Package Intelligence for AI Agents

Save tokens. Save energy.
Ship safer code.

One API for package health across 17 ecosystems. Cached for every AI agent. Free, no auth.

−74% tokens · saves energy · safer code
22 MCP tools · 17 ecosystems · Free · no auth

Add DepScope to your AI agent

One line in your config. Your agent saves tokens, your users save energy, you ship safer code.

New: Remote MCP — zero install

Claude Desktop / Cursor / Windsurf (recent versions) can connect with just a URL — no npm install -g needed. All tools auto-registered.

{ "mcpServers": { "depscope": { "url": "https://mcp.depscope.dev/mcp" } } }

CLAUDE.md (project or ~/.claude/CLAUDE.md)

## DEPSCOPE
Before suggesting any npm/PyPI/Cargo/Go/etc. package, call:
  curl https://depscope.dev/api/prompt/{ecosystem}/{package}
Reject if action="avoid". Free, no auth, 17 ecosystems.

More than package health

Four dimensions of package intelligence. Explore them all.

Why it matters

Problem · security

Your AI agent guesses

Stale training data suggests wrong versions, deprecated libraries, known vulnerabilities.

Problem · waste

Everyone fetches the same data

Agents independently hit npm, PyPI, OSV. Same queries, millions of times. Wasted compute, tokens, CO2.

Solution

One API call. Done.

Health score, vulnerabilities, recommendation. 17 ecosystems. Cached. Free. No auth.

With vs. without DepScope

| Moment | Without DepScope | With DepScope |
|---|---|---|
| Package suggestion | Stale training data | Live health check before suggesting |
| Vulnerability check | None | OSV + registry advisories, severity + fix |
| Threat severity (KEV/EPSS) | CVE list, no priority | CISA Known-Exploited + EPSS score per CVE — know what to patch first |
| Malicious package detection | News headlines (after the breach) | OpenSSF malicious feed (224k entries) cross-checked + sanity guard for false positives |
| Typosquat detection | Hope | Levenshtein distance vs. popular packages, ratio-aware |
| Deprecation | Invisible | Flagged with reason + curated migration path with code diff |
| Stack audit (N packages) | N separate registry/CVE fetches | One audit_stack call returns prioritized action list |
| Token cost per decision | 4–8k tokens (npm page + GitHub issues + CVE DB) | ~300 tokens (one ai_brief) |
| Discovery of issues | In production | Before a single line of code |

Sample responses

Pick the format that fits your agent. All free, all zero-auth.

GET /api/ai/brief/npm/request

~300 tokens · drop-in for LLM system prompts

PACKAGE npm/[email protected]  (Apache-2.0)
VERDICT: AVOID — DEPRECATED
HEALTH: 32/100 (critical)
DOWNLOADS_WEEK: 15,181,809
VULNS: 1 (active_exploited: 0)
DEPRECATED_BECAUSE: request has been deprecated
ALTERNATIVES: axios; got; node-fetch
SOURCE: depscope.dev (canonical)

GET /api/check/npm/express

Full JSON · 18 fields incl. KEV/EPSS, malicious, typosquat

{
  "health": { "score": 80, "risk": "low" },
  "vulnerabilities": {
    "count": 0,
    "actively_exploited_count": 0,
    "details": [{ "vuln_id", "in_kev", "epss_prob", "threat_tier" }]
  },
  "malicious": { "is_malicious": false },
  "typosquat": { "is_suspected": false },
  "maintainer_trust": { "bus_factor_3m", "alerts" },
  "recommendation": { "action": "safe_to_use" }
}
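
A fail-closed install gate over the JSON shape above, as an added example (not DepScope's own code): a package passes only when recommendation.action is safe_to_use and no malicious, typosquat or actively-exploited flag is set. The field names come from the sample response; the payloads, the MIN_HEALTH threshold and the allow-list policy are assumptions made for illustration.

```python
import json

MIN_HEALTH = 50  # assumed local policy threshold, not a DepScope default

def sample(score, action, exploited=0, malicious=False, typosquat=False):
    """Constructed response using only field names shown in the sample above."""
    return json.dumps({
        "health": {"score": score},
        "vulnerabilities": {"actively_exploited_count": exploited},
        "malicious": {"is_malicious": malicious},
        "typosquat": {"is_suspected": typosquat},
        "recommendation": {"action": action},
    })

SAMPLE_OK = sample(80, "safe_to_use")  # constructed, mirrors the express sample
SAMPLE_AVOID = sample(32, "avoid")     # constructed, mirrors the request brief

def get_field(doc, path, kind):
    """Walk a dotted path; None if any key is missing or the type is wrong."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    # bool is an int subclass, so reject True/False where a number is expected.
    ok = isinstance(node, kind) and isinstance(node, bool) == (kind is bool)
    return node if ok else None

def gate(raw, min_health=MIN_HEALTH):
    """Return (allowed, reasons); anything unexpected blocks the install."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return False, ["unparseable response"]
    action = get_field(doc, "recommendation.action", str)
    malicious = get_field(doc, "malicious.is_malicious", bool)
    typosquat = get_field(doc, "typosquat.is_suspected", bool)
    exploited = get_field(doc, "vulnerabilities.actively_exploited_count", int)
    score = get_field(doc, "health.score", int)
    if any(v is None for v in (action, malicious, typosquat, exploited, score)):
        return False, ["missing or mistyped field"]  # never default to "safe"
    checks = [
        (malicious, "flagged malicious"),
        (typosquat, "suspected typosquat"),
        (exploited > 0, f"{exploited} actively exploited vulnerabilities"),
        (action != "safe_to_use", f"recommendation.action={action}"),  # allow-list
        (score < min_health, f"health {score} < {min_health}"),
    ]
    reasons = [why for failed, why in checks if failed]
    return not reasons, reasons
```

An error page, a truncated body or an action value the gate has never seen all block the install, so a network fault cannot turn into an implicit approval.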

POST /api/ai/stack — audit a whole stack in one call

STACK AUDIT — 3 packages
  ok: 2  risk: 1  critical: 0  total_dl_week: 253,800,813

ACTION ITEMS:
  1. REPLACE: npm/[email protected] deprecated → suggested: axios, got

PACKAGES:
  npm/[email protected]  health:80  vulns:0
  npm/[email protected]  health:32  vulns:1
  npm/[email protected]  health:97  vulns:0

Which tool should I call?

Three decisions cover 95% of agent use cases.

If you want… a decision in one paragraph
  SAFE / AVOID / URGENT / DO NOT INSTALL + alternatives, ready for the system prompt.
  ai_brief(eco, pkg)
  ~300 tokens · plain text

If you want… JSON to parse programmatically
  All fields (health.breakdown, vulns.details, maintainer_trust) for code/CI/UI use.
  check_package(eco, pkg)
  ~2000 tokens · full JSON

If you want… just a go/no-go gate
  Single number. Cheapest call. Use only when you've already decided to install.
  get_health_score(eco, pkg)
  ~50 tokens · single integer

Multiple packages at once
  audit_stack([{eco,pkg},...])
  One call replaces N. Returns prioritized action items.

A name you don't recognise
  package_exists · check_typosquat · check_malicious
  Anti-hallucination + supply-chain hygiene before any install.

DepScope for refactoring

Three tools that, used in sequence, replace a refactor copilot.

  1. resolve_error(error_text) — diagnose
    Map the stack trace or error message to a verified fix or known-bug entry. Skips Stack Overflow.
  2. get_breaking_changes(eco, pkg, from, to) — plan
    List the verified breaking changes between two majors (with migration hints) before bumping.
  3. get_migration_path(eco, from_pkg, to_pkg) — execute
    Curated migration with literal before/after code diffs ready to apply (request → axios, moment → dayjs, urllib2 → requests, flask → fastapi, ...).

No competitor exposes these three steps in this order via a single MCP. Free.

Ready to ship safer code?

No signup. No API key. Start with a single curl.