Report by Endor Labs

State of Dependency Management 2025: Security in the AI-Code Era

6 findings · Published Nov 4, 2025

Key Findings

40% of the more than 10,000 Model Context Protocol (MCP) servers created in under a year had no license in 2025.

Tags: MCP Ecosystem, Software Development, Security Risks

The proportion of safe dependency recommendations increased from 20% to 57% when AI agents were equipped with security tools in 2025.

Tags: AI coding agent, AI Development, Software Vulnerabilities

Only 20% of dependency versions recommended by AI coding assistants were found to be safe to use in 2025.

Tags: AI coding agent, AI Development, Software Vulnerabilities

44-49% of dependencies imported by AI coding agents contained known security vulnerabilities in 2025.

Tags: AI coding agent, AI Development, Dependency Management
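The three findings above measure how often a version recommended by an AI coding assistant is already covered by a known advisory, and how much the picture improves when the agent can consult a security tool before it answers. The following is an added example, not code from the Endor Labs report or from any specific tool it evaluated: it shows one such check, comparing a recommended version with advisory ranges expressed as OSV-style introduced/fixed events and, when the version is affected, suggesting the lowest fixed version that no advisory covers. The advisory IDs, package names and version numbers are constructed for illustration.

```python
"""Vet an AI-recommended dependency version against known advisories.

Added example (not from the Endor Labs report). The advisory records,
package names and versions below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically.

    Only dotted-integer versions are handled; pre-release tags are out of
    scope for this example.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet


# Constructed sample advisories; the IDs and packages are made up.
ADVISORIES = [
    Advisory("EXAMPLE-2025-0001", "fastjsonlib", "1.0.0", "1.4.2"),
    Advisory("EXAMPLE-2025-0002", "fastjsonlib", "2.0.0", "2.1.0"),
    Advisory("EXAMPLE-2025-0003", "yamltool", "0.1.0", None),
]


def affected_by(adv: Advisory, version: str) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def vet_recommendation(package: str, version: str, advisories=ADVISORIES) -> dict:
    """Decide whether a recommended version is safe to accept.

    Returns the matching advisory IDs and, if the version is affected, the
    lowest fixed version for the package that is not itself inside another
    advisory's range (None when no fix exists yet).
    """
    relevant = [a for a in advisories if a.package == package]
    hits = [a for a in relevant if affected_by(a, version)]
    if not hits:
        return {"safe": True, "advisories": [], "suggested": None}

    candidates = {a.fixed for a in relevant if a.fixed is not None}
    clean = [
        c for c in candidates
        if parse_version(c) > parse_version(version)
        and not any(affected_by(a, c) for a in relevant)
    ]
    suggested = min(clean, key=parse_version) if clean else None
    return {
        "safe": False,
        "advisories": sorted(a.id for a in hits),
        "suggested": suggested,
    }


if __name__ == "__main__":
    # Constructed recommendations an assistant might have produced.
    for pkg, ver in [("fastjsonlib", "1.2.0"), ("fastjsonlib", "1.4.2"),
                     ("fastjsonlib", "2.0.5"), ("yamltool", "0.3.0")]:
        print(pkg, ver, vet_recommendation(pkg, ver))
```

The check is deliberately conservative: a recommended version is only reported safe when no advisory range contains it, and the suggested upgrade must itself sit outside every range for that package, so the tool never trades one known issue for another. In practice the constructed `ADVISORIES` list would be replaced by a lookup against a real advisory feed, and the version parser by one that understands the ecosystem's full version syntax.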

About 75% of the more than 10,000 Model Context Protocol (MCP) servers were built by individuals without enterprise-grade protections in 2025.

Tags: MCP Ecosystem, Software Development, Security Risks

82% of the more than 10,000 Model Context Protocol (MCP) servers interact with sensitive APIs, which enlarges the attack surface and adds further vulnerabilities, in 2025.

Tags: MCP Ecosystem, Software Development, Security Risks, APIs, Vulnerabilities