@socketsecurity/mcp - npm Package Compare versions

Comparing version
0.0.12
to
0.0.13
+31
-24
index.js

@@ -53,35 +53,39 @@ #!/usr/bin/env -S node --experimental-strip-types

let SOCKET_API_KEY = process.env['SOCKET_API_KEY'] || '';
function buildSocketHeaders() {
return {
'user-agent': `socket-mcp/${VERSION}`,
accept: 'application/x-ndjson',
'content-type': 'application/json',
authorization: `Bearer ${SOCKET_API_KEY}`
};
}
const server = new McpServer({
name: 'socket',
version: VERSION,
description: 'Socket MCP server',
capabilities: {
resources: {},
tools: {},
streaming: {}
});
server.registerTool('depscore', {
title: 'Dependency Score Tool',
description: "Get the dependency score of packages with the `depscore` tool from Socket. Use 'unknown' for version if not known. Use this tool to scan dependencies for their quality and security on existing code or when code is generated. Stop generating code and ask the user how to proceed when any of the scores are low. When checking dependencies, make sure to also check the imports in the code, not just the manifest files (pyproject.toml, package.json, etc).",
inputSchema: z.object({
packages: z.array(z.object({
ecosystem: z.string().describe('The package ecosystem (e.g., npm, pypi)').default('npm'),
depname: z.string().describe('The name of the dependency'),
version: z.string().describe("The version of the dependency, use 'unknown' if not known").default('unknown'),
})).describe('Array of packages to check'),
}),
annotations: {
readOnlyHint: true,
},
});
server.tool('depscore', "Get the dependency score of packages with the `depscore` tool from Socket. Use 'unknown' for version if not known. Use this tool to scan dependencies for their quality and security on existing code or when code is generated. Stop generating code and ask the user how to proceed when any of the scores are low. When checking dependencies, make sure to also check the imports in the code, not just the manifest files (pyproject.toml, package.json, etc).", {
packages: z.array(z.object({
ecosystem: z.string().describe('The package ecosystem (e.g., npm, pypi)').default('npm'),
depname: z.string().describe('The name of the dependency'),
version: z.string().describe("The version of the dependency, use 'unknown' if not known").default('unknown'),
})).describe('Array of packages to check'),
}, async ({ packages }) => {
logger.info(`Received request for ${packages.length} packages`);
const SOCKET_HEADERS = {
'user-agent': `socket-mcp/${VERSION}`,
accept: 'application/x-ndjson',
'content-type': 'application/json',
authorization: `Bearer ${SOCKET_API_KEY}`
};
const components = packages.map(pkg => {
const cleanedVersion = pkg.version.replace(/[\^~]/g, '');
const cleanedVersion = (pkg.version ?? 'unknown').replace(/[\^~]/g, '');
const ecosystem = pkg.ecosystem ?? 'npm';
let purl;
if (cleanedVersion === '1.0.0' || cleanedVersion === 'unknown' || !cleanedVersion) {
purl = `pkg:${pkg.ecosystem}/${pkg.depname}`;
purl = `pkg:${ecosystem}/${pkg.depname}`;
}
else {
logger.info(`Using version ${cleanedVersion} for ${pkg.depname}`);
purl = `pkg:${pkg.ecosystem}/${pkg.depname}@${cleanedVersion}`;
purl = `pkg:${ecosystem}/${pkg.depname}@${cleanedVersion}`;
}

@@ -93,3 +97,3 @@ return { purl };

method: 'POST',
headers: SOCKET_HEADERS,
headers: buildSocketHeaders(),
body: JSON.stringify({ components })

@@ -159,2 +163,5 @@ });

}
else {
results.push(`${purl}: No score found`);
}
}

@@ -216,4 +223,4 @@ return {

];
const isValidOrigin = !origin || allowedOrigins.includes(origin);
if (origin && !isValidOrigin) {
const isValidOrigin = origin && allowedOrigins.includes(origin);
if (!isValidOrigin) {
logger.warn(`Rejected request from invalid origin: ${origin}`);

@@ -220,0 +227,0 @@ res.writeHead(403, { 'Content-Type': 'application/json' });
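Review bot: In the `@@ -53,35 +53,39 @@` hunk, the new `cleanedVersion` line still strips only `^` and `~`, so range specifiers such as `>=1.2.0`, `1.x` or `*` pass the `unknown`/empty check, reach the `else` branch and are embedded as the purl's `@version`, where they are not a concrete version at all. Since `semver` is already a dependency of this package, normalising to a valid version and otherwise taking the unknown path would close that gap, e.g. `const cleanedVersion = semver.valid((pkg.version ?? 'unknown').replace(/[\^~]/g, '')) ?? 'unknown';` (assuming `semver` is imported in this file; if not, it needs an import). Separately, `inputSchema: z.object({...})` in the new `registerTool` call should be checked against the SDK version that `^1.18.0` actually resolves to — earlier 1.x releases typed `inputSchema` as a raw zod shape (`{ packages: z.array(...) }`) rather than a `ZodObject`, and a wrapped object passed there would not be interpreted as intended. The depscore handler continues outside the hunk.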

@@ -12,3 +12,3 @@ #!/usr/bin/env node --experimental-strip-types

env: {
...process.env,
...Object.fromEntries(Object.entries(process.env).filter(([, value]) => value !== undefined)),
SOCKET_API_KEY: process.env['SOCKET_API_KEY'] || ''

@@ -15,0 +15,0 @@ }
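Review bot: The new `...Object.fromEntries(Object.entries(process.env).filter(([, value]) => value !== undefined))` spread never removes anything at runtime, because Node stores every `process.env` value as a string (assigning a non-string coerces it), so this is a type-level narrowing of `NodeJS.ProcessEnv` for the `env` option rather than a behavioural change. If that is the intent, a one-line comment above it would save the next reader from looking for a real filtering case, e.g. `// process.env values are always strings at runtime; the filter only narrows the type for the env option`. The enclosing options object starts and ends outside the hunk.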

{
"name": "@socketsecurity/mcp",
"version": "0.0.12",
"version": "0.0.13",
"type": "module",

@@ -23,6 +23,7 @@ "main": "./index.js",

"build:permissions": "chmod +x ./index.js && (chmod +x ./mock-client/*.js 2>/dev/null || true)",
"build-dtx": "run-s build build-dtx:*",
"build-dtx:versions_match": "node --experimental-strip-types scripts/check-versions.ts",
"build-dtx:validate": "npx dxt validate ./",
"build-dtx:dtx-pack": "npx dxt pack ./",
"build-mcpb": "run-s build build-mcpb:*",
"build-mcpb:versions_match": "node --experimental-strip-types scripts/check-versions.ts",
"build-mcpb:validate": "npx mcpb validate ./",
"build-mcpb:ensure-deps": "npm install --production --ignore-scripts",
"build-mcpb:mcpb-pack": "npx mcpb pack ./",
"clean": "./scripts/clean.sh",

@@ -37,2 +38,4 @@ "debug-stdio": "node --experimental-strip-types ./mock-client/debug-client.ts",

"files": [
"package.json",
"package-lock.json",
"index.js",

@@ -51,4 +54,5 @@ "index.d.ts",

"dependencies": {
"@anthropic-ai/mcpb": "^1.1.0",
"@modelcontextprotocol/sdk": "^1.18.0",
"pino": "^9.7.0",
"pino": "^10.0.0",
"pino-pretty": "^13.0.0",

@@ -59,3 +63,2 @@ "semver": "^7.7.2",

"devDependencies": {
"@anthropic-ai/dxt": "^0.2.0",
"@types/node": "^24.0.7",

@@ -62,0 +65,0 @@ "@types/semver": "^7.7.0",
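Review bot: The new `build-mcpb:ensure-deps` script runs `npm install --production --ignore-scripts` in the middle of `build-mcpb`, which prunes devDependencies from `node_modules`, so anything run afterwards that needs the dev toolchain (e.g. `@types/node`) fails until a plain `npm install` is repeated; if that side effect is intended, it is worth a note in the README or the script name. Recent npm releases also warn that `--production` is an alias for `--omit=dev`, and since `package-lock.json` is now shipped in `files`, installing from the lockfile would make the packed bundle reproducible: `"build-mcpb:ensure-deps": "npm ci --omit=dev --ignore-scripts"`. Keeping `--ignore-scripts` on this packaging step is the right call, as it stops dependency lifecycle hooks from executing during pack.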