mcp-ai-memory
ermermermermidk/mcp-ai-memoryA production-ready Model Context Protocol (MCP) server for semantic memory management
High risk — review the findings below
We found multiple concerning patterns in this package. Some of these might be legitimate (for example, a build tool might need to run commands), but you should review each finding below and decide if the explanations make sense for what this package claims to do.
What We Found(11 issues)
Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.
Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.
Technical details
Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.
"latest"Finding Summary
0
Critical
0
High
11
Medium
0
Low
0
Info