
chore(security): pin MCP transitive vulnerability fixes#2321

Open
mInrOz wants to merge 1 commit intocode-yeongyu:devfrom
mInrOz:chore/security-mcp-transitive-deps

Conversation

@mInrOz

@mInrOz mInrOz commented Mar 5, 2026

Summary

  • Hardens transitive dependency resolution for vulnerabilities pulled through @modelcontextprotocol/sdk.
  • Bumps the MCP SDK floor to ^1.27.1 and enforces patched transitive versions via overrides.
  • Regenerates bun.lock so installs deterministically resolve the patched dependency set.

Changes

  • Updated package.json:
    • @modelcontextprotocol/sdk from ^1.25.2 to ^1.27.1
    • Added/updated overrides for:
      • @modelcontextprotocol/sdk: ^1.27.1
      • @hono/node-server: ^1.19.10
      • hono: ^4.12.5
      • ajv: ^8.18.0
      • qs: ^6.15.0
  • Updated bun.lock to reflect override-enforced resolutions.

Screenshots

N/A (dependency/config-only changes).

Testing

bun run typecheck
bun run build
bun audit
bun test src/features/skill-mcp-manager
bun test src/tools/skill
  • bun run typecheck: pass
  • bun run build: pass
  • bun audit: no vulnerabilities found
  • Targeted MCP-related tests: pass

Related Issues

Checklist

  • Code follows project conventions
  • bun run typecheck passes
  • bun run build succeeds
  • Tested locally with OpenCode
  • Updated documentation if needed (N/A for dependency-only security update)
  • No package release version bump in package.json (version unchanged; dependency ranges updated intentionally for security)

Summary by cubic

Pins @modelcontextprotocol/sdk to ^1.27.1 and enforces patched transitive versions to fix vulnerabilities. Regenerates bun.lock to ensure secure, deterministic installs.

  • Dependencies
    • @modelcontextprotocol/sdk → ^1.27.1 (dep + override)
    • @hono/node-server → ^1.19.10
    • hono → ^4.12.5
    • ajv → ^8.18.0
    • qs → ^6.15.0

Written for commit fade192. Summary will update on new commits.
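A check a reviewer could run after the lockfile is regenerated, added here as an example and not part of this PR or the project's code: it walks a map of resolved package versions (the sample tree below is constructed, not parsed from the real bun.lock) and reports every copy of an overridden package that falls outside the caret range declared in package.json. Caret semantics are assumed to follow the standard npm rule: ^X.Y.Z allows >= X.Y.Z with the first non-zero component fixed.

```javascript
// Override floors taken from this PR's package.json changes.
const overrides = {
  "@modelcontextprotocol/sdk": "^1.27.1",
  "@hono/node-server": "^1.19.10",
  "hono": "^4.12.5",
  "ajv": "^8.18.0",
  "qs": "^6.15.0",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True if `version` lies inside the caret range `range` (assumed npm caret rule).
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compare(v, floor) < 0) return false; // below the patched floor
  // Upper bound: components up to the first non-zero one must not change.
  const idx = floor[0] !== 0 ? 0 : floor[1] !== 0 ? 1 : 2;
  for (let i = 0; i <= idx; i++) if (v[i] !== floor[i]) return false;
  return true;
}

// resolved: package name -> every version of it present in the dependency tree.
// Returns the { name, version } pairs that escape their override.
function checkOverrides(overrides, resolved) {
  const violations = [];
  for (const [name, range] of Object.entries(overrides)) {
    for (const version of resolved[name] || []) {
      if (!satisfiesCaret(range, version)) violations.push({ name, version });
    }
  }
  return violations;
}

// Constructed sample tree: stale nested copies of ajv and qs slipped through.
const sampleResolved = {
  "@modelcontextprotocol/sdk": ["1.27.1"],
  "@hono/node-server": ["1.19.10"],
  "hono": ["4.12.5"],
  "ajv": ["8.18.0", "6.12.6"],
  "qs": ["6.15.0", "6.11.0"],
};
console.log(checkOverrides(overrides, sampleResolved));
```

A real run would build the `resolved` map from the lockfile; an empty result means every copy in the tree honours the floors the overrides were meant to enforce.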

@github-actions
Contributor

github-actions bot commented Mar 5, 2026

All contributors have signed the CLA. Thank you! ✅
Posted by the CLA Assistant Lite bot.

@mInrOz
Author

mInrOz commented Mar 5, 2026

I have read the CLA Document and I hereby sign the CLA

github-actions bot added a commit that referenced this pull request Mar 5, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Requires human review: Dependency overrides (especially ajv and qs) can cause breaking changes in the transitive tree; cannot be 100% sure of no regressions without full dependency tree analysis.

