fix(deps): update module github.com/stacklok/toolhive to v0.8.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/stacklok/toolhive	v0.8.2 → v0.8.3

---

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.8.3

Compare Source

Unified Versioning

Starting with this release, all ToolHive components now share the same version number:

• CLI (thv)
• Container images
• Helm charts (toolhive-operator, toolhive-operator-crds)

The Helm charts now also reference container images with the same version tag, ensuring complete version alignment across the entire stack.

Why some versions appear to have "skipped"

You may notice that some components jumped version numbers:

Component	Previous Version	New Version
CLI	v0.8.2	v0.8.3
Container images	v0.8.2	v0.8.3
toolhive-operator chart	0.5.28	0.8.3
toolhive-operator-crds chart	0.0.106	0.8.3

This is expected. We unified all version numbers to simplify tracking and ensure consistency across the project. The actual changes in this release are patch-level—there are no breaking changes or major new features that would warrant the version jumps.

Benefits of unified versioning

• Simpler compatibility tracking: All components with the same version are guaranteed to work together
• Easier upgrades: No need to cross-reference compatibility matrices
• Clearer release communication: One version number for the entire release
• Chart and image alignment: Helm charts now deploy container images with matching version tags

Ref: #​1779

Future Simplification

We also have plans in the near future to remove the toolhive-operator-crds Chart in favour of a single toolhive-operator Chart. This is made possible by improvements in the CRD package and installation capabilities and allows us to simpify the experience for users by reducing the number of Charts they have to maintain their use of.

What's Changed

• Update anchore/sbom-action action to v0.22.1 by @​renovate[bot] in #​3465
• Update build and group commands logging strategy by @​eleftherias in #​3461
• Add configurable UserInfo field mapping and UserInfo support for authserver's OAuth provider by @​jhrozek in #​3466
• Integrate status reporting into vMCP runtime by @​yrobla in #​3457
• Update alpine Docker tag to v3.23.3 by @​renovate[bot] in #​3475
• Update registry from toolhive-registry release v2026.01.28 by @​github-actions[bot] in #​3473
• Remove unused docker image manager by @​eleftherias in #​3477
• Update anthropics/claude-code-action digest to 2817c54 by @​renovate[bot] in #​3476
• Update client commands logging strategy by @​eleftherias in #​3478
• Add PR size guidelines to prevent oversized PRs by @​dmjb in #​3482
• Add registry validation and structured errors by @​dmjb in #​3479
• Infrastructure improvements and bugfixes for vMCP by @​therealnb in #​3439
• E2E test case for discovery API by @​dmjb in #​3459
• Add CODEOWNERS by @​JAORMX in #​3483
• Update docker/login-action action to v3.7.0 by @​renovate[bot] in #​3484
• fix(vmcp): vmcp creates authz middleware by @​jerm-dro in #​3474
• Add authserver configuration with validation and auto-generation by @​jhrozek in #​3472
• Add headerForward to MCPRemoteProxy CRD by @​jhrozek in #​3458
• Update Go version to 1.25.6 to fix security vulnerabilities by @​ChrisJBurns in #​3490
• Update registry from toolhive-registry release v2026.01.28 by @​github-actions[bot] in #​3496
• Add deploying-vmcp-locally skill by @​jerm-dro in #​3494
• Update anthropics/claude-code-action digest to ff34ce0 by @​renovate[bot] in #​3498
• Add headerForward to workloads REST API by @​jhrozek in #​3495
• adds VERSION file ready for release process improvements by @​ChrisJBurns in #​3489
• Update module github.com/golang-jwt/jwt/v5 to v5.3.1 by @​renovate[bot] in #​3491
• Update actions/cache digest to cdf6c1f by @​renovate[bot] in #​3500
• Introduce service layer and improve API/CLI error handling by @​dmjb in #​3480
• Simplify controller and add E2E tests for status reporting by @​yrobla in #​3468
• Remove RedHat images by @​dmjb in #​3502
• Update swagger docs for registry API by @​dmjb in #​3503
• adds release action for creating release prs by @​ChrisJBurns in #​3505
• adds action that creates a release tag when release pr merged by @​ChrisJBurns in #​3506
• Remove unused message field from registry api by @​eleftherias in #​3507
• Improves Helm Chart workflows on PR / main runs by @​ChrisJBurns in #​3508
• Update config and secrets CLI logging by @​eleftherias in #​3509
• Replace string matching with JSON parsing in isRemoteWorkload - issue - 2941 by @​deepika1214 in #​2968
• Remove remaining references to UBI builds by @​dmjb in #​3510
• fix(vmcp) - template validation with functions by @​jerm-dro in #​3492
• Add unified Helm chart publishing to release workflow by @​ChrisJBurns in #​3511
• aligns versions of images to latest toolhive release by @​ChrisJBurns in #​3519
• Release v0.8.3 by @​stacklokbot in #​3522

New Contributors

• @​stacklokbot made their first contribution in #​3522

Full Changelog: stacklok/toolhive@v0.8.2...v0.8.3

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.5 -> 1.25.6
github.com/golang-jwt/jwt/v5	v5.3.0 -> v5.3.1

[github-actions]

🔒 MCP Security Scan Results

✅ adb-mysql-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ agentql-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ arxiv-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ astra-db-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ aws-diagram

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ aws-documentation

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ blender-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ brightdata-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ browserbase-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ chroma-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ chrome-devtools-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ context7

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ graphlit-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ heroku-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ ida-pro-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ launchdarkly-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ magic-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ mcp-clickhouse

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ mcp-jetbrains

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ mcp-neo4j-aura-manager

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ mcp-neo4j-cypher

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ mcp-neo4j-memory

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ mcp-server-box

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ mcp-server-circleci

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ mcp-server-neon

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ netbird

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ notion

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ onchain-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ pagerduty-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ phoenix-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ playwright-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ sentry-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ supabase-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ tavily-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

---

Summary: Scanned 34 MCP server(s), all passed security checks. ✅