diff --git a/.changeset/security-audit-verification.md b/.changeset/security-audit-verification.md new file mode 100644 index 0000000..fd4606e --- /dev/null +++ b/.changeset/security-audit-verification.md @@ -0,0 +1,31 @@ +--- +"mcp-taskflow": patch +--- + +Security: Fix high-severity vulnerabilities via pnpm overrides + +Added pnpm overrides to fix security vulnerabilities: + +1. **tar <= 7.5.6** (6 high severity issues): + - Arbitrary File Overwrite and Symlink Poisoning + - Race Condition via Unicode Ligature Collisions + - Arbitrary File Creation/Overwrite via Hardlink Path Traversal + - Enforced tar >= 7.5.7 via pnpm override + +2. **@modelcontextprotocol/sdk** (2 high severity CVEs): + - CVE-2026-0621: Regular Expression Denial of Service (ReDoS) vulnerability (CVSS 8.7) + - CVE-2026-25536: Cross-Client Data Leak via shared server/transport instance (CVSS 7.1) + - Enforced @modelcontextprotocol/sdk >= 1.26.0 via pnpm override + +3. **axios <= 1.13.4** (1 high severity): + - GHSA-43fc-jf86-j433: Denial of Service via __proto__ Key in mergeConfig + - Enforced axios >= 1.13.5 via pnpm override + +Changes: +- Added `tar: "^7.5.7"` to pnpm.overrides in package.json +- Added `@modelcontextprotocol/sdk: ">=1.26.0"` to pnpm.overrides in package.json +- Added `axios: ">=1.13.5"` to pnpm.overrides in package.json +- Updated pnpm-lock.yaml with security fixes +- Added package-lock.json to .gitignore (pnpm-only repository) + +All 593 tests pass. diff --git a/.gitignore b/.gitignore index 85c8374..89fdc47 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Dependencies node_modules/ .pnpm-store/ +package-lock.json # Build output dist/ diff --git a/package.json b/package.json index 02c2f41..3f24e36 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,9 @@ }, "pnpm": { "overrides": { - "tar": "^7.5.7" + "tar": "^7.5.7", + "@modelcontextprotocol/sdk": ">=1.26.0", + "axios": ">=1.13.5" } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2e82c22..8fa0586 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,13 +6,15 @@ settings: overrides: tar: ^7.5.7 + '@modelcontextprotocol/sdk': '>=1.26.0' + axios: '>=1.13.5' importers: .: dependencies: '@modelcontextprotocol/sdk': - specifier: ^1.26.0 + specifier: '>=1.26.0' version: 1.26.0(zod@3.25.76) dotenv: specifier: ^16.3.1 @@ -848,8 +850,8 @@ packages: resolution: {integrity: sha512-kNOjDqAh7px0XWNI+4QbzoiR/nTkHAWNud2uvnJquD1/x5a7EQZMJT0AczqK0Qn67oY/TTQ1LbUKajZpp3I9tQ==} engines: {node: '>=8.0.0'} - axios@1.13.4: - resolution: {integrity: sha512-1wVkUaAO6WyaYtCkcYCOx12ZgpGf9Zif+qXa4n+oYzK558YryKqiL6UWwd5DqiH3VRW0GYhTZQ/vlgJrCoNQlg==} + axios@1.13.5: + resolution: {integrity: sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==} balanced-match@1.0.2: resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} @@ -3202,7 +3204,7 @@ snapshots: atomic-sleep@1.0.0: {} - axios@1.13.4(debug@4.4.3): + axios@1.13.5(debug@4.4.3): dependencies: follow-redirects: 1.15.11(debug@4.4.3) form-data: 4.0.5 @@ -3316,7 +3318,7 @@ snapshots: cmake-js@7.4.0: dependencies: - axios: 1.13.4(debug@4.4.3) + axios: 1.13.5(debug@4.4.3) debug: 4.4.3 fs-extra: 11.3.3 memory-stream: 1.0.0