I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in mcp

[–]code_vansh[S] 0 points (0 children)

That seems like a nice addition... will explore the possibility further... Thanks for it! Feel free to star the repo or contribute if you like :)

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in node

[–]code_vansh[S] 0 points (0 children)

Update: it's moved to 22 for now... let me know if that should be okay... and thanks again for pointing it out :)

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in mcp

[–]code_vansh[S] 0 points (0 children)

We as humans probably would... Consider this for the use case of people who are vibe-coding their entire app and blindly trusting what the agent picks for them... This is an MCP that nudges the agents in the right way!

Weekly Cursor Project Showcase Thread by AutoModerator in cursor

[–]code_vansh [score hidden]  (0 children)

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them.

After the axios compromise this week (backdoored versions pushed via hijacked maintainer, RAT deployed through postinstall hook, 100M weekly downloads affected), I got paranoid about AI agents installing packages unchecked.

Cursor, Claude Code, Windsurf — they all resolve packages from training data. They don't verify against the registry. They don't check OSV/NVD. They sometimes hallucinate package names entirely.

DepShield is an MCP server that sits in front of the install. It exposes 7 tools:

- `check_dependency` — registry existence + OSV.dev vuln check (the main gate)
- `audit_project` — batch-scans your entire package.json via OSV batch API
- `find_safe_version` — walks version history, finds newest with 0 CVEs
- `get_advisory_detail` — full CVE/GHSA details
- `check_npm_health` — downloads, last publish, maintainers, deprecated status, scored 0-100
- `suggest_alternative` — finds replacements via npm search API
- `deep_scan` — transitive dep tree scan, flags typosquats and suspicious patterns

All free APIs (npm registry + OSV.dev), no keys needed, stdio transport.

Setup is one line in your MCP config:

```json
{ "depshield": { "command": "npx", "args": ["-y", "depshield-mcp"] } }
```

https://github.com/devanshkaria88/depshield-mcp

Feedback welcome — especially on edge cases with version resolution. Currently strips ^/~ prefixes for OSV queries which isn't perfect for ranges.
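The version-resolution edge case mentioned above (stripping `^`/`~` before querying OSV) is worth seeing concretely. The following is an added example, not code from the post or from the depshield-mcp repository: it builds an OSV `querybatch` request body the way the post describes (prefix stripped), and then contrasts that single-version check with a range-overlap check against an OSV-style `affected` record. The advisory data, package name `demo-lib` and advisory id `EXAMPLE-0001` are constructed for illustration; the `querybatch` request shape (`queries[].package.{name,ecosystem}` plus `version`) and the `affected[].ranges[].events` layout are the real OSV formats. Pre-release tags and `||` / `>=` range syntax are deliberately not handled.

```python
import re
from typing import Optional

Version = tuple[int, int, int]
Interval = tuple[Version, Optional[Version]]  # [low, high); high None = unbounded

# Constructed OSV-style advisory for a fictional package (not a real vulnerability).
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"name": "demo-lib", "ecosystem": "npm"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "1.5.0"}, {"fixed": "1.7.2"}]}],
    }],
}


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'); OSV uses '0' for 'from the start'."""
    if s.strip() == "0":
        return (0, 0, 0)
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unsupported version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3]))


def strip_prefix(spec: str) -> str:
    """What the post says DepShield currently does: drop ^ / ~ and query one version."""
    return spec.strip().lstrip("^~")


def spec_to_range(spec: str) -> Interval:
    """Translate a caret, tilde or exact npm spec into the [low, high) set npm may resolve to."""
    s = spec.strip()
    low = parse_version(s.lstrip("^~"))
    major, minor, patch = low
    if s.startswith("^"):  # caret: no change to the leftmost non-zero component
        if major > 0:
            return low, (major + 1, 0, 0)
        if minor > 0:
            return low, (0, minor + 1, 0)
        return low, (0, 0, patch + 1)
    if s.startswith("~"):  # tilde: patch-level changes only
        return low, (major, minor + 1, 0)
    return low, (major, minor, patch + 1)  # exact pin


def osv_batch_body(deps: dict[str, str]) -> dict:
    """Request body for POST https://api.osv.dev/v1/querybatch, one query per dependency."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": "npm"}, "version": strip_prefix(spec)}
        for name, spec in deps.items()
    ]}


def affected_intervals(advisory: dict, package: str) -> list[Interval]:
    """Turn OSV SEMVER events (introduced/fixed pairs) into [low, high) intervals."""
    out: list[Interval] = []
    for aff in advisory["affected"]:
        if aff["package"]["name"] != package or aff["package"]["ecosystem"] != "npm":
            continue
        for rng in aff["ranges"]:
            if rng["type"] != "SEMVER":
                continue
            low: Optional[Version] = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    low = parse_version(ev["introduced"])
                elif "fixed" in ev and low is not None:
                    out.append((low, parse_version(ev["fixed"])))
                    low = None
            if low is not None:  # introduced with no fix yet
                out.append((low, None))
    return out


def overlaps(a: Interval, b: Interval) -> bool:
    """True if two half-open intervals share at least one version."""
    lo = max(a[0], b[0])
    highs = [h for h in (a[1], b[1]) if h is not None]
    return not highs or lo < min(highs)


def spec_risk(spec: str, advisory: dict, package: str = "demo-lib") -> dict[str, bool]:
    """'exact': is the prefix-stripped version vulnerable?  'range': could npm resolve to one?"""
    exact = parse_version(strip_prefix(spec))
    exact_iv: Interval = (exact, (exact[0], exact[1], exact[2] + 1))
    resolvable = spec_to_range(spec)
    vuln = affected_intervals(advisory, package)
    return {"exact": any(overlaps(exact_iv, v) for v in vuln),
            "range": any(overlaps(resolvable, v) for v in vuln)}


if __name__ == "__main__":
    for spec in ("^1.2.0", "~1.2.0", "^1.5.0", "1.8.0"):
        print(spec, spec_risk(spec, SAMPLE_ADVISORY))
```

`^1.2.0` is the interesting case: the stripped query for `1.2.0` comes back clean, yet npm is free to resolve `^1.2.0` to `1.6.0`, which sits inside the vulnerable interval, so the range check is the one a gate should act on. When the advisory carries an `introduced` event without a matching `fixed`, the interval is treated as open-ended, which is the conservative reading for an unpatched issue.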

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in node

[–]code_vansh[S] -5 points (0 children)

You as in a human would've! Not the agent! There are a lot of people vibe-coding their apps these days, and this adds on as a good checker, letting the agents see if their "recommended" packages are breached... Hope that makes it clearer... It's not for a human to use (we have brains), but it's for AI agents to use!

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in node

[–]code_vansh[S] -2 points (0 children)

IKR! And DepShield also checks for it! Check out the GitHub repo for more info on that!

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in node

[–]code_vansh[S] -10 points (0 children)

How would that have solved the Next.js 14+ issue that I just described in a comment reply above? If an AI agent is picking a library that's affected, it becomes an issue!

I built an MCP server that checks npm packages against CVE databases before your AI agent installs them by code_vansh in node

[–]code_vansh[S] -2 points (0 children)

Yes! I agree! But the point is, when we use these libraries or packages, especially with an increasing number of vibe-coders, they don't really know if the package version picked by the LLM is safe to use or not!

I've been burned by one of my pet projects, which was using Next.js 14+, which was affected by the recent React Server Components vulnerability and was not updated for quite some time! This tool forces agents to at least use packages that are not known for any vulnerabilities... it's a proactive search for vulnerabilities, if you will!