Author here. mpak is a package manager for MCPB bundles (the standard bundle format for MCP servers).
We built this to power our own platform internally and thought it might be useful to the broader community. Most of it is open source.
The problem: MCP servers are code, not packages. Every server has different install procedures, runtimes, and configs. Beyond the UX annoyance, this creates real issues:
1. Cold starts: pip install or npm install at runtime kills latency. MCPB vendors dependencies, so startup is just unzip and execute (some of ours were taking 60+ seconds to `npm install`)
2. Non-deterministic builds: Same repo, different day, different behavior. Transitive deps shift. Bundles are immutable artifacts, same SHA = same behavior.
3. Security: You can scan a bundle before running it. Generate SBOMs. Run grype/syft/trivy. Know what you're executing before you execute it.
The CLI:
```
mpak search weather
mpak pull @publisher/weather
mpak run @publisher/weather
```
Publishing is a GitHub Action (uses OIDC, no API keys):
- uses: NimbleBrainInc/mcpb-pack@v2
There's also a TypeScript SDK if you're building an MCP client and want to add bundle support programmatically.
Tag a release, bundle gets built and registered automatically.
MCPB is the spec (from the MCP maintainers). We run a public registry at mpak.dev, but the format is what matters. The goal is ecosystem-wide adoption, not lock-in.
barefootsanders•2w ago
We built this to power our own platform internally and thought it might be useful to the broader community. Most of it is open source.
The problem: MCP servers are code, not packages. Every server has different install procedures, runtimes, and configs. Beyond the UX annoyance, this creates real issues:
1. Cold starts: pip install or npm install at runtime kills latency. MCPB vendors dependencies, so startup is just unzip and execute (some of ours were taking 60+ seconds to `npm install`) 2. Non-deterministic builds: Same repo, different day, different behavior. Transitive deps shift. Bundles are immutable artifacts, same SHA = same behavior. 3. Security: You can scan a bundle before running it. Generate SBOMs. Run grype/syft/trivy. Know what you're executing before you execute it.
The CLI:
```
mpak search weather
mpak pull @publisher/weather
mpak run @publisher/weather
```
Publishing is a GitHub Action (uses OIDC, no API keys): - uses: NimbleBrainInc/mcpb-pack@v2
There's also a TypeScript SDK if you're building an MCP client and want to add bundle support programmatically.
Tag a release, bundle gets built and registered automatically.
MCPB is the spec (from the MCP maintainers). We run a public registry at mpak.dev, but the format is what matters. The goal is ecosystem-wide adoption, not lock-in.
CLI: npm i -g @nimblebrain/mpak
Registry: https://mpak.dev
Spec: https://github.com/modelcontextprotocol/mcpb
(PS We're also packaging up skills on it too.)
Happy to answer questions about the format or architecture.