feat: add next-devtools-mcp server #741

Draft: samuv wants to merge 5 commits into main from add-next-devtools-mcp


samuv commented Jul 3, 2026


Summary

  • Add Dockyard packaging for next-devtools-mcp v0.4.0 (Vercel)
  • Connects coding agents to a running Next.js 16+ dev server for live runtime errors, routes, and logs
  • Security scan passed (4 tools, no allowlist entries needed)

Test plan

  • `task build -- npx/next-devtools-mcp` — Dockerfile generated successfully
  • `task scan -- npx/next-devtools-mcp` — passed with no blocking issues
  • `./build/dockhand verify-provenance -c npx/next-devtools-mcp/spec.yaml -v` — no npm attestations (0 found)

Made with Cursor

toolhive-release-app Bot commented Jul 3, 2026


🔒 MCP Security Scan Results

✅ next-devtools-mcp

  • Status: Passed
  • Tools scanned: 4
  • Result: No security issues detected

Summary: Scanned 1 MCP server(s), all passed security checks. ✅

samuv self-assigned this Jul 3, 2026

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

samuv force-pushed the add-next-devtools-mcp branch from c21d8c9 to e2db304 July 3, 2026 12:38

samuv and others added 3 commits July 3, 2026 14:38

Add packaging for next-devtools-mcp v0.4.0 (Vercel).
Package: https://www.npmjs.com/package/next-devtools-mcp
Repository: https://github.com/vercel/next-devtools-mcp

Co-authored-by: Cursor <cursoragent@cursor.com>

CI LLM analyzer flags imperative tool guidance (parameter formatting,
bundled-docs preference, agent-browser setup) as prompt injection.
These are legitimate operational instructions from Vercel's official package.

Co-authored-by: Cursor <cursoragent@cursor.com>

browser_eval is an intentional Vercel gateway that directs agents to the
agent-browser CLI — not tool poisoning or MCP tool shadowing.

Co-authored-by: Cursor <cursoragent@cursor.com>

samuv force-pushed the add-next-devtools-mcp branch from e2db304 to 21e32fe July 3, 2026 12:44

JAORMX and others added 2 commits July 3, 2026 14:50

…n spec.yaml

Renovate version bumps fail the build-containers Grype gate when the bumped
package pins or caps a transitive dependency to a vulnerable version. Add an
optional dependency-override mechanism to the spec.yaml schema, plumbed into the
generated Dockerfile.

- npx: spec.overrides ([]{package, version, reason}) is injected as an npm
  "overrides" block in the generated package.json before the npm install step.
- uvx: spec.constraints ([]{spec, reason}) is written to a uv overrides
  requirements file and passed to "uv tool install --overrides".

Both injection points match the install step by content (not line number) so
they stay robust to toolhive template formatting. Every entry requires a
non-empty reason (validation fails otherwise) so the justification for
circumventing an upstream pin is auditable in-repo.

Verified end-to-end against the CI build + Grype recipe:
- #469 @brightdata/mcp 2.9.5 + override @modelcontextprotocol/sdk 1.26.0:
  resolves to SDK 1.26.0, grype --fail-on high --only-fixed passes.
- #527 mcp-clickhouse 0.3.0 + constraint fastmcp>=3.2.0: fastmcp 3.4.0,
  import mcp_clickhouse OK, grype passes.

Refs #668

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

next-devtools-mcp hard-pins SDK 1.25.2 which fails the Grype gate for
GHSA-345p-7cg4-v4c7. Bump via npm overrides (same major, fixed in 1.26.0).

Also cherry-picks dockhand override support from #669.

Co-authored-by: Cursor <cursoragent@cursor.com>
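
The override flow described in the two commit messages above (entries of {package, version, reason}, validation that fails on an empty reason, injection as an npm "overrides" block), as an added Go example that is not dockhand's own code. The names `Override`, `validate` and `injectOverrides` are hypothetical, the package.json is constructed, and merging into an existing "overrides" object is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Override is a hypothetical type mirroring the {package, version, reason} entries.
type Override struct{ Package, Version, Reason string }

// validate rejects incomplete entries so no upstream pin is bypassed without a recorded reason.
func validate(ovs []Override) error {
	for i, o := range ovs {
		if strings.TrimSpace(o.Package) == "" || strings.TrimSpace(o.Version) == "" {
			return fmt.Errorf("overrides[%d]: package and version are required", i)
		}
		if strings.TrimSpace(o.Reason) == "" {
			return fmt.Errorf("overrides[%d] (%s): reason must not be empty", i, o.Package)
		}
	}
	return nil
}

// injectOverrides validates, then merges the entries into the npm "overrides" object of package.json.
func injectOverrides(pkgJSON []byte, ovs []Override) ([]byte, error) {
	if err := validate(ovs); err != nil {
		return nil, err
	}
	var doc map[string]any
	if err := json.Unmarshal(pkgJSON, &doc); err != nil || doc == nil {
		return nil, fmt.Errorf("package.json is not a JSON object: %v", err)
	}
	block, _ := doc["overrides"].(map[string]any)
	if block == nil {
		block = map[string]any{} // no existing overrides block
	}
	for _, o := range ovs {
		block[o.Package] = o.Version
	}
	doc["overrides"] = block
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Constructed package.json; package, version and advisory id are the ones quoted in this PR.
	pkg := []byte(`{"name":"constructed","dependencies":{"next-devtools-mcp":"0.4.0"}}`)
	out, err := injectOverrides(pkg, []Override{{"@modelcontextprotocol/sdk", "1.26.0", "GHSA-345p-7cg4-v4c7"}})
	fmt.Println(string(out), err)
}
```

An override only changes what npm resolves at install time, so the image still needs the post-build scan (the Grype gate mentioned above) to confirm the fixed version actually landed.
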
@toolhive-release-app


🛡️ Skill Security Scan Results

⚠️ No skills were scanned in this PR.
