github · context7HEAD

Evidence

"owner": {

    "name": "Upstash"

  },

  "plugins": [

    {

      "name": "context7-plugin",

      "source": "./plugins/claude/context7",

      "description": "Up-to-date documentation lookup. Pull version-specific documentation and code examples directly from source repositories into your LLM context.",

      "version": "1.0.0"

    }

  ]

}

RemediationAI

The context7-plugin returns untrusted repository content directly into LLM context without delimiters, enabling prompt injection attacks. Wrap all fetched documentation and code examples with visible provenance markers (e.g., `[SOURCE: repo/path/file.md]` and `[END SOURCE]`) before returning them in tool responses. This ensures the LLM and user can distinguish injected content from trusted system instructions. Verify by fetching malicious repository content and confirming the markers appear in the tool output.

Evidence

expires_at:

      tokens.expires_at ?? (tokens.expires_in ? Date.now() + tokens.expires_in * 1000 : undefined),

  };

  fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });

}

export function loadTokens(): TokenData | null {

RemediationAI

The `loadTokens()` and token-handling code writes sensitive token data (expires_at, access tokens) to CREDENTIALS_FILE via `JSON.stringify()` without redaction, risking exposure in logs or error messages. Replace the direct write with a redaction helper: create a `sanitizeTokenData()` function that removes or masks `expires_at`, `access_token`, and `refresh_token` fields before logging, or use a library like `winston-redact` to automatically redact secret-like keys. This prevents accidental token leakage in logs, stdout, or file writes. Verify by checking that `cat CREDENTIALS_FILE` or any logged output does not contain plaintext token values.

Evidence

await transport.handleRequest(req, res, req.body);

        });

      } catch (error) {

        console.error("Error handling MCP request:", error);

        if (!res.headersSent) {

          res.status(500).json({

            jsonrpc: "2.0",

RemediationAI

User-controlled error objects are printed to console.error() without ANSI escape sanitization, allowing malicious input to inject cursor-control sequences that rewrite terminal output or hide commands. Sanitize the error message by stripping ANSI escape codes before logging: use a library like `strip-ansi` or a regex `/\x1b\[[0-9;]*m/g` to remove control sequences from `error.toString()` before calling `console.error()`. This prevents terminal injection attacks. Verify by passing an error with embedded ANSI codes (e.g., `\x1b[2J` to clear screen) and confirming the terminal is not affected.

LLM consensus

Evidence

if (accessToken) {

    headers["Authorization"] = `Bearer ${accessToken}`;

  }

  const response = await fetch(`${baseUrl}/api/v2/libs/search?${params}`, { headers });

  return (await response.json()) as LibrarySearchResponse;

}

RemediationAI

The fetch call to `/api/v2/libs/search` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option to the fetch call: `const response = await fetch(url, { headers, signal: AbortSignal.timeout(5000) })` (or use a polyfill for older Node versions). This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

export async function getSkill(project: string, skillName: string): Promise<SingleSkillResponse> {

  const params = new URLSearchParams({ project, skill: skillName });

  const response = await fetch(`${baseUrl}/api/v2/skills?${params}`);

  return (await response.json()) as SingleSkillResponse;

}

RemediationAI

The fetch call to `/api/v2/skills` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

}

async function refreshAccessToken(refreshToken: string): Promise<TokenData> {

  const response = await fetch(`${getBaseUrl()}/api/oauth/token`, {

    method: "POST",

    headers: { "Content-Type": "application/x-www-form-urlencoded" },

    body: new URLSearchParams({

RemediationAI

The fetch call in `refreshAccessToken()` to `/api/oauth/token` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { method: 'POST', headers, body, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

def fetch_with_retry(url, headers, max_retries=3):

    for attempt in range(max_retries):

        response = requests.get(url, headers=headers)

        if response.status_code == 429:

            retry_after = int(response.headers.get("Retry-After", 2 ** attempt))

RemediationAI

The Python example in `docs/api-guide.mdx` calls `requests.get(url, headers=headers)` without a timeout parameter, allowing hung servers to block indefinitely. Update the code example to: `response = requests.get(url, headers=headers, timeout=5)` to enforce a 5-second timeout. This prevents thread exhaustion in production code that follows the documentation. Verify by running the example against a slow server and confirming it times out after 5 seconds.

