From 64a0b2c34413c02d59c491cce04e0b6e8260f3f9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 8 Jan 2026 19:50:11 +0000
Subject: [PATCH 1/2] chore(deps): update dependency @upstash/context7-mcp to v2

---
 npx/context7/spec.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/npx/context7/spec.yaml b/npx/context7/spec.yaml
index 60bed0a..3ef1386 100644
--- a/npx/context7/spec.yaml
+++ b/npx/context7/spec.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
   package: "@upstash/context7-mcp" # NPM package name
-  version: "1.0.33" # Specific version to install
+  version: "2.1.0" # Specific version to install
 provenance:
   # Note: This package does not have npm provenance attestations (Sigstore signatures)

From 6993cc8033bf5100b55b2476d4be3084ee721237 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 15 Jan 2026 12:21:14 +0200
Subject: [PATCH 2/2] chore(context7): add W001 security allowlist for false positive

The v2.0.0 release added security warnings in tool descriptions instructing users NOT to include sensitive data (API keys, passwords, credentials) in queries. The mcp-scan W001 check flags these keywords without understanding the semantic context - the words appear in a defensive "Do not include..." instruction, not a prompt injection attack.

Co-Authored-By: Claude Opus 4.5
---
 npx/context7/spec.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/npx/context7/spec.yaml b/npx/context7/spec.yaml
index 3ef1386..0746c47 100644
--- a/npx/context7/spec.yaml
+++ b/npx/context7/spec.yaml
@@ -18,3 +18,14 @@ provenance:
   # The repository information below is verified from npm metadata and GitHub
   repository_uri: "https://github.com/upstash/context7"
   repository_ref: "refs/tags/v1.0.17"
+
+# Security allowlist for known false positives
+security:
+  allowed_issues:
+    - code: "W001"
+      reason: |
Tool descriptions contain security warnings instructing users NOT to include sensitive data (API keys, passwords, credentials) in queries. These are defensive instructions added in v2.0.0 to protect user privacy, not prompt injection attempts. The flagged keywords appear in a "Do not include..." context, not in an extraction context.
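Review bot: The new `allowed_issues` entry suppresses W001 for this package with no bound on which release it applies to, while its `reason` only justifies the finding for the tool descriptions shipped in v2.0.0; a later version whose descriptions change would inherit the exemption without anyone re-reading the flagged text. If the allowlist schema offers no way to pin the suppression to a version, at least record what was reviewed in the comment, e.g. `# Security allowlist for known false positives (W001 reviewed against @upstash/context7-mcp 2.1.0; re-check on every version bump)`, so the next bump triggers a re-review rather than a silent carry-over. Separately, the context line `repository_ref: "refs/tags/v1.0.17"` still names a v1 tag although `version` was bumped to "2.1.0" in the first patch of this series, so the provenance block no longer describes the package being installed and should point at the tag matching 2.1.0 (placeholder: `refs/tags/<v2.1.0-tag>`).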