@modelcontextprotocol/sdk
Model Context Protocol implementation for TypeScript
Versions: 5
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
jspahrsummerspcarletonfweinbergerthedspashwin-antochafik
Keywords
modelcontextprotocol, mcp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Official Anthropic MCP SDK with 78 versions, SLSA provenance, and active GitHub repo. Dormancy signal is not indicative of takeover for this well-established package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Actively maintained Anthropic open-source project; adding maintainers is expected as the MCP ecosystem grows. SLSA provenance mitigates takeover risk. | ai | |
| dependencies | unvetted-dep:jose | AI (dependencies): jose is a well-known JWT/JOSE library; expected in an SDK implementing OAuth/auth flows. | ai | |
| dependencies | unvetted-dep:ajv-formats | AI (dependencies): ajv-formats is a standard companion to ajv for JSON Schema validation; legitimate use. | ai | |
| dependencies | unvetted-dep:zod | AI (dependencies): zod is a widely-used, well-known TypeScript validation library; its use in the MCP SDK is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:hono | AI (phantom-deps): hono is a runtime dependency used in optional server transport code; phantom-dep finding is a false positive for this package. | ai | |
| dependencies | unvetted-dep:eventsource | AI (dependencies): eventsource is expected for SSE transport support in the MCP SDK; legitimate use. | ai | |
| dependencies | unvetted-dep:hono | AI (dependencies): hono is a well-known web framework used for server transport in the MCP SDK; legitimate use. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.29.0 | 17 / 23 | |
| 1.28.0 | 17 / 23 | |
| 1.27.1 | 17 / 23 | |
| 1.27.0 | 17 / 23 | |
| 1.26.0 | 17 / 22 | |
v1.28.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.1
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.