# osv-advisory-mcp-server MCP server

Query OSV.dev for package vulnerabilities and batch-audit dependency lists via MCP.

## Links
- Registry page: https://www.getdrio.com/mcp/io-github-cyanheads-osv-advisory-mcp-server
- Repository: https://github.com/cyanheads/osv-advisory-mcp-server

## Install
- Command: `npx -y @cyanheads/osv-advisory-mcp-server`
- Endpoint: https://osv-advisory.caseyjhand.com/mcp
- Auth: Not captured

## Setup notes
- Package: npm @cyanheads/osv-advisory-mcp-server v0.1.1
- Environment variable: OSV_REQUEST_TIMEOUT_MS (default 10000)
- Environment variable: MCP_LOG_LEVEL (default info)
- Environment variable: MCP_HTTP_HOST (default 127.0.0.1)
- Environment variable: MCP_HTTP_PORT (default 3010)
- Environment variable: MCP_HTTP_ENDPOINT_PATH (default /mcp)
- Environment variable: MCP_AUTH_MODE (default none)
- Remote endpoint: https://osv-advisory.caseyjhand.com/mcp

## Tools
- osv_list_ecosystems (Osv List Ecosystems) - Return the list of supported ecosystem identifier strings for use with osv_query and osv_query_batch. Ecosystem strings are case-sensitive exact matches — passing "pypi" instead of "PyPI" returns an error from the API. Use this tool to discover valid ecosystem strings before querying, or to verify an ecosystem identifier from a lockfile format. The list is static (maintained from the OSV schema spec) and may occasionally lag newly added ecosystems.
- osv_query (Osv Query) - Query known vulnerabilities for a single package version across any supported ecosystem. Returns all matching OSV advisories with severity (CVSS vectors), CVE aliases, affected version ranges, and first safe version. Use osv_list_ecosystems to validate the ecosystem string before querying — ecosystem strings are case-sensitive exact matches and an invalid value returns an error, not empty results.
- osv_get_vulnerability (Osv Get Vulnerability) - Fetch the full advisory record for an OSV vulnerability ID. Returns the complete record: summary, full details text, CVE aliases, all affected packages and version ranges, fix versions, CVSS severity vectors, CWE weakness IDs, and references. Use when osv_query or osv_query_batch returns a vuln ID and you need the full advisory context — eligibility criteria, scope of affected packages, or remediation guidance.
- osv_query_batch (Osv Query Batch) - Query vulnerabilities for multiple packages in one call — the primary tool for dependency audits, SBOM scanning, and lockfile triage. Pass an array of {name, ecosystem, version} tuples (up to 1000). Each entry in the response corresponds positionally to the input. For 200 or more packages, results spill to a DataCanvas table (returned as canvas_id) for SQL aggregation. Each finding includes CVE aliases for chaining to nist-nvd-mcp-server for CVSS scoring. Invalid ecosystem strings are rejected before querying — call osv_list_ecosystems to validate.
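
The tool descriptions above call out two behaviors that a client has to handle: ecosystem strings are case-sensitive, and batch results are positional. The following is an added example, not code from the osv-advisory-mcp-server project. The ecosystem subset, sample packages and response are constructed, and the request/response shape is assumed to be that of OSV.dev's public `querybatch` API rather than the MCP tool's own schema.

```javascript
// Added example. KNOWN_ECOSYSTEMS is a constructed subset; in practice use the
// list returned by osv_list_ecosystems.
const KNOWN_ECOSYSTEMS = ["PyPI", "npm", "Go", "crates.io", "Maven", "RubyGems"];
const MAX_BATCH = 1000; // batch limit stated in the tool description

// Exact, case-sensitive match; on a case-only mismatch, report the correct form.
function checkEcosystem(eco) {
  if (KNOWN_ECOSYSTEMS.includes(eco)) return { ok: true };
  const hint = KNOWN_ECOSYSTEMS.find((k) => k.toLowerCase() === String(eco).toLowerCase());
  return { ok: false, hint: hint ?? null };
}

// Validate every {name, ecosystem, version} tuple, then build the request body
// (shape assumed: OSV.dev /v1/querybatch).
function buildBatch(deps) {
  if (deps.length > MAX_BATCH) throw new RangeError(`batch exceeds ${MAX_BATCH} packages`);
  const errors = [];
  deps.forEach((d, i) => {
    const r = checkEcosystem(d.ecosystem);
    if (!r.ok) errors.push({ index: i, ecosystem: d.ecosystem, hint: r.hint });
  });
  if (errors.length) return { errors, body: null };
  const queries = deps.map((d) => ({
    package: { name: d.name, ecosystem: d.ecosystem },
    version: d.version,
  }));
  return { errors, body: { queries } };
}

// Results are positional: results[i] belongs to deps[i]. An entry with no
// "vulns" key means no known advisories for that package version.
function joinResults(deps, response) {
  if (!Array.isArray(response.results) || response.results.length !== deps.length) {
    throw new Error("result count does not match input; refusing to pair by position");
  }
  return deps.map((d, i) => ({
    ...d,
    vulnIds: (response.results[i].vulns ?? []).map((v) => v.id),
  }));
}

// Constructed sample input and response (IDs are placeholders, not real advisories).
const deps = [
  { name: "example-lib", ecosystem: "npm", version: "1.2.3" },
  { name: "example-pkg", ecosystem: "PyPI", version: "0.9.0" },
];
const sampleResponse = { results: [{ vulns: [{ id: "EXAMPLE-0001" }] }, {}] };
const findings = joinResults(deps, sampleResponse);
console.log(findings.filter((f) => f.vulnIds.length > 0));
```

Refusing to pair when the result count differs from the input count keeps a truncated or partial response from attributing an advisory to the wrong dependency.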

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: io.github.cyanheads
- Version: 0.1.1
- Runtime: npm
- Transports: STDIO, HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 31, 2026
- Source: https://registry.modelcontextprotocol.io
