fix: pin MCP server package versions to prevent supply-chain drift

All three MCP servers used `npx -y <package>` without version pins,
causing npx to auto-install the latest version on each invocation.
A compromised or breaking release would silently affect all users.

Pinned to current stable versions verified against npm registry:
- @playwright/mcp@0.0.70
- @upstash/context7-mcp@2.1.8
- deepwiki-mcp@0.0.6

Update these pins deliberately when upgrading rather than auto-pulling.

Co-Authored-By: Claude Code <noreply@anthropic.com>
claude[bot]
2026-04-22 18:30:25 +00:00
parent 61a847cc4d
commit 9b471ed627
+12 -3
@@ -2,15 +2,24 @@
"mcpServers": {
"playwright": {
"command": "npx",
"args": ["-y", "@playwright/mcp"]
"args": [
"-y",
"@playwright/mcp@0.0.70"
]
},
"context7": {
"command": "npx",
"args": ["-y", "@upstash/context7-mcp"]
"args": [
"-y",
"@upstash/context7-mcp@2.1.8"
]
},
"deepwiki": {
"command": "npx",
"args": ["-y", "deepwiki-mcp"]
"args": [
"-y",
"deepwiki-mcp@0.0.6"
]
}
}
}
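Review bot: In each of the three `args` arrays, the `name@version` spec fixes only the top-level package. Its transitive dependencies are still resolved from the registry whenever npx populates its cache, and `-y` accepts that install without a prompt, so the drift the commit message describes can still happen one level down. Consider installing the three servers from a committed package.json with a lockfile and pointing `command` at the locally installed binaries. Failing that, record next to this config how the pins were verified and when they should be revisited, since the JSON file itself cannot carry that note.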