
@wp-playground/mcp

MCP server for WordPress Playground - enables AI agents to interact with the WordPress Playground website.

Versions: 22
License: GPL-2.0-or-later
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

bgrgicak, adamziel, brandonpayton-a8c, sejas, danielbachhuber, yannickdecat, janjakes, akirk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
phantom-deps phantom-dep:isomorphic-git AI (phantom-deps): Monorepo bundled package; isomorphic-git declared at package level, consumed indirectly by bundled code. ai
phantom-deps phantom-dep:playwright AI (phantom-deps): playwright used as CLI/config tool rather than direct import; consistent with MCP server browser automation use case. ai
publish-pattern new-deps-added AI (publish-pattern): playwright is a legitimate, well-known Microsoft package appropriate for a browser-automation MCP server. ai
dependencies unvetted-dep:minimisted AI (dependencies): Bundled dep in a large monorepo package; phantom-dep finding confirms it's not directly imported at runtime. ai
phantom-deps phantom-dep:wasm-feature-detect AI (phantom-deps): Platform-specific wasm utility; bundled into the output, not directly imported. ai
phantom-deps phantom-dep:fs-ext-extra-prebuilt AI (phantom-deps): Platform-specific binary package; expected for this WordPress Playground toolchain. ai
semgrep semgrep:env-spread AI (semgrep): Occurs in e2e test harness to pass env to subprocess; not runtime package code. ai
phantom-deps phantom-dep:ignore AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:sha.js AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:express AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:octokit AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:@types/ws AI (phantom-deps): Type-only package; framework-scoped, stable false positive for this package. ai
phantom-deps phantom-dep:async-lock AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:simple-get AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:jsonc-parser AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:clean-git-ref AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:@zip.js/zip.js AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:fast-xml-parser AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:readable-stream AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:@php-wasm/universal AI (phantom-deps): Platform-specific binary package from the same WordPress Playground monorepo. ai
phantom-deps phantom-dep:minimisted AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:ini AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts, not direct imports. ai
phantom-deps phantom-dep:pako AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:pify AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:diff3 AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:yargs AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
phantom-deps phantom-dep:crc-32 AI (phantom-deps): Monorepo bundle; deps used transitively or in platform-specific contexts. ai
typosquat typosquat.levenshtein:yup AI (typosquat): Scoped package @wp-playground/mcp; Levenshtein match to 'yup' is a false positive with no brand impersonation. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): Fires on minified CJS bundle; sample shows no actual raw IP, likely false positive from bundled code pattern. ai

Versions (showing 22 of 22)

Version Deps Published
3.1.36 5 / 0
3.1.35 5 / 0
3.1.34 5 / 0
3.1.33 5 / 0
3.1.32 5 / 0
3.1.31 5 / 0
3.1.30 5 / 0
3.1.29 5 / 0
3.1.28 29 / 0
3.1.26 28 / 0
3.1.25 28 / 0
3.1.22 28 / 0
3.1.21 27 / 0
3.1.20 27 / 0
3.1.19 27 / 0
3.1.18 27 / 0
3.1.17 27 / 0
3.1.16 27 / 0
3.1.15 27 / 0
3.1.14 27 / 0
3.1.8 27 / 0
3.1.5 3 / 1

v3.1.36

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.35

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.34

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.33

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.32

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.31

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.30

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.29

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.28

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.26

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.25

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.22

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.20

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.19

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.18

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.17

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.5

2 findings
HIGH env-spread: e2e/mcp-tools.spec.ts:37 semgrep

Spreading entire process.env into an object — may capture all secrets

    35 | ],
    36 | cwd: dirname(fileURLToPath(import.meta.url)),
  > 37 | env: {
    38 | ...process.env,
    39 | NODE_NO_WARNINGS: '1',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.