70 / 100
13 days ago
npm

dpesch/mantisbt-mcp-server

MCP server for MantisBT REST API – read and manage bug tracker issues

dpesch/mantisbt-mcp-server · npm: @dpesch/mantisbt-mcp-server · listed on npm

// key findings
⚠️ Known vulnerabilities in dependencies: 2 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
37 tools verified — handlers match their declared behaviour
23 read-only tools verified — handlers contain no write/delete/exec
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐 You'll be asked for 2 credentials: MANTIS_API_KEY, MCP_HTTP_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies: 2 high

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

high · @modelcontextprotocol/sdk@1.0.0 · GHSA-8r9q-7v3j-jr4g
Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

high · @modelcontextprotocol/sdk@1.0.0 · GHSA-w48q-cv73-mx4w
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
| Kind | Variable | Default | Description |
|---|---|---|---|
| 🔐 secret | MANTIS_API_KEY | | Sample value: "your-api-token" |
| config | MANTIS_BASE_URL | | Sample value: "https://your-mantis.example.com/api/rest" |
| config | MANTIS_CACHE_DIR | ~/.cache/mantisbt-mcp | Directory for the metadata cache |
| config | MANTIS_CACHE_TTL | 3600 | Cache lifetime in seconds |
| config | MANTIS_SEARCH_BACKEND | vectra | Vector store backend: vectra (pure JS) or sqlite-vec (requires manual install) |
| config | MANTIS_SEARCH_DIR | {MANTIS_CACHE_DIR}/search | Directory for the search index |
| config | MANTIS_SEARCH_ENABLED | false | Set to true to enable semantic search |
| config | MANTIS_SEARCH_MODEL | Xenova/paraphrase-multilingual-MiniLM-L12-v2 | Embedding model name (downloaded once on first use, ~80 MB) |
| config | MANTIS_SEARCH_THREADS | | |
| config | MANTIS_UPLOAD_DIR | | |
| config | MCP_HTTP_HOST | 127.0.0.1 | Bind address for HTTP mode. Changed from 0.0.0.0 to 127.0.0.1 — the server now listens on localhost only by default. Set to 0.0.0.0 for Docker or remote access. |
| 🔐 secret | MCP_HTTP_TOKEN | | When set, the /mcp endpoint requires Authorization: Bearer <token>. The /health endpoint is always public. |
| config | MCP_TEST_ENVIRONMENT | | |
| config | PORT | 3000 | Port for HTTP mode |
| config | TRANSPORT | stdio | Transport mode: stdio or http |
| config | _PREPUSH_FILTER_ACTIVE | | |
commit: b6e58d3fe0b6c515b85478774e8bfc3c361742b7
code hash: b86845f6f399142b8b05d13e235fa52462786d59bc9848652847299938284de4
verified: 6/16/2026, 12:44:35 PM