What is new in DepScope
Product updates, infra improvements, new API endpoints, and integrations.
v0.9.0 — Auto-discovery via server.instructions
MCP server now sends a system-prompt directive at handshake. Claude Code, Cursor, Windsurf and other clients receive the 'INVOKE PROACTIVELY' brief automatically — no more manual rule files needed. Companion Claude Code plugin (skill + MCP) shipped at github.com/cuttalo/depscope-claude-plugin. All npm versions <0.9.0 deprecated with upgrade hint.
depscope-cli on npm + GitHub Action
Published `depscope-cli` to npm — `npx -y depscope-cli audit express request lodash` returns a prescriptive action list. Plus `cuttalo/depscope-audit-action@v1` to fail PRs on deprecated/malicious/CVE-active packages.
AI-native endpoints: /api/ai/brief + /api/ai/stack + /api/migration
Three new endpoints designed for LLM agents: 300-token compact brief, one-call stack audit (up to 50 pkgs), and curated migration paths with literal before/after code diffs. Token cost cut from ~6k per decision to ~300.
23 MCP tools: ai_brief, audit_stack, get_migration_path
MCP server now exposes 23 tools (was 20). audit_stack replaces N per-package calls with one prescriptive verdict. get_migration_path returns ready-to-paste code diffs for 10 curated migrations (request→axios, moment→dayjs, urllib2→requests, flask→fastapi, ...).
Threat intelligence: CISA KEV + EPSS + OpenSSF malicious
Each vulnerability now carries in_kev (actively exploited per CISA), epss_prob (exploit probability), and threat_tier (theoretical/likely/actively_exploited). Malicious detection cross-checks 224k OpenSSF entries with a sanity guard that prevents false positives on mainstream packages.
Multi-ecosystem coverage fixes
PyPI license now resolves via classifier+license_expression fallback (django, numpy, pandas no longer null). Maven POM parser inherits license/description from parent POM (Apache Commons, Spring, Netty). Go short names auto-resolve via GitHub search (gin → github.com/gin-gonic/gin).
3 new verticals: Error Fix, Compat Matrix, Known Bugs
Added /explore/errors (searchable error → fix database), /explore/compat (stack compatibility matrix) and /explore/bugs (known bugs per version).
12 new MCP tools for Claude Code and Cursor
Expanded MCP server from 8 to 20 tools. Agents can now query errors, compat stacks, bugs, and trending data directly.
Expanded to 19 ecosystems
Added Pub (Dart/Flutter), Hex (Elixir), Swift, CocoaPods, CPAN, Hackage, CRAN, Conda, Homebrew on top of npm, PyPI, Cargo, Go, Composer, Maven, NuGet, RubyGems.
Package compare API: /api/compare/{eco}/{a,b,c}
New endpoint returns side-by-side health, vulnerability and maintenance data for up to 10 packages with a recommended winner.
Trending packages endpoint goes live
Live trending data based on actual AI agent queries. Rank, weekly growth, ecosystem breakdown.
14,700+ packages indexed
Health score, vulnerabilities (OSV), maintainers, deprecation, license audit and bundle size for 14,700+ packages.
Want updates in your feed? Subscribe to /feed.xml.