mirroir

Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.

Remove the -y/--yes auto-confirm flag from MCP server launch arguments. This flag bypasses user confirmation prompts and allows unattended execution of potentially dangerous operations.

Likely FP if the matched text is an isolated flag (-y or --yes) in documentation describing command-line options, not in an actual MCP config.

Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.

Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.

Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.

Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.

Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.

Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.

Remove the -y/--yes auto-confirm flag from MCP server launch arguments. This flag bypasses user confirmation prompts and allows unattended execution of potentially dangerous operations.

Likely FP if the matched text is an isolated flag (-y or --yes) in documentation describing command-line options, not in an actual MCP config.