@vendure/mcp-server
v1.0.4-alphaThe official Vendure MCP server
12
Total
6
Critical
2
High
4
Medium
Findings
unknownEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
18: return 'Vendure config file not found.';
19: }
>>> 20: const dbTypeRegex = /type:\s*(?:['"]([^'"]+)['"]|(?:process\.env\.([a-zA-Z0-9_]+)))/;
21: const dbTypeMatch = configContent.match(dbTypeRegex);
22: if (!dbTypeMatch) {Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
29: else if (dbTypeMatch[2]) {
30: const envVarName = dbTypeMatch[2];
>>> 31: const envPath = path.join(projectPath, '.env');
32: if (!fs.existsSync(envPath)) {
33: return `Database type is set by environment variable "${envVarName}", but .env file was not found.`;Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
31: const envPath = path.join(projectPath, '.env');
32: if (!fs.existsSync(envPath)) {
>>> 33: return `Database type is set by environment variable "${envVarName}", but .env file was not found.`;
34: }
35: const envContent = fs.readFileSync(envPath);Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
37: dbType = envVars[envVarName];
38: if (!dbType) {
>>> 39: return `Database type is set by environment variable "${envVarName}", but it was not found in the .env file.`;
40: }
41: }Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
42: if (dbType) {
43: if (SUPPORTED_DB_TYPES.includes(dbType)) {
>>> 44: const source = dbTypeMatch[1] ? 'config file' : '.env file';
45: return `Database type: ${dbType} (from ${source})`;
46: }Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
18: cwd: projectPath,
19: stdio: ['pipe', 'pipe', 'pipe'],
>>> 20: env: Object.assign({}, process.env),
21: });
22: let stdout = '';Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
>>> 1: import { spawn } from 'child_process';
2: import fs from 'fs';
3: import path from 'path';Decoded base64 content: ���y��zw ���v��
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveJavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
65: async fetchFromWeb(filename) {
66: const url = `${VendureDocsService.VENDURE_DOCS_BASE_URL}/${filename}`;
>>> 67: // Use Node.js built-in fetch (available in Node.js 18+)
68: const response = await fetch(url);
69: if (!response.ok) {JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
66: const url = `${VendureDocsService.VENDURE_DOCS_BASE_URL}/${filename}`;
67: // Use Node.js built-in fetch (available in Node.js 18+)
>>> 68: const response = await fetch(url);
69: if (!response.ok) {
70: throw new Error(`HTTP ${response.status}: ${response.statusText}`);High-entropy string (4.9 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.9 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveScan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 27, 2026 | critical | 12 | 42 | 0.00s |
| Feb 25, 2026 | critical | 12 | 42 | 0.00s |
| Feb 23, 2026 | critical | 12 | 42 | 0.00s |
| Feb 22, 2026 | critical | 12 | 42 | 0.00s |