github · context7HEAD

Evidence

await transport.handleRequest(req, res, req.body);

        });

      } catch (error) {

        console.error("Error handling MCP request:", error);

        if (!res.headersSent) {

          res.status(500).json({

            jsonrpc: "2.0",

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

const files: SkillFile[] = [];

    for (const item of skillFiles) {

      const rawUrl = `${GITHUB_RAW}/${owner}/${repo}/${branch}/${item.path}`;

      const fileResponse = await fetch(rawUrl, { headers: ghHeaders });

      if (!fileResponse.ok) {

        console.warn(`Failed to fetch ${item.path}: ${fileResponse.status}`);

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

if (accessToken) {

    headers["Authorization"] = `Bearer ${accessToken}`;

  }

  const response = await fetch(`${baseUrl}/api/v2/libs/search?${params}`, { headers });

  return (await response.json()) as LibrarySearchResponse;

}

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

export async function getSkill(project: string, skillName: string): Promise<SingleSkillResponse> {

  const params = new URLSearchParams({ project, skill: skillName });

  const response = await fetch(`${baseUrl}/api/v2/skills?${params}`);

  return (await response.json()) as SingleSkillResponse;

}

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

}

async function refreshAccessToken(refreshToken: string): Promise<TokenData> {

  const response = await fetch(`${getBaseUrl()}/api/oauth/token`, {

    method: "POST",

    headers: { "Content-Type": "application/x-www-form-urlencoded" },

    body: new URLSearchParams({

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

repo: string,

  headers: Record<string, string>

): Promise<{ branch: string } | { status: number }> {

  const response = await fetch(`${GITHUB_API}/repos/${owner}/${repo}`, { headers });

  if (!response.ok) return { status: response.status };

  const data = (await response.json()) as { default_branch: string };

  return { branch: data.default_branch };

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

headers: Record<string, string>

): Promise<GitHubTreeResponse | null> {

  const treeUrl = `${GITHUB_API}/repos/${owner}/${repo}/git/trees/${branch}?recursive=1`;

  const response = await fetch(treeUrl, { headers });

  if (!response.ok) return null;

  return (await response.json()) as GitHubTreeResponse;

}

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

const authServerUrl = AUTH_SERVER_URL;

        try {

          const response = await fetch(`${authServerUrl}/.well-known/oauth-authorization-server`);

          if (!response.ok) {

            console.error("[OAuth] Upstream error:", response.status);

            return res.status(response.status).json({

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

}

async function fetchWhoami(accessToken: string): Promise<WhoamiResponse> {

  const response = await fetch(`${getBaseUrl()}/api/dashboard/whoami`, {

    headers: {

      Authorization: `Bearer ${accessToken}`,

    },

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

export async function searchSkills(query: string): Promise<SearchResponse> {

  const params = new URLSearchParams({ query });

  const response = await fetch(`${baseUrl}/api/v2/skills?${params}`);

  return (await response.json()) as SearchResponse;

}

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

const headers = generateHeaders(context);

    const response = await fetch(url, { headers });

    if (!response.ok) {

      const errorMessage = await parseErrorResponse(response, context.apiKey);

      console.error(errorMessage);

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

const spinner = ora("Configuring authentication...").start();

  try {

    const response = await fetch(`${getBaseUrl()}/api/dashboard/api-keys`, {

      method: "POST",

      headers: {

        Authorization: `Bearer ${accessToken}`,

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

def fetch_with_retry(url, headers, max_retries=3):

    for attempt in range(max_retries):

        response = requests.get(url, headers=headers)

        if response.status_code == 429:

            retry_after = int(response.headers.get("Retry-After", 2 ** attempt))

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

export async function listProjectSkills(project: string): Promise<ListSkillsResponse> {

  const params = new URLSearchParams({ project });

  const response = await fetch(`${baseUrl}/api/v2/skills?${params}`);

  return (await response.json()) as ListSkillsResponse;

}

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

for (let i = 0; i <= this.retry.attempts; i++) {

      try {

        res = await fetch(url, requestOptions as RequestInit);

        break;

      } catch (error_) {

        if (requestOptions.signal?.aborted) {

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

export function trackEvent(event: string, data?: Record<string, unknown>): void {

  if (process.env.CTX7_TELEMETRY_DISABLED) return;

  fetch(`${getBaseUrl()}/api/v2/cli/events`, {

    method: "POST",

    headers: { "Content-Type": "application/json" },

    body: JSON.stringify({ event, data }),

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

const headers = generateHeaders(context);

    const response = await fetch(url, { headers });

    if (!response.ok) {

      const errorMessage = await parseErrorResponse(response, context.apiKey);

      console.error(errorMessage);

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

const skills: (Skill & { project: string })[] = [];

    for (const item of skillMdFiles) {

      const rawUrl = `${GITHUB_RAW}/${owner}/${repo}/${branchResult.branch}/${item.path}`;

      const response = await fetch(rawUrl, { headers });

      if (!response.ok) continue;

      const content = await response.text();

