From 9b471ed6274bb3369b3f2e2bfa5930d85194a859 Mon Sep 17 00:00:00 2001
From: "claude[bot]"
Date: Wed, 22 Apr 2026 18:30:25 +0000
Subject: [PATCH] fix: pin MCP server package versions to prevent supply-chain drift

All three MCP servers used `npx -y ` without version pins, causing npx to auto-install the latest version on each invocation. A compromised or breaking release would silently affect all users.

Pinned to current stable versions verified against npm registry:
- @playwright/mcp@0.0.70
- @upstash/context7-mcp@2.1.8
- deepwiki-mcp@0.0.6

Update these pins deliberately when upgrading rather than auto-pulling.

Co-Authored-By: Claude Code
---
 .mcp.json | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.mcp.json b/.mcp.json
index d73a545..0b9fdea 100644
--- a/.mcp.json
+++ b/.mcp.json
@@ -2,15 +2,24 @@
   "mcpServers": {
     "playwright": {
       "command": "npx",
-      "args": ["-y", "@playwright/mcp"]
+      "args": [
+        "-y",
+        "@playwright/mcp@0.0.70"
+      ]
     },
     "context7": {
       "command": "npx",
-      "args": ["-y", "@upstash/context7-mcp"]
+      "args": [
+        "-y",
+        "@upstash/context7-mcp@2.1.8"
+      ]
     },
     "deepwiki": {
       "command": "npx",
-      "args": ["-y", "deepwiki-mcp"]
+      "args": [
+        "-y",
+        "deepwiki-mcp@0.0.6"
+      ]
     }
   }
 }
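Review bot: Pinning `"@playwright/mcp@0.0.70"` and the two sibling packages in the `args` arrays fixes only the top-level version; `npx -y` still resolves each package's transitive dependencies afresh on every invocation, with no lockfile and no integrity check, so the dependency tree underneath an unchanged pin can still drift or be substituted. A stronger control is to install the three packages into the repository with a lockfile (installed via `npm ci`) and point each `command` at the locally installed binary, so the whole tree and its integrity hashes are fixed in version control rather than re-fetched at runtime. The commit message says the versions were verified against the npm registry, but nothing in the hunk records that check, and because .mcp.json is strict JSON a comment cannot be placed beside the pins; the pin rationale and upgrade procedure should be documented in the repository's contributor docs instead. The enclosing top-level object opens before the hunk, which starts at file line 2.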