npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@cyanheads/osv-advisory-mcp-server

v0.1.12

Published

Query OSV.dev for package vulnerabilities, batch-audit dependency lists, and fetch full advisory records via MCP. STDIO or Streamable HTTP.

Readme

Version License Docker MCP SDK npm TypeScript Bun

Install in Claude Desktop Install in Cursor Install in VS Code

Framework

Public Hosted Server: https://osv-advisory.caseyjhand.com/mcp


Tools

4 tools for querying the OSV.dev vulnerability database — single package lookups, batch dependency audits, and full advisory fetch:

| Tool | Description | |:---|:---| | osv_query_package | Query known vulnerabilities for a single package version by name, ecosystem, and version | | osv_query_batch | Batch vulnerability query for an array of package tuples — one call for a full dependency list or SBOM audit | | osv_get_vulnerability | Fetch the full advisory record for a single OSV vulnerability ID | | osv_list_ecosystems | Return the list of supported ecosystem identifier strings |

osv_query_package

The primary "is this package version vulnerable?" tool.

  • Accepts name, ecosystem (case-sensitive exact match — use osv_list_ecosystems to validate), and version
  • Returns all matching advisories: OSV IDs, CVE aliases, CVSS severity vectors, derived severity label, first safe versions, affected version ranges (SEMVER/ECOSYSTEM/GIT), and CWE IDs
  • aliases field surfaces CVE IDs for chaining to nist-nvd-mcp-server for CVSS base scores, EPSS exploitation probability, and CISA KEV status
  • No API key required — OSV.dev is fully public and keyless

osv_query_batch

The primary tool for dependency audits, SBOM scanning, and lockfile triage.

  • Accepts an array of {name, ecosystem, version} tuples (1–1000 packages per call)
  • Ecosystem strings are validated by OSV.dev itself, not a static allowlist — an unrecognized ecosystem surfaces as that entry's per-package error rather than failing the whole batch
  • Returns per-package results positionally matching the input, with vulnerable, vulnCount, vulns (including aliases and severityLabel), and fixedVersions
  • Includes aggregate summary: totalPackages, vulnerableCount, cleanCount, errorCount, totalVulns, worstSeverity

osv_get_vulnerability

Fetch the complete advisory record by OSV ID.

  • Accepts any OSV ID prefix: GHSA- (GitHub), PYSEC- (Python), RUSTSEC- (Rust), GO- (Go), DSA-/DLA- (Debian), CVE- (direct CVE fallbacks)
  • Returns: summary, full advisory details text, all CVE aliases, all affected packages and their version ranges, fix versions, CVSS severity vectors, CWE weakness IDs, and references (ADVISORY, FIX, REPORT, etc.)
  • Use after osv_query_package or osv_query_batch returns a vuln ID and you need the full advisory context — remediation guidance, scope of affected packages, or eligibility criteria

osv_list_ecosystems

Return the list of valid ecosystem identifier strings. Ecosystem strings are case-sensitive exact matches"pypi" is not "PyPI". Call this tool before querying to validate ecosystem strings from lockfiles or user input. The list is static (sourced from the OSV schema spec) and may occasionally lag newly added ecosystems.

Features

Built on @cyanheads/mcp-ts-core:

  • Declarative tool definitions — single file per tool, framework handles registration and validation
  • Unified error handling — handlers throw, framework catches, classifies, and formats
  • Pluggable auth: none, jwt, oauth
  • Swappable storage backends: in-memory, filesystem, Supabase, Cloudflare KV/R2/D1
  • Structured logging with optional OpenTelemetry tracing
  • STDIO and Streamable HTTP transports

OSV-specific:

  • No API key required — OSV.dev is fully public, keyless, and has no published rate limit
  • Parallel single-package queries in osv_query_batch return full records including aliases (CVE IDs) that the upstream batch endpoint omits
  • Per-package queries isolate failures — one invalid ecosystem or upstream error surfaces as that row's error, leaving the rest of the batch intact

Agent-friendly output:

  • aliases (CVE IDs) prominently surfaced on every vuln entry — the primary composition point for chaining to nist-nvd-mcp-server for CVSS base scores, EPSS, and CISA KEV status
  • severityLabel derived from database_specific.severity (GHSA records) or the highest CVSS base score; null rather than fabricated when neither source is available
  • Echo of query parameters (queryMeta) on osv_query_package output so agents can verify the request was applied correctly
  • Batch aggregate summary (worstSeverity, vulnerableCount, cleanCount) for quick triage without reading per-package rows

Getting started

Public Hosted Instance

A public instance is available at https://osv-advisory.caseyjhand.com/mcp — no installation required. Point any MCP client at it via Streamable HTTP:

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "type": "streamable-http",
      "url": "https://osv-advisory.caseyjhand.com/mcp"
    }
  }
}

Self-Hosted / Local

Add the following to your MCP client configuration file. No API key is required — OSV.dev is fully public.

