fix(security): pin MCP server versions, add dependabot, pin github-script SHA

Critical: - Pin all npx -y MCP server packages to specific versions in .mcp.json to prevent supply chain attacks via version hijacking: - @modelcontextprotocol/server-github@2025.4.8 - @modelcontextprotocol/server-memory@2026.1.26 - @modelcontextprotocol/server-sequential-thinking@2025.12.18 - @playwright/mcp@0.0.69 (was 0.0.68) Medium: - Add .github/dependabot.yml for weekly npm + github-actions updates with grouped minor/patch PRs - Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
2026-04-08 10:23:30 +08:00 · 2026-03-31 02:34:57 -07:00
parent df76bdfb51
commit 29102901fa
3 changed files with 26 additions and 5 deletions
--- a/.mcp.json
+++ b/.mcp.json
@@ -2,7 +2,7 @@
  "mcpServers": {
    "github": {
      "command": "npx",
-      "args": ["-y", "@modelcontextprotocol/server-github"]
+      "args": ["-y", "@modelcontextprotocol/server-github@2025.4.8"]
    },
    "context7": {
      "command": "npx",
@@ -14,15 +14,15 @@
    },
    "memory": {
      "command": "npx",
-      "args": ["-y", "@modelcontextprotocol/server-memory"]
+      "args": ["-y", "@modelcontextprotocol/server-memory@2026.1.26"]
    },
    "playwright": {
      "command": "npx",
-      "args": ["-y", "@playwright/mcp@0.0.68", "--extension"]
+      "args": ["-y", "@playwright/mcp@0.0.69", "--extension"]
    },
    "sequential-thinking": {
      "command": "npx",
-      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
+      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking@2025.12.18"]
    }
  }
 }