dev.depscope/mcp
Saves tokens, energy & blocks unsafe packages — 22 tools, 19 ecosystems, 1.2M+ pkgs, MIT.
Ask AI about dev.depscope/mcp
Powered by Claude · Grounded in docs
I know everything about dev.depscope/mcp. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
DepScope MCP Server
Package intelligence MCP server for AI agents. Stops AI coding agents (Claude, ChatGPT, Cursor, Windsurf, Copilot) from installing hallucinated, deprecated, or malicious packages across 19 ecosystems.
→ Backed by depscope.dev — 1.2M+ packages indexed, 19,000+ vulnerabilities tracked, real-time.
What's new in v0.9.0
The MCP server now sends a system-prompt directive to your AI client at handshake (server.instructions). Claude Code, Cursor, Windsurf and other MCP clients receive a proactive-invocation brief automatically — manual rule files (CLAUDE.md, .cursorrules, .windsurfrules) are now optional. Existing rules still work; they're just redundant.
What the model sees at every session start:
- The 19-ecosystem coverage list
- An "INVOKE PROACTIVELY" directive with explicit triggers (install, version bump, lockfile change, "module not found" errors, library comparison)
- Three pillars: token-saving, energy-saving, security
- Standard invocation flow:
check_malicious→check_typosquat→check_package→install_command
For Claude Code there is also a companion plugin that bundles the MCP server with a skill carrying rich frontmatter triggers:
git clone https://github.com/cuttalo/depscope-claude-plugin ~/.claude/plugins/depscope
All npm versions <0.9.0 are now deprecated. Run npm update -g depscope-mcp if you installed globally.
Why this exists
LLMs frequently invent package names that look real but don't exist (fastapi-turbo, lodahs, tokio-stream-extras). When an agent tries to install one, it might hit an attacker's typosquat. DepScope verifies every package before install.
Quick start
Claude Desktop / Cursor / Windsurf (remote MCP)
Add to your MCP config:
{
"mcpServers": {
"depscope": {
"url": "https://mcp.depscope.dev/mcp"
}
}
}
Local (stdio via npx)
{
"mcpServers": {
"depscope": {
"command": "npx",
"args": ["-y", "depscope-mcp"]
}
}
}
Tools (22)
| Tool | Purpose |
|---|---|
check_package | Full package check: deprecated/CVE/health/recommendation |
get_health_score | 0-100 score with breakdown (maintenance/popularity/security/maturity/community) |
get_vulnerabilities | Open CVEs from OSV + KEV/EPSS |
package_exists | Hallucination detector (404 = LLM invented it) |
find_alternatives | Curated alternatives for deprecated/abandoned packages |
get_typosquat | Suspicious name similarity check |
get_breaking_changes | Migration plan between versions |
get_bugs | Known bugs from GitHub issues |
compare_packages | Side-by-side health/license/vuln comparison |
resolve_error | Map error message → likely cause + fix |
search_errors | Find similar error reports across ecosystems |
check_compat | Stack compatibility check |
get_latest_version | Latest stable + maturity signal |
| ... and 9 more | full list in tools.js |
Ecosystems (19)
npm · pypi · cargo · go · composer · maven · nuget · rubygems · pub · hex · swift · cocoapods · cpan · hackage · cran · conda · homebrew · jsr · julia
Pricing
Free. No auth required. Generous rate limits. The MCP server is open-source (AGPL-3.0); the backend (depscope.dev API) is proprietary.
License
AGPL-3.0-or-later. Backend is proprietary; this client is open.
Links
- depscope.dev — homepage
- docs — integration guide
- Glama listing
- awesome-mcp-servers