The MCP SDK Looks Safe. Its Supply Chain Has 11 CRITICAL Single-Maintainer Packages.

1 / 2

The MCP SDK Looks Safe. Its Supply Chain Has 11 CRITICAL Single-Maintainer Packages.

DEV Community·Pico·about 1 month ago

#tIkALoEi

#ai #javascript #critical #package #maintainer #json

Reading 0:00

15s threshold

The Model Context Protocol is becoming the standard plumbing for AI tools. Claude, Cursor, Windsurf, and a growing list of AI assistants connect to MCP servers to browse the web, read files, query databases, and execute code. If you're building an AI product in 2026, you're probably using @modelcontextprotocol/sdk . Here's what the package itself looks like when scored by behavioral commitment: @modelcontextprotocol/sdk — score: 75/100 | 6 maintainers | 31M downloads/week | 1.4 years old Enter fullscreen mode Exit fullscreen mode Six maintainers. Respectable. Score of 75. No CRITICAL flag. You might stop there. Don't stop there. The Direct Dependencies When I mapped the full supply chain to depth 2, the picture changes fast: curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \ -H "Content-Type: application/json" \ -d '{"package": "@modelcontextprotocol/sdk", "depth": 2}' Enter fullscreen mode Exit fullscreen mode 21 nodes. 11 CRITICAL. 4 WARN.…

Continue reading — create a free account

Join HashtagPLUS to read full articles, follow hashtags, vote, and join the conversation.

Create free account Log in

Menu

The MCP SDK Looks Safe. Its Supply Chain Has 11 CRITICAL Single-Maintainer Packages.