Unpinned npx/bunx package reference

AI security governance · MCP security

Severity

medium

What it is

An npx or bunx command references a package without a pinned version. The runner then fetches whatever version the registry serves at launch, so a compromised or malicious release of that package runs without any change to the configuration, which enables supply chain attacks.

How Igris detects it

Igris's Version Pinning Checker flags this during MCP security scans of your configuration.
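Added example, not Igris's own checker: a small scan in the spirit of this rule that walks an MCP server configuration in the claude_desktop_config.json style (assumed layout: `mcpServers` entries with `command` and `args`) and reports npx/bunx invocations whose package spec carries no exact version. The sample config, server names and package names are constructed.

```python
import re

# Exact semver: MAJOR.MINOR.PATCH with optional pre-release / build metadata.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
RUNNERS = {"npx", "bunx"}

def split_spec(spec: str) -> tuple:
    """Split 'pkg@ver' or '@scope/pkg@ver' into (name, version); version is '' if absent."""
    at = spec.find("@", 1)  # start at 1 so a leading scope '@' is not taken as the separator
    return (spec, "") if at == -1 else (spec[:at], spec[at + 1:])

def package_spec(args: list) -> str:
    """Return the package spec npx/bunx would resolve from its argument list, or ''."""
    take_next = False
    for arg in args:
        if take_next:
            return arg
        if arg in ("-p", "--package"):
            take_next = True  # the package name is the following argument
        elif arg.startswith("--package="):
            return arg.split("=", 1)[1]
        elif not arg.startswith("-"):
            return arg  # first positional argument is the package to execute
    return ""

def find_unpinned(config: dict) -> list:
    """Return (server, spec, reason) for every npx/bunx server that lacks an exact version."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        command = str(server.get("command", "")).replace("\\", "/").rsplit("/", 1)[-1]
        if command not in RUNNERS:
            continue  # only runners that fetch from the registry at launch are in scope
        spec = package_spec(server.get("args", []))
        if not spec:
            continue
        _, version = split_spec(spec)
        if not version:
            findings.append((name, spec, "no version: resolves to the registry's current release"))
        elif not EXACT_VERSION.match(version):
            findings.append((name, spec, f"'{version}' is a tag or range, not an exact version"))
    return findings

# Constructed sample in the claude_desktop_config.json-style layout (assumed; not from the page).
SAMPLE = {"mcpServers": {
    "files":  {"command": "npx",  "args": ["-y", "@example/server-filesystem", "/srv"]},
    "search": {"command": "bunx", "args": ["example-search-server@latest"]},
    "db":     {"command": "npx",  "args": ["-y", "-p", "example-db-mcp@^2.0.0", "example-db-mcp"]},
    "pinned": {"command": "/usr/bin/npx", "args": ["-y", "@example/server@1.4.2", "--port", "8080"]},
}}
```

Running `find_unpinned(SAMPLE)` reports `files`, `search` and `db`; only `pinned` passes because its spec names an exact version.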
