Paper Reference
Dependency Vulnerabilities — arxiv:2601.17549, Implementation sections
"Compromised or vulnerable dependencies in MCP implementations"
Current State
IntentGuard has no dependency scanning, no lock file enforcement, and no CI checks for known vulnerabilities in its dependency tree.
What Should Be Implemented
- Pin all dependencies in requirements.txt with exact versions
- Add a GitHub Actions workflow for dependency vulnerability scanning (e.g., pip-audit, Dependabot, or Snyk)
- Document minimal dependency philosophy in contributing guide
- Consider vendoring critical dependencies to reduce supply chain surface
Why It Matters
As a security tool, IntentGuard itself must not be a vector for supply chain attacks. Users trusting IntentGuard to guard their MCP interactions need assurance that IntentGuard's own dependencies are vetted.
Priority
High — this is table stakes for an open-source security tool.
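One way to enforce the exact-version pinning item in CI, as an added example that is not part of the original issue or IntentGuard's code: a checker that fails the build when any requirements.txt entry is not an exact `==` pin. The function names and the sample file contents are hypothetical and constructed for illustration.

```python
import re
import sys

# name[extras] == version, with an optional environment marker after ';'
PINNED = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]+\])?\s*===?\s*[^\s;,*]+\s*(;.*)?$")

def logical_lines(text):
    """Yield (line_no, entry): comments stripped, backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None

def unpinned(text):
    """Return [(line_no, entry, reason)] for every entry that is not an exact pin."""
    findings = []
    for no, req in logical_lines(text):
        if req.startswith("-"):
            # -r pulls in another file, -e installs from a path or VCS checkout
            if re.match(r"(-r|--requirement|-e|--editable)\b", req):
                findings.append((no, req, "include or editable install, not an exact pin"))
            continue  # other global options (--index-url, ...) are not requirements
        spec = re.split(r"\s+--", req, maxsplit=1)[0]  # drop --hash=... options
        if "://" in spec or " @ " in spec:
            findings.append((no, spec, "URL/VCS reference, not a version pin"))
        elif not PINNED.match(spec):
            findings.append((no, spec, "no exact == pin"))
    return findings

# Constructed sample, not IntentGuard's real dependency list.
SAMPLE = """\
# runtime dependencies
alpha==1.2.3
beta[email]==2.5.3 ; python_version >= "3.9"
gamma>=0.25
delta
epsilon==8.*
zeta==41.0.7 \\
    --hash=sha256:0000
-r dev-requirements.txt
eta @ git+https://example.invalid/eta.git
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = unpinned(text)
    for no, entry, reason in problems:
        print(f"line {no}: {entry!r}: {reason}")
    sys.exit(1 if problems else 0)
```

Run as a workflow step before the vulnerability scan, a non-zero exit blocks the merge; included files flagged by `-r` need their own run of the check.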