From 848c5f6076628da434b2c347ace23a2c9ff8f191 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Fri, 6 Feb 2026 23:34:06 +0100
Subject: [PATCH 01/11] Add mcp-safety-scanner CI (baseline)
---
 .github/workflows/mcp-safety-scan.yml | 33 +++++++
 .mcp-safety-baseline.json | 133 ++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
 create mode 100644 .github/workflows/mcp-safety-scan.yml
 create mode 100644 .mcp-safety-baseline.json
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
new file mode 100644
index 0000000000..0f254da03e
--- /dev/null
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -0,0 +1,33 @@
+name: MCP Safety Scan
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "src/**"
+ - ".github/workflows/mcp-safety-scan.yml"
+ - ".mcp-safety-baseline.json"
+ pull_request:
+ paths:
+ - "src/**"
+ - ".github/workflows/mcp-safety-scan.yml"
+ - ".mcp-safety-baseline.json"
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: actions/setup-node@v6
+ with:
+ node-version: 20
+
+ - uses: TheodorNEngoy/mcp-safety-scanner@v0
+ with:
+ path: src
+ baseline: .mcp-safety-baseline.json
+ fail-on: high
+ format: github
+
diff --git a/.mcp-safety-baseline.json b/.mcp-safety-baseline.json
new file mode 100644
index 0000000000..3690283ba3
--- /dev/null
+++ b/.mcp-safety-baseline.json
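Review bot: The `fail-on: high` gate in this hunk is only as strong as the baseline file next to it: if, as the `fingerprints` list in `.mcp-safety-baseline.json` suggests, a baselined fingerprint is suppressed regardless of severity, then a baseline refresh can silently exempt high findings, and PATCH 05/11 later in this series does exactly that by adding two `cors-wildcard-origin` entries with `"severity": "high"`. Nothing in the workflow records that trade-off, so a reviewer of a future baseline bump has no cue to look for it. I would add above the `baseline:` line: `# Baselined fingerprints are exempt from fail-on; review every change to the baseline file and do not baseline high findings without a tracked fix.` The `paths:` filters already include the baseline, so the scan re-runs on such changes, but that only helps if the person reading the run knows what to check.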
@@ -0,0 +1,133 @@ +{ + "version": 1, + "tool": "mcp-safety-scanner", + "generatedAt": "2026-02-06T22:32:45.334Z", + "fingerprints": [ + "02410ad395be4f98efe0dd7d4c3b55f637c6332ad612109194e40f73ddbdc58b", + "20ea9924fb8c695dd78758548be2ecb2933cb42ff959f3c554557345ac4b7980", + "22116cd74b04c873c1c1973258a48865663129bae24427bedd426f03750aa93f", + "5f062db381642e6b9911427afc31ec7badbdfad8a759ffe313afa65241630211", + "80481e00889801884b574675f1f4f53b33f46bc9be8af7f43b92c6e81d7193e0", + "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", + "cae5e08ed72eb1188f4f3dea0bbe754864dd905b7fce3f626b453b904d401e7b", + "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", + "edc274e6867eb9ba856d66b6be112628fad9cf3e4fadae83a2f563bca94c47ae", + "f6fd182ee3cca1e2535a1076c2001d0f71832e644eee80af342a226ecf0e74f3", + "f96122a88040d6f0ee21ae245e33196b51a9e3c38ea5aff7e9a5892426229b48", + "fd280dede9985170152ebf01cb12126178c34efab6f932636e19fab3971f58cf" + ], + "entries": [ + { + "fingerprint": "cae5e08ed72eb1188f4f3dea0bbe754864dd905b7fce3f626b453b904d401e7b", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/directory-tree.test.ts", + "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + }, + { + "fingerprint": "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/path-validation.test.ts", + "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + }, + { + "fingerprint": "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/path-validation.test.ts", + "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + }, + { + "fingerprint": "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": 
"filesystem/__tests__/path-validation.test.ts", + "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + }, + { + "fingerprint": "edc274e6867eb9ba856d66b6be112628fad9cf3e4fadae83a2f563bca94c47ae", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/path-validation.test.ts", + "excerpt": "await fs.unlink(legitFile);" + }, + { + "fingerprint": "edc274e6867eb9ba856d66b6be112628fad9cf3e4fadae83a2f563bca94c47ae", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/path-validation.test.ts", + "excerpt": "await fs.unlink(legitFile);" + }, + { + "fingerprint": "f6fd182ee3cca1e2535a1076c2001d0f71832e644eee80af342a226ecf0e74f3", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/roots-utils.test.ts", + "excerpt": "rmSync(testDir1, { recursive: true, force: true });" + }, + { + "fingerprint": "02410ad395be4f98efe0dd7d4c3b55f637c6332ad612109194e40f73ddbdc58b", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/roots-utils.test.ts", + "excerpt": "rmSync(testDir2, { recursive: true, force: true });" + }, + { + "fingerprint": "f96122a88040d6f0ee21ae245e33196b51a9e3c38ea5aff7e9a5892426229b48", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/roots-utils.test.ts", + "excerpt": "rmSync(testDir3, { recursive: true, force: true });" + }, + { + "fingerprint": "80481e00889801884b574675f1f4f53b33f46bc9be8af7f43b92c6e81d7193e0", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/startup-validation.test.ts", + "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + }, + { + "fingerprint": "fd280dede9985170152ebf01cb12126178c34efab6f932636e19fab3971f58cf", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/__tests__/structured-content.test.ts", + "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + 
}, + { + "fingerprint": "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/lib.ts", + "excerpt": "await fs.unlink(tempPath);" + }, + { + "fingerprint": "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/lib.ts", + "excerpt": "await fs.unlink(tempPath);" + }, + { + "fingerprint": "5f062db381642e6b9911427afc31ec7badbdfad8a759ffe313afa65241630211", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "memory/__tests__/file-path.test.ts", + "excerpt": "await fs.unlink(oldMemoryPath);" + }, + { + "fingerprint": "20ea9924fb8c695dd78758548be2ecb2933cb42ff959f3c554557345ac4b7980", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "memory/__tests__/file-path.test.ts", + "excerpt": "await fs.unlink(newMemoryPath);" + }, + { + "fingerprint": "22116cd74b04c873c1c1973258a48865663129bae24427bedd426f03750aa93f", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "memory/__tests__/knowledge-graph.test.ts", + "excerpt": "await fs.unlink(testFilePath);" + } + ] +}
From 5118bf85f9ca21663b1b9aafb3123c677f944773 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 00:48:46 +0100
Subject: [PATCH 02/11] ci: pin mcp-safety-scanner action
---
 .github/workflows/mcp-safety-scan.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index 0f254da03e..5a588790c3 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -14,6 +14,9 @@ on: - ".github/workflows/mcp-safety-scan.yml" - ".mcp-safety-baseline.json"
+permissions:
+ contents: read
+
 jobs: scan: runs-on: ubuntu-latest
@@ -24,10 +27,10 @@ jobs: with: node-version: 20
- - uses: TheodorNEngoy/mcp-safety-scanner@v0
+ # Pin the action version for supply-chain safety.
+ - uses: TheodorNEngoy/mcp-safety-scanner@7fd13fc55cb5c21cb1611f0eda4c9ac4da411b71 # v0.3.3
 with: path: src baseline: .mcp-safety-baseline.json fail-on: high format: github
-
From 72a4597729cd802863b5402c387f562840cde75b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 01:42:20 +0100
Subject: [PATCH 03/11] ci: bump mcp-safety-scanner pin to v0.3.5
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index 5a588790c3..36585ba00f 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@7fd13fc55cb5c21cb1611f0eda4c9ac4da411b71 # v0.3.3
+ - uses: TheodorNEngoy/mcp-safety-scanner@dcf124b4f97aa893867ced9028264a298e2b4292 # v0.3.5
 with: path: src baseline: .mcp-safety-baseline.json
From c8b149a46a518a5e8f980fa2bb406ccf9629aeb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 02:02:11 +0100
Subject: [PATCH 04/11] chore: bump mcp-safety-scanner to v0.3.6
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index 36585ba00f..ca2d286136 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
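Review bot: The new comment `# Pin the action version for supply-chain safety.` covers only the scanner step, while the `actions/checkout` and `actions/setup-node` steps just above this hunk (outside it, and still on floating major tags after PATCH 06/11) are left unpinned, so the stated policy is applied to one of the job's three third-party actions. Pinning those two to a commit SHA with the same `# vX.Y.Z` trailer would make the comment true for the whole job. The trailer is also the only link between the SHA and a release, and this series updates it by hand seven more times; an automated actions-update configuration (Dependabot or Renovate) would keep the SHA and trailer in step via reviewed pull requests. The `steps:` list this hunk belongs to starts above it.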
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@dcf124b4f97aa893867ced9028264a298e2b4292 # v0.3.5
+ - uses: TheodorNEngoy/mcp-safety-scanner@a9f2724b4a8732e291146eb7569dc571ebf6f51b # v0.3.6
 with: path: src baseline: .mcp-safety-baseline.json
From e8116aa245b38f11e50c4d98057adbffc34805cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 02:11:55 +0100
Subject: [PATCH 05/11] chore: refresh mcp-safety baseline
---
 .mcp-safety-baseline.json | 126 ++++----------------------------------
 1 file changed, 13 insertions(+), 113 deletions(-)
diff --git a/.mcp-safety-baseline.json b/.mcp-safety-baseline.json
index 3690283ba3..096624505d 100644
--- a/.mcp-safety-baseline.json
+++ b/.mcp-safety-baseline.json
@@ -1,98 +1,26 @@ { "version": 1, "tool": "mcp-safety-scanner", - "generatedAt": "2026-02-06T22:32:45.334Z", + "generatedAt": "2026-02-08T01:11:19.241Z", "fingerprints": [ - "02410ad395be4f98efe0dd7d4c3b55f637c6332ad612109194e40f73ddbdc58b", - "20ea9924fb8c695dd78758548be2ecb2933cb42ff959f3c554557345ac4b7980", - "22116cd74b04c873c1c1973258a48865663129bae24427bedd426f03750aa93f", - "5f062db381642e6b9911427afc31ec7badbdfad8a759ffe313afa65241630211", - "80481e00889801884b574675f1f4f53b33f46bc9be8af7f43b92c6e81d7193e0", + "5b247d1df57644d8c2fcf020c4a1bebb0df81a6206f3e28ca63a36f9ad8629ce", "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", - "cae5e08ed72eb1188f4f3dea0bbe754864dd905b7fce3f626b453b904d401e7b", - "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", - "edc274e6867eb9ba856d66b6be112628fad9cf3e4fadae83a2f563bca94c47ae", - "f6fd182ee3cca1e2535a1076c2001d0f71832e644eee80af342a226ecf0e74f3", - "f96122a88040d6f0ee21ae245e33196b51a9e3c38ea5aff7e9a5892426229b48", - "fd280dede9985170152ebf01cb12126178c34efab6f932636e19fab3971f58cf" + "8c6d459b9fe3fd08e618346ea8642343203edc21ba8e7d2aad85c3603aef3529" ], "entries": [ { - "fingerprint": "cae5e08ed72eb1188f4f3dea0bbe754864dd905b7fce3f626b453b904d401e7b", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/directory-tree.test.ts", - "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" - }, - { - "fingerprint": "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/path-validation.test.ts", - "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" - }, - { - "fingerprint": "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/path-validation.test.ts", - "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" - }, - 
{ - "fingerprint": "e719a3e7fd8bcfbcd83b1c415465724f1e9244850d6ff79cd5db22022025fd14", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/path-validation.test.ts", - "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" - }, - { - "fingerprint": "edc274e6867eb9ba856d66b6be112628fad9cf3e4fadae83a2f563bca94c47ae", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/path-validation.test.ts", - "excerpt": "await fs.unlink(legitFile);" + "fingerprint": "5b247d1df57644d8c2fcf020c4a1bebb0df81a6206f3e28ca63a36f9ad8629ce", + "ruleId": "cors-wildcard-origin", + "severity": "high", + "file": "everything/transports/sse.ts", + "excerpt": "cors({" }, { - "fingerprint": "edc274e6867eb9ba856d66b6be112628fad9cf3e4fadae83a2f563bca94c47ae", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/path-validation.test.ts", - "excerpt": "await fs.unlink(legitFile);" - }, - { - "fingerprint": "f6fd182ee3cca1e2535a1076c2001d0f71832e644eee80af342a226ecf0e74f3", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/roots-utils.test.ts", - "excerpt": "rmSync(testDir1, { recursive: true, force: true });" - }, - { - "fingerprint": "02410ad395be4f98efe0dd7d4c3b55f637c6332ad612109194e40f73ddbdc58b", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/roots-utils.test.ts", - "excerpt": "rmSync(testDir2, { recursive: true, force: true });" - }, - { - "fingerprint": "f96122a88040d6f0ee21ae245e33196b51a9e3c38ea5aff7e9a5892426229b48", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/roots-utils.test.ts", - "excerpt": "rmSync(testDir3, { recursive: true, force: true });" - }, - { - "fingerprint": "80481e00889801884b574675f1f4f53b33f46bc9be8af7f43b92c6e81d7193e0", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": 
"filesystem/__tests__/startup-validation.test.ts", - "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" - }, - { - "fingerprint": "fd280dede9985170152ebf01cb12126178c34efab6f932636e19fab3971f58cf", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/__tests__/structured-content.test.ts", - "excerpt": "await fs.rm(testDir, { recursive: true, force: true });" + "fingerprint": "8c6d459b9fe3fd08e618346ea8642343203edc21ba8e7d2aad85c3603aef3529", + "ruleId": "cors-wildcard-origin", + "severity": "high", + "file": "everything/transports/streamableHttp.ts", + "excerpt": "cors({" }, { "fingerprint": "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", @@ -100,34 +28,6 @@ "severity": "medium", "file": "filesystem/lib.ts", "excerpt": "await fs.unlink(tempPath);" - }, - { - "fingerprint": "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/lib.ts", - "excerpt": "await fs.unlink(tempPath);" - }, - { - "fingerprint": "5f062db381642e6b9911427afc31ec7badbdfad8a759ffe313afa65241630211", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "memory/__tests__/file-path.test.ts", - "excerpt": "await fs.unlink(oldMemoryPath);" - }, - { - "fingerprint": "20ea9924fb8c695dd78758548be2ecb2933cb42ff959f3c554557345ac4b7980", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "memory/__tests__/file-path.test.ts", - "excerpt": "await fs.unlink(newMemoryPath);" - }, - { - "fingerprint": "22116cd74b04c873c1c1973258a48865663129bae24427bedd426f03750aa93f", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "memory/__tests__/knowledge-graph.test.ts", - "excerpt": "await fs.unlink(testFilePath);" } ] } From bccdff28ab1112728f4d5684af7cacbd0512a9e3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 02:24:37 +0100
Subject: [PATCH 06/11] ci: use supported actions/checkout + setup-node versions
---
 .github/workflows/mcp-safety-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index ca2d286136..68164ed1a0 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -21,9 +21,9 @@ jobs: scan: runs-on: ubuntu-latest steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v4
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@v4
 with: node-version: 20
From fc23205da2eae6fbcaa0fbb1f0864eae13d26ce2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 03:01:06 +0100
Subject: [PATCH 07/11] chore: bump mcp-safety-scanner to v0.4.1
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index 68164ed1a0..fb8ae157d4 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@a9f2724b4a8732e291146eb7569dc571ebf6f51b # v0.3.6
+ - uses: TheodorNEngoy/mcp-safety-scanner@1b38cabea5b6fe9c3c4baea13a3a209f862efb8b # v0.4.1
 with: path: src baseline: .mcp-safety-baseline.json
From d179877d8de517b9d4c6350ea997c405be4c86ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 12:42:49 +0100
Subject: [PATCH 08/11] ci: bump mcp-safety-scanner to v0.4.6
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index fb8ae157d4..f9e1a4cb38 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@1b38cabea5b6fe9c3c4baea13a3a209f862efb8b # v0.4.1
+ - uses: TheodorNEngoy/mcp-safety-scanner@b37568ec70ebd233e0516e2263fe4fce58ad0969 # v0.4.6
 with: path: src baseline: .mcp-safety-baseline.json
From 9b9b12c3a973ff9211ca99c6d4cfe36ac5a996e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 13:13:54 +0100
Subject: [PATCH 09/11] ci: bump mcp-safety-scanner to v0.4.7
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index f9e1a4cb38..408c22dd08 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@b37568ec70ebd233e0516e2263fe4fce58ad0969 # v0.4.6
+ - uses: TheodorNEngoy/mcp-safety-scanner@2e4512a3bc199a38b5c00e41daea8abdc1e39811 # v0.4.7
 with: path: src baseline: .mcp-safety-baseline.json
From 58f4f8095af13aa71b37bb0c6ec05d8b7d5b7c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 13:49:02 +0100
Subject: [PATCH 10/11] ci: bump mcp-safety-scanner to v0.4.8
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index 408c22dd08..fdbc8b3689 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@2e4512a3bc199a38b5c00e41daea8abdc1e39811 # v0.4.7
+ - uses: TheodorNEngoy/mcp-safety-scanner@5ecea148c56d0e38b297623f9eb6b467e2fccf71 # v0.4.8
 with: path: src baseline: .mcp-safety-baseline.json
From b1e8a8691d65b6008c77a81a05b86d783544f0d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Theodor=20N=2E=20Eng=C3=B8y?=
Date: Sun, 8 Feb 2026 19:53:20 +0100
Subject: [PATCH 11/11] ci: bump mcp-safety-scanner to v0.4.9 + baseline v2
---
 .github/workflows/mcp-safety-scan.yml | 2 +-
 .mcp-safety-baseline.json | 54 ++++++++++++++++++---------
 2 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/mcp-safety-scan.yml b/.github/workflows/mcp-safety-scan.yml
index fdbc8b3689..e053822e30 100644
--- a/.github/workflows/mcp-safety-scan.yml
+++ b/.github/workflows/mcp-safety-scan.yml
@@ -28,7 +28,7 @@ jobs: node-version: 20 # Pin the action version for supply-chain safety.
- - uses: TheodorNEngoy/mcp-safety-scanner@5ecea148c56d0e38b297623f9eb6b467e2fccf71 # v0.4.8
+ - uses: TheodorNEngoy/mcp-safety-scanner@5e09227cf63d559ec211ad3d99dfd3272c5a31c3 # v0.4.9
 with: path: src baseline: .mcp-safety-baseline.json
diff --git a/.mcp-safety-baseline.json b/.mcp-safety-baseline.json
index 096624505d..9fe3cd523a 100644
--- a/.mcp-safety-baseline.json
+++ b/.mcp-safety-baseline.json
@@ -1,33 +1,53 @@ { - "version": 1, + "version": 2, "tool": "mcp-safety-scanner", - "generatedAt": "2026-02-08T01:11:19.241Z", + "generatedAt": "2026-02-08T18:53:00.598Z", "fingerprints": [ - "5b247d1df57644d8c2fcf020c4a1bebb0df81a6206f3e28ca63a36f9ad8629ce", - "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", - "8c6d459b9fe3fd08e618346ea8642343203edc21ba8e7d2aad85c3603aef3529" + "1080301ccc119b431825933246b66e42e8bb0e6aa4a286a27f6bf38639054e48", + "92abe3840e2e6c28655320eb095aefaaa3c766c73c9bb2e2a68b0255a3a8fcb6", + "b9bbbaf2acab0552d78b2e857daeb99e6d3f3ca0abfa1710540e97bb1998db97", + "e7805b7df03dde0ac35d234b54585a60d470e869e45d59b87f6d941757fc20a6" ], "entries": [ { - "fingerprint": "5b247d1df57644d8c2fcf020c4a1bebb0df81a6206f3e28ca63a36f9ad8629ce", - "ruleId": "cors-wildcard-origin", - "severity": "high", - "file": "everything/transports/sse.ts", - "excerpt": "cors({" + "fingerprint": "1080301ccc119b431825933246b66e42e8bb0e6aa4a286a27f6bf38639054e48", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/lib.ts", + "excerpt": "await fs.unlink(tempPath);", + "context": "", + "line": 154, + "column": 20 }, { - "fingerprint": "8c6d459b9fe3fd08e618346ea8642343203edc21ba8e7d2aad85c3603aef3529", + "fingerprint": "92abe3840e2e6c28655320eb095aefaaa3c766c73c9bb2e2a68b0255a3a8fcb6", + "ruleId": "file-delete-apis", + "severity": "medium", + "file": "filesystem/lib.ts", + "excerpt": "await fs.unlink(tempPath);", + "context": "", + "line": 252, + "column": 18 + }, + { + "fingerprint": "b9bbbaf2acab0552d78b2e857daeb99e6d3f3ca0abfa1710540e97bb1998db97", "ruleId": "cors-wildcard-origin", "severity": "high", "file": "everything/transports/streamableHttp.ts", - "excerpt": "cors({" + "excerpt": "cors({", + "context": "cors({ origin: \"*\", // use \"*\" with caution in production methods: \"GET,POST,DELETE\", preflightContinue: false, optionsSuccessStatus: 204, exposedHeaders: [\"mcp-session-id\", \"last-event-id\", 
\"mcp-protocol-version\"], }) );", + "line": 44, + "column": 3 }, { - "fingerprint": "8963bde5a243de8f8bb4db469176e2348a070c9ce45f69327230b08e6e06afe8", - "ruleId": "file-delete-apis", - "severity": "medium", - "file": "filesystem/lib.ts", - "excerpt": "await fs.unlink(tempPath);" + "fingerprint": "e7805b7df03dde0ac35d234b54585a60d470e869e45d59b87f6d941757fc20a6", + "ruleId": "cors-wildcard-origin", + "severity": "high", + "file": "everything/transports/sse.ts", + "excerpt": "cors({", + "context": "cors({ origin: \"*\", // use \"*\" with caution in production methods: \"GET,POST\", preflightContinue: false, optionsSuccessStatus: 204, }) ); const transports: Map = new Map<", + "line": 11, + "column": 3 } ] }