# Dependencies Manifest
Project: code2mcp
Generated: 2025-11-17
Last Updated: 2025-11-17
Version: 1.0.0
Status: IMPLEMENTED
## Overview
This document tracks all dependencies, their versions, purposes, and security considerations.
## Runtime Dependencies
### @modelcontextprotocol/sdk (^0.6.0)
**Purpose**: Official MCP SDK for creating MCP servers and clients
**License**: MIT
**Usage**: Core protocol implementation, server/client classes, transport layers
**Security**: Official Anthropic package
**Files Using**:
- src/index.ts (Server, StdioServerTransport)
- src/orchestrator/MCPOrchestrator.ts (Client, StdioClientTransport)
### typescript (^5.6.3)
**Purpose**: TypeScript compiler for transpiling user code in sandbox
**License**: Apache-2.0
**Usage**: Runtime TypeScript compilation via `ts.transpileModule()`
**Security**: Official Microsoft package
**Files Using**:
- src/sandbox/CodeSandbox.ts
### json-schema-to-typescript (^15.0.2)
**Purpose**: Convert JSON Schema to TypeScript interfaces
**License**: MIT
**Usage**: Generate TypeScript type definitions from MCP tool schemas
**Security**: Well-maintained community package
**Files Using**:
- src/generator/TypeScriptGenerator.ts
### winston (^3.17.0)
**Purpose**: Structured logging
**License**: MIT
**Usage**: Logs to stderr; this is critical for the MCP stdio transport, because stdout is reserved for JSON-RPC messages
**Security**: Industry standard logging library
**Files Using**:
- src/utils/logger.ts
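The stdout/stderr split described above, as an added example that is not part of code2mcp: a minimal stdio MCP request handler with an injected logger (plain in-memory streams stand in for winston and for the process streams, so it runs offline), showing that even a well-formed JSON log line written to stdout breaks the JSON-RPC stream. All function names here are constructed for illustration.

```javascript
// Added example, not code2mcp's own: why an MCP stdio server must log to stderr.
// Stdout is the JSON-RPC channel, so any log line written there corrupts the
// protocol stream. Streams are injected so this runs offline without winston.
// Minimal structured logger: one JSON object per line, written to the given stream.
function makeLogger(stream) {
  return (level, message, meta = {}) => {
    const line = JSON.stringify({ level, message, ...meta });
    stream.write(line + '\n');
    return line;
  };
}

// Server side: the JSON-RPC response goes to stdout, diagnostics go to the logger.
function handleRequest(request, stdout, log) {
  log('info', 'handling request', { id: request.id, method: request.method });
  const response = { jsonrpc: '2.0', id: request.id, result: { ok: true } };
  stdout.write(JSON.stringify(response) + '\n');
  return response;
}

// Client side: parse newline-delimited JSON-RPC; bad lines are reported, not dropped.
function parseJsonRpcStream(buffer) {
  const messages = [];
  const errors = [];
  for (const line of buffer.split('\n').filter((l) => l.length > 0)) {
    try {
      const msg = JSON.parse(line);
      if (msg.jsonrpc !== '2.0') throw new Error('not a JSON-RPC 2.0 message');
      messages.push(msg);
    } catch (err) {
      errors.push({ line, reason: err.message });
    }
  }
  return { messages, errors };
}

// In-memory stand-in for a writable stream (constructed for the demo).
function memoryStream() {
  const chunks = [];
  return { write: (s) => chunks.push(s), contents: () => chunks.join('') };
}

// Handle one request with the logger on stderr (correct) or on stdout (the bug).
function demo(logToStdout) {
  const stdout = memoryStream();
  const stderr = memoryStream();
  const log = makeLogger(logToStdout ? stdout : stderr);
  handleRequest({ jsonrpc: '2.0', id: 1, method: 'tools/list' }, stdout, log);
  return parseJsonRpcStream(stdout.contents());
}
```

`demo(false)` yields one clean response and no parse errors; `demo(true)` yields the same response plus one rejected line, the log record, which a real MCP client would treat as a protocol error.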
### zod (^3.23.8)
**Purpose**: Runtime schema validation
**License**: MIT
**Usage**: Validate configuration and inputs
**Status**: Installed but not yet used (planned for future validation)
**Security**: Widely used validation library
## Development Dependencies
### @types/node (^22.10.2)
**Purpose**: TypeScript type definitions for Node.js
**License**: MIT
**Usage**: Type checking for Node.js APIs
### tsx (^4.19.2)
**Purpose**: TypeScript execution for development
**License**: MIT
**Usage**: `npm run dev` hot reload, script execution
## Built-in Node.js Modules
The following built-in modules are used (no installation required):
### vm
**Purpose**: Code execution in isolated contexts
**Usage**: Sandbox execution in `src/sandbox/CodeSandbox.ts`
**Security Note**: Provides basic isolation only; it is not as secure as isolated-vm
### fs (promises)
**Purpose**: Filesystem operations
**Usage**: Writing generated TypeScript API files
### path
**Purpose**: Path manipulation
**Usage**: Generate file paths for TypeScript APIs
## Dependency Graph
```
code2mcp
├── @modelcontextprotocol/sdk (MCP protocol)
│   └── Used by: index.ts, orchestrator
├── typescript (TS compilation)
│   └── Used by: sandbox
├── json-schema-to-typescript (Type generation)
│   └── Used by: generator
├── winston (Logging)
│   └── Used by: utils/logger
└── zod (Validation - future)
    └── Planned for config validation
```
## Security Audit
**Last Audit**: 2025-11-17
**Vulnerabilities**: 0
```bash
npm audit
# found 0 vulnerabilities
```
### Security Considerations
1. **@modelcontextprotocol/sdk**: Official Anthropic package, trusted source
2. **typescript**: Official Microsoft package, widely used
3. **json-schema-to-typescript**: Community package, 1.5k+ stars, actively maintained
4. **winston**: 22k+ stars, industry standard
5. **zod**: 33k+ stars, TypeScript-first validation
### Sandbox Security Note
**Current Implementation**: Uses Node.js built-in `vm` module
- ✅ Basic isolation
- ❌ Not production-grade security
- ❌ Can be escaped by a determined attacker
**Recommended for Production**:
1. **isolated-vm** - Strong V8 isolate separation (requires C++ compilation)
2. **Deno** - Secure by default with explicit permissions
3. **Cloudflare Workers** - Ultimate isolation with disposable isolates
**Current Risk**: LOW (sandbox is only exposed to trusted LLM-generated code)
## Version History
### 1.0.0 (2025-11-17)
- Initial dependency selection
- Node.js vm-based sandbox implementation
- All dependencies installed and working
## Dependency Update Policy
1. **Security updates**: Apply immediately
2. **Minor updates**: Review and apply monthly
3. **Major updates**: Review breaking changes, test thoroughly
4. **Deprecated packages**: Replace within 30 days
## Known Issues
### isolated-vm Compilation Failure
**Issue**: isolated-vm v5.0.1 fails to compile on Node.js v25 (requires C++20)
**Workaround**: Using built-in `vm` module instead
**Resolution Plan**: One of the following:
- Use Deno for better security
- Downgrade to Node.js v20 for isolated-vm compatibility
- Wait for isolated-vm update for Node.js v25
**Tracking**: See DOCS/Diagnosis/ (once the issue is created)
## Related Documentation
- DOCS/Architecture/SYSTEM_MAP.md: How dependencies fit into architecture
- DOCS/Architecture/CODE_STRUCTURE.md: Which files use which dependencies
- package.json: Actual dependency versions
## Change Log
- 2025-11-17 23:00: **v1.1.0** - Added build:full and generate-apis scripts to package.json
- 2025-11-17 22:00: Initial dependencies documented
- 2025-11-17 22:00: Build successful with current dependency set
- 2025-11-17 22:00: Security audit passed (0 vulnerabilities)