Evidence

}

async function fetchWhoami(accessToken: string): Promise<WhoamiResponse> {

  const response = await fetch(`${getBaseUrl()}/api/dashboard/whoami`, {

    headers: {

      Authorization: `Bearer ${accessToken}`,

    },

RemediationAI

The fetch call in `fetchWhoami()` to `/api/dashboard/whoami` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { headers, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

const skills: (Skill & { project: string })[] = [];

    for (const item of skillMdFiles) {

      const rawUrl = `${GITHUB_RAW}/${owner}/${repo}/${branchResult.branch}/${item.path}`;

      const response = await fetch(rawUrl, { headers });

      if (!response.ok) continue;

      const content = await response.text();

RemediationAI

The fetch call in the GitHub raw content loop lacks an explicit timeout, allowing a hung GitHub server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(rawUrl, { headers, signal: AbortSignal.timeout(5000) })`. This ensures each request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

export async function searchSkills(query: string): Promise<SearchResponse> {

  const params = new URLSearchParams({ query });

  const response = await fetch(`${baseUrl}/api/v2/skills?${params}`);

  return (await response.json()) as SearchResponse;

}

RemediationAI

The fetch call in `searchSkills()` to `/api/v2/skills` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

headers: Record<string, string>

): Promise<GitHubTreeResponse | null> {

  const treeUrl = `${GITHUB_API}/repos/${owner}/${repo}/git/trees/${branch}?recursive=1`;

  const response = await fetch(treeUrl, { headers });

  if (!response.ok) return null;

  return (await response.json()) as GitHubTreeResponse;

}

RemediationAI

The fetch call in `getGitHubTree()` to the GitHub API lacks an explicit timeout, allowing a hung GitHub server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(treeUrl, { headers, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

const spinner = ora("Configuring authentication...").start();

  try {

    const response = await fetch(`${getBaseUrl()}/api/dashboard/api-keys`, {

      method: "POST",

      headers: {

        Authorization: `Bearer ${accessToken}`,

RemediationAI

The fetch call in `packages/cli/src/commands/setup.ts` to `/api/dashboard/api-keys` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { method: 'POST', headers, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

const authServerUrl = AUTH_SERVER_URL;

        try {

          const response = await fetch(`${authServerUrl}/.well-known/oauth-authorization-server`);

          if (!response.ok) {

            console.error("[OAuth] Upstream error:", response.status);

            return res.status(response.status).json({

RemediationAI

The fetch call to `/.well-known/oauth-authorization-server` lacks an explicit timeout, allowing a hung auth server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(authServerUrl + '/.well-known/oauth-authorization-server', { signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

LLM consensus

Evidence

export async function listProjectSkills(project: string): Promise<ListSkillsResponse> {

  const params = new URLSearchParams({ project });

  const response = await fetch(`${baseUrl}/api/v2/skills?${params}`);

  return (await response.json()) as ListSkillsResponse;

}

RemediationAI

The fetch call in `listProjectSkills()` to `/api/v2/skills` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

const files: SkillFile[] = [];

    for (const item of skillFiles) {

      const rawUrl = `${GITHUB_RAW}/${owner}/${repo}/${branch}/${item.path}`;

      const fileResponse = await fetch(rawUrl, { headers: ghHeaders });

      if (!fileResponse.ok) {

        console.warn(`Failed to fetch ${item.path}: ${fileResponse.status}`);

