The Model Context Protocol (MCP) ecosystem is evolving rapidly, yet one package refuses to fade into obscurity. Despite being officially archived and labeled as unsafe for production, @modelcontextprotocol/server-postgres racked up 312,391 downloads last month alone. This figure represents a tripling of installs in just five months, with no signs of slowing down.
The server’s continued popularity raises a critical question: who is using it, and why are they ignoring Anthropic’s stark warning to avoid it in production environments? The answer lies in a combination of convenience, overlooked disclaimers, and the sheer absence of a viable alternative.
How the server bridges AI and databases
The MCP server acts as a translator between AI clients, such as Claude or Cursor, and a PostgreSQL database. Once configured with a connection string, it exposes a single tool, query, which runs the SQL the model supplies inside a read-only transaction. It also exposes a resource for each table's schema (its column listing), giving models the structural context needed to write queries and interpret results.
For developers, this integration eliminates a tedious workflow. Instead of manually copying data from a database client into a chat interface, they can ask the model, "Show me the top 10 customers by revenue last month," and receive an immediate answer built from rows pulled directly from their database. This capability has made the server the de facto solution for teams eager to connect their AI agents to critical data sources.
Why Anthropic shifted to archiving reference servers
In early 2025, Anthropic reorganized its MCP server repositories. The actively maintained servers repo now hosts seven servers designed for protocol demos or local-only use. Meanwhile, 14 other servers—including those for Postgres, GitHub, Slack, and Redis—were moved to a separate servers-archived repository.
The migration came with a clear disclaimer: "NO SECURITY GUARANTEES ARE PROVIDED FOR THESE ARCHIVED SERVERS." These servers are no longer maintained, receive no security updates, and should not be used in production.
The rationale behind this move is straightforward. Servers that interact with third-party systems or handle sensitive credentials were deemed high-risk. Anthropic’s decision to archive them signals a preference to avoid ownership of tools that could introduce vulnerabilities. However, the lack of a maintained alternative leaves developers in a bind—particularly those seeking an official solution for database integration.
What keeps developers installing an archived package
Three key factors explain the server’s enduring popularity despite its archived status.
- Critical workflow integration: Developers are rapidly wiring AI agents to their databases. The manual process of querying databases and pasting data into chat interfaces is inefficient. Once teams experience the convenience of direct database access, they rarely revert to the old method.
- Hidden disclaimers in the wrong places: Installing via npx @modelcontextprotocol/server-postgres works seamlessly. The npm package page does not display the "archived" label; it simply describes the server's functionality. Users only encounter the warning when they navigate to the GitHub repository, which lives in a different namespace (modelcontextprotocol/servers-archived). For those arriving via tutorials or AI-generated recommendations, the disclaimer may never come to light.
- Functionality trumps risk in early stages: For prototypes, demos, or small-scale experiments, the server performs as advertised. Read-only queries against a non-critical database pose minimal risk. However, the line between experimentation and production use blurs as teams grow more reliant on the tool. Many may not realize they’ve crossed into risky territory until it’s too late.
Security gaps that demand attention
The server's simplicity comes at a cost. At just 130 lines of TypeScript, its security model is rudimentary. It wraps each model-supplied query in a READ ONLY transaction, which blocks writes and DDL such as DROP TABLE, but that is the extent of the safeguards.
- No statement timeout: A query such as SELECT pg_sleep(3600) ties up a database connection for an hour.
- No row or result limits: SELECT * FROM events returns the entire table, potentially overwhelming the model's context window.
- No table or column restrictions: Sensitive columns such as api_key or stripe_secret in a users table are exposed to the model, which then ships them to a third-party model provider as part of the prompt.
- Flawed schema introspection: The discovery query filters on table name alone, so when the same table name exists in more than one schema their columns are merged into a single listing, and it omits critical metadata such as primary keys, foreign keys, and indexes.
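The following is an added example, not code from the archived server or from Anthropic, that puts the gaps above (and the read-only transaction described under "How the server bridges AI and databases") into concrete PostgreSQL. All object names are assumed: a role mcp_reader, a schema app with tables app.events (including a created_at column) and app.users (columns id, email, created_at, api_key, stripe_secret), and a 5-second timeout. Part 1 shows the shape of what the server runs around a model query; part 2 shows database-side controls a practitioner can apply without patching the package; part 3 is a schema-discovery query that avoids the cross-schema merge and returns keys and indexes.

```sql
-- Added example, not code from @modelcontextprotocol/server-postgres.
-- Assumed objects: role mcp_reader; schema app; tables app.events(created_at, ...)
-- and app.users(id, email, created_at, api_key, stripe_secret).

---------------------------------------------------------------------------
-- 1. The shape of what the server runs around each model-supplied query.
--    READ ONLY rejects DROP TABLE and UPDATE, but nothing here bounds
--    runtime or result size.
---------------------------------------------------------------------------
BEGIN TRANSACTION READ ONLY;
SELECT * FROM app.events;          -- model's query: whole table, no LIMIT
-- SELECT pg_sleep(3600);          -- model's query: would hold the connection an hour
DROP TABLE app.users;              -- ERROR: cannot execute DROP TABLE in a read-only transaction
ROLLBACK;

---------------------------------------------------------------------------
-- 2. Database-side controls the server lacks. A dedicated least-privilege
--    role is the boundary that holds regardless of the SQL text the model sends.
---------------------------------------------------------------------------
CREATE ROLE mcp_reader LOGIN PASSWORD 'replace-me';   -- assumed credential
ALTER ROLE mcp_reader CONNECTION LIMIT 3;

-- Session defaults for this role. A session can still change these with SET,
-- so treat them as guard rails against runaway queries, not as the security
-- boundary; the boundary is the GRANTs below.
ALTER ROLE mcp_reader SET statement_timeout = '5s';                     -- cancels pg_sleep(3600)
ALTER ROLE mcp_reader SET idle_in_transaction_session_timeout = '10s';  -- frees stuck connections
ALTER ROLE mcp_reader SET default_transaction_read_only = on;
ALTER ROLE mcp_reader SET search_path = app;                            -- no schema ambiguity

-- Privileges: only the tables and columns the model should ever see.
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM mcp_reader;
GRANT USAGE ON SCHEMA app TO mcp_reader;
-- Column-level grant: api_key and stripe_secret are never readable by this
-- role. SELECT * FROM app.users then fails with "permission denied", so the
-- model has to name the columns it is allowed to read.
GRANT SELECT (id, email, created_at) ON app.users TO mcp_reader;

-- Result size: PostgreSQL has no per-role row cap. Bound it for a large table
-- by granting a LIMITed view instead of the table (the view runs with its
-- owner's privileges, so mcp_reader needs no grant on app.events itself).
CREATE VIEW app.events_recent AS
  SELECT * FROM app.events ORDER BY created_at DESC LIMIT 1000;
GRANT SELECT ON app.events_recent TO mcp_reader;

---------------------------------------------------------------------------
-- 3. Schema discovery that does not merge same-named tables across schemas
--    and includes keys and indexes. Filter on table_schema as well as
--    table_name; run as mcp_reader, information_schema.columns only lists
--    columns the role has a privilege on, so api_key never appears.
---------------------------------------------------------------------------
SELECT column_name, data_type, is_nullable
FROM   information_schema.columns
WHERE  table_schema = 'app' AND table_name = 'users'
ORDER  BY ordinal_position;

-- Primary and foreign keys for every table in the schema.
SELECT conrelid::regclass        AS table_name,
       conname                   AS constraint_name,
       CASE contype WHEN 'p' THEN 'PRIMARY KEY' WHEN 'f' THEN 'FOREIGN KEY' END AS kind,
       pg_get_constraintdef(oid) AS definition
FROM   pg_constraint
WHERE  connamespace = 'app'::regnamespace
AND    contype IN ('p', 'f')
ORDER  BY conrelid, contype;

-- Indexes, as CREATE INDEX statements the model can read directly.
SELECT tablename, indexname, indexdef
FROM   pg_indexes
WHERE  schemaname = 'app'
ORDER  BY tablename, indexname;
```

The trade-off in part 2 is deliberate: statement_timeout and default_transaction_read_only are session defaults that any session can override with SET, so the grants are the only control that does not depend on what SQL the model emits. The LIMITed view caps result size at the cost of the model only ever seeing a window of the table; a true per-query LIMIT has to live in the server, which for an archived package means forking it.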
These oversights make the server ill-suited for production environments, where data integrity and security are paramount. Yet, its ease of use and immediate utility continue to attract developers who may not fully grasp the risks.
The future of database-integrated AI agents hinges on the development of secure, maintained alternatives. Until then, the archived Postgres MCP server remains a tempting yet perilous choice—one that developers will likely continue to install, despite the warnings.
AI summary
Anthropic's archived PostgreSQL MCP server is downloaded more than 300,000 times every month. Why is it so popular despite the security risks? A detailed look.