deptrust: a CLI that scans packages across languages for known vulnerabilities
deptrust is a that checks whether the package versions a project depends on have known . It covers nearly every major package ecosystem: npm, PyPI, crates.io (Rust), Go modules, RubyGems, NuGet, Maven, Packagist (PHP), pub.dev (Dart), CocoaPods, Hex.pm, Hackage, and .
It runs locally as a plain CLI, but it can also run as an MCP server, meaning an AI agent can call it directly to check for as part of its workflow. It ships with a ready-made skill and a hook, making it easy to wire into automated coding pipelines.
Key points
- Supports 12+ major package ecosystems including npm, PyPI, and Go modules
- Can run as a local CLI or as an MCP server
- Comes with a prebuilt skill and hook for agent automation
- Also checks dependencies used in workflows