DEV Community

Vincenzo Rubino

Your AI coding agent is suggesting packages from 2024 — the fix is a shared API

AI coding agents — Claude, Cursor, ChatGPT, Copilot, Aider — recommend npm / PyPI / Cargo packages to millions of developers every day.

Three things are broken at the same time.

1. Tokens burned at scale

Every time your agent decides which package to install, it fetches raw registry JSON. For express@5.2.1 that's about 3 KB of keys the model mostly ignores: file hashes, nested maintainer metadata, deprecated publish configs, download counts from 2019, the schema versions of fields nobody uses.

Your LLM pays for every one of those tokens as input, on every install decision, across every parallel session. Multiply by millions of AI-assisted developers and the model waste is enormous — plus the downstream energy cost on the compute side.

2. The model is suggesting packages from months ago

The model's training cutoff is typically 6-12 months before the moment it gives the answer.

  • Recent CVEs are invisible (XZ backdoor, Log4Shell-class issues post-cutoff).
  • Deprecated libraries still get recommended with enthusiasm (request, left-pad@0.x, ...).
  • Sometimes the model hallucinates a package name that never existed in a registry.

Every npm install based on a stale AI suggestion is a blind supply-chain bet.

3. There's no shared layer

Claude, Cursor, ChatGPT and Copilot each fetch the same metadata from the same public registries independently. Billions of redundant calls a day, hammering registry.npmjs.org, pypi.org, crates.io with the same questions over and over.

No shared cache. No shared source of truth. Each agent re-invents the lookup every time.


DepScope: the shared layer

DepScope is a single API that AI coding agents query before suggesting a package install. Open infrastructure, MIT, EU-hosted.

Three things it does:

A compact, token-efficient response

curl https://depscope.dev/api/prompt/npm/express

Returns a short natural-language string:

express@5.2.1 is safe_to_use. Health 85/100 (risk: low).
0 known vulnerabilities on the latest version.
11.2M weekly downloads. Published 2 weeks ago by a maintainer
with 47 other npm packages. Alternatives: fastify, hono, koa.

Roughly 74% smaller payload than raw registry JSON for the same install decision. Fewer tokens burned per query, no pre-processing the model has to do to extract the signal.
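An added example, not code from the post or from DepScope: a small Python parser and install gate that consumes the prompt string above, so the install decision becomes a deterministic check instead of something the model has to infer from free text. The `Verdict` type, the health threshold, and status values other than `safe_to_use` (such as `deprecated`) are my assumptions; only the response shape comes from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the /api/prompt response shape quoted in the post.
SAMPLE = (
    "express@5.2.1 is safe_to_use. Health 85/100 (risk: low).\n"
    "0 known vulnerabilities on the latest version.\n"
    "11.2M weekly downloads. Published 2 weeks ago by a maintainer\n"
    "with 47 other npm packages. Alternatives: fastify, hono, koa."
)

@dataclass
class Verdict:
    name: str
    version: str
    status: str          # e.g. safe_to_use; other values are assumed, not documented here
    health: int
    risk: str
    vulns: int
    alternatives: list[str] = field(default_factory=list)

def parse_prompt(text: str) -> Verdict:
    """Extract the decision-relevant fields from the one-paragraph response.
    The sentence order is assumed from the example in the post."""
    flat = " ".join(text.split())
    head = re.match(r"(\S+?)@(\S+) is (\w+)\. Health (\d+)/100 \(risk: (\w+)\)\.", flat)
    if head is None:
        raise ValueError("unrecognised prompt format: " + flat[:60])
    name, version, status, health, risk = head.groups()
    vulns = re.search(r"(\d+) known vulnerabilit", flat)
    alts = re.search(r"Alternatives: (.+?)\.?$", flat)
    return Verdict(
        name=name, version=version, status=status, health=int(health), risk=risk,
        vulns=int(vulns.group(1)) if vulns else 0,
        alternatives=[a.strip() for a in alts.group(1).split(",")] if alts else [],
    )

def install_allowed(v: Verdict, min_health: int = 70) -> tuple[bool, str]:
    """Conservative gate an agent can apply before running an install command."""
    if v.status != "safe_to_use":
        return False, f"{v.name} status is {v.status}"
    if v.vulns > 0:
        return False, f"{v.vulns} known vulnerabilities on {v.name}@{v.version}"
    if v.health < min_health:
        return False, f"health {v.health} below threshold {min_health}"
    return True, "ok"

if __name__ == "__main__":
    verdict = parse_prompt(SAMPLE)
    print(verdict, install_allowed(verdict))
```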

Live OSV + GitHub Advisory Database

CVEs are looked up in real time against OSV.dev and the GitHub Advisory Database, then filtered to show only vulnerabilities affecting the current release. Django has 272 historical vulnerability records on OSV; DepScope shows the one that actually applies to 5.2.4.

No stale training data, no false positives from long-patched CVEs.
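The version filtering described here, as an added example rather than DepScope's own code: given OSV-shaped advisory records (the `affected[].ranges[].events` structure with `introduced`/`fixed` events), keep only the advisories whose range covers the exact release being installed. The sample records and their `EXAMPLE-*` IDs are constructed, and the dotted-number version comparison is a simplifying assumption.

```python
from __future__ import annotations

def vkey(v: str) -> tuple[int, ...]:
    """Numeric dotted-version key. Assumption: adequate for plain X.Y.Z
    versions; real ecosystems need PEP 440 / semver aware comparison."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def version_affected(version: str, events: list[dict]) -> bool:
    """True if `version` lies in an [introduced, fixed) interval of an OSV
    range. Only introduced/fixed events are handled; last_affected is not."""
    v = vkey(version)
    in_interval = False
    for ev in events:
        if "introduced" in ev:
            in_interval = ev["introduced"] == "0" or v >= vkey(ev["introduced"])
        elif "fixed" in ev:
            if in_interval and v < vkey(ev["fixed"]):
                return True
            in_interval = False
    return in_interval  # introduced and never fixed

def affecting(advisories: list[dict], ecosystem: str, name: str, version: str) -> list[str]:
    """IDs of advisories whose affected entries cover this exact release."""
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue
            if version in aff.get("versions", []) or any(
                version_affected(version, r.get("events", [])) for r in aff.get("ranges", [])
            ):
                hits.append(adv["id"])
                break
    return hits

def _adv(adv_id: str, events: list[dict]) -> dict:
    # Helper to build constructed OSV-shaped records for the sample below.
    return {"id": adv_id, "affected": [{"package": {"ecosystem": "PyPI", "name": "django"},
                                        "ranges": [{"type": "ECOSYSTEM", "events": events}]}]}

# Constructed sample with placeholder IDs, not real Django advisories.
SAMPLE_OSV = [
    _adv("EXAMPLE-OLD-1", [{"introduced": "0"}, {"fixed": "4.2.20"}]),
    _adv("EXAMPLE-OLD-2", [{"introduced": "5.0"}, {"fixed": "5.1.8"}]),
    _adv("EXAMPLE-CURRENT", [{"introduced": "5.2"}, {"fixed": "5.2.5"}]),
]

if __name__ == "__main__":
    print(affecting(SAMPLE_OSV, "PyPI", "django", "5.2.4"))  # ['EXAMPLE-CURRENT']
```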

17 ecosystems in one endpoint

npm, pypi, cargo, go, maven, nuget, rubygems, composer, pub, hex, swift, cocoapods, cpan, hackage, cran, conda, homebrew.

One API, one MCP server, one GitHub Action — covers the ecosystems your agent will realistically encounter.


Add it to your agent

Claude Code

Drop in CLAUDE.md:

## DEPSCOPE — before suggesting any package install
Before recommending any package, call:
  curl https://depscope.dev/api/prompt/{ecosystem}/{package}

Use the returned health/CVE/deprecation info to decide.
No auth, 200 req/min, 17 ecosystems.

Cursor / Windsurf

In .cursorrules or .windsurfrules:

Before recommending or installing any package, call:
curl https://depscope.dev/api/prompt/{ecosystem}/{package}
Use the returned data to validate the suggestion.

MCP (Claude Desktop, Cursor, Windsurf)

npm install -g depscope-mcp

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["depscope-mcp"]
    }
  }
}

14 tools auto-registered. Your agent will call check_package, get_vulnerabilities, find_alternatives, resolve_error and others automatically when making install decisions.

CI (GitHub Actions)

- uses: cuttalo/depscope@main
  with:
    ecosystem: npm

Audits your project's dependencies on every push / PR.

Any agent via HTTP

curl https://depscope.dev/api/prompt/pypi/django
curl https://depscope.dev/api/vulns/cargo/tokio
curl https://depscope.dev/api/alternatives/npm/request
curl -X POST https://depscope.dev/api/scan -d '{"ecosystem":"npm","packages":{"express":"*","lodash":"*"}}'

Open infrastructure

Package intelligence is infrastructure, not a premium product. It should exist once, for everyone, not be reinvented by every single AI coding agent session.

Built with FastAPI + PostgreSQL 17 + Redis. Hosted in the EU by Cuttalo srl. Feedback at depscope@cuttalo.com.