RemediationAI

The fetch call in the GitHub file download loop lacks an explicit timeout, allowing a hung GitHub server to block indefinitely and exhaust connection pools. Add a timeout option: `const fileResponse = await fetch(rawUrl, { headers: ghHeaders, signal: AbortSignal.timeout(5000) })`. This ensures each request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

for (let i = 0; i <= this.retry.attempts; i++) {

      try {

        res = await fetch(url, requestOptions as RequestInit);

        break;

      } catch (error_) {

        if (requestOptions.signal?.aborted) {

RemediationAI

The fetch call in the SDK retry loop lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `res = await fetch(url, { ...requestOptions, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

export function trackEvent(event: string, data?: Record<string, unknown>): void {

  if (process.env.CTX7_TELEMETRY_DISABLED) return;

  fetch(`${getBaseUrl()}/api/v2/cli/events`, {

    method: "POST",

    headers: { "Content-Type": "application/json" },

    body: JSON.stringify({ event, data }),

RemediationAI

The fire-and-forget fetch call in `trackEvent()` to `/api/v2/cli/events` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `fetch(url, { method: 'POST', headers, body, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

const headers = generateHeaders(context);

    const response = await fetch(url, { headers });

    if (!response.ok) {

      const errorMessage = await parseErrorResponse(response, context.apiKey);

      console.error(errorMessage);

RemediationAI

The fetch call in `packages/mcp/src/lib/api.ts` lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { headers, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

const headers = generateHeaders(context);

    const response = await fetch(url, { headers });

    if (!response.ok) {

      const errorMessage = await parseErrorResponse(response, context.apiKey);

      console.error(errorMessage);

RemediationAI

The fetch call in `packages/mcp/src/lib/api.ts` (second instance) lacks an explicit timeout, allowing a hung upstream server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { headers, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

repo: string,

  headers: Record<string, string>

): Promise<{ branch: string } | { status: number }> {

  const response = await fetch(`${GITHUB_API}/repos/${owner}/${repo}`, { headers });

  if (!response.ok) return { status: response.status };

  const data = (await response.json()) as { default_branch: string };

  return { branch: data.default_branch };

RemediationAI

The fetch call in `getGitHubRepo()` to the GitHub API lacks an explicit timeout, allowing a hung GitHub server to block indefinitely and exhaust connection pools. Add a timeout option: `const response = await fetch(url, { headers, signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

async function fetchRule(filename: string, fallback: string): Promise<string> {

  for (const base of GITHUB_RAW_URLS) {

    try {

      const res = await fetch(`${base}/${filename}`);

      if (res.ok) return await res.text();

    } catch {

      continue;

RemediationAI

The fetch call in `fetchRule()` to GitHub raw URLs lacks an explicit timeout, allowing a hung GitHub server to block indefinitely and exhaust connection pools. Add a timeout option: `const res = await fetch(url, { signal: AbortSignal.timeout(5000) })`. This ensures the request fails after 5 seconds instead of hanging. Verify by testing with a timeout-inducing server and confirming the request aborts within the specified window.

Evidence

"type": "string",

            "description": "Title of the code snippet"

          },

          "codeDescription": {

            "type": "string",

            "description": "Description of what the code does"

          },

          "codeLanguage": {

            "type": "string",

            "description": "Primary programming language"

RemediationAI

The `codeDescription` field in the OpenAPI schema is an unconstrained string with a risky name, allowing arbitrary input that could be used for injection attacks. Constrain the schema by adding `maxLength: 500` and optionally a `pattern` to the field definition in `docs/openapi.json`: `"codeDescription": { "type": "string", "maxLength": 500, "description": "Description of what the code does" }`. This limits the blast radius of the tool. Verify by attempting to pass a very long or malicious string and confirming it is rejected or truncated.

