fix: patch mcp vitest audit and node runtime#98
dhairyashiil commented Jun 2, 2026
Summary

Patches the repo-wide Security Audit failure by moving the MCP server `vitest` dev dependency to exact version `4.1.8`, which is in the patched range for GHSA-5xrq-8626-4rwp.

Also removes broad semver ranges from direct `apps/mcp-server` dependencies by pinning them to the explicit versions previously declared in `package.json`:

- `@modelcontextprotocol/sdk`: `1.12.1`
- `@vercel/postgres`: `0.10.0`
- `zod`: `3.24.4`
- `tsx`: `4.19.4`

Important scope note: `vitest` is the only direct dependency intentionally upgraded, and that upgrade is required for the critical security advisory. This PR does not touch the mobile app.

Follow-up from review: `vitest@4.1.8` requires Node 20+, so the MCP server package now declares `node >=22`, the README prerequisite matches it, and the MCP Docker runtime uses `node:22-slim`. I chose Node 22 instead of Node 20 because Node 20 is EOL as of 2026-03-24, while Node 22 is still LTS: https://nodejs.org/en/about/previous-releases

Docker follow-up: while validating the Node 22 runtime image locally, the MCP Docker build exposed two Dockerfile issues: the Bun builder image needed Python/build tools for `node-gyp`, and the final stage tried to copy a missing `bun.lock*`. This PR now fixes both so the MCP Docker image builds successfully.

Validation

- `bun install --frozen-lockfile`
- `bun --filter @calcom/mcp-server test`
- `bun --filter @calcom/mcp-server typecheck`
- `bun --filter @calcom/mcp-server lint`
- `bun --filter @calcom/mcp-server build`
- `bun audit --prod --audit-level=critical`
- `git diff --check`
- `initialize` result with `serverInfo.name = calcom-mcp-server` and protocol `2024-11-05`
- `DOCKER_CONFIG=$(mktemp -d) docker build -f Dockerfile .` from `apps/mcp-server`
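The two invariants this PR establishes for `apps/mcp-server` (direct dependencies pinned to exact versions, and an `engines.node` floor the runtime actually satisfies) can be checked mechanically in CI. The following is an added example, not code from the PR or the cal.com repository; the manifest object is constructed from the versions quoted in the description, and `findUnpinned` / `nodeSatisfiesEngine` are hypothetical helper names.

```javascript
// Added example (not part of the PR): enforce the two invariants the PR
// description states for apps/mcp-server -- direct dependencies pinned to
// exact versions, and an engines.node floor that the runtime satisfies.
// The manifest below is constructed from the versions quoted in the PR.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

const manifest = {
  name: "@calcom/mcp-server",
  engines: { node: ">=22" },
  dependencies: {
    "@modelcontextprotocol/sdk": "1.12.1",
    "@vercel/postgres": "0.10.0",
    zod: "3.24.4",
  },
  devDependencies: {
    tsx: "4.19.4",
    vitest: "4.1.8",
  },
};

// Return every direct dependency whose specifier is not an exact version
// (e.g. "^1.12.1", "~3.24.0", "latest", "workspace:*"). A broad range lets a
// lockfile-less install drift into a vulnerable release without a diff.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!EXACT_VERSION.test(spec)) findings.push(`${field}.${name}: ${spec}`);
    }
  }
  return findings;
}

// Compare a runtime version such as "v22.11.0" against an engines.node floor
// of the form ">=N[.N[.N]]" (the only shape the PR uses). Any other shape is
// rejected loudly rather than silently accepted.
function nodeSatisfiesEngine(pkg, runtimeVersion) {
  const spec = pkg.engines?.node;
  const m = /^>=\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(spec ?? "");
  if (!m) throw new Error(`unsupported engines.node specifier: ${spec}`);
  const floor = [m[1], m[2] ?? "0", m[3] ?? "0"].map(Number);
  const have = runtimeVersion.replace(/^v/, "").split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== floor[i]) return have[i] > floor[i];
  }
  return true;
}

console.log("unpinned:", findUnpinned(manifest));
console.log("node ok:", nodeSatisfiesEngine(manifest, "v22.11.0"));
```

Running the same checks against the real `package.json` (via `JSON.parse(fs.readFileSync(...))`) and `process.version` in the test or lint step would fail the build if a later change reintroduced a caret range or dropped the Node floor below what `node:22-slim` provides.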