@atlassian-dc-mcp/common

Shared utilities for @atlassian-dc-mcp MCP servers. Not affiliated with Atlassian.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

evgeniy.moroz

Keywords

mcpatlassiandata-centermodel-context-protocol

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:express	AI (phantom-deps): express is a declared runtime dependency; phantom-dep heuristic is a false positive.	ai	2026/05/03
semgrep	semgrep:env-spread	AI (semgrep): Intentional env-merging pattern in a runtime config utility; not credential exfiltration.	ai	2026/04/30
phantom-deps	phantom-dep:zod	AI (phantom-deps): zod is a declared runtime dependency; phantom-dep heuristic is a false positive here.	ai	2026/04/30

Versions (showing 42 of 42)

Version	Deps	Published
0.19.0	4 / 3	2026-04-27
0.18.0	4 / 3	2026-04-24
0.17.1	4 / 3	2026-04-23
0.17.0	4 / 3	2026-04-23
0.16.0	3 / 3	2026-04-14
0.15.0	3 / 3	2026-04-07
0.14.3	3 / 3	2026-04-02
0.14.2	3 / 3	2026-04-02
0.14.1	3 / 3	2026-04-01
0.14.0	3 / 3	2026-03-23
0.13.0	3 / 3	2026-03-21
0.12.2	3 / 3	2026-03-21
0.12.1	3 / 3	2026-03-21
0.12.0	3 / 3	2026-03-18
0.11.2	3 / 3	2026-03-12
0.11.1	3 / 3	2026-03-12
0.11.0	3 / 3	2026-03-09
0.10.2	3 / 3	2026-03-09
0.10.1	4 / 4	2026-03-09
0.10.0	4 / 4	2026-01-31
0.9.12	4 / 4	2026-01-03
0.9.11	4 / 4	2026-01-03
0.9.10	4 / 4	2026-01-03
0.9.9	4 / 4	2025-09-13
0.9.8	4 / 4	2025-09-13
0.9.7	4 / 4	2025-09-13
0.9.6	4 / 4	2025-09-13
0.9.5	4 / 4	2025-09-13
0.9.4	4 / 4	2025-09-13
0.9.3	4 / 4	2025-09-13
0.9.2	4 / 4	2025-09-13
0.9.1	4 / 4	2025-09-13
0.9.0	4 / 4	2025-09-13
0.8.3	4 / 4	2025-09-06
0.8.2	4 / 4	2025-09-06
0.8.1	4 / 4	2025-09-06
0.8.0	4 / 4	2025-09-06
0.7.0	4 / 4	2025-08-03
0.6.1	4 / 4	2025-05-26
0.6.0	4 / 4	2025-05-26
0.5.0	4 / 4	2025-05-14
0.4.0	4 / 4	2025-05-03

v0.18.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.0

2 findings

HIGH env-spread: src/runtime-config.ts:139 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/b1ff/atlassian-dc-mcp/blob/eb8394fc8317b2d986b03de9853edf47aa77566a/src/runtime-config.ts#L139 137 | 138 | function getMergedEnvironment(): NodeJS.ProcessEnv { > 139 | return { 140 | ...getParsedFileEnvironment(), 141 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

2 findings

HIGH env-spread: src/runtime-config.ts:139 semgrep

Spreading entire process.env into an object — may capture all secrets 137 | 138 | function getMergedEnvironment(): NodeJS.ProcessEnv { > 139 | return { 140 | ...getParsedFileEnvironment(), 141 | ...process.env,