MCP PostgreSQL Server
1.2.1 verified Sat Apr 25 auth: no javascript
MCP server providing PostgreSQL database operations (query, schema inspection, data manipulation) for MCP-compatible clients. Current stable version: 1.2.1, released January 2025. Security-focused: v1.2.0 fixed SQL injection via unquoted column names and made SSL mode 'require' validate server certificates. Configuration comes from environment variables, DATABASE_URL, or a config file; SSL is auto-configured for AWS RDS. Releases are frequent (two in January 2025) and carry security patches and fixes. Key differentiator: MCP-native protocol integration rather than a generic database driver.
Common errors
error (node:xxx) [PG] Deprecation Warning: pg@9.0 will drop support for concurrent queries on a single client. Use a pool instead.
cause Using Promise.all() to run multiple queries on a single pg.Client concurrently.
fix Update to mcp-postgres@1.2.1 or later, which sequences queries.
error Error: Invalid input syntax for type ... ... at column '...'
cause SQL injection attempt or malformed column name (unquoted special characters).
fix Upgrade to >=1.2.0 which properly quotes identifiers.
error Error: getaddrinfo ENOTFOUND ...
cause PostgreSQL hostname not resolvable or incorrect.
fix Check DB_HOST or DATABASE_URL value. Ensure the host is reachable and resolvable.
Warnings
breaking v1.2.0: Fixed SQL injection via unquoted column names in update_data, delete_data, insert_data, count_rows, alter_table, create_table. Upgrade immediately if using these tools with untrusted input.
fix Upgrade to >=1.2.0
breaking v1.2.0: SSL mode 'require' now validates server certificates (rejectUnauthorized: true). Previously it disabled validation, allowing MITM attacks.
fix Update to >=1.2.0 and ensure valid certificates.
gotcha v1.2.1: pg.Client does not support concurrent queries. Using Promise.all() on a single client will cause a deprecation warning in pg@9.0.
fix Upgrade to v1.2.1 which runs queries sequentially.
gotcha Config file must be named 'config.json' in the working directory. No other names or paths are supported.
fix Rename or move config file to ./config.json
deprecated Use of DATABASE_URL is deprecated in favor of individual environment variables (DB_HOST, etc.).
fix Switch to individual env vars: DB_HOST, DB_PORT, etc.
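The v1.2.0 column-name fix listed above, shown as an added example (not code from mcp-postgres; the helper names buildUpdateUnsafe, buildUpdateSafe and quoteIdent and the sample table are assumptions). Binding values as parameters does not protect a statement whose column names are pasted in raw; quoting each name as a PostgreSQL identifier does.

```javascript
// Added example. Helper names are hypothetical, not the mcp-postgres API.

// Pre-fix pattern: values are bound as $n, column names are pasted in raw.
function buildUpdateUnsafe(table, data, idColumn, idValue) {
  const cols = Object.keys(data);
  const set = cols.map((c, i) => `${c} = $${i + 1}`).join(', ');
  const text = `UPDATE ${table} SET ${set} WHERE ${idColumn} = $${cols.length + 1}`;
  return { text, values: [...Object.values(data), idValue] };
}

// PostgreSQL quoted identifier: wrap in double quotes and double any embedded
// double quote. Identifiers cannot contain NUL, so reject it (and empty names).
// A schema-qualified name must be quoted part by part, not as one string.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    throw new TypeError('invalid SQL identifier');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hardened form: every identifier goes through quoteIdent().
function buildUpdateSafe(table, data, idColumn, idValue) {
  const cols = Object.keys(data);
  if (cols.length === 0) throw new Error('no columns to update');
  const set = cols.map((c, i) => `${quoteIdent(c)} = $${i + 1}`).join(', ');
  const text = `UPDATE ${quoteIdent(table)} SET ${set} ` +
    `WHERE ${quoteIdent(idColumn)} = $${cols.length + 1}`;
  return { text, values: [...Object.values(data), idValue] };
}

// Constructed input: the object KEY (column name) comes from the caller.
const hostile = { 'email = email, is_admin': true };

console.log(buildUpdateUnsafe('users', hostile, 'id', 7).text);
console.log(buildUpdateSafe('users', hostile, 'id', 7).text);
```

The hardened statement refers to a single column literally named `email = email, is_admin`, so PostgreSQL rejects it as an unknown column instead of running the extra assignment.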
Install
npm install mcp-postgres
yarn add mcp-postgres
pnpm add mcp-postgres
Imports
- default (server instance)
wrong const server = require('mcp-postgres')
correct import server from 'mcp-postgres'
- PostgresServer
wrong import { PostgresServer } from 'mcp-postgres'
correct import { PostgresServer } from 'mcp-postgres'
- Config
import type { Config } from 'mcp-postgres'
Quickstart
import { PostgresServer } from 'mcp-postgres';
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';

// The package is typically run as a CLI tool.
// To run programmatically:
const server = new PostgresServer({
  host: process.env.DB_HOST ?? 'localhost',
  // Always pass a radix so the port is parsed as decimal.
  port: parseInt(process.env.DB_PORT ?? '5432', 10),
  user: process.env.DB_USER ?? 'postgres',
  password: process.env.DB_PASSWORD ?? '',
  database: process.env.DB_NAME ?? 'postgres',
  // As of v1.2.0, 'require' validates the server certificate.
  sslmode: process.env.DB_SSL_MODE ?? 'disable'
});

// Serve MCP over stdio; log to stderr so stdout stays free for the protocol.
const transport = new StdioServerTransport();
await server.connect(transport);
console.error('MCP PostgreSQL Server running on stdio');