deptrust: a CLI that scans packages across languages for known vulnerabilities

deptrust: a CLI that scans packages across languages for known vulnerabilities

deptrust is a that checks whether the package versions a project depends on have known . It covers nearly every major package ecosystem: npm, PyPI, crates.io (Rust), Go modules, RubyGems, NuGet, Maven, Packagist (PHP), pub.dev (Dart), CocoaPods, Hex.pm, Hackage, and .

It runs locally as a plain CLI, but it can also run as an MCP server, meaning an AI agent can call it directly to check for as part of its workflow. It ships with a ready-made skill and a hook, making it easy to wire into automated coding pipelines.

Key points

  • Supports 12+ major package ecosystems including npm, PyPI, and Go modules
  • Can run as a local CLI or as an MCP server
  • Comes with a prebuilt skill and hook for agent automation
  • Also checks dependencies used in workflows
Read original