feat: add next-devtools-mcp server #741
Draft
samuv wants to merge 5 commits into
Contributor
🔒 MCP Security Scan Results
✅ next-devtools-mcp
Summary: Scanned 1 MCP server(s), all passed security checks. ✅
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.
What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
c21d8c9 to e2db304
Add packaging for next-devtools-mcp v0.4.0 (Vercel).
Package: https://www.npmjs.com/package/next-devtools-mcp
Repository: https://github.com/vercel/next-devtools-mcp
Co-authored-by: Cursor <cursoragent@cursor.com>

CI LLM analyzer flags imperative tool guidance (parameter formatting, bundled-docs preference, agent-browser setup) as prompt injection. These are legitimate operational instructions from Vercel's official package.
Co-authored-by: Cursor <cursoragent@cursor.com>

browser_eval is an intentional Vercel gateway that directs agents to the agent-browser CLI — not tool poisoning or MCP tool shadowing.
Co-authored-by: Cursor <cursoragent@cursor.com>
e2db304 to 21e32fe
…n spec.yaml
Renovate version bumps fail the build-containers Grype gate when the bumped
package pins or caps a transitive dependency to a vulnerable version. Add an
optional dependency-override mechanism to the spec.yaml schema, plumbed into the
generated Dockerfile.
- npx: spec.overrides ([]{package, version, reason}) is injected as an npm
"overrides" block in the generated package.json before the npm install step.
- uvx: spec.constraints ([]{spec, reason}) is written to a uv overrides
requirements file and passed to "uv tool install --overrides".
Both injection points match the install step by content (not line number) so
they stay robust to toolhive template formatting. Every entry requires a
non-empty reason (validation fails otherwise) so the justification for
circumventing an upstream pin is auditable in-repo.
Verified end-to-end against the CI build + Grype recipe:
- #469 @brightdata/mcp 2.9.5 + override @modelcontextprotocol/sdk 1.26.0:
resolves to SDK 1.26.0, grype --fail-on high --only-fixed passes.
- #527 mcp-clickhouse 0.3.0 + constraint fastmcp>=3.2.0: fastmcp 3.4.0,
import mcp_clickhouse OK, grype passes.
Refs #668
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
next-devtools-mcp hard-pins SDK 1.25.2 which fails the Grype gate for GHSA-345p-7cg4-v4c7. Bump via npm overrides (same major, fixed in 1.26.0).
Also cherry-picks dockhand override support from #669.
Co-authored-by: Cursor <cursoragent@cursor.com>
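An added example (not code from this PR or from dockhand) of the npx rule the commit messages above describe: every spec.overrides entry must carry a non-empty reason before it is merged into the npm "overrides" block of package.json. The Go type, the function names and the sample package.json are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrNoReason rejects an override that carries no written justification.
var ErrNoReason = errors.New("override needs a non-empty reason")

// Override models one spec.overrides entry: {package, version, reason}.
// The Go type and field names are assumptions made for this example.
type Override struct{ Package, Version, Reason string }

// InjectOverrides validates every entry, then merges it into the npm
// "overrides" block of a package.json document and returns the new JSON.
func InjectOverrides(pkgJSON []byte, ovs []Override) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(pkgJSON, &doc); err != nil || doc == nil {
		return nil, fmt.Errorf("package.json is not a JSON object: %v", err)
	}
	block, ok := doc["overrides"].(map[string]any)
	if !ok { // no usable "overrides" object yet: start a fresh one
		block = map[string]any{}
	}
	for i, o := range ovs {
		if strings.TrimSpace(o.Package) == "" || strings.TrimSpace(o.Version) == "" {
			return nil, fmt.Errorf("overrides[%d]: package and version are required", i)
		}
		if strings.TrimSpace(o.Reason) == "" {
			return nil, fmt.Errorf("overrides[%d] (%s): %w", i, o.Package, ErrNoReason)
		}
		block[o.Package] = o.Version
	}
	doc["overrides"] = block
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Constructed package.json; the override values are the ones named above.
	pkg := []byte(`{"name":"mcp-wrapper","dependencies":{"next-devtools-mcp":"0.4.0"}}`)
	out, err := InjectOverrides(pkg, []Override{{
		Package: "@modelcontextprotocol/sdk", Version: "1.26.0",
		Reason: "GHSA-345p-7cg4-v4c7: upstream hard-pins 1.25.2",
	}})
	fmt.Println(string(out), err)
}
```

Validation runs before any write, so an entry with a blank reason fails the whole injection rather than producing a partially overridden package.json.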
Contributor
🛡️ Skill Security Scan Results
Summary
- next-devtools-mcp v0.4.0 (Vercel)

Test plan
- task build -- npx/next-devtools-mcp — Dockerfile generated successfully
- task scan -- npx/next-devtools-mcp — passed with no blocking issues
- ./build/dockhand verify-provenance -c npx/next-devtools-mcp/spec.yaml -v — no npm attestations (0 found)

Made with Cursor