Skip to content

Fix CSP violations in browser extensions by downgrading MCP SDK#179

Open
decodifi-tyler wants to merge 3 commits into
srbhptl39:mainfrom
decodifi-tyler:fix-csp-downgrade-sdk
Open

Fix CSP violations in browser extensions by downgrading MCP SDK#179
decodifi-tyler wants to merge 3 commits into
srbhptl39:mainfrom
decodifi-tyler:fix-csp-downgrade-sdk

Conversation

@decodifi-tyler
Copy link
Copy Markdown

@decodifi-tyler decodifi-tyler commented Feb 6, 2026
edited
Loading

Downgrade @modelcontextprotocol/sdk to 1.19.1 to avoid Zod/AJV code generation causing unsafe-eval CSP errors in Chrome extensions.

@decodifi-tyler
Downgrade MCP SDK to 1.19.1 to fix CSP violations in browser extensions
422aa15 
- Downgrade @modelcontextprotocol/sdk from ^1.25.2 to ^1.19.1
- This avoids Zod/AJV code generation that uses Function() constructor
- Fixes EvalError: unsafe-eval not allowed in Chrome extension CSP
- Tested working in Chrome extension with Krisp MCP proxy
Copilot AI review requested due to automatic review settings February 6, 2026 22:06
github-actions[bot]
github-actions Bot reviewed Feb 6, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution. We will check and reply to you as soon as possible.

Copilot AI reviewed Feb 6, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to eliminate Chrome extension CSP (unsafe-eval) violations by downgrading the MCP SDK dependency used by the extension.

Changes:

  • Downgraded @modelcontextprotocol/sdk in the Chrome extension from ^1.25.2 to ^1.19.1.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread chrome-extension/package.json Outdated
@decodifi-tyler
Apply suggestion from @Copilot
9fd8ccc 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@decodifi-tyler decodifi-tyler mentioned this pull request Feb 6, 2026
Open
@DavidKDeutsch DavidKDeutsch mentioned this pull request Feb 12, 2026
Open
@HenKenLink
Copy link
Copy Markdown

HenKenLink commented Mar 12, 2026

'^1.20.2' not work, but '1.20.2' do. '^' will cause deps update to 1.25.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Copilot code review Copilot Copilot left review comments

@srbhptl39 srbhptl39 Awaiting requested review from srbhptl39 srbhptl39 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@decodifi-tyler @HenKenLink