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

async function fetchRule(filename: string, fallback: string): Promise<string> {

  for (const base of GITHUB_RAW_URLS) {

    try {

      const res = await fetch(`${base}/${filename}`);

      if (res.ok) return await res.text();

    } catch {

      continue;

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

"type": "string",

            "description": "Title of the code snippet"

          },

          "codeDescription": {

            "type": "string",

            "description": "Description of what the code does"

          },

          "codeLanguage": {

            "type": "string",

            "description": "Primary programming language"

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "string",

            "description": "Programming language"

          },

          "code": {

            "type": "string",

            "description": "The actual code content"

          }

        },

        "required": [

          "language",

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "string",

            "description": "Description of what the code does"

          },

          "codeLanguage": {

            "type": "string",

            "description": "Primary programming language"

          },

          "codeTokens": {

            "type": "integer",

            "description": "Token count for the snippet"

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "integer",

            "description": "Token count for the snippet"

          },

          "codeId": {

            "type": "string",

            "description": "URL to source location"

          },

          "pageTitle": {

            "type": "string",

            "description": "Title of the documentation page"

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "object",

        "description": "A code snippet from library documentation",

        "properties": {

          "codeTitle": {

            "type": "string",

            "description": "Title of the code snippet"

          },

          "codeDescription": {

            "type": "string",

            "description": "Description of what the code does"

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# ----- Build Stage -----

FROM node:lts-alpine AS builder

RUN corepack enable pnpm

WORKDIR /app

# Copy monorepo config and install dependencies

COPY package.json pnpm-lock.yaml pnpm-workspace.yaml tsconfig.json ./

COPY packages/mcp ./packages/mcp

RUN pnpm install --frozen-lockfile

# Build the mcp package

RUN pnpm --filter @upstash/context7-mcp build

# ----- Production Stage -----

FROM node:lts-alpine

RUN corepack enable pnpm

WORKDIR /app

# Install production dependencies only

COPY package.js

Remediation

Create and switch to a non-root user before the CMD / ENTRYPOINT: RUN adduser --system --uid 1000 app USER 1000 Or reuse the base image's shipped non-root account (e.g. `USER nobody`, `USER nonroot` on distroless). Multi-stage builds only need the USER directive in the final stage.

Evidence

fetch-depth: 0

      - name: Check for changeset

        uses: actions/github-script@v7

        with:

          script: |

            const { execSync } = require('child_process');

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: "20"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Build and push Docker image

        id: build-push

        uses: docker/build-push-action@v6

        with:

          context: .

          file: packages/mcp/Dockerfile

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: "20"

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx

        uses: docker/setup-buildx-action@v3

      - name: Build and push Docker image

        id: build-push

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: lts/*

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: aws-actions/amazon-ecr-login@v2

      - name: Set up QEMU

        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx

        uses: docker/setup-buildx-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - name: Checkout code

        uses: actions/checkout@v6

      - name: Configure AWS credentials

        uses: aws-actions/configure-aws-credentials@v5

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: "20"

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Login to Amazon ECR

        id: login-ecr

        uses: aws-actions/amazon-ecr-login@v2

      - name: Set up QEMU

        uses: docker/setup-qemu-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: "20"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: "20"

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v6

      - name: Configure AWS credentials

        uses: aws-actions/configure-aws-credentials@v5

        with:

          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

pull-requests: write

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

ref: ${{ inputs.branch || github.ref }}

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: "20"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: read

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

        with:

          ref: ${{ inputs.branch || github.ref }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

        with:

          fetch-depth: 0

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

test:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT

      - name: Cache pnpm dependencies

        uses: actions/cache@v5

        with:

          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}

          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Create Release PR or Publish

        id: changesets

        uses: changesets/action@v1

        with:

          publish: pnpm release

          commit: "chore(release): version packages"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: read

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

try {

      await access(candidate);

      return candidate;

    } catch {}

  }

  return candidates[0];

}

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

let content = "";

    try {

      content = await readFile(filePath, "utf-8");

    } catch {}

    if (content.includes(marker)) {

      const regex = new RegExp(`${escapedMarker}\\n[\\s\\S]*?${escapedMarker}`);

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

if (stats.isSymbolicLink() || stats.isDirectory()) {

      await rm(targetPath, { recursive: true });

    }

  } catch {}

  await mkdir(targetDir, { recursive: true });

  await symlink(sourcePath, targetPath);

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

    await access(join(baseDir, dirname(universalPath)));

    hasUniversalDir = true;

  } catch {}

  const detectedIdes: IDE[] = [

    ...(hasUniversalDir ? (["universal"] as IDE[]) : []),

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

      await access(join(baseDir, parentDir));

      detected.push(ide);

    } catch {}

  }

  return detected;

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

let existing = "";

  try {

    existing = await readFile(filePath, "utf-8");

  } catch {}

  const sectionHeader = `[mcp_servers.${serverName}]`;

  const alreadyExists = existing.includes(sectionHeader);

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.