Hi MCP maintainers — opening this as a constructive heads-up rather than a complaint. Apologies if there is a better channel for this.
While running a 200-package validation of an open-source MCP supply-chain scanner I built (weiseer/mcp-doctor) against the most-installed MCP-related npm packages, I noticed that several of the official @modelcontextprotocol/server-* packages on npm have not had a release in over a year and do not include a repository URL in their published package.json.
Concrete list (data pulled from the npm registry on 2026-05-30):
| Package | Days since last release | `repository` field in package.json |
|---|---|---|
| @modelcontextprotocol/create-server | 550 | none |
| @modelcontextprotocol/server-postgres | 541 | none |
| @modelcontextprotocol/server-gdrive | 501 | none |
| @modelcontextprotocol/server-github | 416 | none |
| @modelcontextprotocol/server-slack | 399 | none |
| @modelcontextprotocol/server-puppeteer | 382 | none |
Two questions that would help downstream users:
- Are these packages intentionally archived in favor of new locations (server-archived org? other replacement?) — if so, the most user-friendly action would be `npm deprecate` with a pointer to the new location, so anyone who runs `npm audit` or a supply-chain scanner gets clear guidance.
- If they are still recommended for use, could the published `package.json` include a `repository` field? Without it, supply-chain tools cannot do source-to-binary verification, and there is no canonical place for downstream users to file issues.
I am happy to help with whatever the right path is — including opening PRs to whichever repos host the current source, if pointed at them. The 200-package dataset is at api.weiseer.com/dataset/scan_200.json for reference.
Thanks for everything you build.
— wei (wei@weiseer.com)
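As an added example (not code from the issue above or from mcp-doctor), the two checks wei describes, a stale latest release and a missing `repository` field, run over a constructed npm registry document; the package names and dates in the sample are invented, and the 365-day staleness threshold is an assumption:

```javascript
// Added example (not from the issue or mcp-doctor): the issue's two checks run
// over an npm registry document ("packument", normally fetched from
// https://registry.npmjs.org/<name>). Only the fields the checks read are kept.
const STALE_DAYS = 365; // assumed threshold; the issue speaks of "over a year"

// Constructed sample data (invented names and dates): one stale package with
// no repository field, and one recently released package that has one.
const SAMPLE_PACKUMENTS = {
  "@example/server-stale": {
    "dist-tags": { latest: "0.6.2" },
    time: { "0.6.2": "2024-11-26T00:00:00.000Z" },
    versions: { "0.6.2": { name: "@example/server-stale", version: "0.6.2" } },
  },
  "@example/server-fresh": {
    "dist-tags": { latest: "1.2.0" },
    time: { "1.2.0": "2026-05-01T00:00:00.000Z" },
    versions: {
      "1.2.0": {
        name: "@example/server-fresh",
        version: "1.2.0",
        repository: { type: "git", url: "git+https://github.com/example/server-fresh.git" },
      },
    },
  },
};

// Assess one packument as of `now`; returns what a scanner would report for it.
function assessPackage(packument, now = new Date()) {
  const latest = (packument["dist-tags"] || {}).latest;
  const meta = (packument.versions || {})[latest] || {};
  const published = (packument.time || {})[latest];
  const daysSinceRelease = published ? Math.floor((now - new Date(published)) / 86_400_000) : null;
  // `repository` is either { type, url } or a shorthand string like "github:org/repo".
  const repo = meta.repository;
  const repoUrl = typeof repo === "string" ? repo : repo && repo.url;
  const findings = [];
  if (daysSinceRelease === null || daysSinceRelease > STALE_DAYS) findings.push("stale-release");
  if (!repoUrl) findings.push("no-repository-field");
  return {
    name: meta.name || "(unknown)",
    latest: latest || null,
    daysSinceRelease,
    repository: repoUrl || null,
    deprecated: typeof meta.deprecated === "string" ? meta.deprecated : null, // npm deprecate message, if any
    findings,
  };
}
```

A real run replaces `SAMPLE_PACKUMENTS` with documents fetched from the registry; the `deprecated` field is where an `npm deprecate` pointer would surface for downstream tools.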