Technology Apr 16, 2026 · 4 min read

I Built a Free API That Checks Package Health for AI Agents

DEV Community
by Vincenzo Rubino

The Problem

AI coding agents (Claude Code, Cursor, Copilot) regularly suggest packages that are:

  • Deprecated without knowing it
  • Vulnerable to known CVEs
  • Abandoned with no maintainer activity for years

Every agent hits the npm registry, PyPI, and vulnerability databases independently. Millions of redundant requests for the same data.

The Solution: DepScope

DepScope aggregates package data from registries and vulnerability databases once, then serves it to any agent (or human) instantly.

curl https://depscope.dev/api/check/npm/express

Returns:

{
  "package": "express",
  "latest_version": "5.2.1",
  "health": {
    "score": 85,
    "risk": "low",
    "breakdown": {
      "maintenance": 25,
      "security": 25,
      "popularity": 20,
      "maturity": 15,
      "community": 10
    }
  },
  "vulnerabilities": { "count": 0 },
  "recommendation": {
    "action": "safe_to_use",
    "summary": "express@5.2.1 is safe to use (health: 85/100)"
  }
}

Features

Check any package

# npm
curl https://depscope.dev/api/check/npm/express

# PyPI
curl https://depscope.dev/api/check/pypi/django

# Cargo
curl https://depscope.dev/api/check/cargo/tokio

Compare packages side by side

curl https://depscope.dev/api/compare/npm/express,fastify,hono

Returns a ranked comparison:

Package   Health   Vulns   Downloads/week
fastify   92/100   0       5.2M
hono      88/100   0       1.8M
express   85/100   0       35M

Scan an entire project

curl -X POST https://depscope.dev/api/scan \
  -H "Content-Type: application/json" \
  -d '{"ecosystem":"npm","packages":{"express":"*","lodash":"*","axios":"*"}}'

Returns project risk level + per-package audit:

{
  "project_risk": "low",
  "packages_scanned": 3,
  "packages": [
    { "package": "express", "health_score": 85, "vulnerabilities": { "count": 0 } },
    { "package": "lodash", "health_score": 88, "vulnerabilities": { "count": 0 } },
    { "package": "axios", "health_score": 82, "vulnerabilities": { "count": 0 } }
  ]
}

Quick endpoints

# Health score only (fast)
curl https://depscope.dev/api/health/npm/react

# Vulnerabilities only
curl https://depscope.dev/api/vulns/npm/lodash

# Version info only
curl https://depscope.dev/api/versions/pypi/fastapi

Health Score Algorithm

The score (0-100) is calculated from 5 signals. No AI, no LLM — pure algorithm, runs in milliseconds:

Signal        Max points   How it's calculated
Maintenance   25           Days since last release: <30d = 25 pts, <90d = 20 pts, <180d = 15 pts
Security      25           Known CVEs from the OSV database, filtered to the latest version only
Popularity    20           Weekly downloads from the registry: >10M = 20 pts, >1M = 17 pts
Maturity      15           Total version count: >50 = 15 pts, >20 = 12 pts
Community     15           Number of active maintainers + GitHub stars

The key innovation: we only show vulnerabilities that affect the latest version. Django went from 272 "vulnerabilities" (historical noise) to just 1 that actually matters.

How It Works Under the Hood

Agent asks "is express safe?"
        │
        ▼
   DepScope checks Redis cache
        │
   Cache hit? ──yes──▶ Return in 0ms
        │
        no
        │
        ▼
   Fetch from npm registry ─────────────┐
   Fetch from OSV (vulnerabilities) ─────┤
   Fetch downloads from npm API ─────────┤
        │                                │
        ▼                                │
   Calculate health score ◀──────────────┘
        │
        ▼
   Cache in Redis (1 hour TTL)
   Save to PostgreSQL (permanent)
        │
        ▼
   Return full report

We pre-process the top 272 most popular packages every 6 hours, so most requests are served from cache instantly.

For AI Agents

DepScope is designed to be called by AI agents before they suggest any package installation.

Direct API (any agent with HTTP access)

Any AI agent that can make HTTP requests can use DepScope:

GET https://depscope.dev/api/check/npm/express

No auth. No API key. No signup. Just call it.

ChatGPT / OpenAI Actions

https://depscope.dev/.well-known/ai-plugin.json

OpenAPI Spec (Swagger)

https://depscope.dev/openapi.json

Interactive docs at depscope.dev/docs

MCP Server (Claude Code, Cursor, Windsurf)

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["depscope-mcp"]
    }
  }
}

GitHub: depscope-mcp

Real Examples

Express.js

$ curl -s https://depscope.dev/api/check/npm/express | jq '.recommendation'
{
  "action": "safe_to_use",
  "summary": "express@5.2.1 is safe to use (health: 85/100)"
}

Comparing web frameworks

$ curl -s https://depscope.dev/api/compare/npm/express,fastify,hono | jq '.winner'
"fastify"

A deprecated package

$ curl -s https://depscope.dev/api/check/npm/request | jq '.recommendation'
{
  "action": "find_alternative",
  "issues": ["Package is deprecated"],
  "summary": "request is deprecated — find an alternative package"
}

Why Free?

We believe package intelligence should be infrastructure, not a premium feature.

The idea is simple: we do the heavy lifting once, so every AI agent benefits. Instead of millions of agents independently hitting npm + PyPI + OSV + GitHub, we aggregate it all and serve cached results in milliseconds.

272 packages pre-cached. 3 ecosystems. Zero cost to use.

Try It

# Try it right now
curl https://depscope.dev/api/check/npm/express

Built by Cuttalo srl with FastAPI + PostgreSQL + Redis on a single VM. Feedback welcome at depscope@cuttalo.com

Source

This article was originally published by DEV Community and written by Vincenzo Rubino.
