Theme 4 — Dependency Hygiene
Problem
Dependabot reports 0 open alerts (good), but the plugin's dependencies are unpinned and undeclared, so there is no lockfile-equivalent to make installs reproducible or to let Dependabot/CI reason about versions:
- MCP server floats to latest.
.mcp.json runs npx -y @pinecone-database/mcp with no version constraint — every session pulls whatever is newest, so a breaking MCP release ships to all users with no gate.
- Python script deps are implicit.
skills/*/scripts/*.py import pinecone (the FTS skill requires pinecone ≥ 9.0, per README/SKILL.md) but there is no per-script uv inline-metadata block (# /// script … dependencies = [...] ///) or any manifest pinning the SDK. Runs resolve to whatever uv/pip grabs at execution time.
Proposed fix & acceptance
- Pin the MCP server to a known-good major/minor in
.mcp.json (e.g. @pinecone-database/mcp@<version>), or document a deliberate floating policy.
- Add uv inline script metadata (PEP 723
# /// script) to each skills/*/scripts/*.py declaring requires-python and pinned/bounded dependencies (at minimum pinecone>=9.0 where the FTS API is used), so runs are reproducible and version-auditable.
- Confirm no accidental beta/pre-release pins; the FTS preview API (
2026-01.alpha) is a deliberate server-side API version, not a package pre-release — document that distinction.
Definition of done: MCP server version is pinned or its floating documented; every Python script declares its dependencies with explicit version bounds; installs are reproducible; zero open Dependabot alerts maintained.
Blast radius
needs-verification — pinning could surface an incompatibility that only shows at runtime; verify each skill's scripts still run against the pinned versions.
Depends on
#28 (validation CI safety net) — land the CI check that import-tests the scripts before/with pinning so regressions are caught.
Theme 4 — Dependency Hygiene
Problem
Dependabot reports 0 open alerts (good), but the plugin's dependencies are unpinned and undeclared, so there is no lockfile-equivalent to make installs reproducible or to let Dependabot/CI reason about versions:
.mcp.jsonrunsnpx -y @pinecone-database/mcpwith no version constraint — every session pulls whatever is newest, so a breaking MCP release ships to all users with no gate.skills/*/scripts/*.pyimportpinecone(the FTS skill requirespinecone≥ 9.0, per README/SKILL.md) but there is no per-script uv inline-metadata block (# /// script … dependencies = [...] ///) or any manifest pinning the SDK. Runs resolve to whateveruv/pipgrabs at execution time.Proposed fix & acceptance
.mcp.json(e.g.@pinecone-database/mcp@<version>), or document a deliberate floating policy.# /// script) to eachskills/*/scripts/*.pydeclaringrequires-pythonand pinned/boundeddependencies(at minimumpinecone>=9.0where the FTS API is used), so runs are reproducible and version-auditable.2026-01.alpha) is a deliberate server-side API version, not a package pre-release — document that distinction.Definition of done: MCP server version is pinned or its floating documented; every Python script declares its dependencies with explicit version bounds; installs are reproducible; zero open Dependabot alerts maintained.
Blast radius
needs-verification — pinning could surface an incompatibility that only shows at runtime; verify each skill's scripts still run against the pinned versions.
Depends on
#28 (validation CI safety net) — land the CI check that import-tests the scripts before/with pinning so regressions are caught.