From fade192399cf26834fb573d84b16a01fc4faf2b4 Mon Sep 17 00:00:00 2001
From: Martin Bergo
Date: Thu, 5 Mar 2026 13:23:07 +0100
Subject: [PATCH] chore(security): pin MCP transitive vulnerability fixes
---
 bun.lock | 7 ++++++-
 package.json | 9 +++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/bun.lock b/bun.lock
index e99fefc76c..64de3681a1 100644
--- a/bun.lock
+++ b/bun.lock
@@ -9,7 +9,7 @@
 "@ast-grep/napi": "^0.40.0",
 "@clack/prompts": "^0.11.0",
 "@code-yeongyu/comment-checker": "^0.7.0",
- "@modelcontextprotocol/sdk": "^1.25.2",
+ "@modelcontextprotocol/sdk": "^1.27.1",
 "@opencode-ai/plugin": "^1.2.16",
 "@opencode-ai/sdk": "^1.2.17",
 "commander": "^14.0.2",
@@ -49,7 +49,12 @@
 "@code-yeongyu/comment-checker",
 ],
 "overrides": {
+ "@hono/node-server": "^1.19.10",
+ "@modelcontextprotocol/sdk": "^1.27.1",
 "@opencode-ai/sdk": "^1.2.17",
+ "ajv": "^8.18.0",
+ "hono": "^4.12.5",
+ "qs": "^6.15.0",
 },
 "packages": {
 "@ast-grep/cli": ["@ast-grep/cli@0.40.5", "", { "dependencies": { "detect-libc": "2.1.2" }, "optionalDependencies": { "@ast-grep/cli-darwin-arm64": "0.40.5", "@ast-grep/cli-darwin-x64": "0.40.5", "@ast-grep/cli-linux-arm64-gnu": "0.40.5", "@ast-grep/cli-linux-x64-gnu": "0.40.5", "@ast-grep/cli-win32-arm64-msvc": "0.40.5", "@ast-grep/cli-win32-ia32-msvc": "0.40.5", "@ast-grep/cli-win32-x64-msvc": "0.40.5" }, "bin": { "sg": "sg", "ast-grep": "ast-grep" } }, "sha512-yVXL7Gz0WIHerQLf+MVaVSkhIhidtWReG5akNVr/JS9OVCVkSdz7gWm7H8jVv2M9OO1tauuG76K3UaRGBPu5lQ=="],
diff --git a/package.json b/package.json
index 34351b9eb4..156b3f6c3d 100644
--- a/package.json
+++ b/package.json
@@ -55,7 +55,7 @@
 "@ast-grep/napi": "^0.40.0",
 "@clack/prompts": "^0.11.0",
 "@code-yeongyu/comment-checker": "^0.7.0",
- "@modelcontextprotocol/sdk": "^1.25.2",
+ "@modelcontextprotocol/sdk": "^1.27.1",
 "@opencode-ai/plugin": "^1.2.16",
 "@opencode-ai/sdk": "^1.2.17",
 "commander": "^14.0.2",
@@ -88,7 +88,12 @@
 "oh-my-opencode-windows-x64-baseline": "3.10.0"
 },
 "overrides": {
- "@opencode-ai/sdk": "^1.2.17"
+ "@opencode-ai/sdk": "^1.2.17",
+ "@modelcontextprotocol/sdk": "^1.27.1",
+ "@hono/node-server": "^1.19.10",
+ "hono": "^4.12.5",
+ "ajv": "^8.18.0",
+ "qs": "^6.15.0"
 },
 "trustedDependencies": [
 "@ast-grep/cli",
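Review bot: The new `overrides` entries in package.json are caret ranges that apply to every dependent in the tree, so `"ajv": "^8.18.0"` forces ajv 8 onto any transitive package that declares an older major, not only the copy pulled in through the MCP SDK; it is worth confirming that no dependent still expects an earlier ajv major before merging. The diffstat shows bun.lock changing only in its workspace dependency and `overrides` sections (6 insertions, 1 deletion), with no resolved entry under `packages` touched, so either the tree already resolved to the fixed versions or the lockfile was not re-resolved after the edit; `bun pm ls --all` on a clean install would show which. Because `^` ranges set a floor rather than an exact version, the lockfile is what actually holds the patched versions in place. The change also does not record which advisory each floor addresses, which will make it hard to tell later when an override can be dropped.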