npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@buygit/mcp-server

v0.9.4

Published

MCP server for the BuyGit Open Index — 78k+ curated, license-tagged Git assets. 14 tools, 7 resource templates, 4 prompts. Every response carries 4-axis signals (license + supply-chain risk + popularity + pricing) — the industry-unique combination no othe

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

buygitmcpbuygitmcp

Keywords

mcpmodel-context-protocolbuygitgitdiscoveryanthropicclaudecursorclineaiagent

Readme

@buygit/mcp-server

The only MCP that returns license + supply-chain risk + popularity + price in a single call. 78,094 curated Git assets. Zero config. MIT. Free forever.

MCP server for the BuyGit Open Index — 78,094 curated, deduplicated, license-tagged Git assets from GitHub, Codeberg, npm, crates.io, WordPress, HuggingFace, and 17 other sources — to Claude Desktop, Cursor, Cline, Continue, ChatGPT Apps SDK, and any MCP 2025-11-25 client.

npm license

Companion: @buygit/cli — same answers from your shell. npx @buygit/cli search "react form" --license MIT.

Companion: buygit-vscode extension — license-compat + audit from the VS Code command palette + explorer right-click. See packages/vscode-extension.

Works in Antigravity, Claude Desktop, Claude Code, Cursor, Cline, Codex CLI, Continue, Gemini CLI, OpenCode, Roo Code, Windsurf, Zed, and any MCP 2025-11-25 client. Full install matrix in CLIENTS.md.

Cursor one-click install: cursor://anysphere.cursor-deeplink/mcp/install?name=buygit&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsIkBidXlnaXQvbWNwLXNlcnZlckBsYXRlc3QiXX0=

What is BuyGit?

BuyGit is an open marketplace and discovery platform for Git-based digital products — source code, templates, SaaS starters, boilerplates, plugins, AI agents, ML models, and developer tools.

Unlike raw GitHub search, BuyGit curates, deduplicates, and enriches every listing with structured metadata:

  • License classification — SPDX identifier + category (permissive / weak-copyleft / strong-copyleft / proprietary) + plain-English compatibility warnings
  • Supply-chain risk scoring — 0-100 composite score based on dependency hygiene, secret scan status, malware flags, and maintenance signals
  • Popularity scoring — log-scaled 0-100 star score normalized across sources (GitHub, npm, crates.io, etc.)
  • Pricing tier — free vs. paid, with USD price for premium listings
  • Repository health — stars, forks, language, last commit date, archived/disabled status, upstream health

The catalog currently indexes 78,094 crawler-imported listings from 17+ sources, with continuous crawling adding new assets daily. BuyGit also supports seller-curated premium listings (marketplace), but the MCP server exposes only the public crawler-imported catalog — no auth required.

Key URLs:

Why BuyGit over raw GitHub search?

Every tool returns a 4-axis signals block — the differentiator. No other MCP gives you this in one call.

{
  "license_category": "permissive",
  "license_warning": null,
  "popularity": 75,
  "risk": 0,
  "price_usd": 0,
  "pricing_tier": "free"
}

| User question | github-mcp | Smithery code-search | context7 | Socket MCP | BuyGit MCP | |---|:-:|:-:|:-:|:-:|:-:| | "MIT-compatible image diff library" | raw search, no license | raw search | docs only | safety only | license-filtered | | "Is this dependency safe to bundle?" | — | — | — | Socket score | Socket + popularity + license fused | | "Compare A vs B by license + activity" | 4+ calls | 4+ calls | — | — | 1 call | | "Alternative to GPL X, but MIT-only" | — | — | — | — | buygit_find_alternative | | "Is GPL-3.0 safe in my MIT project?" | — | — | — | — | license_warning field | | "Explain this listing for me" | — | — | — | — | buygit_explain (AI summary) | | "Deep audit with companion MCPs" | manual | — | — | separate | buygit_deep_audit (federation) |

We also tell you when NOT to use us — see WHEN_NOT_TO_USE.md.

What you get

14 tools, 7 resource templates, 4 prompts — all backed by the public, read-only, free-forever BuyGit Open Index API. Full client install matrix in CLIENTS.md (13 clients).

| Tool | One-line value | |---|---| | buygit_search | Curated, license-tagged, risk-scored search across 78,094 assets. fields= sparse fieldset + summary_mode=compact for token savings. | | buygit_get_listing | Replaces 3 separate MCP calls — license + risk + popularity + repo signals + similar in one shot | | buygit_list_categories | Full taxonomy with per-category counts | | buygit_trending | Curated trending (not GitHub Trending noise), license-aware | | buygit_compare | Single-call 2-5 way comparison with license_warning | | buygit_stats | Catalog meta — totals by license, category, source, plus data_freshness | | buygit_random | Surprise me — license + risk badges on every pick | | buygit_find_alternative | License-filtered, risk-scored alternatives — the answer GitHub search cannot give | | buygit_check_license_compat | "Is GPL-3 safe in my MIT project?" Returns compatible / review / incompatible with note. The only MCP that answers this without a separate SCA tool. | | buygit_audit_repo | Audit any external GitHub repo URL — same 4-axis signals as catalog rows, via live GitHub probe. Falls back to richer cached signals when URL is in our index. | | buygit_explain | v0.9.0 · AI-powered listing summary (overview / license / risk / usage focus). Gated on ANTHROPIC_API_KEY. Uses Claude Haiku for cost-efficient summaries. | | buygit_diff_versions | v0.9.0 · Time-window signal diff — shows how a listing's license, popularity, and risk changed between snapshots. | | buygit_deep_audit | v0.9.0 · Federated deep audit — chains Socket, OpenSSF Scorecard, and TruffleHog companion MCPs alongside BuyGit's own signals for a comprehensive security audit. | | search_tools | Meta routing tool — give it a plain-English intent, get the ranked tool to call next. MCP Tool Search Tool semantic. |

