This MCP server acts as a bridge between the official Hacker News API and AI-powered tools that support the Model Context Protocol, such as Claude and Cursor.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"mcp-hacker-news": {
"args": [
"-y",
"mcp-hacker-news"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
A Model Context Protocol (MCP) server for Hacker News built with TypeScript.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: Hoisted install imports lockfile alias outside node_modules
## Summary The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted `node_modules` directory. Traversal aliases could escape that directory, while reserved aliases such as `.bin` or `.pnpm` could overwrite pnpm-owned layout. This patch validates package-name semantics and path containment before graph insertion or filesystem work. ## Security boundary - The
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in search
Web and local search using Brave Search API
The official MCP server implementation for the Perplexity API Platform
Production ready MCP server with real-time search, extract, map & crawl.
mini cli search engine for your docs, knowledge bases, meeting notes, whatever. Tracking current sota approaches while being all local
MCP Security Weekly
Get CVE alerts and security updates for Mcp Hacker News and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
A Model Context Protocol (MCP) server for Hacker News built with TypeScript.
This MCP server acts as a bridge between the official Hacker News API and AI-powered tools that support the Model Context Protocol, such as Claude and Cursor.
It enables these tools to fetch and interact with live Hacker News data (posts, comments, users) via standardized MCP endpoints.
Add to your Claude desktop config (claude_desktop_config.json) or your Cursor config file (mcp.json) :
{
"mcpServers": {
"mcp-hacker-news": {
"command": "npx",
"args": ["-y", "mcp-hacker-news"]
}
}
}

⚠️ If you are unsure about your Node.js version, run
node --versionin your terminal. Make sure it showsv18.x.xor higher.
How to upgrade Node.js
git clone https://github.com/paablolc/mcp-hacker-news.git
cd mcp-hacker-news
pnpm install
pnpm build
pnpm inspector
npx @modelcontextprotocol/inspector node dist/index.js

This MCP server exposes the following fixed resources, each corresponding to a core Hacker News endpoint:
| Resource URI | Description | Hacker News API Endpoint |
|---|---|---|
hackernews://top | Top stories | /v0/topstories |
hackernews://new | Newest stories | /v0/newstories |
hackernews://best | Best (algorithmic) stories | /v0/beststories |
These three collections match the main list endpoints officially provided by the Hacker News API.
Other types of stories (Ask HN, Show HN, Jobs, etc.) and item-specific lookups are available as tools (see below), allowing for flexible querying with custom parameters.
The following tools are available for advanced or parameterized queries. These allow you to fetch other Hacker News content beyond the fixed resources above:
| Tool Name | Description |
|---|---|
getTopStories | Fetch top stories (customizable limit) |
getBestStories | Fetch best stories (customizable limit) |
getNewStories | Fetch newest stories (customizable limit) |
getAskHNStories | Fetch "Ask HN" posts |
getShowHNStories | Fetch "Show HN" posts |
getJobStories | Fetch job postings |
getItem | Retrieve a specific item (story, comment, etc.) |
getUser | Retrieve a user pro |