Hi,
Thanks again for the earlier support with Elixir language support, really appreciate the quick turnaround on that.
While working on getting this approved for internal use, our Infosec team reviewed the dependencies and had a small suggestion.
They pointed out that some version ranges are quite broad, for example:
fastmcp>=0.1.0,<2
mcp>=1.0.0,<2
tree-sitter>=0.23.0,<1
This allows installation of fairly old versions (e.g., 0.1.x), which might include known vulnerabilities or outdated behavior.
Totally understand this is common in open source for flexibility; this feedback is more from a security review perspective.
Would you be open to:
Raising the minimum versions to more recent stable releases, or
Slightly tightening the version ranges based on tested versions?
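The concern above is mechanical and easy to check: a specifier such as fastmcp>=0.1.0,<2 admits every release from 0.1.0 up to, but not including, 2.0. The following Python script is an added example, not code from the project or from the issue author. It evaluates each requirement against a constructed (not real) release list, reports the oldest version the range still admits, and rewrites the lower bound to the oldest version the maintainers actually test against; the tested_min values are assumed for illustration. It handles numeric dotted versions only; PEP 440 pre- and post-release tags are out of scope.

```python
"""Check how old a version a Python requirement specifier admits.

Added example for the dependency-range feedback above; it is not code from
the project or the issue author. RELEASES is constructed sample data, not the
real release history of these packages. Only numeric dotted versions are
handled; PEP 440 pre-/post-release tags are out of scope.
"""
import re

# Constructed sample release lists, oldest first (not real PyPI history).
RELEASES = {
    "fastmcp": ["0.1.0", "0.4.1", "1.0.0", "2.0.0"],
    "mcp": ["0.9.0", "1.0.0", "1.2.0", "2.0.0"],
    "tree-sitter": ["0.22.3", "0.23.0", "0.24.0", "1.0.0"],
}

CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")
OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """'1.2.0' -> (1, 2); trailing zeros dropped so 2 and 2.0.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(req):
    """'mcp>=1.0.0,<2' -> ('mcp', [('>=', '1.0.0'), ('<', '2')])."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        cm = CLAUSE_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported clause in {req!r}: {part!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def admits(clauses, version):
    """True when every clause of the specifier accepts this version."""
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound)) for op, bound in clauses)


def admitted_versions(req, released):
    """Subset of `released` (order kept) that the requirement allows."""
    _, clauses = parse_requirement(req)
    return [v for v in released if admits(clauses, v)]


def oldest_admitted(req, released):
    """Oldest release the range allows, i.e. the worst case a resolver may pick."""
    allowed = admitted_versions(req, released)
    return min(allowed, key=parse_version) if allowed else None


def tighten_lower_bound(req, tested_min):
    """Rewrite the requirement so its floor is the oldest version actually tested."""
    name, clauses = parse_requirement(req)
    upper = [f"{op}{bound}" for op, bound in clauses if op not in (">=", ">")]
    return ",".join([f"{name}>={tested_min}"] + upper)


if __name__ == "__main__":
    # tested_min values are assumed for illustration, not the project's real floor.
    for req, tested_min in [("fastmcp>=0.1.0,<2", "1.0.0"),
                            ("mcp>=1.0.0,<2", "1.2.0"),
                            ("tree-sitter>=0.23.0,<1", "0.24.0")]:
        name, _ = parse_requirement(req)
        print(f"{req}: oldest admitted = {oldest_admitted(req, RELEASES[name])}"
              f" -> suggest {tighten_lower_bound(req, tested_min)}")
```

Running it against a real release list (for example the versions returned by pip index versions) shows the same thing the review flagged: the floor of the range, not the latest release, is what an offline mirror or a constrained resolver may install, so the floor is the version that needs to be free of known issues.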