Evidence

"type": "string",

            "description": "Programming language"

          },

          "code": {

            "type": "string",

            "description": "The actual code content"

          }

        },

        "required": [

          "language",

RemediationAI

The `code` field in the OpenAPI schema is an unconstrained string with a risky name, allowing arbitrary code input that could be used for injection attacks. Constrain the schema by adding `maxLength: 10000` to the field definition in `docs/openapi.json`: `"code": { "type": "string", "maxLength": 10000, "description": "The actual code content" }`. This limits the blast radius of the tool. Verify by attempting to pass a very long or malicious string and confirming it is rejected or truncated.

Evidence

"type": "object",

        "description": "A code snippet from library documentation",

        "properties": {

          "codeTitle": {

            "type": "string",

            "description": "Title of the code snippet"

          },

          "codeDescription": {

            "type": "string",

            "description": "Description of what the code does"

RemediationAI

The `codeTitle` and `codeDescription` fields in the code snippet schema are unconstrained strings with risky names, allowing arbitrary input for injection attacks. Constrain the schema by adding `maxLength: 200` to both fields in `docs/openapi.json`: `"codeTitle": { "type": "string", "maxLength": 200 }` and `"codeDescription": { "type": "string", "maxLength": 200 }`. This limits the blast radius of the tool. Verify by attempting to pass very long or malicious strings and confirming they are rejected or truncated.

Evidence

"type": "integer",

            "description": "Token count for the snippet"

          },

          "codeId": {

            "type": "string",

            "description": "URL to source location"

          },

          "pageTitle": {

            "type": "string",

            "description": "Title of the documentation page"

RemediationAI

The `codeId` field is an unconstrained string with a risky name (URL-like), allowing arbitrary input for injection attacks. Constrain the schema by adding `maxLength: 500` and a URL pattern to the field definition in `docs/openapi.json`: `"codeId": { "type": "string", "maxLength": 500, "pattern": "^https?://" }`. This limits the blast radius of the tool. Verify by attempting to pass a very long or non-URL string and confirming it is rejected.

Evidence

"type": "string",

            "description": "Description of what the code does"

          },

          "codeLanguage": {

            "type": "string",

            "description": "Primary programming language"

          },

          "codeTokens": {

            "type": "integer",

            "description": "Token count for the snippet"

RemediationAI

The `codeLanguage` field is an unconstrained string with a risky name, allowing arbitrary input for injection attacks. Constrain the schema by adding an `enum` list of allowed languages to the field definition in `docs/openapi.json`: `"codeLanguage": { "type": "string", "enum": ["javascript", "python", "java", "go", "rust"] }`. This limits the blast radius of the tool. Verify by attempting to pass an unlisted language and confirming it is rejected.

Evidence

# ----- Build Stage -----

FROM node:lts-alpine AS builder

RUN corepack enable pnpm

WORKDIR /app

# Copy monorepo config and install dependencies

COPY package.json pnpm-lock.yaml pnpm-workspace.yaml tsconfig.json ./

COPY packages/mcp ./packages/mcp

RUN pnpm install --frozen-lockfile

# Build the mcp package

RUN pnpm --filter @upstash/context7-mcp build

# ----- Production Stage -----

FROM node:lts-alpine

RUN corepack enable pnpm

WORKDIR /app

# Install production dependencies only

COPY package.js

RemediationAI

The Dockerfile runs the MCP server as root by default, allowing any RCE or library vulnerability to gain full system privileges. Add a non-root `USER` directive before the `CMD` in the final stage of `packages/mcp/Dockerfile`: `USER 1000` or `USER nobody` (or use a distroless image with `USER nonroot`). This limits the blast radius of container escapes. Verify by running the container and confirming `whoami` returns a non-root user.

