JSPM

@depsshield/mcp-server

0.3.1
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 26
  • Score
    100M100P100Q41717F
  • License MIT

Model Context Protocol server for DepsShield - Real-time dependency security scoring for AI agents

Package Exports

  • @depsshield/mcp-server
  • @depsshield/mcp-server/build/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@depsshield/mcp-server) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@depsshield/mcp-server

Model Context Protocol (MCP) server for DepsShield - Real-time security risk assessment for AI coding agents.

Overview

DepsShield provides AI agents with instant security risk assessments for npm packages. When your AI assistant needs to evaluate dependencies, it can use DepsShield to make informed decisions about package safety in real-time.

Key Features:

  • Real-time vulnerability detection from OSV.dev (Google's open-source vulnerability database)
  • Comprehensive risk scoring (0-200 point scale)
  • Risk levels: LOW / MEDIUM / HIGH / CRITICAL
  • Fast responses with intelligent caching
  • Works with Claude Desktop, Cline, and other MCP-compatible tools

Installation

Add DepsShield to your Claude Desktop config:

macOS:

~/Library/Application Support/Claude/claude_desktop_config.json

Windows:

%APPDATA%\Claude\claude_desktop_config.json

Configuration:

{
  "mcpServers": {
    "depsshield": {
      "command": "npx",
      "args": ["-y", "@depsshield/mcp-server"]
    }
  }
}

Restart Claude Desktop, and DepsShield will be available!

Other MCP Clients

For Cline, Continue, or other MCP-compatible tools, refer to their documentation for configuring MCP servers with the command:

npx -y @depsshield/mcp-server

Usage

In Claude Desktop

Once configured, ask Claude to use DepsShield:

Example 1: Assess a single package

You: "What's the security risk of using lodash version 4.17.20?"

Claude: lodash@4.17.20 has a MEDIUM risk level (score: 70/200).
        It has 2 known vulnerabilities. I recommend updating to
        lodash@4.17.21 or later.

Example 2: Analyze project dependencies

You: "Analyze the security of my project dependencies"

Claude: *reads package.json, uses DepsShield*
        I found 3 packages with security concerns:
        - axios@0.21.1: CRITICAL risk (1 high-severity CVE)
        - lodash@4.17.20: MEDIUM risk (2 medium-severity CVEs)
        - express@4.18.2: LOW risk (well-maintained)

Available Tools

assess_package

Assess security risk of a single npm package.

Input:

{
  package: string;      // Package name (e.g., "lodash")
  version?: string;     // Optional version (defaults to latest)
  ecosystem?: 'npm';    // Currently only npm supported
}

Output:

{
  total: number;                    // Risk score 0-200
  riskLevel: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
  components: {
    vulnerabilityScore: number;     // 0-100 (from known CVEs)
    maintenanceScore: number;       // 0-50 (last update recency)
    popularityScore: number;        // 0-50 (download count)
  };
  vulnerabilities: Array<{
    id: string;                     // CVE or GHSA ID
    summary: string;
    severity: string;
    publishedAt: string;
    fixedIn?: string[];             // Versions where fixed
  }>;
  recommendation: string;           // Actionable advice
}

analyze_dependencies

Analyze all dependencies from a package.json file.

Input:

{
  dependencies: Record<string, string>;      // Dependencies object
  devDependencies?: Record<string, string>;  // Optional dev dependencies
  ecosystem?: 'npm';
}

Output:

{
  total: number;              // Total packages analyzed
  assessed: number;           // Successfully assessed
  failed: number;             // Failed assessments
  vulnerabilities: {
    total: number;            // Total vulnerabilities found
  };
  riskLevels: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  results: Array<{
    package: string;
    requestedVersion: string;
    assessment?: DepsShieldScore;
    error?: string;
  }>;
}

How It Works

DepsShield uses the Model Context Protocol (MCP) to expose security tools to AI agents:

  1. AI agent asks "What tools are available?"
  2. DepsShield responds with assess_package and analyze_dependencies
  3. AI agent calls a tool with specific package information
  4. DepsShield fetches vulnerability data from OSV.dev and package metadata from npm registry
  5. DepsShield calculates risk score and returns assessment
  6. AI agent presents results to the user

Data Sources:

  • Vulnerability data: OSV.dev - Google's open-source vulnerability database
  • Package metadata: npm public registry
  • Caching: Results are cached for faster subsequent requests

Communication:

  • Uses stdin/stdout (no network ports needed)
  • Secure and lightweight
  • Works across all platforms

Troubleshooting

Server not appearing in Claude Desktop

  1. Check config file path - Make sure you edited the correct claude_desktop_config.json
  2. Restart Claude Desktop - Fully quit and relaunch the application
  3. Check logs:
    • macOS: ~/Library/Logs/Claude/mcp.log
    • Windows: %APPDATA%\Claude\logs\mcp.log

Connection or performance issues

  1. Check internet connection - DepsShield needs access to OSV.dev and npm registry
  2. First request is slower - Cached results are much faster on subsequent requests
  3. Check Claude logs - Error messages will appear in the MCP log file

Still having issues?

Open an issue at: https://github.com/depsshield/depsshield/issues

Performance

  • Single package assessment: ~2-3 seconds (first request)
  • Cached results: ~50-200ms
  • Multiple packages: Processed efficiently in parallel
  • Rate limiting: 100 requests per hour per IP address

Future Enhancements

  • Support for PyPI, Maven, and other ecosystems
  • Enhanced vulnerability severity analysis
  • Historical risk tracking
  • Webhook notifications when package risk changes

Privacy & Security

  • No data collection: DepsShield does not collect or store any information about your projects
  • Public data only: Uses only publicly available vulnerability and package data
  • No authentication required: Free to use for all users
  • Rate limiting: Fair use limits prevent abuse while allowing normal usage

Contributing

Contributions are welcome! Please open an issue or pull request at https://github.com/depsshield/depsshield.

License

MIT

Part of DepsShield - AI-native security intelligence platform Status: Public Beta