
audit_nodejs_dependencies

Scan npm package dependencies for security vulnerabilities. Receive detailed reports and actionable fix recommendations integrated with the MCP Security Audit Server.

Instructions

Audit specific dependencies for vulnerabilities

Input Schema

Name | Required | Description | Default
dependencies | Yes | Dependencies object from package.json |

Input Schema (JSON Schema)

{
  "properties": {
    "dependencies": {
      "additionalProperties": {
        "type": "string"
      },
      "description": "Dependencies object from package.json",
      "type": "object"
    }
  },
  "required": [
    "dependencies"
  ],
  "type": "object"
}

Implementation Reference

  • Core handler function that executes the tool logic: validates input dependencies, audits each package individually via npm registry, processes vulnerabilities, and returns JSON-formatted results.
    async auditNodejsDependencies(args: { dependencies: NpmDependencies }) {
      try {
        // Validate dependencies object
        if (!args || typeof args.dependencies !== 'object') {
          throw new McpError(
            ErrorCode.InvalidParams,
            'Invalid dependencies object'
          );
        }

        // Handle potentially nested dependencies object
        const actualDeps = args.dependencies.dependencies || args.dependencies;
        const auditResults = [];

        for (const [name, version] of Object.entries(actualDeps)) {
          if (typeof version !== 'string') continue;
          try {
            const result = await this.auditSingleDependency(name, version);
            auditResults.push(result);
          } catch (error) {
            console.error(`[ERROR] Failed to audit ${name}@${version}:`, error);
            // Continue processing other dependencies
          }
        }

        // Merge and process all vulnerability results
        const mergedVulnerabilities = auditResults.flatMap(result =>
          this.processVulnerabilities(result)
        );

        // Return consolidated results
        return {
          content: [
            {
              type: 'text',
              text: JSON.stringify(mergedVulnerabilities, null, 2),
            },
          ]
        };
      } catch (error) {
        console.error('[ERROR] Audit failed:', error);
        if (error instanceof McpError) {
          throw error;
        }
        throw new McpError(
          ErrorCode.InternalError,
          `Audit failed: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
  • src/index.ts:61-81 (registration)
    Registers the tool in the MCP listTools handler, providing name, description, and input schema.
    this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
      tools: [
        {
          name: 'audit_nodejs_dependencies',
          description: 'Audit specific dependencies for vulnerabilities',
          inputSchema: {
            type: 'object',
            properties: {
              dependencies: {
                type: 'object',
                additionalProperties: {
                  type: 'string',
                },
                description: 'Dependencies object from package.json',
              }
            },
            required: ['dependencies'],
          },
        },
      ],
    }))
  • src/index.ts:94-101 (registration)
    Dispatches tool calls to the appropriate handler method in the CallToolRequestSchema handler.
    switch (request.params.name) {
      case 'audit_nodejs_dependencies':
        return this.securityHandler.auditNodejsDependencies(
          request.params.arguments as { dependencies: NpmDependencies }
        );
      default:
        throw new McpError(ErrorCode.MethodNotFound, `Unknown tool: ${request.params.name}`);
    }
  • Type definition for the input dependencies object used in the tool schema and handler.
    export interface NpmDependencies {
      [key: string]: string; // Package name -> version mapping
    }
  • Helper method that audits a single dependency by posting to npm's security audit endpoint.
    private async auditSingleDependency(name: string, version: string): Promise<any> {
      try {
        // Validate input parameters
        if (!name || !version) {
          throw new Error(`Invalid package name or version: ${name}@${version}`);
        }

        // Clean version string by removing prefix characters (^ or ~)
        const cleanVersion = version.trim().replace(/^[\^~]/, '');

        // Prepare audit data structure
        const auditData = {
          name: "single-dependency-audit",
          version: "1.0.0",
          requires: {
            [name]: cleanVersion
          },
          dependencies: {
            [name]: {
              version: cleanVersion
            }
          }
        };

        // Send audit request to npm registry
        const result = await npmFetch.json('/-/npm/v1/security/audits', {
          method: 'POST',
          body: auditData,
          gzip: true
        });

        if (!result) {
          throw new Error(`No response received for ${name}@${cleanVersion}`);
        }

        return result;
      } catch (error) {
        console.error(`[ERROR] Error auditing ${name}@${version}:`, error);
        throw new McpError(
          ErrorCode.InternalError,
          `Failed to audit ${name}@${version}: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
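
The handler above strips only a leading ^ or ~ and logs, then skips, any package whose audit fails, so ranges, tags and non-registry specifiers may drop out of the report without notice. The following pre-flight check is an added example, not code from this project: it separates entries that reduce to an exact version from those that do not, so a caller can list the latter as "not audited". `classifySpec` and `planAudit` are hypothetical names and the sample input is constructed.

```typescript
// Added example; classifySpec and planAudit are hypothetical names, not the project's API.
type SpecKind = 'exact' | 'unauditable';
interface PlannedEntry { name: string; spec: string; kind: SpecKind; version?: string; reason?: string }

// Exact version after the optional ^ or ~ prefix, e.g. 1.2.3, 1.2.3-beta.1, 1.2.3+build.5
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Specifiers that do not point at a registry version at all.
const NON_REGISTRY = /^(git\+|git:|https?:|file:|link:|workspace:|npm:|github:)/;

function classifySpec(name: string, spec: unknown): PlannedEntry {
  if (typeof spec !== 'string') {
    return { name, spec: String(spec), kind: 'unauditable', reason: 'non-string version' };
  }
  // Same prefix stripping as auditSingleDependency on this page.
  const cleaned = spec.trim().replace(/^[\^~]/, '');
  if (EXACT.test(cleaned)) return { name, spec, kind: 'exact', version: cleaned };
  const reason = NON_REGISTRY.test(cleaned) || cleaned.includes('/')
    ? 'non-registry source'
    : 'range or tag: resolve from the lockfile first';
  return { name, spec, kind: 'unauditable', reason };
}

function planAudit(input: unknown): PlannedEntry[] {
  // typeof null === 'object' and arrays are objects too, so reject both explicitly.
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('dependencies must be a plain object');
  }
  const obj = input as Record<string, unknown>;
  // Unwrap a nested { dependencies: {...} } only when the inner value is itself an object;
  // an entry keyed "dependencies" with a string value is an ordinary package entry.
  const inner = obj.dependencies;
  const nested = inner !== null && typeof inner === 'object' && !Array.isArray(inner);
  const deps = nested ? (inner as Record<string, unknown>) : obj;
  return Object.entries(deps).map(([name, spec]) => classifySpec(name, spec));
}

// Constructed sample input, not taken from any real project.
const sample = {
  express: '^4.18.2',
  lodash: '>=4.17.0 <5',
  chalk: 'latest',
  internal: 'git+https://example.invalid/repo.git',
  dependencies: '1.0.0',
};
const plan = planAudit(sample);
const skipped = plan.filter(e => e.kind === 'unauditable').map(e => e.name);
console.log(skipped);
```
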

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/qianniuspace/mcp-security-audit'

If you have feedback or need assistance with the MCP directory API, please join our Discord server