Evidence

# Context7 MCP - توثيق أكواد محدث لأي أمر برمجي

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Install in VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22name%22%3A%22cont

RemediationAI

The MCP manifest in `packages/mcp/mcpb/manifest.json` declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

![Cover](https://github.com/upstash/context7/blob/master/public/cover.png?raw=true)

[![安裝 MCP 伺服器](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=context7&config=eyJ1cmwiOiJodHRwczovL21jcC5jb250ZXh0Ny5jb20vbWNwIn0%3D)

# Context7 MCP - 即時更新的程式碼文件，適用於任何提示

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/cont

RemediationAI

The MCP manifest (referenced in i18n/README.ar.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

# Context7 MCP - Documentazione aggiornata per qualsiasi prompt

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Install in VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Installa%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22

RemediationAI

The MCP manifest (referenced in i18n/README.zh-TW.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

# Context7 MCP - Documentação de Código Atualizada para Qualquer Prompt

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp)

[<img alt="Instalar no Cursor" src="https://img.shields.io/badge/Instalar%20no%20CURSOR-000000?style=for-the-badge&logo=cursor&logoColor=white">](https://cursor.com/en/install-mcp?name=context7&config=eyJ1cmwiOiJodHRw

RemediationAI

The MCP manifest (referenced in i18n/README.it.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

---

title: Developer Guide

description: Set up and run Context7 MCP locally for development

---

This guide covers how to set up the Context7 MCP server locally for development and testing.

## Getting Started

Clone the project and install dependencies:

```bash

git clone https://github.com/upstash/context7.git

cd context7

pnpm i

```

Build:

```bash

pnpm run build

```

Run the server:

```bash

node packages/mcp/dist/index.js

```

## CLI Arguments

`context7-mcp` accepts the following CLI flags

RemediationAI

The MCP manifest (referenced in i18n/README.pt-BR.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

---

title: Troubleshooting

---

This guide helps you resolve common issues when setting up or using Context7 MCP.

## Quick Checklist

- Confirm Node.js v18+ is installed (`node --version`)

- Update to the latest Context7 MCP package (`@upstash/context7-mcp@latest`)

- Verify connectivity with `curl https://mcp.context7.com/ping`

- Add your API key to the configuration if you hit rate limits

- Enable debug logs (`DEBUG=*`) before collecting support information

<Tip>

  **Skip Node.js issues entir

RemediationAI

The MCP manifest (referenced in docs/resources/developer.mdx) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

# Context7 MCP - Herhangi Bir Prompt İçin Güncel Kod Belgeleri

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="VS Code'da Yükle (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Context7%20MCP%20Y%C3%BCkle&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22n

RemediationAI

The MCP manifest (referenced in docs/resources/troubleshooting.mdx) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

![Cover](https://github.com/upstash/context7/blob/master/public/cover.png?raw=true)

[![MCP 서버 설치](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=context7&config=eyJ1cmwiOiJodHRwczovL21jcC5jb250ZXh0Ny5jb20vbWNwIn0%3D)

# Context7 MCP - 모든 프롬프트를 위한 최신 코드 문서

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/con

RemediationAI

The MCP manifest (referenced in i18n/README.tr.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

# Context7 MCP - Tài Liệu Code Cập Nhật Cho Mọi Prompt

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Install in VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22name%22%3A

RemediationAI

The MCP manifest (referenced in i18n/README.ko.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

# Context7 MCP - Documentación Actualizada Para Cualquier Prompt

[![Sitio Web](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![insignia smithery](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Instalar en VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Instalar%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3

RemediationAI

The MCP manifest (referenced in i18n/README.vi.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

name: Bug Report

description: Report a bug or issue with Context7 MCP

title: "[Bug]: "

labels: ["bug", "needs-triage"]

body:

  - type: markdown

    attributes:

      value: |

        Thanks for taking the time to report this issue! Please fill out the form below to help us investigate.

