@copilot update the docs and the PR: you need to update the MCP configuration in the agentic workflows with the updated version. The compiler will regenerate .github/workflows/package.json from them.
- Updated .github/workflows/shared/mcp/sentry.md with @sentry/mcp-server@0.29.0
- Recompiled workflow to regenerate mcp-inspector.lock.yml
- Updated dependabot.md with guidance for handling MCP server transitive dependencies
- The compiler now generates package.json from MCP configurations in workflow files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Updated in commit 51e733d. Changed the source MCP configuration in
Pull request overview
Updates the Sentry MCP server dependency used by gh-aw’s workflow tooling to remediate Dependabot-reported vulnerabilities in transitive npm dependencies, aligning with the repo’s documented “edit source .md → recompile → regenerate lock” workflow.
Changes:
- Bumped `@sentry/mcp-server` from `0.27.0` → `0.29.0` in the shared MCP configuration.
- Regenerated `.github/workflows` npm manifests/lockfile to pick up patched transitive versions (including `@modelcontextprotocol/sdk` and `hono`).
- Expanded Dependabot documentation with explicit guidance for MCP server transitive dependency alerts.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docs/src/content/docs/reference/dependabot.md | Documents the correct process for addressing MCP-server-driven transitive dependency alerts. |
| .github/workflows/shared/mcp/sentry.md | Updates the Sentry MCP server version used by workflows importing this shared config. |
| .github/workflows/package.json | Regenerated manifest reflecting the updated MCP server version. |
| .github/workflows/package-lock.json | Regenerated lockfile capturing updated transitive dependency versions. |
| .github/workflows/mcp-inspector.lock.yml | Regenerated compiled workflow content to reference the updated Sentry MCP server version. |
Files not reviewed (1)
- .github/workflows/package-lock.json: Language not supported
Dependabot PR #13785 flagged security vulnerabilities in transitive dependencies `@modelcontextprotocol/sdk` (GHSA-345p-7cg4-v4c7) and `hono` (CVE-2026-24398, CVE-2026-24472, CVE-2026-24473). Per dependabot.md, lock-only updates are overwritten on next compilation—correct workflow is updating source dependencies.

Changes
- `@sentry/mcp-server` from 0.27.0 → 0.29.0 in `.github/workflows/shared/mcp/sentry.md` (source configuration)
- `gh aw compile --dependabot` to regenerate `package.json` from MCP configurations
- `package-lock.json` via `npm install --package-lock-only`
- `docs/src/content/docs/reference/dependabot.md` with guidance for handling MCP server transitive dependencies

Result
Transitive dependencies now include security patches:
- `@modelcontextprotocol/sdk`: 1.25.2 → 1.26.0
- `hono`: 4.11.4 → 4.11.9

Key insight: The compiler generates `package.json` from MCP server configurations in workflow `.md` files. MCP server versions must be updated in the shared configuration files (e.g., `.github/workflows/shared/mcp/sentry.md`), not in `package.json` directly, as it is a generated file.

Dependabot PR #13785 will auto-close on merge.
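A drift check for the point made above, added here as an example and not code from gh-aw or this PR: it pulls the pinned MCP server package versions out of a shared config `.md` file and compares them with the generated `package.json`, so a fix applied only to the manifest or lockfile (which the next `gh aw compile` would overwrite) is caught before merge. The frontmatter layout with an `npx` args line and both `package.json` samples are constructed assumptions, not the repository's real files.

```python
import json
import re

# Matches "name@x.y.z" or "@scope/name@x.y.z" as written in an npx package spec.
_PKG_REF = re.compile(r"((?:@[\w.-]+/)?[\w.-]+)@(\d+\.\d+\.\d+[\w.-]*)")


def mcp_versions_from_markdown(md_text: str) -> dict:
    """Collect pinned MCP server packages declared in a shared MCP config .md file.

    Assumed layout: the frontmatter references the server as an npm package spec
    (e.g. "@sentry/mcp-server@0.29.0") inside the npx args.
    """
    return {name: version for name, version in _PKG_REF.findall(md_text)}


def find_drift(source_versions: dict, package_json_text: str) -> list:
    """Return (name, source_version, pinned_version) for every package whose
    version in the generated package.json differs from the source .md.

    Any entry here means package.json was edited directly (or is stale) and
    would be overwritten by the next compile, so the source .md is the fix.
    """
    deps = json.loads(package_json_text).get("dependencies", {})
    drift = []
    for name, src_version in sorted(source_versions.items()):
        pinned = deps.get(name, "<missing>").lstrip("^~")
        if pinned != src_version:
            drift.append((name, src_version, pinned))
    return drift


# Constructed sample inputs (assumed layout, not the repository's real files).
SENTRY_MD = """---
mcp-servers:
  sentry:
    command: npx
    args: ["-y", "@sentry/mcp-server@0.29.0"]
---
# Sentry MCP server
"""
STALE_PACKAGE_JSON = json.dumps({"dependencies": {"@sentry/mcp-server": "0.27.0"}})
FRESH_PACKAGE_JSON = json.dumps({"dependencies": {"@sentry/mcp-server": "0.29.0"}})

if __name__ == "__main__":
    src = mcp_versions_from_markdown(SENTRY_MD)
    for label, pkg in (("stale", STALE_PACKAGE_JSON), ("fresh", FRESH_PACKAGE_JSON)):
        print(label, find_drift(src, pkg) or "in sync")
```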