 |
VOOZH | about |
|
VOOZH | about |
This page provides an overview of the dependency model and security posture for @perplexity-ai/mcp-server. It covers:
@modelcontextprotocol/sdk's own transitive dependency treeFor package metadata, npm scripts, and the bin entry point, see Package Metadata and Scripts. For detailed dependency documentation, see Core Dependencies. For a full security discussion, see Security Architecture. For development toolchain details, see Development Tooling.
The server declares five direct runtime dependencies in package.json51-57
| Package | Version Constraint | Resolved | Role |
|---|---|---|---|
@modelcontextprotocol/sdk | ^1.21.1 | 1.27.1 | MCP protocol; McpServer, transports |
express | ^4.21.2 | 4.22.1 | HTTP server for HTTP mode |
cors | ^2.8.5 | 2.8.5 | CORS middleware for HTTP mode |
undici | ^6.20.0 | 6.23.0 | Outbound HTTP client to Perplexity API |
zod | ^3.25.46 | 3.25.76 | Runtime schema validation of API responses |
Minimum Node.js version: >=18 (package.json68-70).
Note: express appears both as a direct dependency (^4.21.2, used in src/http.ts) and as a transitive dependency of @modelcontextprotocol/sdk at a different major version (^5.2.1). npm resolves these independently as two separate installations.
Sources: package.json51-57 package-lock.json6-34
Diagram: Runtime packages mapped to the source modules that import them
Sources: package.json51-57 package-lock.json577-616
@modelcontextprotocol/sdk pulls in a substantial dependency tree. The notable sub-systems are listed below.
| SDK Transitive Dep | Version | Purpose within SDK |
|---|---|---|
hono | ^4.11.4 | Web framework used in SDK's HTTP transport |
@hono/node-server | ^1.19.9 | Node.js adapter for Hono |
ajv + ajv-formats | ^8.17.1 / ^3.0.1 | JSON Schema validation of MCP messages |
eventsource + eventsource-parser | ^3.0.2 / ^3.0.0 | SSE client used for streaming MCP connections |
express | ^5.2.1 | HTTP framework within SDK (separate from app's express@4) |
express-rate-limit | ^8.2.1 | Rate-limiting on SDK's HTTP endpoints |
jose | ^6.1.3 | JWT/JWK operations for OAuth token verification |
pkce-challenge | ^5.0.0 | PKCE code challenge generation for OAuth flows |
zod + zod-to-json-schema | ^3.25 || ^4.0 | Schema definition and JSON Schema export |
cross-spawn | ^7.0.5 | Cross-platform subprocess spawning (stdio transport) |
content-type | ^1.0.5 | HTTP Content-Type header parsing |
raw-body | ^3.0.0 | Raw HTTP body reading |
json-schema-typed | ^8.0.2 | Type-safe JSON Schema definitions |
Diagram: SDK internal sub-system structure
Sources: package-lock.json577-616
Development tooling is never included in published packages. The files field in package.json30-36 explicitly limits what gets published to dist/*.js (excluding test and config files), README.md, and .claude-plugin.
| Package | Version | Role |
|---|---|---|
typescript | ^5.9.3 | TypeScript compiler (tsc) |
tsx | ^4.19.4 | Zero-build TypeScript runner for dev scripts |
vitest | ^4.0.5 | Test runner |
@vitest/coverage-v8 | ^4.0.5 | V8-based code coverage |
shx | ^0.4.0 | Cross-platform shell commands (chmod +x) |
@types/cors | ^2.8.17 | TypeScript types for cors |
@types/express | ^5.0.0 | TypeScript types for express |
@types/node | ^20 | TypeScript types for Node.js builtins |
Sources: package.json58-67
The following table summarizes the security-relevant design decisions. Detailed discussion is in Security Architecture.
| Concern | Mechanism | Location |
|---|---|---|
| API key protection | Checked at startup; never logged; passed only as Authorization: Bearer header | src/index.ts, src/server.ts |
| CORS enforcement | cors() middleware with ALLOWED_ORIGINS allowlist | src/http.ts |
| npm publish auth | OIDC id-token permission; no static token stored | .github/workflows/publish.yml |
| MCP registry auth | DNS + private key; MCP_REGISTRY_PRIVATE_KEY secret extracted to temp file, then deleted | .github/workflows/publish-mcp.yml |
| OAuth/PKCE readiness | jose and pkce-challenge available via SDK for token-based client authentication | @modelcontextprotocol/sdk transitive deps |
| Outbound request isolation | undici ProxyAgent proxied through optional HTTPS proxy | src/server.ts, src/logger.ts |
| Log level default | PERPLEXITY_LOG_LEVEL defaults to ERROR; debug output never reaches stdout | src/logger.ts |
Diagram: Security-sensitive data flows
Sources: package.json22-36 package-lock.json577-616
The package declares "node": ">=18" in package.json68-70 This constraint is shared by most of the dependency tree. Key minimum-version drivers include:
undici 6.x requires Node.js >=18.17@hono/node-server requires Node.js >=18.14.1vitest 4.x requires Node.js ^20.0.0 || ^22.0.0 || >=24.0.0In CI, Node.js 20 is used (.github/workflows/test.yml .github/workflows/publish.yml). See Automated Testing Workflow for details.
Sources: package.json68-70 package-lock.json537-548 package-lock.json3722-3730