@cyanheads/secedgar-mcp-server

Query SEC EDGAR filings, XBRL financials, and company data through MCP. STDIO & Streamable HTTP.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cyanheads

Keywords

mcpmcp-servermodel-context-protocolsecedgarsec-edgarxbrlfilingsfinancial-datatypescriptbunstdiostreamable-http

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:node-cron	AI (phantom-deps): Config-file reference; stable pattern for this package.	ai	2026/06/03
phantom-deps	phantom-dep:better-sqlite3	AI (phantom-deps): Config-file reference; stable pattern for this package.	ai	2026/06/03
phantom-deps	phantom-dep:domhandler	AI (phantom-deps): Config-referenced dependency; stable pattern for this package.	ai	2026/06/01
provenance	no-provenance	AI (provenance): Provenance not yet enabled; low-risk package with clean publisher history.	ai	2026/06/01
dependencies	unvetted-dep:@duckdb/node-api	AI (dependencies): @duckdb/node-api is the official DuckDB Node.js API; legitimate native binding, not a supply-chain risk.	ai	2026/05/31
publish-pattern	new-deps-added	AI (publish-pattern): zod is a widely-used, well-established validation library; not a supply-chain risk here.	ai	2026/05/31
phantom-deps	phantom-dep:pino-pretty	AI (phantom-deps): pino-pretty is a logging transport typically referenced in config/options, not directly imported; stable false positive for this package.	ai	2026/05/19
phantom-deps	phantom-dep:@duckdb/node-api	AI (phantom-deps): DuckDB may be loaded via dynamic import or abstraction layer; phantom-dep heuristic is unreliable for this usage pattern.	ai	2026/05/19

Versions (showing 22 of 22)

Version	Deps	Published
0.8.1	11 / 8	2026-06-02
0.7.3	11 / 8	2026-06-01
0.7.2	10 / 8	2026-06-01
0.7.1	8 / 8	2026-05-31
0.7.0	8 / 8	2026-05-30
0.6.2	5 / 8	2026-05-29
0.6.1	5 / 8	2026-05-26
0.6.0	5 / 8	2026-05-26
0.5.2	5 / 8	2026-05-23
0.5.1	4 / 8	2026-05-17
0.5.0	4 / 8	2026-05-17
0.4.5	3 / 8	2026-05-16
0.4.4	3 / 8	2026-05-08
0.4.3	3 / 8	2026-05-04
0.4.2	3 / 8	2026-05-04
0.4.1	3 / 8	2026-05-01
0.4.0	3 / 8	2026-04-24
0.3.0	3 / 8	2026-04-21
0.2.0	3 / 8	2026-04-17
0.1.11	3 / 8	2026-03-30
0.1.10	3 / 8	2026-03-28
0.1.9	3 / 8	2026-03-24

v0.8.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.