everything-claude-code

zsp/everything-claude-code

Fork 0

mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-04-08 10:23:30 +08:00

Commit Graph

Author	SHA1	Message	Date
Affaan Mustafa	29102901fa	fix(security): pin MCP server versions, add dependabot, pin github-script SHA Critical: - Pin all npx -y MCP server packages to specific versions in .mcp.json to prevent supply chain attacks via version hijacking: - @modelcontextprotocol/server-github@2025.4.8 - @modelcontextprotocol/server-memory@2026.1.26 - @modelcontextprotocol/server-sequential-thinking@2025.12.18 - @playwright/mcp@0.0.69 (was 0.0.68) Medium: - Add .github/dependabot.yml for weekly npm + github-actions updates with grouped minor/patch PRs - Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)	2026-03-31 02:34:57 -07:00
Affaan Mustafa	c39aa22c5a	fix: harden lifecycle hook launchers and mcp schema	2026-03-29 21:26:56 -04:00
senoldogann	d473cf87e6	feat(codex): add Codex native plugin manifest and fix Claude plugin.json - Add .codex-plugin/plugin.json — Codex-native plugin manifest with skills reference and MCP server config pointer - Add .codex-plugin/.mcp.json — standalone MCP server config bundle (github, context7, exa, memory, playwright, sequential-thinking) - Add .codex-plugin/README.md — installation guide and server reference - Fix .claude-plugin/plugin.json — add missing agents[] (28 explicit file paths per validator rules), skills[], and commands[] arrays; remove hooks field (auto-loaded by Claude Code v2.1+ convention) - Add tests/plugin-manifest.test.js — 16 CI tests enforcing PLUGIN_SCHEMA_NOTES.md rules (no hooks, arrays throughout, explicit agent paths, version required, .mcp.json structural checks) - Update package.json: add .codex-plugin/ to files[], add plugin manifest test to npm test chain Refs: .claude-plugin/PLUGIN_SCHEMA_NOTES.md	2026-03-28 20:06:42 -04:00

Author

SHA1

Message

Date

Affaan Mustafa

29102901fa

fix(security): pin MCP server versions, add dependabot, pin github-script SHA

Critical:
- Pin all npx -y MCP server packages to specific versions in .mcp.json
  to prevent supply chain attacks via version hijacking:
  - @modelcontextprotocol/server-github@2025.4.8
  - @modelcontextprotocol/server-memory@2026.1.26
  - @modelcontextprotocol/server-sequential-thinking@2025.12.18
  - @playwright/mcp@0.0.69 (was 0.0.68)

Medium:
- Add .github/dependabot.yml for weekly npm + github-actions updates
  with grouped minor/patch PRs
- Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)

2026-03-31 02:34:57 -07:00

Affaan Mustafa

c39aa22c5a

fix: harden lifecycle hook launchers and mcp schema

2026-03-29 21:26:56 -04:00

senoldogann

d473cf87e6

feat(codex): add Codex native plugin manifest and fix Claude plugin.json

- Add .codex-plugin/plugin.json — Codex-native plugin manifest with
  skills reference and MCP server config pointer
- Add .codex-plugin/.mcp.json — standalone MCP server config bundle
  (github, context7, exa, memory, playwright, sequential-thinking)
- Add .codex-plugin/README.md — installation guide and server reference
- Fix .claude-plugin/plugin.json — add missing agents[] (28 explicit
  file paths per validator rules), skills[], and commands[] arrays;
  remove hooks field (auto-loaded by Claude Code v2.1+ convention)
- Add tests/plugin-manifest.test.js — 16 CI tests enforcing
  PLUGIN_SCHEMA_NOTES.md rules (no hooks, arrays throughout, explicit
  agent paths, version required, .mcp.json structural checks)
- Update package.json: add .codex-plugin/ to files[], add plugin
  manifest test to npm test chain

Refs: .claude-plugin/PLUGIN_SCHEMA_NOTES.md

2026-03-28 20:06:42 -04:00

3 Commits