fix(proxy): suppress SAST HttpToHttps false positive in OAuth callback server #2
Open
m-golovchin wants to merge 2 commits into
Conversation
added 2 commits
May 20, 2026 13:15
…k server

Adds RFC 8252 §8.3 rationale comment to callback-server.ts explaining why HTTP is intentional for the localhost-only ephemeral OAuth callback server, and adds a .snyk policy file to suppress the Javascript/HttpToHttps finding.

Refs: EPMCDME-12199
…ility
Replaces single-quoted glob '{src,tests}/**/*.ts' in lint/lint:fix scripts
with bare directory args 'src tests' — ESLint v9 flat config resolves file
patterns internally, so shell glob expansion is not needed. Adds '**/*.mjs'
to global eslint ignores to preserve the original TypeScript-only scope.
m-golovchin pushed a commit that referenced this pull request on Jun 10, 2026

* Add release and publishing documentation to CLAUDE.md

- Added release commands to Common Commands section
- Created comprehensive Release & Publishing Policy section
- Documented step-by-step release process
- Included version bumping strategies
- Added verification commands for npm publish

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add Release Manager agent with dry run support

Add specialized release-manager agent that automates the complete release process:

- Analyzes git history and generates release notes
- Handles version bumping and git tagging
- Creates GitHub releases and triggers npm publish workflow
- Supports dry runs and resuming from existing tags
- Smart detection of release state (tag exists, release exists, npm published)

Also includes agent system documentation and .gitignore updates.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Summary

- Adds an RFC 8252 §8.3 rationale comment to `src/mcp/auth/callback-server.ts` explaining why `http.createServer` is intentional for the localhost-only ephemeral OAuth callback server.
- Adds a `.snyk` policy file to suppress the Snyk SAST `Javascript/HttpToHttps` finding for this file.

Why HTTP is correct here

RFC 8252 §8.3 (OAuth 2.0 for Native Apps) explicitly permits plain HTTP for loopback redirect URIs:

- The server listens on `localhost` only: no network exposure.
- `http://localhost` redirect URIs are permitted per the same RFC.

Note on `.snyk` format

The `.snyk` ignore key `javascript/HttpToHttps` follows the Snyk Code rule name from the ticket. If the Snyk plan requires a different format, the entry can be updated via the Snyk web UI (which will regenerate the `.snyk` entry with the correct schema for your tier).

Test Plan

Related

🤖 Generated with Claude Code
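The RFC 8252 §8.3 argument above only holds if the listener really is loopback-only and the redirect cannot be hijacked by another local process hitting the port. The block below is an added example, not the project's `callback-server.ts`, showing the properties a reviewer would check before accepting the suppression: the server binds an explicit loopback IP literal (RFC 8252 prefers `127.0.0.1` over the `localhost` hostname), takes an OS-assigned ephemeral port, verifies the OAuth `state` parameter against the value the client generated, and closes after the first valid callback. All names (`startCallbackServer`, `parseCallback`, `/callback` path) are assumptions for illustration.

```typescript
// Added example of an RFC 8252 §8.3 loopback redirect receiver.
// Not the PR's code; names and the /callback path are hypothetical.
import * as http from "node:http";
import type { AddressInfo } from "node:net";
import { randomBytes, timingSafeEqual } from "node:crypto";

// Loopback IP literal, never 0.0.0.0 and not the "localhost" hostname
// (RFC 8252 §8.3 says the hostname form is NOT RECOMMENDED).
export const LOOPBACK_HOST = "127.0.0.1";
export const CALLBACK_PATH = "/callback";

export interface CallbackResult {
  code: string;
  state: string;
}

// Fresh, unguessable state for each authorization request (32 bytes, base64url).
export function newState(): string {
  return randomBytes(32).toString("base64url");
}

// The redirect_uri to send in the authorization request; plain http is the
// RFC-sanctioned scheme for loopback, which is why HttpToHttps is a false positive.
export function redirectUri(port: number): string {
  return `http://${LOOPBACK_HOST}:${port}${CALLBACK_PATH}`;
}

function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Parse the request the browser makes to the loopback port. Any local process
// can connect to 127.0.0.1, so the state check is what stops an injected code
// from being accepted; errors are returned, not thrown, so the server can keep
// listening for the genuine callback.
export function parseCallback(url: string, expectedState: string): CallbackResult | Error {
  const u = new URL(url, `http://${LOOPBACK_HOST}`);
  if (u.pathname !== CALLBACK_PATH) return new Error("unexpected path");
  const error = u.searchParams.get("error");
  if (error) return new Error(`authorization error: ${error}`);
  const code = u.searchParams.get("code");
  const state = u.searchParams.get("state");
  if (!code || !state) return new Error("missing code or state");
  if (!constantTimeEqual(state, expectedState)) return new Error("state mismatch");
  return { code, state };
}

export interface CallbackServer {
  redirectUri: string;
  result: Promise<CallbackResult>;
  close: () => void;
}

// Start the ephemeral receiver: port 0 lets the OS pick, the host argument pins
// it to loopback. The server shuts down after the first valid callback or on
// timeout, so the window in which the port exists is as short as possible.
export function startCallbackServer(expectedState: string, timeoutMs = 120_000): Promise<CallbackServer> {
  return new Promise((resolve, reject) => {
    let resolveResult!: (r: CallbackResult) => void;
    let rejectResult!: (e: Error) => void;
    const result = new Promise<CallbackResult>((res, rej) => {
      resolveResult = res;
      rejectResult = rej;
    });

    const server = http.createServer((req, res) => {
      const parsed = parseCallback(req.url ?? "/", expectedState);
      if (parsed instanceof Error) {
        res.writeHead(400, { "Content-Type": "text/plain" });
        res.end("Bad request");
        return; // a rejected hit must not consume the one-shot slot
      }
      res.writeHead(200, { "Content-Type": "text/plain" });
      res.end("Authorization received. You may close this window.");
      clearTimeout(timer);
      server.close();
      resolveResult(parsed);
    });

    const timer = setTimeout(() => {
      server.close();
      rejectResult(new Error("timed out waiting for OAuth callback"));
    }, timeoutMs);

    server.once("error", reject);
    server.listen(0, LOOPBACK_HOST, () => {
      const { port } = server.address() as AddressInfo;
      resolve({
        redirectUri: redirectUri(port),
        result,
        close: () => { clearTimeout(timer); server.close(); },
      });
    });
  });
}
```

Usage is `const state = newState(); const srv = await startCallbackServer(state);`, put `srv.redirectUri` and `state` into the authorization URL, open it in the browser, then `await srv.result` for the code. If the real server ever binds `0.0.0.0` or skips the `state` comparison, the SAST suppression is no longer justified and the finding should be treated as real.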