  - type: dropdown

    id: client

    attributes:

      label: MCP Client

      description: Which MCP client are you using?

      options:

        - Cursor

        - Claude Desktop

        - Claude Code

RemediationAI

The MCP manifest (referenced in i18n/README.es.md) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

{

  "manifest_version": "0.3",

  "name": "context7",

  "display_name": "Context7",

  "version": "2.1.0",

  "description": "Up-to-date Code Docs For Any Prompt",

  "long_description": "Context7 MCP pulls up-to-date, version-specific documentation and code examples straight from the source — and places them directly into your prompt.",

  "author": {

    "name": "Upstash",

    "email": "context7@upstash.com",

    "url": "https://upstash.com"

  },

  "homepage": "https://context7.com",

  "documentati

RemediationAI

The MCP manifest (referenced in .github/ISSUE_TEMPLATE/bug_report.yml) declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

![Cover](https://github.com/upstash/context7/blob/master/public/cover.png?raw=true)

[![安装 MCP 服务器](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=context7&config=eyJ1cmwiOiJodHRwczovL21jcC5jb250ZXh0Ny5jb20vbWNwIn0%3D)

# Context7 MCP - 最新文档赋能每个提示词

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mc

RemediationAI

The MCP manifest in `packages/mcp/mcpb/manifest.json` declares tools but does not include an `auth` or `authorization` field, making it unclear how the server authenticates requests. Add an explicit authentication field to the manifest: `"auth": { "type": "oauth2" }` or `"auth": { "type": "bearer" }` depending on the actual mechanism used. This allows reviewers to audit the security model. Verify by checking that the manifest now includes the auth field and matches the actual implementation.

Evidence

# Context7 MCP — Актуальна документація з прикладами коду для будь-якого запиту

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Install in VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Fi

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# Context7 MCP - Documentation à jour pour vos prompts

[![Site Web](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![badge smithery](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Installer dans VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Installer%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22nam

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# Context7 MCP - Актуальная документация для любого промпта

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Install in VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22name%

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# Context7 MCP - Dokumentasi Kode Terkini Untuk Setiap Permintaan

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="Install in VS Code (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%2

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

{

  "mcpServers": {

    "context7": {

      "url": "https://mcp.context7.com/mcp"

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# Context7 MCP - Aktuelle Dokumentation für jeden Prompt

[![Website](https://img.shields.io/badge/Website-context7.com-blue)](https://context7.com) [![smithery badge](https://smithery.ai/badge/@upstash/context7-mcp)](https://smithery.ai/server/@upstash/context7-mcp) [<img alt="In VS Code installieren (npx)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Context7%20MCP&color=0098FF">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22nam

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

{

  "name": "context7",

  "description": "Up-to-date code docs for any prompt",

  "version": "1.0.0",

  "settings": [

    {

      "name": "API Key",

      "description": "Context7 API key. Create new key at https://context7.com/dashboard.",

      "envVar": "CONTEXT7_API_KEY"

    }

  ],

  "mcpServers": {

    "context7": {

      "command": "npx",

      "args": ["-y", "@upstash/context7-mcp", "--api-key", "${CONTEXT7_API_KEY}"]

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

---

title: Factory AI

sidebarTitle: Factory AI

description: AI-native software development platform with Droids

---

[Factory AI](https://factory.ai) is a coding agent platform that uses "Droids" to handle development tasks. By connecting Context7 as an MCP server, Factory Droids can access up-to-date library documentation during coding tasks.

For more details on how Factory AI handles MCP, see the [Factory AI MCP documentation](https://docs.factory.ai/cli/configuration/mcp).

## Setup

There a

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

---

title: "On-Premise Deployment"

sidebarTitle: "Getting Started"

---

Context7 On-Premise lets you run the full Context7 stack inside your own infrastructure. Your code, documentation, and embeddings never leave your environment.

