fix: resolve pnpm audit vulnerabilities by removing @pnpm/workspace.* deps

[felixweinberger]

Motivation and Context

pnpm audit reports 3 HIGH severity vulnerabilities:

• cross-spawn@7.0.3 (needs ≥7.0.5) - ReDoS vulnerability
• tar@7.5.2 (needs ≥7.5.4) - Path traversal vulnerabilities (x2)

These come from @pnpm/workspace.find-packages which pulls in a deep chain of pnpm internal packages (@pnpm/npm-lifecycle → @yarnpkg/shell → vulnerable deps).

We only use these packages in typedoc.config.mjs to find workspace packages for docs generation - easily replaced with simpler code.

How Has This Been Tested?

• pnpm audit now reports 0 vulnerabilities
• pnpm docs:check passes - TypeDoc still finds the correct packages
• Verified cross-spawn is now only at 7.0.6 (patched) and tar is completely removed from deps

Breaking Changes

None. This only affects dev tooling (TypeDoc config).

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

cc @jmhefner who originally added the typedoc config

[changeset-bot]

⚠️ No Changeset found

Latest commit: e0d900a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1422

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1422

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1422

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1422

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1422

commit: e0d900a