Description
Related page
https://mui.com/material-ui/getting-started/mcp/
Kind of issue
Other
Issue description
I appreciate that this is somewhat common for MCP implementations at the moment due to the lack of good standards around it, but it would be preferable if - at the very least - it were clearly communicated that this has some risks associated with it in terms of auto-running the latest code at all times, in what is likely a privileged execution environment (e.g. usually Claude or GitHub Copilot would have access to quite a bit of information).
Namely, the concern is that if the package were compromised in the future, the recommended setup would make the user fairly vulnerable to that attack, and it may be a good idea to install the package in the user's repo directly to pick the version based on the lockfile.
Context
No response
Search keywords: mui, mcp, npx, security
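
An added example, not part of the original issue or of the MUI project: a small Node.js check that flags MCP server entries launched through `npx` without an exact version, which is the setup the issue describes. The `mcpServers` config shape, the `auditMcpConfig` and `classifySpec` helpers, and all package names are assumptions constructed for illustration.

```javascript
// Added example: flags MCP server entries that launch a package through npx
// without an exact version. Config shape and package names are constructed.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Split "name@version" or "@scope/name@version" into its parts.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@'); // index 0 is a scope marker, not a version
  return at > 0
    ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
    : { name: spec, version: '' };
}

// "exact" = one fixed version; "range" = semver range; "floating" = tag or none.
function classifySpec(spec) {
  const { version } = parseSpec(spec);
  if (EXACT.test(version)) return 'exact';
  if (/^[\^~<>=]*\s*\d/.test(version)) return 'range';
  return 'floating';
}

// Return one finding per npx-launched server whose package is not pinned.
function auditMcpConfig(config) {
  const findings = [];
  for (const [server, entry] of Object.entries(config.mcpServers ?? {})) {
    if (!/^npx(\.cmd)?$/.test(entry.command ?? '')) continue;
    // Assumption: the first non-flag argument is the package spec.
    const spec = (entry.args ?? []).find((a) => !a.startsWith('-'));
    if (!spec) continue;
    const kind = classifySpec(spec);
    if (kind !== 'exact') findings.push({ server, spec, kind });
  }
  return findings;
}

// Constructed sample configuration.
const SAMPLE = {
  mcpServers: {
    docs: { command: 'npx', args: ['-y', '@example/docs-mcp@latest'] },
    search: { command: 'npx', args: ['-y', 'example-search-mcp'] },
    lint: { command: 'npx', args: ['-y', 'example-lint-mcp@^2.1.0'] },
    pinned: { command: 'npx', args: ['-y', '@example/docs-mcp@1.4.2'] },
    local: { command: 'node', args: ['./node_modules/example-mcp/bin.js'] },
  },
};

for (const f of auditMcpConfig(SAMPLE)) {
  console.log(`${f.server}: ${f.spec} (${f.kind}) resolves at launch time`);
}
```

An exact version in the `npx` argument fixes only the top-level package; its dependencies are still resolved when the command runs, which is why the `local` entry, installed in the repository and governed by the lockfile, is the form the issue suggests.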