security: implement supply chain protections

- Add minimumReleaseAge (24h) and store integrity checks in pnpm-workspace.yaml

- Enforce pnpm usage via only-allow preinstall script

- Add pnpm audit to CI workflow

- Resolve known vulnerabilities in @modelcontextprotocol/sdk and vitest/esbuild

Author: PatrickSys

.github/workflows/test.yml

@@ -22,5 +22,6 @@ jobs:
           cache: 'pnpm'
 
       - run: pnpm install --frozen-lockfile
+      - run: pnpm audit
       - run: pnpm build
       - run: pnpm test

package.json

@@ -72,6 +72,7 @@
   },
   "license": "MIT",
   "scripts": {
+    "preinstall": "npx only-allow pnpm",
     "build": "tsc",
     "prepublishOnly": "npm run build",
     "start": "node dist/index.js",
@@ -82,7 +83,7 @@
   },
   "dependencies": {
     "@lancedb/lancedb": "^0.4.0",
-    "@modelcontextprotocol/sdk": "^0.6.0",
+    "@modelcontextprotocol/sdk": "^1.25.1",
     "@typescript-eslint/typescript-estree": "^7.0.0",
     "@xenova/transformers": "^2.17.0",
     "fuse.js": "^7.0.0",
@@ -97,6 +98,6 @@
     "@types/node": "^20.11.24",
     "@types/uuid": "^9.0.8",
     "ts-node": "^10.9.2",
-    "vitest": "^1.3.0"
+    "vitest": "^4.0.16"
   }
 }