Skip to main content

Dependabot Security Configuration

This document explains how Dependabot is configured in this repository to automatically address security vulnerabilities like the current malware incident.

Configuration Overviewโ€‹

Dependabot is configured to:

๐Ÿ”’ Security-First Approachโ€‹

  • Daily checks for npm package updates (focusing on security patches)
  • Weekly checks for GitHub Actions updates
  • Priority handling for security vulnerabilities
  • Automatic PR creation for available fixes

๐ŸŽฏ Current Focus: Debug Package Malwareโ€‹

The remaining 9 critical vulnerabilities stem from the debug package malware in @modelcontextprotocol/sdk. Dependabot will:

  1. Monitor for clean versions of @modelcontextprotocol/sdk that don't depend on vulnerable debug
  2. Create PRs immediately when security updates are available
  3. Group related updates to reduce noise while maintaining security focus

๐Ÿ“‹ PR Managementโ€‹

Grouping Strategyโ€‹

  • Production dependencies: @modelcontextprotocol/*, @types/*
  • Development dependencies: Jest, TypeScript, linting tools
  • GitHub Actions: Workflow security updates

Labels Appliedโ€‹

  • dependencies - All dependency updates
  • security - Security-related updates (highest priority)
  • github-actions - Workflow updates

๐Ÿšจ Expected Behaviorโ€‹

When Dependabot detects:

  • A new version of @modelcontextprotocol/sdk without the malware
  • Security patches for any dependencies
  • Updated GitHub Actions with security fixes

It will automatically:

  1. Create a PR with detailed change information
  2. Add appropriate labels for easy identification
  3. Request review from @tosin2013
  4. Include security analysis in the PR description

๐Ÿ”„ Integration with Existing Workflowsโ€‹

Dependabot PRs will trigger:

  • Build validation (from build.yml)
  • Security audits (from dependencies.yml)
  • Node.js compatibility checks
  • Lint checks (from lint.yml)

๐Ÿ“Š Benefitsโ€‹

  • Proactive security: Catch vulnerabilities before they become incidents
  • Automated monitoring: No manual checking needed
  • Quick response: Daily checks ensure rapid security patch deployment
  • Organized updates: Grouped PRs prevent dependency management chaos

Manual Overrideโ€‹

If urgent security fixes are needed:

# Force update to resolve critical vulnerabilities
npm audit fix --force

# Review breaking changes carefully
npm test
make node-compat

Note: The current debug malware issue requires waiting for upstream @modelcontextprotocol/sdk to release a clean version, which Dependabot will automatically detect and propose.