MCP servers are typically installed with `npx -y @scope/package`, which resolves and downloads whatever `latest` points to every time your AI tool starts, with no version pin and no integrity check against what ran last time. mcp-lock fixes this by recording the exact version and tarball hash on first run and flagging any change on every run after that: the same guarantee `npm ci` gives you for a Node.js project with a lockfile.