gilles/claude-code-best-practice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: pin MCP server package versions to prevent supply-chain drift

Browse Source 
All three MCP servers used `npx -y <package>` without version pins,
causing npx to auto-install the latest version on each invocation.
A compromised or breaking release would silently affect all users.

Pinned to current stable versions verified against npm registry:
- @playwright/mcp@0.0.70
- @upstash/context7-mcp@2.1.8
- deepwiki-mcp@0.0.6

Update these pins deliberately when upgrading rather than auto-pulling.

Co-Authored-By: Claude Code <noreply@anthropic.com>
This commit is contained in:
claude[bot]
2026-04-22 18:30:25 +00:00
parent 61a847cc4d
commit 9b471ed627
1 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.mcp.json
+12 -3
View File
@@ -2,15 +2,24 @@
"mcpServers": { "mcpServers": {
"playwright": { "playwright": {
"command": "npx", "command": "npx",
"args": ["-y", "@playwright/mcp"] "args": [
"-y",
"@playwright/mcp@0.0.70"
]
}, },
"context7": { "context7": {
"command": "npx", "command": "npx",
"args": ["-y", "@upstash/context7-mcp"] "args": [
"-y",
"@upstash/context7-mcp@2.1.8"
]
}, },
"deepwiki": { "deepwiki": {
"command": "npx", "command": "npx",
"args": ["-y", "deepwiki-mcp"] "args": [
"-y",
"deepwiki-mcp@0.0.6"
]
} }
} }
} }