs
  • df-script: Replaced uniqid() with random_bytes(32) for script auth tokens
  • df-oauth: Fixed unsafe deserialization, a timing-attack vector, an open-redirect, and a name-field bug
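As an added example (not df-core's, df-script's or df-oauth's actual code), the following PHP shows the generation and verification pattern these items describe together: random_int() instead of rand() for confirmation codes, random_bytes() instead of uniqid() for script tokens, hashed storage compared with hash_equals() against the timing-attack class, and JSON instead of unserialize() for round-tripped state. All function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not DreamFactory's own code: secure confirmation codes and
// script tokens, hashed storage, constant-time verification, and safe state
// decoding. Function names are hypothetical.

// Patterns the release replaces. rand() is not a CSPRNG and uniqid() is a
// clock reading, so an attacker who can request codes at about the same
// time can predict both.
function generateConfirmationCodeWeak(): string
{
    return str_pad((string) rand(0, 999999), 6, '0', STR_PAD_LEFT);
}

function scriptAuthTokenWeak(): string
{
    return uniqid('', true);
}

// Replacements: random_int() and random_bytes() read the OS CSPRNG and throw
// instead of degrading when no secure source is available.
function generateConfirmationCode(int $digits = 6): string
{
    $max = (10 ** $digits) - 1;
    return str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
}

function scriptAuthToken(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex characters
}

// Store only a SHA-256 of the token (a plain hash is enough for a 256-bit
// random value) so a database dump does not yield live credentials, and
// compare with hash_equals() so response time does not reveal how many
// leading bytes matched.
function tokenFingerprint(string $token): string
{
    return hash('sha256', $token);
}

function verifyToken(string $presented, string $storedFingerprint): bool
{
    return hash_equals($storedFingerprint, tokenFingerprint($presented));
}

// OAuth state blobs and similar round-tripped data: never unserialize()
// attacker-reachable input (PHP object injection); carry it as JSON.
function decodeState(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Usage
$code   = generateConfirmationCode();
$token  = scriptAuthToken();
$stored = tokenFingerprint($token);
var_dump(strlen($code) === 6 && ctype_digit($code));
var_dump(verifyToken($token, $stored));
var_dump(verifyToken(str_repeat('0', 64), $stored));
var_dump(decodeState('{"provider":"github","nonce":"abc"}'));
```

The first two var_dump() calls are true and the third false; the weak variants are kept only for contrast and are never called. Note that hash_equals() still reveals a length mismatch, which is harmless here because every fingerprint is 64 hex characters.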

SQL Injection Hardening

  • df-sqldb: Fixed SQL injection in MySQL INOUT stored-procedure parameters (regression test added)
  • df-sqldb: Fixed SQL injection in ORDER BY, GROUP BY, filter, and expression handling; widened expression/filter checks from allowlist to blocklist
  • df-database: db_function template value substitution now uses quoteValue() to prevent injection via template expansion
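An added example (not df-sqldb's or df-database's code) showing why ORDER BY/GROUP BY and template expansion need different treatment from filter values. Identifiers cannot be bound as parameters, so the hardened path checks them against the table's real column list, which is an allowlist and therefore stricter than the blocklist these notes describe (worth keeping in mind when reviewing the blocklist); filter values are bound; and a db_function-style template is expanded through PDO::quote(). It runs against an in-memory SQLite table. The todo table, its columns and the helper names are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not DreamFactory's own code. Contrasts string interpolation
// with validated identifiers plus bound values; the table and helper names
// are hypothetical.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE todo (id INTEGER PRIMARY KEY, title TEXT, owner TEXT, done INTEGER)');
$pdo->exec("INSERT INTO todo (title, owner, done) VALUES ('a', 'alice', 0), ('b', 'bob', 1), ('c', 'alice', 1)");

// VULNERABLE: filter value and ORDER BY are concatenated straight in.
function listTodosVulnerable(PDO $pdo, string $owner, string $orderBy): array
{
    $sql = "SELECT id, title FROM todo WHERE owner = '$owner' ORDER BY $orderBy";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The table name is a constant here; it must never come from the request.
// PRAGMA table_info is SQLite-specific, other drivers use information_schema.
function tableColumns(PDO $pdo, string $table): array
{
    $cols = [];
    foreach ($pdo->query("PRAGMA table_info($table)") as $row) {
        $cols[] = $row['name'];
    }
    return $cols;
}

// Each term must be a known column optionally followed by ASC/DESC; anything
// else (stacked statements, functions, subqueries) is rejected.
function safeOrderBy(array $allowedColumns, string $orderBy): string
{
    $parts = [];
    foreach (explode(',', $orderBy) as $term) {
        $pieces = preg_split('/\s+/', trim($term));
        $col = $pieces[0] ?? '';
        $dir = strtoupper($pieces[1] ?? 'ASC');
        if (count($pieces) > 2 || !in_array($col, $allowedColumns, true) || !in_array($dir, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException("Invalid ORDER BY term: $term");
        }
        $parts[] = "\"$col\" $dir";
    }
    return implode(', ', $parts);
}

// db_function-style template such as "UPPER({owner})": every {name} becomes a
// driver-quoted literal instead of raw text.
function expandDbFunctionTemplate(PDO $pdo, string $template, array $values): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($pdo, $values) {
        if (!array_key_exists($m[1], $values)) {
            throw new InvalidArgumentException("Unknown template value {$m[1]}");
        }
        return $pdo->quote((string) $values[$m[1]]);
    }, $template);
}

// HARDENED: validated identifier, bound value.
function listTodosHardened(PDO $pdo, string $owner, string $orderBy): array
{
    $order = safeOrderBy(tableColumns($pdo, 'todo'), $orderBy);
    $stmt = $pdo->prepare("SELECT id, title FROM todo WHERE owner = :owner ORDER BY $order");
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with a constructed injection payload.
$inject = "x' OR '1'='1";
echo count(listTodosVulnerable($pdo, $inject, 'id')), " rows via vulnerable path\n";
echo count(listTodosHardened($pdo, $inject, 'id')), " rows via hardened path\n";
echo expandDbFunctionTemplate($pdo, 'UPPER({owner})', ['owner' => "bob'--"]), "\n";
try {
    listTodosHardened($pdo, 'alice', 'id; DROP TABLE todo');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The injected filter widens the vulnerable query to every row, while the hardened query treats it as a literal owner name and matches nothing; the template expands the quote-bearing value as an escaped literal; and the stacked statement in ORDER BY is rejected before it reaches the database.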

SSRF & Request Integrity

  • df-system: Added SSRF validation to import_url endpoints on Package, Import, and App resources
  • df-mcp-server: Fixed host-header injection, OAuth-redirect issues, and session leaks; CORS posture re-widened explicitly for MCP's inherently-external clients after being tightened in the scan
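An added example (not df-system's implementation) of the SSRF validation an import_url endpoint needs before fetching a user-supplied URL. It rejects non-http(s) schemes, credentials in the URL, and any hostname that resolves to a loopback, private, link-local, CGNAT or IPv4-mapped address, and returns the address the fetch should be pinned to. The function names and the offline stub resolver are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not DreamFactory's own code. Function names and the stub
// resolver are hypothetical.

// True when the address is one the server must never fetch: loopback,
// RFC 1918, link-local (including the 169.254.169.254 cloud-metadata
// address), 0/8, 240/4, CGNAT, fc00::/7, fe80::/10, or not an address at all.
function isInternalIp(string $ip): bool
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return true;
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged as the embedded IPv4 address.
    if (strlen($bin) === 16 && substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        return isInternalIp(inet_ntop(substr($bin, 12)));
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return true;
    }
    // CGNAT 100.64.0.0/10 is in neither flag's set, so check it by hand.
    if (strlen($bin) === 4 && (ip2long($ip) & 0xFFC00000) === ip2long('100.64.0.0')) {
        return true;
    }
    return false;
}

// Validates the URL and returns the IP the fetch must be pinned to. Every
// address the name resolves to is checked, so a name with one public and one
// internal record fails instead of depending on resolver order.
function validateImportUrl(string $url, callable $resolve): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException("Malformed URL: $url");
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException("Scheme not allowed: {$parts['scheme']}"); // no file://, gopher://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in import URLs are not allowed');
    }
    $host = trim($parts['host'], '[]');
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        throw new InvalidArgumentException("Host does not resolve: $host");
    }
    foreach ($ips as $ip) {
        if (isInternalIp($ip)) {
            throw new InvalidArgumentException("Host $host maps to a non-public address ($ip)");
        }
    }
    return $ips[0];
}

// Usage with a constructed resolver (no network). In production pass
// gethostbynamel()/dns_get_record(), then pin the fetch to the returned
// address with CURLOPT_RESOLVE and leave CURLOPT_FOLLOWLOCATION off (or
// re-validate every hop); otherwise DNS rebinding or a 302 to
// http://169.254.169.254/ bypasses this check.
$stub = fn (string $host): array => [
    'packages.example.test' => ['203.0.113.10'],
    'rebind.example.test'   => ['203.0.113.10', '10.0.0.5'],
][$host] ?? [];

foreach ([
    'https://packages.example.test/pkg.zip',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::ffff:127.0.0.1]/',
    'file:///etc/passwd',
    'http://rebind.example.test/pkg.zip',
    'https://user:pw@packages.example.test/pkg.zip',
] as $url) {
    try {
        echo "allow  $url -> ", validateImportUrl($url, $stub), "\n";
    } catch (InvalidArgumentException $e) {
        echo "reject $url: ", $e->getMessage(), "\n";
    }
}
```

Only the first URL is allowed; the metadata address, the IPv4-mapped loopback literal, the file:// scheme, the name with a mixed public/private answer, and the URL carrying credentials are each rejected with the reason shown.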

Admin UI

  • df-admin-interface: Added a same-origin check to handleRedirectIfPresent
  • df-admin-interface: Updated npm dependencies to eliminate critical CVEs surfaced by the scan
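An added example (not df-oauth's, df-mcp-server's or the admin interface's code) of the two checks these items describe, written server-side in PHP: the application origin is taken from configuration rather than the client-supplied Host header, and a post-login redirect target is accepted only when it is a root-relative path or an absolute URL on that origin. The same rule is what a browser-side handleRedirectIfPresent check needs to apply against window.location.origin. Configuration keys and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not DreamFactory's own code: canonical origin from config
// (never from the Host header) and same-origin redirect validation.
// Config keys and function names are hypothetical.

// A reverse proxy forwards whatever Host the client sent, so absolute URLs
// built from $_SERVER['HTTP_HOST'] can point anywhere. Compare against the
// configured host list and fall back to the canonical one on mismatch.
function appOrigin(array $config, array $server): string
{
    $allowed = $config['allowed_hosts'];
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowed, true)) {
        $host = $allowed[0];
    }
    return 'https://' . $host;
}

// Accept a root-relative path or an absolute URL on $origin; anything else,
// including protocol-relative "//evil", "javascript:" pseudo-URLs, user-info
// tricks ("https://good@evil") and backslashes browsers rewrite as slashes,
// goes to the fallback.
function safeRedirectTarget(?string $target, string $origin, string $fallback = '/'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }
    if (str_contains($target, '\\') || preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return $fallback;
    }
    if (str_starts_with($target, '/') && !str_starts_with($target, '//')) {
        return $target;
    }
    $t = parse_url($target);
    $o = parse_url($origin);
    if ($t === false || $o === false || empty($t['scheme']) || empty($t['host'])) {
        return $fallback;
    }
    $same = strtolower($t['scheme']) === strtolower($o['scheme'])
        && strtolower($t['host']) === strtolower($o['host'])
        && ($t['port'] ?? null) === ($o['port'] ?? null)
        && !isset($t['user']) && !isset($t['pass']);
    return $same ? $target : $fallback;
}

// Usage: the Host header is attacker-controlled, the configured host wins.
$origin = appOrigin(['allowed_hosts' => ['api.example.test']], ['HTTP_HOST' => 'evil.test']);
echo "origin: $origin\n";

// Constructed inputs paired with the decision each should produce.
$cases = [
    '/dashboard'                          => '/dashboard',
    'https://api.example.test/apps'       => 'https://api.example.test/apps',
    'https://API.example.test/apps'       => 'https://API.example.test/apps',
    '//evil.test/phish'                   => '/',
    'https://evil.test/'                  => '/',
    'https://api.example.test@evil.test/' => '/',
    'https://api.example.test.evil.test/' => '/',
    'javascript:alert(1)'                 => '/',
    '/\\evil.test'                        => '/',
    ''                                    => '/',
];
foreach ($cases as $in => $expected) {
    $out = safeRedirectTarget($in, $origin);
    printf("%-38s -> %-32s %s\n", $in, $out, $out === $expected ? 'ok' : 'MISMATCH');
}
```

Every case prints "ok": the origin resolves to the configured host despite the forged Host header, and only the root-relative path and the two same-origin absolute URLs pass through unchanged.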

MCP Server

Transport & Stability

  • Switched MCP responses from SSE streams to JSON, with guards around remaining SSE streams to prevent PHP worker lockups when multiple MCP session connections arrive concurrently
  • Stale-SSE-stream eviction on reconnect — resolves 409 errors clients previously saw when reconnecting to an MCP session

Custom Tools

  • Fixed order-of-operations for custom-tool role checks against services — role rules now evaluate consistently with other service-level authorization
  • Custom tools persist correctly on first service creation and on re-save without IDs

Admin UI

Event Scripts

  • Script Type dropdown now populates for services whose names contain underscores
  • Fixed scriptMethod wiring and added fallback behavior when the method name is empty
  • Event-script services are fetched lazily on open (events on service selection), cutting initial page load on large instances
  • /system/event responses exempted from the snake→camelCase interceptor so event identifiers are returned raw

Editor & Loading States

  • Permitted top-level await in the Ace JavaScript lint worker under module:true
  • Fixed a stuck loading spinner that could persist after rapid concurrent requests

SQL Databases

  • df-sqldb: Fixed a regression where null values in additional SQL init statements caused service errors at startup
  • Blocklist-based filter/expression validation (from the security hardening above) now applies uniformly across all SQL connectors

Performance

  • df-system: Added a services_only fast path to the system/event resource, avoiding a full event walk when callers only need the service enumeration
  • df-admin-interface: Deferred event-script fetching until the user opens the section, with a secondary fetch on service selection

Testing & CI

  • df-admin-interface: Jest wired into CI with regression specs covering the 2026-04 fixes
  • df-admin-interface: Playwright scaffold with smoke specs and a dedicated CI workflow, scoped to manual/nightly to keep PR CI fast
  • df-admin-interface: UI automation affordances added and a discovery spec reporting navigation automation limits
  • df-admin-interface: Dropped the pre-existing lint gate from default CI (lint still runs, just non-blocking)
  • Test-suite hardening across packages: df-sqldb (PHPUnit 9 compatibility, driver/host config, reliable cleanup), df-database (void return type on tearDown()), df-system (explicit admin auth, order-independent assertions, stronger fixture passwords), and df-user (fixture passwords updated for the stronger strength policy)

Upgrade Notes

  • Security fixes are cumulative; upgrading is recommended for all deployments. The 2026-04 security scan covers auth bypass, SQL injection, SSRF, unsafe deserialization, and timing-attack vectors across multiple packages.
  • Password-reset / invite URLs now include an /auth/ prefix. Update any external tooling that parses or constructs DreamFactory reset URLs.
  • MCP transport: The MCP server now returns JSON instead of SSE for most flows. Compliant MCP clients require no changes — the switch is server-side and transparent.
  • MCP custom tool persistence: Tools that previously appeared to be "lost" on service creation in 7.4.x will now persist correctly; re-verify any that were affected.
  • Password strength policy: the df-user fixture-password hardening reflects a stronger strength policy. Deployments relying on weak programmatic passwords (e.g., old CI fixtures or seeded test accounts) may need to update them.
  • Platform baseline is unchanged from 7.4.x (PHP 8.3 / Laravel 11). No host-level upgrade is required.
  • Standard upgrade process applies for all other changes.

Full Changelog: https://github.com/dreamfactorysoftware/dreamfactory/compare/7.4.5...7.5.0

Source: README.md, updated 2026-04-23