We release security updates for the following versions:
| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| < 3.0 | ❌ |
DO NOT open public GitHub issues for security vulnerabilities.
Instead, please report security issues using one of these methods:
- Navigate to the repository's Security tab
- Click "Report a vulnerability"
- URL: https://github.com/gander-tools/osm-tagging-schema-mcp/security/advisories/new
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Varies by severity (coordinated with reporter)
When security issues are discovered:
- Private fix: Developed privately in coordination with reporter
- Coordinated disclosure: We work with reporters on disclosure timing
- Security advisory: Published when fixed version is released
- Version release: New version published with fix
- User notification: Security advisories sent via GitHub
⚠️ TEMPORARY NOTE: Delete this section when MCP SDK CVE is patched and project upgrades to safe version.
Status: Project is NOT AFFECTED by this vulnerability
Details:
- Vulnerability: ReDoS in MCP SDK's UriTemplate class
- Affected: MCP servers using resource handlers with exploded URI templates (
{/path*}) - This project: Does NOT use resource handlers - only Tools and Prompts
- Conclusion: Safe to use
References:
- Issue: modelcontextprotocol/typescript-sdk#965
- Detailed analysis: See docs/deployment/security.md
Future considerations: If implementing MCP resources, avoid exploded array patterns until SDK is patched.
This project implements comprehensive security measures:
- ✅ NPM Provenance: Cryptographic build attestations (SLSA Level 3)
- ✅ SBOM: Software Bill of Materials for transparency
- ✅ Image Signing: Docker images signed with Cosign
- ✅ Vulnerability Scanning: Automated Trivy scanning
- ✅ Dependency Management: Automated security updates via Renovate
For detailed information, see Security & Supply Chain Documentation.
- Verify provenance before installing from npm
- Pin versions in production:
@gander-tools/osm-tagging-schema-mcp@3.7.0 - Run
npm auditregularly - Review SBOM for unexpected dependencies
- Verify Docker signatures before deployment
- Enable 2FA on GitHub account
- Sign commits with GPG
- Review dependencies carefully
- Run security scans before submitting PRs
- Request minimal permissions
For security questions (non-vulnerability):
- GitHub Discussions: https://github.com/gander-tools/osm-tagging-schema-mcp/discussions
For vulnerability reports:
- GitHub Security Advisories: https://github.com/gander-tools/osm-tagging-schema-mcp/security/advisories/new