# DepScope MCP server

Package intelligence MCP for AI agents — tools, 19 ecosystems, AGPL SDK, free.

## Links
- Registry page: https://www.getdrio.com/mcp/dev-depscope-mcp
- Repository: https://github.com/cuttalo/depscope-mcp
- Website: https://depscope.dev

## Install
- Command: `npx -y depscope-mcp`
- Endpoint: https://mcp.depscope.dev/mcp
- Auth: Not captured

## Setup notes
- Package: Npm depscope-mcp v0.9.0
- Remote endpoint: https://mcp.depscope.dev/mcp

## Tools
- check_malicious - Supply-chain malware check against OpenSSF/OSV. USE WHEN: about to suggest install of an unvetted/unfamiliar package; name came from a blog/tutorial. Call BEFORE check_package for untrusted pkgs. RETURNS: {is_malicious, threat_tier, source}. Endpoint: https://mcp.depscope.dev/mcp
- check_typosquat - Typosquat detector. USE WHEN: name differs from a well-known package by 1-2 chars (`lodsh`, `reqeusts`); copy-paste from unreliable source; downloads near zero but name looks familiar. RETURNS: {is_typosquat, likely_target, confidence}. Endpoint: https://mcp.depscope.dev/mcp
- check_bulk - Fast pre-flight filter for a batch of (ecosystem, package) pairs. DB-only, <100ms for 100 items. USE WHEN: about to emit `npm install a b c …` or `pip install a b c …` — catches hallucinated names, stdlib, typos, and known-bad in ONE call. NOT a dep-tree audit (use scan_project for that). RETURNS: per-item {status: exists|stdlib|malicious|typosquat_suspect|historical_incident|unknown}. Endpoint: https://mcp.depscope.dev/mcp
- package_exists - Boolean registry existence check. USE WHEN: about to emit a package name in an install command but unsure it exists; verifying a name generated from training data. RETURNS: {exists}. Endpoint: https://mcp.depscope.dev/mcp
- get_latest_version - Latest published version + deprecation flag — the cheapest call. USE WHEN: only a version string matters (pinning a dep, answering 'what version of X'). If you also need health/vulns use check_package. RETURNS: {latest, deprecated, published_at}. Endpoint: https://mcp.depscope.dev/mcp
- get_health_score - Single 0-100 health score — cheapest go/no-go gate (>=70 safe). USE WHEN: CI gating or pkg already screened for malware/typos. NOT a first screen — run check_malicious + check_typosquat first. For a verbal verdict use get_package_prompt. RETURNS: {score, verdict}. Endpoint: https://mcp.depscope.dev/mcp
- install_command - Canonical install command(s) across every package manager of the ecosystem (npm/pnpm/yarn/bun, pip/uv/poetry, cargo, go, composer, maven+gradle, nuget, …). USE WHEN: emitting an install line and you want correct flags. RETURNS: {primary, variants[]}. Endpoint: https://mcp.depscope.dev/mcp
- get_package_prompt - LLM-optimised package brief — plain text ~300 tokens (~75% cheaper than JSON). Verdict (SAFE/AVOID/URGENT/MALICIOUS) + health + vulns + alternatives + maintainer alerts. USE WHEN: you want to reason over a package and drop the output directly in context; 'is X safe'. PREFER THIS over check_package in 95% of LLM cases. RETURNS: plain-text brief. Endpoint: https://mcp.depscope.dev/mcp
- check_package - Full machine-readable JSON report (~2k tokens). USE WHEN: you need to programmatically parse specific fields (CI gating, UI, sub-field extraction). Otherwise prefer get_package_prompt. RETURNS: {package, health:{score}, vulnerabilities[], latest, deprecated, maintainers, recommendation}. Endpoint: https://mcp.depscope.dev/mcp
- get_vulnerabilities - CVE/OSV advisories affecting the latest (or specified) version. USE WHEN: security-sensitive project; user asks 'any CVEs in X'; you already know the pkg exists. RETURNS: {vulnerability_count, vulnerabilities[]: {id, severity, cvss, fixed_in}}. Endpoint: https://mcp.depscope.dev/mcp
- find_alternatives - Curated replacements for deprecated/unhealthy packages, including stdlib built-ins (e.g. `fs.rm` for rimraf). USE WHEN: pkg flagged AVOID/URGENT; 'what to use instead of X'; before guessing a replacement name. RETURNS: {alternatives[]: {name, reason, is_stdlib}}. Endpoint: https://mcp.depscope.dev/mcp
- get_migration_path - Prescriptive migration plan between DIFFERENT packages — rationale + literal code diff + breaking changes + effort minutes. USE WHEN: replacing `request`→`axios`, `moment`→`dayjs`, `flask`→`fastapi`, etc.; both endpoints known. RETURNS: {rationale, diff, breaking_changes[], estimated_minutes}. Endpoint: https://mcp.depscope.dev/mcp