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "type": "stdio",
      "command": "bunx",
      "args": ["@cyanheads/osv-advisory-mcp-server@latest"],
      "env": {
        "MCP_TRANSPORT_TYPE": "stdio",
        "MCP_LOG_LEVEL": "info"
      }
    }
  }
}

Or with npx (no Bun required):

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@cyanheads/osv-advisory-mcp-server@latest"],
      "env": {
        "MCP_TRANSPORT_TYPE": "stdio",
        "MCP_LOG_LEVEL": "info"
      }
    }
  }
}

Or with Docker:

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "type": "stdio",
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "MCP_TRANSPORT_TYPE=stdio",
        "ghcr.io/cyanheads/osv-advisory-mcp-server:latest"
      ]
    }
  }
}

For Streamable HTTP, set the transport and start the server:

MCP_TRANSPORT_TYPE=http MCP_HTTP_PORT=3010 bun run start:http
# Server listens at http://localhost:3010/mcp

Prerequisites

  • Bun v1.3.0 or higher (or Node.js v24+).
  • No API key required — OSV.dev is fully public.

Installation

  1. Clone the repository:
git clone https://github.com/cyanheads/osv-advisory-mcp-server.git
  1. Navigate into the directory:
cd osv-advisory-mcp-server
  1. Install dependencies:
bun install
  1. Configure environment:
cp .env.example .env
# edit .env if needed (no required vars)

Configuration

All configuration is validated at startup. No server-specific env vars are required — OSV.dev is keyless and fully public.

| Variable | Description | Default | |:---------|:------------|:--------| | OSV_REQUEST_TIMEOUT_MS | HTTP request timeout in milliseconds for OSV.dev API calls. | 10000 | | MCP_TRANSPORT_TYPE | Transport: stdio or http. | stdio | | MCP_HTTP_PORT | Port for HTTP server. | 3010 | | MCP_HTTP_ENDPOINT_PATH | HTTP endpoint path. | /mcp | | MCP_PUBLIC_URL | Public origin override for TLS-terminating reverse-proxy deployments. | none | | MCP_AUTH_MODE | Auth mode: none, jwt, or oauth. | none | | MCP_LOG_LEVEL | Log level (RFC 5424). | info | | LOGS_DIR | Directory for log files (Node.js only). | <project-root>/logs | | STORAGE_PROVIDER_TYPE | Storage backend. | in-memory | | OTEL_ENABLED | Enable OpenTelemetry instrumentation (spans, metrics, completion logs). | false |

See .env.example for the full list of optional overrides.

Running the server

Local development

  • Build and run:

    # One-time build
    bun run rebuild
    
    # Run the built server
    bun run start:stdio
    # or
    bun run start:http
  • Run checks and tests:

    bun run devcheck   # Lint, format, typecheck, security
    bun run test       # Vitest test suite
    bun run lint:mcp   # Validate MCP definitions against spec

Docker

docker build -t osv-advisory-mcp-server .
docker run --rm -p 3010:3010 osv-advisory-mcp-server

The Dockerfile defaults to HTTP transport, stateless session mode, and logs to /var/log/osv-advisory-mcp-server. OpenTelemetry peer dependencies are installed by default — build with --build-arg OTEL_ENABLED=false to omit them.

Project structure

| Directory | Purpose | |:----------|:--------| | src/index.ts | createApp() entry point — registers tools and inits services. | | src/mcp-server/tools | Tool definitions (*.tool.ts) — osv_query_package, osv_query_batch, osv_get_vulnerability, osv_list_ecosystems. | | src/services/osv-api | OSV.dev REST API service — fetch, retry, response normalization. | | tests/ | Unit and integration tests mirroring src/. |

Development guide

See CLAUDE.md/AGENTS.md for development guidelines and architectural rules. The short version:

  • Handlers throw, framework catches — no try/catch in tool logic
  • Use ctx.log for request-scoped logging, ctx.state for tenant-scoped storage
  • Register new tools via the barrel in src/mcp-server/tools/definitions/index.ts
  • Wrap external API calls: validate raw → normalize to domain type → return output schema; never fabricate missing fields

Contributing

Issues and pull requests are welcome. Run checks and tests before submitting:

bun run devcheck
bun run test

License

Apache-2.0 — see LICENSE for details.