Claude Code, Cursor, Copilot, Aider, Continue, Windsurf. Before any of them suggests npm install express, they hit the npm registry. Before they suggest pip install django, they hit PyPI. Before they warn about vulnerabilities, they hit OSV.
Millions of agents. The same queries. Over and over.
Something is wrong with this picture.
The Math of Waste
Let's do some napkin math. Claude Code alone has tens of thousands of daily active users. Cursor has a million. Copilot has 15 million paid seats. Add the long tail of smaller agents, CI pipelines, and automated dependency checkers.
Each of these agents, independently:
- Queries npm/PyPI/Cargo/Maven/… to verify package existence
- Fetches version metadata to avoid hallucinating wrong versions
- Checks OSV for vulnerabilities before recommending an install
- Re-downloads the same JSON responses, millions of times
The data doesn't change every millisecond. Express 5.2.1's health status is the same whether you ask at 09:00 or 09:05. But every agent asks independently.
This isn't just inefficient. It's:
- Wasted bandwidth for public registries (npm serves ~150B downloads/month — a meaningful fraction is just duplicated metadata checks)
- Wasted tokens — every LLM re-processes identical JSON responses it could have skipped entirely
- Wasted energy — data centers running queries that return the exact same bytes
- Rate limiting pressure on the public registries we all depend on
We ran into this ourselves while building an AI agent. We realized we were solving the wrong problem.
The Inversion
What if the answer isn't building another tool that calls the registries, but building shared infrastructure that calls them once?
That's DepScope. Not a product. Not a SaaS. Infrastructure.
The design is simple:
- One service fetches package metadata from all major registries
- It caches results in Redis (1h TTL for metadata, 6h for vulnerabilities)
- It persists everything in PostgreSQL
- Any AI agent — or any human — hits one endpoint and gets a structured answer
```sh
curl https://depscope.dev/api/check/npm/express
```
Returns health score, vulnerabilities, latest version, alternatives, and a recommendation — all in one call.
No auth. No API key. No signup. It's a public utility.
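The design above is a cache-aside layer with two TTLs sitting between every agent and the registries. As an added example (not DepScope's own code, which uses Redis and PostgreSQL), the following stand-in keeps the cache in a Python dict with an injectable clock and a constructed fake registry, so it runs offline and shows the claim the post makes: however many agents ask, each fresh key costs the upstream registry one request per TTL window.

```python
"""Cache-aside lookup with the TTLs the post describes (1h metadata, 6h vulns).
Hypothetical stand-in for DepScope's Redis layer: in-memory dict, injectable
clock and a fake upstream registry so it runs offline. Not DepScope's own code."""
import time
from typing import Callable, Dict, Tuple

METADATA_TTL = 3600       # 1 hour, as stated in the post
VULN_TTL = 6 * 3600       # 6 hours, as stated in the post


class SharedMetadataCache:
    """One cache in front of the upstream registries, shared by every agent."""

    def __init__(self, upstream: Callable[[str, str, str], dict],
                 clock: Callable[[], float] = time.time):
        self._upstream = upstream          # fetch(kind, ecosystem, package) -> dict
        self._clock = clock
        self._store: Dict[Tuple[str, str, str], Tuple[float, dict]] = {}
        self.upstream_calls = 0            # how often a registry was actually hit

    @staticmethod
    def _ttl_for(kind: str) -> int:
        return VULN_TTL if kind == "vulnerabilities" else METADATA_TTL

    def get(self, kind: str, ecosystem: str, package: str) -> dict:
        key = (kind, ecosystem, package)
        now = self._clock()
        hit = self._store.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]                  # fresh entry: served without touching the registry
        value = self._upstream(kind, ecosystem, package)
        self.upstream_calls += 1
        self._store[key] = (now + self._ttl_for(kind), value)
        return value


class FakeRegistry:
    """Constructed upstream that only counts how often it is asked."""

    def __init__(self):
        self.requests = 0

    def fetch(self, kind: str, ecosystem: str, package: str) -> dict:
        self.requests += 1
        if kind == "vulnerabilities":
            return {"count": 0}                  # constructed sample value
        return {"latest_version": "5.2.1"}       # constructed sample value


def simulate(agents: int) -> Tuple[int, int]:
    """`agents` agents each ask for express metadata + vulnerabilities, then all
    ask again one hour and one second later. Returns the registry's request
    count after the first round and after the second.
    Without the shared cache the registry would see 2 * agents requests per round."""
    clock = {"t": 0.0}
    registry = FakeRegistry()
    cache = SharedMetadataCache(registry.fetch, clock=lambda: clock["t"])
    for _ in range(agents):
        cache.get("metadata", "npm", "express")
        cache.get("vulnerabilities", "npm", "express")
    after_first_round = registry.requests        # 2: one metadata, one vulns fetch
    clock["t"] += METADATA_TTL + 1               # metadata expired, vulns still fresh
    for _ in range(agents):
        cache.get("metadata", "npm", "express")
        cache.get("vulnerabilities", "npm", "express")
    return after_first_round, registry.requests  # (2, 3)


if __name__ == "__main__":
    print(simulate(1_000_000))
```

The second round shows why the two TTLs matter independently: only the expired metadata entry is refetched, while the vulnerability entry with its longer TTL keeps serving from cache.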
What We Actually Index
We indexed 14,744 packages across 17 ecosystems:
| Ecosystem | Packages | % with health < 60 |
|---|---|---|
| npm | 8,632 | 55% |
| PyPI | 3,282 | 56% |
| Cargo | 1,219 | 73% |
| RubyGems | 493 | 71% |
| Composer | 484 | 25% |
| NuGet | 301 | 37% |
| Maven | 242 | 98% |
| Go | 73 | 68% |
| Pub, Hex, Swift, CocoaPods, CPAN, Hackage, CRAN, Conda, Homebrew | on-demand | |
8,334 packages out of 14,744 have a health score below 60/100. That's the pool your AI agent is recommending from, and it doesn't know that.
143 indexed packages are deprecated but still being suggested by AI agents every day — request, mimic-fn, path-is-absolute, read-pkg-up, camel-case. Ring a bell?
The Real Numbers Behind "Free"
People ask why this is free. The honest answer: it's cheaper to run it once for everyone than to have millions of agents doing the same thing.
A single VM with 4GB of RAM serves the entire platform. Redis eats the repeat queries. PostgreSQL keeps the history. The actual cost scales with how many unique packages get queried, not with how many agents query them.
The marginal cost of serving the 1,000,000th request for express is zero.
So yes — free. No rate limit on cached data. No paywall on security info. No premium tier for "advanced features" that should be table stakes.
How to Use It (Seriously, It's One Line)
Whatever AI coding agent you're using, add this once. You never have to think about it again.
Claude Code — in CLAUDE.md:

```markdown
## DEPSCOPE — Before any install: curl depscope.dev/api/check/{eco}/{pkg}
```

Cursor — in .cursorrules:

```text
Before any install: curl depscope.dev/api/check/{eco}/{pkg} — no auth, free
```

Windsurf — in .windsurfrules:

```text
Before any install: curl depscope.dev/api/check/{eco}/{pkg}
```

Copilot — in .github/copilot-instructions.md:

```text
Before any install: curl depscope.dev/api/check/{eco}/{pkg} — free, no auth
```
ChatGPT — search "DepScope" in the GPT Store.
Any agent with HTTP access:

```sh
curl https://depscope.dev/api/check/npm/express
```
That's it. Your agent now verifies packages before suggesting installs. No hallucinated versions. No deprecated libraries. No surprise vulnerabilities.
What It Returns
```json
{
  "package": "express",
  "ecosystem": "npm",
  "latest_version": "5.2.1",
  "health": {
    "score": 85,
    "risk": "low",
    "breakdown": {
      "maintenance": 25,
      "security": 25,
      "popularity": 20,
      "maturity": 15,
      "community": 10
    }
  },
  "vulnerabilities": { "count": 0 },
  "recommendation": {
    "action": "safe_to_use",
    "summary": "express@5.2.1 is safe to use (health: 85/100)"
  }
}
```
One request. Full picture. Cached in 50ms.
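An agent or CI step that consumes this response still has to decide what to do with it. As an added example (not DepScope's client), the gate below turns the fields shown above (`health.score`, `vulnerabilities.count`, `recommendation.action`) into an allow/deny decision. The 60/100 cutoff is the post's own "unhealthy" threshold; the rule that anything other than `safe_to_use` is a denial, and that a missing field fails closed, is our policy choice. The sample response is copied from the post so the decision logic runs offline; `fetch_check` is the only part that touches the network.

```python
"""Pre-install gate over a DepScope /api/check response.
Added example, not DepScope's own client. Field names follow the JSON the post
documents; the thresholds and fail-closed handling are our own policy."""
import json
import urllib.request
from typing import List, Tuple

MIN_HEALTH = 60   # the post's own cutoff: score < 60 counts as unhealthy


def fetch_check(ecosystem: str, package: str, timeout: float = 10.0) -> dict:
    """Network call to the public endpoint (no auth, per the post)."""
    url = f"https://depscope.dev/api/check/{ecosystem}/{package}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def evaluate_check(check: dict, min_health: int = MIN_HEALTH) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Denies on low health, vulnerabilities affecting
    the latest version, or any recommendation other than safe_to_use. A missing
    or malformed field is itself a denial reason (fail closed), so a truncated
    or unexpected response never silently passes."""
    reasons: List[str] = []

    score = (check.get("health") or {}).get("score")
    if not isinstance(score, int):
        reasons.append("health score missing from response")
    elif score < min_health:
        reasons.append(f"health score {score} is below {min_health}")

    vulns = (check.get("vulnerabilities") or {}).get("count")
    if not isinstance(vulns, int):
        reasons.append("vulnerability count missing from response")
    elif vulns > 0:
        reasons.append(f"{vulns} vulnerabilities affect the latest version")

    action = (check.get("recommendation") or {}).get("action")
    if action != "safe_to_use":
        reasons.append(f"recommendation is {action!r}, not 'safe_to_use'")

    return (not reasons, reasons)


def gate_install(ecosystem: str, package: str) -> bool:
    """Fetch and evaluate; prints the verdict so it can sit in a pre-install hook."""
    allowed, reasons = evaluate_check(fetch_check(ecosystem, package))
    verdict = "ALLOW" if allowed else "DENY"
    print(f"{verdict} {ecosystem}/{package}" + ("" if allowed else ": " + "; ".join(reasons)))
    return allowed


# Sample response copied from the post's example, embedded for offline use.
SAMPLE_EXPRESS = {
    "package": "express",
    "ecosystem": "npm",
    "latest_version": "5.2.1",
    "health": {
        "score": 85,
        "risk": "low",
        "breakdown": {"maintenance": 25, "security": 25, "popularity": 20,
                      "maturity": 15, "community": 10},
    },
    "vulnerabilities": {"count": 0},
    "recommendation": {
        "action": "safe_to_use",
        "summary": "express@5.2.1 is safe to use (health: 85/100)",
    },
}

if __name__ == "__main__":
    print(evaluate_check(SAMPLE_EXPRESS))   # (True, [])
```

Returning the reasons alongside the boolean matters in practice: an agent can relay "2 vulnerabilities affect the latest version" to the user, whereas a bare `False` gives nobody anything to act on.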
Side Effects That Matter
The security angle is real — 402 vulnerabilities tracked, with filtering to show only those affecting the latest version (Django went from 272 historical "vulnerabilities" to the 1 that actually matters today).
But the real story is systemic: when one cache serves every agent, we stop hammering the public registries we all depend on. Fewer calls to npm. Fewer calls to PyPI. Less wasted data center compute. Less energy. Fewer tokens burned by agents processing duplicate JSON.
It's the most boring optimization possible. It's also the one nobody was doing.
Other Endpoints Worth Knowing
LLM-optimized plain text — save ~74% tokens vs JSON when an agent reads the result:

```sh
curl https://depscope.dev/api/prompt/npm/express
```

Public trending — what the ecosystem is actually installing right now:

```sh
curl https://depscope.dev/api/trending
```

Compare packages — rank them side by side:

```sh
curl https://depscope.dev/api/compare/npm/express,fastify,hono
```

Find alternatives when something's deprecated:

```sh
curl https://depscope.dev/api/alternatives/npm/request
# Returns: axios, got, node-fetch
```

Scan a project — POST your package.json deps:

```sh
curl -X POST https://depscope.dev/api/scan \
  -H "Content-Type: application/json" \
  -d '{"ecosystem":"npm","packages":{"express":"*","lodash":"*"}}'
```

Just the health score (fast):

```sh
curl https://depscope.dev/api/health/npm/react
```
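The scan body in the post is hand-written. As an added example (not DepScope's client), the helpers below build that body from a project's own manifest instead: a `package.json` for npm, and, going beyond what the post shows, a `requirements.txt` for PyPI. Two assumptions are ours: the manifest's version spec is passed through where the post's example uses `"*"`, and the PyPI ecosystem slug is written `pypi` by analogy with `npm`. `post_scan` is the only function that touches the network.

```python
"""Build a /api/scan request body from a project's own manifest.
Added example, not DepScope's client. The body shape {"ecosystem": ..., "packages": {...}}
is from the post; passing the manifest's version spec (rather than "*") and the
"pypi" ecosystem slug are assumptions of this example."""
import json
import re
import urllib.request
from typing import Dict

# name, optional [extras], then whatever specifier follows (e.g. ">=4.2,<5")
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")


def scan_payload_from_package_json(text: str, include_dev: bool = True) -> dict:
    """npm: collect dependencies (and devDependencies unless include_dev=False)."""
    manifest = json.loads(text)
    packages: Dict[str, str] = {}
    sections = ["dependencies"] + (["devDependencies"] if include_dev else [])
    for section in sections:
        for name, spec in (manifest.get(section) or {}).items():
            # a non-string or empty spec falls back to "*", matching the post's example
            packages[name] = spec if isinstance(spec, str) and spec else "*"
    return {"ecosystem": "npm", "packages": packages}


def scan_payload_from_requirements(text: str) -> dict:
    """PyPI: parse requirements.txt, skipping comments, blank lines, pip options
    (-r, -e, --index-url ...) and environment markers after ';'."""
    packages: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_LINE.match(line)
        if not match:
            continue
        name, _extras, spec = match.groups()
        packages[name.lower()] = spec or "*"     # PyPI names are case-insensitive
    return {"ecosystem": "pypi", "packages": packages}


def post_scan(payload: dict, timeout: float = 30.0) -> dict:
    """POST the body to the scan endpoint exactly as the post's curl does."""
    req = urllib.request.Request(
        "https://depscope.dev/api/scan",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # constructed sample manifest
    sample = '{"dependencies": {"express": "^5.2.1", "lodash": "*"}, "devDependencies": {"jest": "^29"}}'
    print(json.dumps(scan_payload_from_package_json(sample)))
```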
Beyond package health
In the last few days DepScope expanded from pure package health into adjacent verticals, still on the same free API and the same shared-infrastructure philosophy:
- Error → Fix Database — POST a stack trace or error snippet to `/api/error/resolve` and get verified solutions with package+version context. No more agents re-searching the same `ERR_PACKAGE_PATH_NOT_EXPORTED` for the millionth time.
- Compatibility Matrix — `/api/compat` returns whether `Next 16 + React 19 + Prisma 6` is a verified combo before you attempt the upgrade. Every agent that suggests a bump should hit this first.
- Known Bugs per version — `/api/bugs/{ecosystem}/{package}` returns non-CVE known issues affecting specific versions (regressions, production incidents, edge cases). The stuff that never reaches an advisory but still breaks your build.
All three share the same infrastructure principle: cache the answer once, serve every agent. Same endpoint convention, same free tier, same 200 req/min, no auth.
Three verticals, one API. That's 12 MCP tools now covering package health, error resolution, and stack compatibility — so your AI agent has the full picture before it types install.
What you can do now
If you use an AI coding agent: copy one line into your config. Done.
If you build an AI agent or an IDE with AI features: integrate DepScope instead of hitting registries directly. Your users get faster responses, you save infrastructure cost, and you stop contributing to the problem.
If you run a public registry: we'd love to hear from you. Fewer redundant calls = less load for you.
It's not complicated. It's shared infrastructure. The oldest idea on the internet.
Try It
- Website: depscope.dev
- API Docs: depscope.dev/api-docs
- OpenAPI: depscope.dev/openapi.json
- MCP Server (12 tools): npm install -g depscope-mcp
- RapidAPI: available on the hub
```sh
# Try it right now
curl https://depscope.dev/api/check/npm/express
```
Open Source
DepScope is MIT-licensed. Source, issues, and contributions welcome:
- Repo: github.com/cuttalo/depscope
- GitHub Action (audit deps on push/PR):

  ```yaml
  - uses: cuttalo/depscope@main
    with:
      ecosystem: npm
  ```
- Security disclosure: depscope.dev/security/disclosure
Built with FastAPI + PostgreSQL + Redis by Cuttalo srl. Feedback at depscope@cuttalo.com.