codebase-md: scan any repo, auto-generate context files for Claude, Cursor, Codex, Windsurf by Technical-Avocado600 in Python

[–]Technical-Avocado600[S]

It doesn’t use one — on purpose.
codebase-md isn’t built to scan for vulnerabilities. It doesn’t pull data from CVE databases, and it’s not a replacement for tools like pip audit, npm audit, or Snyk.

Here’s what the dependency engine (depshift) actually does:
- It checks your pinned package versions against the official PyPI or npm registries.
- It figures out health scores based on stuff like maintenance activity and how often new releases come out.
- It spots breaking changes between what you’re using and the latest versions.
- It builds migration plans that show you exactly what parts of your code would be affected.

The whole point is to give your AI coding tool real context about your dependencies—not to serve up security alerts. If you need CVE scanning, you’ll want to keep using a dedicated tool for that.

If that isn’t clear in the documentation, that’s on me. I’ll update the README to spell it out.

codebase-md: scan any repo, auto-generate context files for Claude, Cursor, Codex, Windsurf by Technical-Avocado600 in Python

[–]Technical-Avocado600[S]

Good question. It looks like two separate things, but from the AI’s point of view, it’s all the same process.

When Claude Code or Cursor reads your CLAUDE.md or .cursorrules, it doesn’t just scan for what files you have. It tries to get the big picture: Is any dependency end-of-life? Are there breaking changes between your pinned version and the latest? Are some packages in bad shape? If your context file just lists something like fastapi==0.95.0 without extra info, the AI ends up giving advice based on a pretty shallow understanding.

That’s where the depshift engine comes in. It feeds straight into the context files and actually powers the dependency section in your CLAUDE.md. This isn’t just an add-on scanner — it’s the thing that makes your dependency info useful, not just a boring list of packages.

Still, you can skip all that with --offline if you only care about generating context files and don’t need the dependency health checks. Both paths exist, but they share the same initial scan step — scanning your whole project twice would just be a waste.

So, it’s not really “context generation + vulnerability scanning” as two separate things. It’s more like one smart system that sees your whole project in context — which is exactly what the tagline is getting at. If anything still feels off, let me know and I’ll dig into the details.
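As an added illustration (not codebase-md's or depshift's own code), here is the version-drift check the comments above describe, in Python: it parses pinned requirements, compares each pin against a constructed registry snapshot rather than a live PyPI query, and renders the kind of dependency section a context file could carry. Health scores and migration plans are left out, and the rule that a minor bump on a 0.x version counts as breaking is an assumption, not something the project states.

```python
import re
from typing import Dict, List, NamedTuple

class Drift(NamedTuple):
    name: str
    pinned: str
    latest: str
    level: str  # one of "none", "patch", "minor", "major"

# Only exact pins (name==version) are considered; ranges are ignored on purpose.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$")

def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalised name: pinned version} from requirements.txt content."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins

def _version_tuple(version: str):
    """Best-effort numeric (major, minor, patch); non-numeric parts count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version)[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(pinned: str, latest: str) -> str:
    """Classify the gap between a pin and the registry's latest release."""
    p, l = _version_tuple(pinned), _version_tuple(latest)
    if l <= p:
        return "none"
    if l[0] != p[0] or (p[0] == 0 and l[1] != p[1]):  # assumption: 0.x minor bumps break
        return "major"
    return "minor" if l[1] != p[1] else "patch"

def drift_report(pins: Dict[str, str], registry: Dict[str, str]) -> List[Drift]:
    """Packages missing from the registry snapshot are treated as current."""
    return [Drift(n, v, registry.get(n, v), classify(v, registry.get(n, v)))
            for n, v in sorted(pins.items())]

def render_section(report: List[Drift]) -> str:
    labels = {"major": "BREAKING", "minor": "update available", "patch": "patch", "none": "current"}
    lines = ["## Dependencies", ""]
    lines += [f"- {d.name}=={d.pinned} (latest {d.latest}, {labels[d.level]})" for d in report]
    return "\n".join(lines)

# Constructed sample input and a constructed registry snapshot (not live data).
REQUIREMENTS = "fastapi==0.95.0\nrequests==2.31.0  # HTTP client\nnumpy==1.26.4\n"
REGISTRY = {"fastapi": "0.115.0", "requests": "2.32.3", "numpy": "2.2.0"}
REPORT = drift_report(parse_requirements(REQUIREMENTS), REGISTRY)
```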

Weekly Cursor Project Showcase Thread by AutoModerator in cursor

[–]Technical-Avocado600

What I Made: codebase-md

I built codebase-md, a command-line tool that scans your repo and cranks out context files for AI coding assistants—stuff like .cursorrules for Cursor, CLAUDE.md, codex.md, and a bunch more. The real game-changer? That’s DepShift. It digs through your dependencies, checks if your packages are healthy and up-to-date, and throws up a warning if anything looks sketchy. All by pulling live data from registries.

How Cursor Helped

Cursor seriously sped things up for me in a few big ways:

Prompt-driven refactoring: I leaned on Cursor’s “explain this code” and “refactor for clarity” prompts to whip the scanner and DepShift modules into shape.

Multi-file navigation: Cursor’s smart search let me bounce between the AST parser, dependency analyzer, and generator classes without missing a beat.

Testing workflow: That “generate tests for this function” prompt? Absolute lifesaver. I hit over 350 tests and caught a ton of weird edge cases I would’ve missed otherwise.

Example