@depsshield/mcp-server
v0.3.0
Model Context Protocol server for DepsShield - Real-time dependency security scoring for AI agents
@depsshield/mcp-server
Model Context Protocol (MCP) server for DepsShield - Real-time security risk assessment for AI coding agents.
Overview
DepsShield provides AI agents with instant security risk assessments for npm packages. When your AI assistant needs to evaluate dependencies, it can use DepsShield to make informed decisions about package safety in real-time.
Key Features:
- Real-time vulnerability detection from OSV.dev (Google's open-source vulnerability database)
- Comprehensive risk scoring (0-200 point scale)
- Risk levels: LOW / MEDIUM / HIGH / CRITICAL
- Fast responses with intelligent caching
- Works with Claude Desktop, Cline, and other MCP-compatible tools
Installation
Quick Start (Recommended)
Add DepsShield to your Claude Desktop config:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Configuration:
    {
      "mcpServers": {
        "depsshield": {
          "command": "npx",
          "args": ["-y", "@depsshield/mcp-server"]
        }
      }
    }
Restart Claude Desktop, and DepsShield will be available!
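The configuration above launches whatever version npx resolves for the package name. The following added example (not part of DepsShield or its documentation) audits an `mcpServers` block for npx launchers without an exact version pin; `auditMcpConfig`, `splitSpec` and the `depsshield-pinned` entry are hypothetical names, and 0.3.0 is the version shown on this page.

```javascript
// Added example, not DepsShield code: flag MCP servers started through npx
// whose package spec is not pinned to one exact version.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Split "name@range" while keeping the leading "@" of a scoped package name.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, range: null };
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

function auditMcpConfig(config) {
  const findings = [];
  for (const [server, entry] of Object.entries(config.mcpServers || {})) {
    const cmd = String(entry.command || "");
    if (!/(^|[\\\/])npx(\.cmd)?$/.test(cmd)) continue; // only npx launchers
    // Assumption: the first non-flag argument is the package spec.
    const spec = (entry.args || []).find((a) => !a.startsWith("-"));
    if (!spec) continue;
    const { name, range } = splitSpec(spec);
    if (range === null) {
      findings.push({ server, name, issue: "no version pin" });
    } else if (!EXACT.test(range)) {
      findings.push({ server, name, issue: `floating range "${range}"` });
    }
  }
  return findings;
}

// Constructed sample: the entry from this page plus a pinned variant.
const sampleConfig = {
  mcpServers: {
    depsshield: { command: "npx", args: ["-y", "@depsshield/mcp-server"] },
    "depsshield-pinned": { command: "npx", args: ["-y", "@depsshield/mcp-server@0.3.0"] },
  },
};

console.log(auditMcpConfig(sampleConfig));
```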
Other MCP Clients
For Cline, Continue, or other MCP-compatible tools, refer to their documentation for configuring MCP servers with the command:
    npx -y @depsshield/mcp-server
Usage
In Claude Desktop
Once configured, ask Claude to use DepsShield:
Example 1: Assess a single package
You: "What's the security risk of using lodash version 4.17.20?"
Claude: lodash@4.17.20 has a MEDIUM risk level (score: 70/200).
It has 2 known vulnerabilities. I recommend updating to
[email protected] or later.
Example 2: Analyze project dependencies
You: "Analyze the security of my project dependencies"
Claude: *reads package.json, uses DepsShield*
I found 3 packages with security concerns:
- [email protected]: CRITICAL risk (1 high-severity CVE)
- [email protected]: MEDIUM risk (2 medium-severity CVEs)
- [email protected]: LOW risk (well-maintained)
Available Tools
assess_package
Assess security risk of a single npm package.
Input:
    {
      package: string;     // Package name (e.g., "lodash")
      version?: string;    // Optional version (defaults to latest)
      ecosystem?: 'npm';   // Currently only npm supported
    }
Output:
    {
      total: number;                 // Risk score 0-200
      riskLevel: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
      components: {
        vulnerabilityScore: number;  // 0-100 (from known CVEs)
        maintenanceScore: number;    // 0-50 (last update recency)
        popularityScore: number;     // 0-50 (download count)
      };
      vulnerabilities: Array<{
        id: string;                  // CVE or GHSA ID
        summary: string;
        severity: string;
        publishedAt: string;
        fixedIn?: string[];          // Versions where fixed
      }>;
      recommendation: string;        // Actionable advice
    }
analyze_dependencies
Analyze all dependencies from a package.json file.
Input:
    {
      dependencies: Record<string, string>;      // Dependencies object
      devDependencies?: Record<string, string>;  // Optional dev dependencies
      ecosystem?: 'npm';
    }
Output:
    {
      total: number;      // Total packages analyzed
      assessed: number;   // Successfully assessed
      failed: number;     // Failed assessments
      vulnerabilities: {
        total: number;    // Total vulnerabilities found
      };
      riskLevels: {
        critical: number;
        high: number;
        medium: number;
        low: number;
      };
      results: Array<{
        package: string;
        requestedVersion: string;
        assessment?: DepsShieldScore;
        error?: string;
      }>;
    }
How It Works
DepsShield uses the Model Context Protocol (MCP) to expose security tools to AI agents:
- AI agent asks "What tools are available?"
- DepsShield responds with assess_package and analyze_dependencies
- AI agent calls a tool with specific package information
- DepsShield fetches vulnerability data from OSV.dev and package metadata from npm registry
- DepsShield calculates risk score and returns assessment
- AI agent presents results to the user
Data Sources:
- Vulnerability data: OSV.dev - Google's open-source vulnerability database
- Package metadata: npm public registry
- Caching: Results are cached for faster subsequent requests
Communication:
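- Uses stdin/stdout to talk to the MCP client (no listening network ports needed); outbound access to OSV.dev and the npm registry is still required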
- Secure and lightweight
- Works across all platforms
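A policy gate over the `analyze_dependencies` output documented under Available Tools, as an added example that is not part of DepsShield. It assumes `assessment` carries the `assess_package` output shape; `gate`, its `blockAt` and `failClosed` options and the sample data are hypothetical.

```javascript
// Added example, not DepsShield code. Field names follow the output schemas on this page;
// the gate() helper, its options and the sample data are assumptions made for illustration.
const ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];

function gate(report, { blockAt = "HIGH", failClosed = true } = {}) {
  const floor = ORDER.indexOf(blockAt);
  if (floor < 0) throw new Error(`unknown risk level: ${blockAt}`);
  const blocked = [];
  const unassessed = [];
  for (const r of report.results) {
    if (!r.assessment) {
      // A failed lookup is not a clean result: track it instead of treating it as LOW.
      unassessed.push({ package: r.package, error: r.error || "no assessment" });
      continue;
    }
    const { riskLevel, total, vulnerabilities = [] } = r.assessment;
    const level = ORDER.indexOf(riskLevel);
    if (level >= 0 && level < floor) continue; // unknown levels fall through and block
    blocked.push({
      package: r.package,
      requestedVersion: r.requestedVersion,
      riskLevel,
      total,
      advisories: vulnerabilities.map((v) => v.id),
      fixedIn: [...new Set(vulnerabilities.flatMap((v) => v.fixedIn || []))],
    });
  }
  const pass = blocked.length === 0 && !(failClosed && unassessed.length > 0);
  return { pass, blocked, unassessed };
}

// Constructed sample result; package names, scores and advisory ids are placeholders.
const sampleReport = {
  total: 3, assessed: 2, failed: 1,
  results: [
    { package: "example-a", requestedVersion: "^1.2.0", assessment: {
        total: 70, riskLevel: "MEDIUM", vulnerabilities: [] } },
    { package: "example-b", requestedVersion: "2.0.1", assessment: {
        total: 150, riskLevel: "CRITICAL", vulnerabilities: [
          { id: "GHSA-placeholder-1", severity: "HIGH", fixedIn: ["2.0.3"] },
          { id: "GHSA-placeholder-2", severity: "HIGH", fixedIn: ["2.0.3", "2.1.0"] } ] } },
    { package: "example-c", requestedVersion: "latest", error: "registry timeout" },
  ],
};

console.log(JSON.stringify(gate(sampleReport), null, 2));
```

With `failClosed` left on, a package whose assessment failed blocks the run even when nothing scored at or above the threshold.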
Troubleshooting
Server not appearing in Claude Desktop
- Check config file path - Make sure you edited the correct claude_desktop_config.json
- Restart Claude Desktop - Fully quit and relaunch the application
- Check logs:
  - macOS: ~/Library/Logs/Claude/mcp.log
  - Windows: %APPDATA%\Claude\logs\mcp.log
Connection or performance issues
- Check internet connection - DepsShield needs access to OSV.dev and npm registry
- First request is slower - Cached results are much faster on subsequent requests
- Check Claude logs - Error messages will appear in the MCP log file
Still having issues?
Open an issue at: https://github.com/depsshield/depsshield/issues
Performance
- Single package assessment: ~2-3 seconds (first request)
- Cached results: ~50-200ms
- Multiple packages: Processed efficiently in parallel
- Rate limiting: 100 requests per hour per IP address
Future Enhancements
- Support for PyPI, Maven, and other ecosystems
- Enhanced vulnerability severity analysis
- Historical risk tracking
- Webhook notifications when package risk changes
Privacy & Security
- No data collection: DepsShield does not collect or store any information about your projects
- Public data only: Uses only publicly available vulnerability and package data
- No authentication required: Free to use for all users
- Rate limiting: Fair use limits prevent abuse while allowing normal usage
Contributing
Contributions are welcome! Please open an issue or pull request at https://github.com/depsshield/depsshield.
License
MIT
Links
- GitHub: https://github.com/depsshield/depsshield
- npm: https://www.npmjs.com/package/@depsshield/mcp-server
- Issues: https://github.com/depsshield/depsshield/issues
Part of DepsShield - AI-native security intelligence platform
Status: Public Beta
