discogs-mcp-server

The server demonstrates strong security practices including extensive input validation using Zod schemas for all tool parameters, which mitigates common injection vulnerabilities. Custom error handling prevents excessive information disclosure. The `DISCOGS_PERSONAL_ACCESS_TOKEN` is mandated via environment variables and users are explicitly warned against sharing it. Network host binding is configurable, allowing restriction to localhost. The project actively manages dependencies, as evidenced by explicit `pnpm` overrides for known vulnerabilities in `glob`, `hono`, `js-yaml`, and `qs`. The use of a forked `dotenv` is noted to prevent stdout logging conflicts, indicating a functional, non-malicious purpose. While an older `node-fetch` version is present in dependencies, the server's core `DiscogsService` leverages the native `fetch` API in Node.js (which uses `undici` in Node.js 18+), reducing reliance on the potentially vulnerable `node-fetch` package.