## What's Included

- Full Context7 parsing and indexing pipeline

- Local vector storage (no external vector DB required)

- Built-in MCP server. Works with any MCP-compatible AI client

- Web UI for managing indexed libraries and configuration

- REST API compatible wi

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

fetch-depth: 0

      - name: Check for changeset

        uses: actions/github-script@v7

        with:

          script: |

            const { execSync } = require('child_process');

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: "20"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Build and push Docker image

        id: build-push

        uses: docker/build-push-action@v6

        with:

          context: .

          file: packages/mcp/Dockerfile

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: "20"

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx

        uses: docker/setup-buildx-action@v3

      - name: Build and push Docker image

        id: build-push

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: lts/*

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: aws-actions/amazon-ecr-login@v2

      - name: Set up QEMU

        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx

        uses: docker/setup-buildx-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - name: Checkout code

        uses: actions/checkout@v6

      - name: Configure AWS credentials

        uses: aws-actions/configure-aws-credentials@v5

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: "20"

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Login to Amazon ECR

        id: login-ecr

        uses: aws-actions/amazon-ecr-login@v2

      - name: Set up QEMU

        uses: docker/setup-qemu-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: "20"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: "20"

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v6

      - name: Configure AWS credentials

        uses: aws-actions/configure-aws-credentials@v5

        with:

          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

pull-requests: write

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

ref: ${{ inputs.branch || github.ref }}

      - name: Setup Node

        uses: actions/setup-node@v4

        with:

          node-version: "20"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: read

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

        with:

          ref: ${{ inputs.branch || github.ref }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

        with:

          fetch-depth: 0

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

test:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT

      - name: Cache pnpm dependencies

        uses: actions/cache@v5

        with:

          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}

          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Create Release PR or Publish

        id: changesets

        uses: changesets/action@v1

        with:

          publish: pnpm release

          commit: "chore(release): version packages"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: read

    steps:

      - name: Checkout Repo

        uses: actions/checkout@v6

      - name: Setup Node

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

import * as crypto from "crypto";

import * as http from "http";

import * as fs from "fs";

import * as path from "path";

import * as os from "os";

import { CLI_CLIENT_ID } from "../constants.js";

import { getBaseUrl } from "./api.js";

const CONFIG_DIR = path.join(os.homedir(), ".context7");

const CREDENTIALS_FILE = path.join(CONFIG_DIR, "credentials.json");

export interface TokenData {

  access_token: string;

  refresh_token?: string;

  token_type: string;

  expires_in?: number;

  expires_at?: 

Remediation

Replace check-then-use with action-then-handle: Python: `try: with open(p) as f: ... except FileNotFoundError: ...` Node: `try { fs.readFileSync(p); } catch (e) { if (e.code === "ENOENT") ... }` For atomic file creation: Python: `os.open(p, os.O_RDWR | os.O_CREAT | os.O_EXCL)` Node: `fs.open(p, "wx")` — fails if file exists, no race. When you genuinely must check first, use `flock` (Python `fcntl`) or a similar per-process advisory lock to make the window uninteresting to a

Evidence

try {

      await access(candidate);

      return candidate;

    } catch {}

  }

  return candidates[0];

}

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

let content = "";

    try {

      content = await readFile(filePath, "utf-8");

    } catch {}

    if (content.includes(marker)) {

      const regex = new RegExp(`${escapedMarker}\\n[\\s\\S]*?${escapedMarker}`);

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

    await access(join(baseDir, dirname(universalPath)));

    hasUniversalDir = true;

  } catch {}

  const detectedIdes: IDE[] = [

    ...(hasUniversalDir ? (["universal"] as IDE[]) : []),

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

      await access(join(baseDir, parentDir));

      detected.push(ide);

    } catch {}

  }

  return detected;

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

let existing = "";

  try {

    existing = await readFile(filePath, "utf-8");

  } catch {}

  const sectionHeader = `[mcp_servers.${serverName}]`;

  const alreadyExists = existing.includes(sectionHeader);

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

if (stats.isSymbolicLink() || stats.isDirectory()) {

      await rm(targetPath, { recursive: true });

    }

  } catch {}

  await mkdir(skillsRoot, { recursive: true });

  await symlink(sourcePath, targetPath);

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.