- get_breaking_changes - Breaking changes between two majors of the SAME package (`next@14`→`15`). USE WHEN: user is bumping a major; before recommending a major upgrade. Different from get_migration_path (same pkg vs. different pkg). RETURNS: {breaking_changes[]: {area, description, hint}}. Endpoint: https://mcp.depscope.dev/mcp
- pin_safe - Highest version below the chosen CVE severity tier, respecting a semver constraint. USE WHEN: writing a package.json/requirements.txt line; resolving dependabot by lowest-risk patched version. RETURNS: {recommended_version, walk_log[]}. Endpoint: https://mcp.depscope.dev/mcp
- scan_project - Audit a project's dependencies in one shot. Returns a single-sentence `verdict` (e.g. "DO NOT INSTALL — 1 hallucinated: fastapi-turbo") that an agent can paste into its reply, plus per-package health/vulns/recommendation. Detects hallucinated packages, deprecated, typosquats, critical vulnerabilities. Accepts EITHER {ecosystem, packages:[name@ver, …]} (up to 100, returns JSON) OR {packages:[{ecosystem, package}, …]} (up to 50, mixed ecosystems, returns text brief). USE WHEN: user pastes package.json/requirements.txt/Cargo.toml; agent generated install command; 'is my stack OK'. RETURNS: JSON with `verdict`, `project_risk`, `summary.hallucinated_packages`, `summary.deprecated_packages`, per-package health. Endpoint: https://mcp.depscope.dev/mcp
- compare_packages - Side-by-side comparison (health, vulns, downloads, maintainers, last release) of 2-10 packages in the same ecosystem. USE WHEN: 'X vs Y' / 'should I pick X or Y'. RETURNS: table-shaped JSON, one row per package. Endpoint: https://mcp.depscope.dev/mcp
- check_compatibility - Is this specific multi-package version combo verified to work together? USE WHEN: pinning a stack (next@15 + react@19 + node@22); before recommending a version matrix. RETURNS: {compatible, conflicts[], notes}. Endpoint: https://mcp.depscope.dev/mcp
- resolve_error - Map error OR free-text query to a verified fix. USE WHEN: user pastes a concrete error/stack (ENOENT, ImportError, build failure) — pass `error`. OR user describes a symptom ('webpack slow', 'pip stuck') — pass `query`. Always prefer this over guessing a fix. RETURNS: exact-match {status, solution, confidence, source_url} or search results [{title, summary, source_url}]. Endpoint: https://mcp.depscope.dev/mcp
- get_known_bugs - Non-CVE known bugs for a specific package version. USE WHEN: unexpected behavior that is NOT a security issue; a pinned version misbehaves. RETURNS: {bugs[]: {title, fixed_in, workaround}}. Endpoint: https://mcp.depscope.dev/mcp
- get_trust_signals - One-call aggregate of ALL non-CVE supply-chain trust signals: maintainer trust (bus factor, ownership changes), OpenSSF Scorecard, quality (criticality, release velocity, publish security), and SLSA/Sigstore provenance. USE WHEN: deep-vetting a package beyond CVEs (hardened/regulated env, SBOM/compliance, small-pkg ownership review, choosing between healthy candidates). Runs 4 backend endpoints in parallel. RETURNS: {maintainer, scorecard, quality, provenance} — each may be null if its backend call failed. Endpoint: https://mcp.depscope.dev/mcp
- get_trending - Live trending packages with rank-delta and weekly growth %. USE WHEN: 'what is rising in npm/PyPI/Cargo right now'; recommendation not biased by training-data cutoff. RETURNS: {items[]: {name, rank, rank_delta, weekly_growth_pct}}. Endpoint: https://mcp.depscope.dev/mcp
- contact_depscope - Inbound ticket: bug/listing/security/anomaly/partnership. USE WHEN: reporting wrong data (`bug`), requesting a new pkg/ecosystem index (`listing`), disclosing a DepScope security issue (`security`), flagging a concrete mismatch in another tool's output vs. authoritative source (`anomaly` — provide tool_called+observed+expected), or partnership/press (`partnership`). RETURNS: {ticket_id} or {anomaly_id}. Endpoint: https://mcp.depscope.dev/mcp

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: dev.depscope
- Version: 0.9.24
- Runtime: Npm
- Transports: STDIO, HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 5, 2026
- Source: https://registry.modelcontextprotocol.io