Your MCP dependency scan can pass and still miss HIGH vulnerabilities

DEV Community·Bindfort·20 days ago

Quick story, then the practical part. We scanned five official MCP reference servers from the @modelcontextprotocol npm namespace. Standard tooling against the package manifest:

    0 findings

Then we re-ran the same check against the installed dependency tree:

    10 HIGH findings

Same five servers. Same advisory database. The difference was that the second scan walked into a package the first one never had reason to query: @modelcontextprotocol/sdk@1.0.1. The advisories were public. The fixes were already shipped. The scan just didn't reach that far down.…
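To make the gap concrete, here is an added example (not code from the post or from the MCP project) that runs the same advisory lookup twice: once over a package.json, which names only direct dependencies, and once over the resolved tree recorded in a v3 package-lock.json, where the vulnerable SDK sits one level down. The package names, versions and the advisory entry are all constructed placeholders, not real advisories.

```javascript
// Constructed manifest for a hypothetical MCP server: only the direct dependency appears.
const manifest = {
  name: "example-mcp-server",
  dependencies: { "@example/server-kit": "^2.1.0" },
};
// Constructed v3 lockfile: the resolved tree, including the transitive "@example/sdk"
// nested under server-kit's own node_modules, which the manifest never mentions.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@example/server-kit": "^2.1.0" } },
    "node_modules/@example/server-kit": { version: "2.1.4", dependencies: { "@example/sdk": "^1.0.0" } },
    "node_modules/@example/server-kit/node_modules/@example/sdk": { version: "1.0.1" },
  },
};
// Constructed advisory database (placeholder data): package -> first patched version and severity.
const advisories = {
  "@example/sdk": { fixedIn: "1.0.2", severity: "HIGH" },
};

// Compare two plain x.y.z versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Manifest-only scan: direct dependencies only, matched by name, because the
// manifest carries a range rather than a resolved version.
function scanManifest(pkg, db) {
  return Object.keys(pkg.dependencies || {}).filter((name) => name in db);
}

// Lockfile scan: every installed package at its resolved version, however deeply
// it is nested under node_modules, checked against the patched version.
function scanLockfile(lock, db) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const adv = db[name];
    if (adv && compareVersions(entry.version, adv.fixedIn) < 0) {
      findings.push({ name, version: entry.version, severity: adv.severity, fixedIn: adv.fixedIn });
    }
  }
  return findings;
}

console.log(scanManifest(manifest, advisories)); // [] : the manifest never reaches the SDK
console.log(scanLockfile(lockfile, advisories)); // one HIGH finding on @example/sdk@1.0.1
```

The same asymmetry applies to real tooling: a scanner fed only the manifest cannot see packages that exist solely as transitive entries in the lockfile or in node_modules, so point it at the installed tree.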
