Skip to content

Dependency hygiene: pin MCP server and declare Python script dependencies #30

Description

@jhamon

Theme 4 — Dependency Hygiene

Problem

Dependabot reports 0 open alerts (good), but the plugin's dependencies are unpinned and undeclared, so there is no lockfile-equivalent to make installs reproducible or to let Dependabot/CI reason about versions:

  • MCP server floats to latest. .mcp.json runs npx -y @pinecone-database/mcp with no version constraint — every session pulls whatever is newest, so a breaking MCP release ships to all users with no gate.
  • Python script deps are implicit. skills/*/scripts/*.py import pinecone (the FTS skill requires pinecone ≥ 9.0, per README/SKILL.md) but there is no per-script uv inline-metadata block (# /// script … dependencies = [...] ///) or any manifest pinning the SDK. Runs resolve to whatever uv/pip grabs at execution time.

Proposed fix & acceptance

  • Pin the MCP server to a known-good major/minor in .mcp.json (e.g. @pinecone-database/mcp@<version>), or document a deliberate floating policy.
  • Add uv inline script metadata (PEP 723 # /// script) to each skills/*/scripts/*.py declaring requires-python and pinned/bounded dependencies (at minimum pinecone>=9.0 where the FTS API is used), so runs are reproducible and version-auditable.
  • Confirm no accidental beta/pre-release pins; the FTS preview API (2026-01.alpha) is a deliberate server-side API version, not a package pre-release — document that distinction.

Definition of done: MCP server version is pinned or its floating documented; every Python script declares its dependencies with explicit version bounds; installs are reproducible; zero open Dependabot alerts maintained.

Blast radius

needs-verification — pinning could surface an incompatibility that only shows at runtime; verify each skill's scripts still run against the pinned versions.

Depends on

#28 (validation CI safety net) — land the CI check that import-tests the scripts before/with pinning so regressions are caught.

Metadata

Metadata

Assignees

Labels

maintenanceRepo maintenance sweep

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions