zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-04-08 02:03:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): pin MCP server versions, add dependabot, pin github-script SHA

Browse Source 
Critical:
- Pin all npx -y MCP server packages to specific versions in .mcp.json
  to prevent supply chain attacks via version hijacking:
  - @modelcontextprotocol/server-github@2025.4.8
  - @modelcontextprotocol/server-memory@2026.1.26
  - @modelcontextprotocol/server-sequential-thinking@2025.12.18
  - @playwright/mcp@0.0.69 (was 0.0.68)

Medium:
- Add .github/dependabot.yml for weekly npm + github-actions updates
  with grouped minor/patch PRs
- Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
This commit is contained in:
Affaan Mustafa
2026-03-31 02:34:57 -07:00
parent df76bdfb51
commit 29102901fa
3 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
.github/dependabot.yml vendored Normal file
View File

@@ -0,0 +1,21 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
labels:
- "dependencies"
groups:
minor-and-patch:
update-types:
- "minor"
- "patch"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "ci"

2
.github/workflows/monthly-metrics.yml vendored
View File

@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Update monthly metrics issue - name: Update monthly metrics issue
uses: actions/github-script@v7 uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with: with:
script: | script: |
const owner = context.repo.owner; const owner = context.repo.owner;

8
.mcp.json
View File

@@ -2,7 +2,7 @@
"mcpServers": { "mcpServers": {
"github": { "github": {
"command": "npx", "command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"] "args": ["-y", "@modelcontextprotocol/server-github@2025.4.8"]
}, },
"context7": { "context7": {
"command": "npx", "command": "npx",
@@ -14,15 +14,15 @@
}, },
"memory": { "memory": {
"command": "npx", "command": "npx",
"args": ["-y", "@modelcontextprotocol/server-memory"] "args": ["-y", "@modelcontextprotocol/server-memory@2026.1.26"]
}, },
"playwright": { "playwright": {
"command": "npx", "command": "npx",
"args": ["-y", "@playwright/mcp@0.0.68", "--extension"] "args": ["-y", "@playwright/mcp@0.0.69", "--extension"]
}, },
"sequential-thinking": { "sequential-thinking": {
"command": "npx", "command": "npx",
"args": ["-y", "@modelcontextprotocol/server-sequential-thinking"] "args": ["-y", "@modelcontextprotocol/server-sequential-thinking@2025.12.18"]
} }
} }
} }