npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@claytivi/driftguard-mcp

v1.0.2

Published

MCP server for context-aware dependency vulnerability scanning. Finds which npm audit warnings actually matter in your code.

Downloads

44

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

cherishclaycherishclay

Keywords

mcpmcp-serversecurityvulnerabilitydependencynpm-auditsupply-chainsbomcvereachability-analysisclaudecursorwindsurf

Readme

DriftGuard MCP

npm version npm downloads GitHub stars License: MIT Node.js MCP

Know which vulnerabilities actually matter in your codebase — before attackers do.

The Problem

npm audit dumps hundreds of warnings. Most are transitive, unreachable, or irrelevant. You waste hours triaging noise while real risks hide in the flood.

DriftGuard is an MCP server that scans your dependency tree, cross-references CVE databases, and tells your AI assistant which vulnerabilities are actually exploitable in YOUR code — with context, severity ranking, and fix suggestions.

On a mid-size Next.js project: 47 npm audit warnings → 6 actionable findings. 4 fixable with a single version bump.

Features

  • Context-aware scanning — analyzes how you actually use vulnerable packages, not just that they exist
  • Contextual severity scoring — severity × exploitability × dependency depth = actionable priority score
  • One-command remediation — get exact upgrade commands and breaking change warnings
  • Supply chain monitoring — detect typosquatting, maintainer takeovers, and suspicious publish patterns
  • Compliance reports — generate markdown security reports for SOC2/audit documentation
  • Runs 100% locally — your source code never leaves your machine

Quick Start

Claude Code

claude mcp add driftguard -- npx @claytivi/driftguard-mcp

Cursor

Add to .cursor/mcp.json:

{
  "mcpServers": {
    "driftguard": {
      "command": "npx",
      "args": ["-y", "@claytivi/driftguard-mcp"]
    }
  }
}

Windsurf

Add to ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "driftguard": {
      "command": "npx",
      "args": ["-y", "@claytivi/driftguard-mcp"]
    }
  }
}

Usage

Once connected, ask your AI assistant:

"Scan my dependencies for real vulnerabilities"
"Which of my npm audit warnings are actually reachable in my code?"
"What's the safest way to upgrade lodash?"
"How does qs end up in my dependencies?"
"Generate a security report for the audit"
"Score my dependency risk"

Tools

| Tool | What it does | |------|-------------| | scan_dependencies | Full vulnerability scan with priority bucketing: Act Now, Plan to Fix, Noise | | check_cve | Look up a specific CVE and check if your project is affected | | dependency_risk_score | Overall dependency health score (1-10) with breakdown | | safe_upgrade_path | Safest upgrade for a package — version, breaking changes, install command | | dependency_tree | Trace how a package enters your tree through transitive deps | | generate_report | Markdown compliance report for SOC2/audit documentation |

How the Scoring Works

DriftGuard adjusts raw CVSS scores with contextual factors your tools ignore:

| Factor | Adjustment | Why | |--------|-----------|-----| | Transitive depth | -0.5/level | Deeper deps are harder to exploit | | Dev dependency | -2.0 | Not in production runtime | | Known exploit | +1.0 | Active exploitation = urgency | | Old CVE (>2yr, no exploit) | -1.0 | Likely low real-world risk |

Result: scores clamped 1-10, bucketed into Act Now (7+), Plan to Fix (4-6.9), Noise (1-3.9).

Environment Variables

| Variable | Required | Description | |----------|----------|-------------| | NVD_API_KEY | No | NVD API key (5 → 50 req/30s rate limit) | | GITHUB_TOKEN | No | GitHub PAT for Advisory database | | DRIFTGUARD_API_KEY | No | Unlocks unlimited scans |

Pricing

| | Free | Pro | Team | Enterprise | |---|---|---|---|---| | Price | $0 | $19/mo | $49/mo | $149/mo | | Scans | 3/week | Unlimited | Unlimited | Unlimited | | CVE databases | NVD + OSV | + GitHub Advisory | + GitHub Advisory | + GitHub Advisory | | Supply chain monitoring | — | Yes | Yes | Yes | | Compliance reports | — | Yes | Yes | Yes | | Priority support | — | — | Yes | Yes | | Team dashboard | — | — | Yes | Yes | | SSO & audit logs | — | — | — | Yes |

Free tier requires no account. Install and scan immediately.

FAQ

Q: How is this different from npm audit? A: npm audit tells you a vulnerability exists somewhere in your tree. DriftGuard tells you if your code can actually reach it, how severe the real risk is, and exactly what to do about it. Most projects see 80-90% of audit noise eliminated.

Q: Does it send my code anywhere? A: No. DriftGuard runs locally as an MCP server. It analyzes your lockfile and cross-references public CVE databases. Your source code never leaves your machine.

Q: What lockfiles are supported? A: npm (package-lock.json v2/v3), pnpm (pnpm-lock.yaml v8/v9), yarn (yarn.lock v1).

Q: Does it work offline? A: Results are cached for 24h in ~/.driftguard/cache.db. Repeat scans of the same packages work offline within that window.

Q: Do I need an API key for the free tier? A: No. Install and use immediately. API key is only needed for Pro+ features.

Q: Can I use this in CI/CD? A: Yes. Run npx @claytivi/driftguard-mcp --ci for non-interactive mode with JSON output. Pro plan required for CI usage.

Q: What languages/ecosystems are supported? A: JavaScript/TypeScript (npm/yarn/pnpm) at launch. Python (pip/poetry) and Go modules on the roadmap.

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feat/my-feature)
  3. Write tests first (TDD)
  4. Ensure all tests pass (npm test)
  5. Open a pull request

License

MIT