The following versions of Superpowers MCP are currently supported with security updates:
| Version | Supported |
|---|---|
| 6.0.x | ✅ |
| 5.1.x | ✅ |
| 5.0.x | ❌ |
| 4.3.x | ❌ |
| < 4.3 | ❌ |
If you discover a security vulnerability in Superpowers MCP, please report it responsibly:
- Email: Send details to posidomhu@gmail.com
- Subject: Use "[Security] Superpowers MCP - Brief Description"
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Released: Within 30 days (depending on severity)
| Check | Status |
|---|---|
| npm audit vulnerabilities | 0️⃣ Zero — all 37 prior advisories resolved |
innerHTML usage |
0️⃣ Zero — entire codebase uses safe DOM APIs |
eval / new Function / document.write |
0️⃣ Zero occurrences |
| Hardcoded secrets in tracked files | 0️⃣ Zero — .gitignore covers .env*, *.pem, *.key, *.token, credentials* |
| World-writable files | 0️⃣ Zero |
| XSS vectors (brainstorming Visual Companion & server) | ✅ Patched — DOM XSS fixed in v5.1.1, remaining innerHTML eliminated in v6.0.0, reflected server-side XSS fixed in v6.0.1 |
ReDoS (path-to-regexp) |
✅ Patched — upgraded to v8.4.2 in v5.1.1 |
CORS / Lambda / Set-Cookie (hono) |
✅ Patched — upgraded to v4.12.26 in v5.1.2 |
When using Superpowers MCP:
- Keep the package updated to the latest version (
npm update -g superpowers-mcp) - Review skill files before execution in sensitive environments
- Report any suspicious behavior immediately
- The brainstorming Visual Companion starts a local HTTP server on an ephemeral port — only accessible from localhost