Fix tar, SDK, and axios vulnerabilities via pnpm overrides

.changeset/security-audit-verification.md

@@ -0,0 +1,31 @@
+---
+"mcp-taskflow": patch
+---
+
+Security: Fix high-severity vulnerabilities via pnpm overrides
+
+Added pnpm overrides to fix security vulnerabilities:
+
+1. **tar <= 7.5.6** (6 high severity issues):
+   - Arbitrary File Overwrite and Symlink Poisoning
+   - Race Condition via Unicode Ligature Collisions
+   - Arbitrary File Creation/Overwrite via Hardlink Path Traversal
+   - Enforced tar >= 7.5.7 via pnpm override
+
+2. **@modelcontextprotocol/sdk** (2 high severity CVEs):
+   - CVE-2026-0621: Regular Expression Denial of Service (ReDoS) vulnerability (CVSS 8.7)
+   - CVE-2026-25536: Cross-Client Data Leak via shared server/transport instance (CVSS 7.1)
+   - Enforced @modelcontextprotocol/sdk >= 1.26.0 via pnpm override
+
+3. **axios <= 1.13.4** (1 high severity):
+   - GHSA-43fc-jf86-j433: Denial of Service via __proto__ Key in mergeConfig
+   - Enforced axios >= 1.13.5 via pnpm override
+
+Changes:
+- Added `tar: "^7.5.7"` to pnpm.overrides in package.json
+- Added `@modelcontextprotocol/sdk: ">=1.26.0"` to pnpm.overrides in package.json
+- Added `axios: ">=1.13.5"` to pnpm.overrides in package.json
+- Updated pnpm-lock.yaml with security fixes
+- Added package-lock.json to .gitignore (pnpm-only repository)
+
+All 593 tests pass.

.gitignore

@@ -1,6 +1,7 @@
 # Dependencies
 node_modules/
 .pnpm-store/
+package-lock.json
 
 # Build output
 dist/

package.json

@@ -85,7 +85,9 @@
   },
   "pnpm": {
     "overrides": {
-      "tar": "^7.5.7"
+      "tar": "^7.5.7",
+      "@modelcontextprotocol/sdk": ">=1.26.0",
+      "axios": ">=1.13.5"
     }
   }
 }