modelcontextprotocol/typescript-sdk — Repobility public scan

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Sign up free Scan another repo

Scan timing: clone 1.44s · analysis 3.35s · 4.2 MB · GitHub API rate-limit (preflight)

modelcontextprotocol/typescript-sdk

https://github.com/modelcontextprotocol/typescript-sdk · scanned 2026-05-24 01:20 UTC (1 week, 5 days ago) · 10 languages

1278 findings (101 legacy + 1177 scanner) 59th percentile · Typescript · medium (20-100K LoC) Scanner says 66 (higher by 10)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 5 days ago · v7 · 281 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

88.9% cov · 180 gaps

click to filter

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	80.4	0.25	20.10
`testing_score`	90.0	0.20	18.00
`documentation_score`	81.6	0.15	12.24
`practices_score`	74.0	0.15	11.10
`code_quality`	57.1	0.10	5.71
Overall		1.00	76.1

Severity distribution — click a segment to filter

Active filters: layer: api × excluding tests × Reset all

Severity: Critical 1 High 81 Medium 18 Low 154 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 101 9-layer 180 Crowd 0 Layer: Security 6 Quality 98 Software 81 Frontend 57 Cicd 15 Api 24

Exclude dismissed / FP Exclude test files

Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.

Scan summary Repository scanned at 65.8/100 with 88.9% coverage. It contains 1341 nodes across 18 cross-layer flows, written primarily in mixed languages. Engine surfaced 180 findings — concentrated in frontend (57), software (50), quality (34). Risk profile is high: 0 critical, 11 high, 17 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 24 of 281 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:14)

`packages/middleware/hono/test/hono.test.ts:14` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:26)

`packages/middleware/hono/test/hono.test.ts:26` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:35)

`packages/middleware/hono/test/hono.test.ts:35` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:38)

`packages/middleware/hono/test/hono.test.ts:38` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:49)

`packages/middleware/hono/test/hono.test.ts:49` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:52)

`packages/middleware/hono/test/hono.test.ts:52` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: GET http://localhost/health (packages/middleware/hono/test/hono.test.ts:63)

`packages/middleware/hono/test/hono.test.ts:63` calls `GET http://localhost/health` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/health` If this points at an external API, prefix it with `…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: POST http://localhost/echo (packages/middleware/hono/test/hono.test.ts:101)

`packages/middleware/hono/test/hono.test.ts:101` calls `POST http://localhost/echo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/echo` If this points at an external API, prefix it with `ht…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: POST http://localhost/echo (packages/middleware/hono/test/hono.test.ts:71)

`packages/middleware/hono/test/hono.test.ts:71` calls `POST http://localhost/echo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/echo` If this points at an external API, prefix it with `htt…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: POST http://localhost/echo (packages/middleware/hono/test/hono.test.ts:84)

`packages/middleware/hono/test/hono.test.ts:84` calls `POST http://localhost/echo` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/http:/localhost/echo` If this points at an external API, prefix it with `htt…

wiringdangling-fetchhelper:request

high 9-layer api wiring conf 1.00 Dangling fetch: POST http://localhost:${port} (packages/middleware/node/test/streamableHttp.test.ts:3046)

`packages/middleware/node/test/streamableHttp.test.ts:3046` calls `POST http://localhost:${port}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/localhost:/<p>` If this points at an external API, prefix it wit…

wiringdangling-fetchfetch

low 9-layer api wiring conf 1.00 Unused endpoint: ALL /api/auth/{*splat}

`examples/shared/src/authServer.ts` declares `ALL /api/auth/{*splat}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: ALL /mcp

`packages/server/src/server/streamableHttp.ts` declares `ALL /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /mcp

`examples/server/src/simpleStatelessStreamableHttp.ts` declares `DELETE /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: GET /

`packages/middleware/express/src/auth/metadataRouter.ts` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: GET /api-key-form

`examples/server/src/elicitationUrlExample.ts` declares `GET /api-key-form` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: GET /confirm-payment

`examples/server/src/elicitationUrlExample.ts` declares `GET /confirm-payment` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: GET /mcp

`examples/server/src/jsonResponseStreamableHttp.ts` declares `GET /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: GET /sign-in

`examples/shared/src/authServer.ts` declares `GET /sign-in` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: GET /sse

`scripts/cli.ts` declares `GET /sse` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: POST /api-key-form

`examples/server/src/elicitationUrlExample.ts` declares `POST /api-key-form` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: POST /confirm-payment

`examples/server/src/elicitationUrlExample.ts` declares `POST /confirm-payment` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: POST /mcp

`packages/middleware/node/src/streamableHttp.ts` declares `POST /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

low 9-layer api wiring conf 1.00 Unused endpoint: POST /message

`scripts/cli.ts` declares `POST /message` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/941e20b9-d91f-4609-a0f4-1b7fa3f6e58f/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/941e20b9-d91f-4609-a0f4-1b7fa3f6e58f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.