Resources let you @-mention a listing, category, comparison, or any cacheable static asset and have it attached as conversation context — no tools/call required:

  • buygit://listing/{slug} — full listing detail with 4-axis signals
  • buygit://category/{slug} — category top 20
  • buygit://compare/{slug-a}+{slug-b}+{slug-c} — single-fetch 2-5 way compare
  • buygit://trending/{period} — day/week/month trending, pin once and re-reference
  • buygit://stats — catalog meta + data_freshness, pin to know catalog scale
  • buygit://category-tree — full taxonomy lookup table
  • buygit://license/{spdx} — compatibility matrix row for any SPDX id

Prompts (slash-menu in Claude Desktop):

  • starter_for_stack — "Find me a starter kit for {stack}"
  • alternative_to — "Alternatives to {repo}"
  • audit_my_dependency — "Is {slug} safe to ship?"
  • explore_category — "What's hot in {category}?"

Install

Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json on macOS or %APPDATA%\Claude\claude_desktop_config.json on Windows:

{
  "mcpServers": {
    "buygit": {
      "command": "npx",
      "args": ["-y", "@buygit/mcp-server@latest"]
    }
  }
}

Restart Claude Desktop. The first tool call may take a few seconds while npx resolves the package.

Cursor

Edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "buygit": {
      "command": "npx",
      "args": ["-y", "@buygit/mcp-server@latest"]
    }
  }
}

Cline (VS Code extension)

Open the Cline MCP settings (Cline: Open MCP Servers from the command palette) and add:

{
  "buygit": {
    "command": "npx",
    "args": ["-y", "@buygit/mcp-server@latest"]
  }
}

Continue

Continue picks up MCP servers from ~/.continue/config.json:

{
  "mcpServers": {
    "buygit": {
      "command": "npx",
      "args": ["-y", "@buygit/mcp-server@latest"]
    }
  }
}

Self-hosted via Docker

docker run -i --rm ghcr.io/buygit/mcp-server:latest

The container runs stdio MCP. Pipe stdin/stdout from your client.

Try it

After you've added the config and restarted your client, ask:

  • "Find me a Next.js SaaS starter under MIT with more than 500 stars."
  • "What's trending in AI agents this week on BuyGit?"
  • "Tell me about next-saas-starter-pro — is the secret scan clean?"
  • "Compare react-saas-template and nextjs-stripe-starter."
  • "Explain the license risk of some-gpl-library for my MIT project."
  • "Run a deep audit on github.com/some-org/some-repo."

The model will call the right tools, attach the canonical BuyGit links, and let you click through.

Configuration

| Env var | Default | Purpose | |---|---|---| | BUYGIT_API_BASE | https://buygit.com | Override for staging / self-hosted mirror | | BUYGIT_MCP_TRANSPORT | stdio | stdio (default, all clients) · http (Streamable HTTP) | | BUYGIT_TIMEOUT_MS | 15000 | Per-request timeout in milliseconds. Increase for slow networks. | | BUYGIT_EXPLAIN_MODEL | claude-haiku-4-5-20251001 | Anthropic model for buygit_explain summaries. | | ANTHROPIC_API_KEY | (none) | Required only for buygit_explain. All other tools work without any key. | | BUYGIT_COMPANION_TOOL_MAP | (built-in) | JSON override for companion MCP tool names in buygit_deep_audit. |

Architecture

┌─────────────────────────────────────────────┐
│  AI Agent (Claude, GPT, Gemini, …)          │
│  ↕ MCP JSON-RPC (stdio or Streamable HTTP)  │
├─────────────────────────────────────────────┤
│  @buygit/mcp-server                         │
│  14 tools · 7 resources · 4 prompts         │
│  Zod input validation · structuredContent   │
│  Retry w/ exponential backoff (429/503)     │
├─────────────────────────────────────────────┤
│  undici Pool → buygit.com REST API          │
│  Public · Read-only · No auth · Free        │
└─────────────────────────────────────────────┘

Privacy & licensing

The BuyGit Open Index API is public, read-only, no auth. There is no key to install. Requests are not personally identifiable (the server doesn't log the queries you make).

The catalog excludes seller-curated listings — only crawler-imported public-repo metadata is exposed. Each result includes a url field linking back to the canonical BuyGit page; please surface that link when redistributing.

This package is MIT licensed. The API responses are licensed for indexing + attribution per the BuyGit API terms.

Links

Develop

cd packages/mcp-server
pnpm install
pnpm build
node dist/index.js   # connects on stdio — feed it MCP JSON-RPC over stdin

Or run the watch build while developing:

pnpm dev

Run tests:

pnpm test           # 57 tests (handler + server + federation)

To smoke-test against the live API:

BUYGIT_API_BASE=https://buygit.com node dist/index.js
# then in another process, send a `tools/list` JSON-RPC frame