BeClaude
Industry, 2026-07-01

Show HN: CLI that helps AI agents avoid vulnerable dependencies

Originally published by Hacker News

deptrust is a CLI that checks package versions for known vulnerabilities across npm, PyPI, crates.io, Go modules, RubyGems, NuGet, Maven, Packagist, pub.dev, CocoaPods, Hex.pm, Hackage, GitHub Actions, and more. It runs locally as a CLI and as an MCP server. It calls public package registry and OSV...

The Hacker News launch of deptrust—a CLI tool that audits package dependencies for known vulnerabilities across a staggering range of ecosystems (npm, PyPI, crates.io, Go modules, RubyGems, NuGet, Maven, and more)—marks a pragmatic response to a growing blind spot in AI-assisted development. While the tool itself is not revolutionary in concept (dependency scanning is well-trodden ground), its design as both a local CLI and an MCP (Model Context Protocol) server signals a shift in how we expect AI agents to interact with security tooling.

What Happened

deptrust operates by querying public package registries and the OSV (Open Source Vulnerabilities) database to cross-reference installed package versions against known CVEs. It runs entirely locally, avoiding the latency and privacy concerns of cloud-based scanners. The MCP server integration is the key differentiator: it allows AI coding assistants—like Claude, Copilot, or Cursor—to call deptrust as a tool during code generation or dependency management, receiving real-time vulnerability feedback without leaving the agent’s context window.
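The cross-referencing step described above, in code: an added example (not deptrust's own source) that builds the request body for the public OSV query endpoint and evaluates OSV `affected` ranges locally against a package version. The advisory records and package name are constructed for the example, and version comparison is simplified to numeric dotted versions.

```python
import json
# Constructed sample OSV records (not real advisories), shaped like api.osv.dev responses.
SAMPLE_VULNS = [
    {"id": "CONSTRUCTED-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "CONSTRUCTED-0002", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}]}]}]},
]

def osv_query_body(ecosystem, name, version):
    """Request body for POST https://api.osv.dev/v1/query (the public OSV endpoint)."""
    return json.dumps({"version": version, "package": {"name": name, "ecosystem": ecosystem}})

def _key(v):
    # Plain numeric dotted comparison; real ecosystems need their own version grammar.
    return tuple(int(p) for p in v.split("."))

def version_affected(version, affected):
    """OSV range semantics: introduced <= v < fixed, or introduced <= v <= last_affected."""
    v = _key(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") == "GIT":
            continue  # commit ranges need repository history; not comparable here
        start = None
        for ev in rng["events"]:
            if "introduced" in ev:
                start = _key(ev["introduced"])
            elif start is not None and ("fixed" in ev or "last_affected" in ev):
                end = _key(ev.get("fixed", ev.get("last_affected")))
                if start <= v and (v < end if "fixed" in ev else v <= end):
                    return True
                start = None
        if start is not None and start <= v:  # introduced but never fixed
            return True
    return False

def matching_vulns(ecosystem, name, version, vulns=SAMPLE_VULNS):
    """IDs of records whose 'affected' entries cover exactly this package and version."""
    hits = []
    for vuln in vulns:
        for a in vuln.get("affected", []):
            pkg = a.get("package", {})
            if (pkg.get("ecosystem"), pkg.get("name")) == (ecosystem, name) and version_affected(version, a):
                hits.append(vuln["id"])
                break
    return hits
```

The live endpoint already filters by version server-side; the local range evaluation matters when working from a downloaded OSV dump or a batch response.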

Why It Matters

The AI coding boom has accelerated dependency churn. Agents routinely scaffold projects, add libraries, and update package.json or requirements.txt files at machine speed. Human developers often review these changes, but the sheer volume of generated code makes manual vulnerability auditing impractical. Traditional SCA (Software Composition Analysis) tools are designed for CI/CD pipelines and periodic scans, not for the rapid, iterative workflows of AI pair programming.

deptrust fills a specific gap: it provides a lightweight, agent-callable security layer that operates during the development loop, not after. By exposing itself as an MCP server, it becomes a tool that an AI agent can invoke autonomously—checking a newly added dependency before committing it. This is a subtle but important architectural choice. It treats security scanning not as a gatekeeper step in a pipeline, but as a first-class capability within the agent’s toolchain.

Implications for AI Practitioners

For developers building or using AI coding agents, deptrust offers a concrete pattern for integrating safety checks into agent workflows. The MCP protocol is still emerging, but tools like this demonstrate its utility: instead of forcing agents to rely on static knowledge or external APIs, you give them a local, deterministic tool they can call with confidence.

There are caveats. deptrust relies on OSV data, which has variable coverage across ecosystems. It will catch widely publicized CVEs but may miss zero-days or vulnerabilities in less-audited packages. It also cannot assess transitive dependency depth or license compliance—it is a vulnerability checker, not a full SBOM manager. Practitioners should treat it as a first line of defense, not a replacement for comprehensive supply chain security.

The broader takeaway is that the AI development stack is maturing. We are moving from “write code fast” to “write code that is safe to deploy.” Tools like deptrust that embed security into the agent’s runtime environment—rather than bolting it on afterward—will become essential as autonomous coding workflows scale.

Key Takeaways

  • deptrust provides local, real-time vulnerability scanning for AI agents via CLI and MCP server integration, covering 14+ package ecosystems.
  • Its MCP server design allows AI coding assistants to autonomously check dependencies during development, moving security into the agent’s workflow rather than a post-hoc pipeline step.
  • Practitioners should use deptrust as a lightweight safety layer but remain aware of its reliance on OSV data, which may have gaps in coverage for less popular packages.
  • The tool exemplifies a broader trend: embedding deterministic security tooling directly into AI agent contexts, reducing the risk that agents automatically introduce vulnerable dependencies.