deptrust checks safer package versions for AI coding agents
deptrust is a that helps check package versions before they install or recommend them. It looks for known security problems in packages from many developer ecosystems, including JavaScript, Python, Rust, Go, Ruby, .NET, Java, PHP, Dart, iOS, Elixir, Haskell, and . It runs on the local computer and does not depend on a hosted deptrust service.
It queries public package registries and OSV security data directly. It was built because tools like Claude and Codex can suggest old or unsafe package versions. It can also run as an MCP server, so an AI agent can quickly check whether a specific dependency version has known .
Installation options include pnpx, Homebrew, and go install.
Key points
- deptrust checks dependency versions against known data.
- It works as both a and an MCP server.
- It runs locally and queries public package registries plus OSV directly.
- It targets a real AI-coding problem: agents recommending old or risky versions.
- It can be installed with pnpx, Homebrew, or go install.