DepsShield – Real-time dependency security for MCP-enabled AI coding tools

[ganolmc]

Pre-submission Checklist

• This post follows the MCP community guidelines

What would you like to share?

I built an MCP server that adds dependency security checks to Claude Desktop, Cursor, Cline, and other MCP-compatible tools.

The problem

Supply chain attacks grew 188% this year. In September, 18 npm packages (including chalk and debug) with 2.6 billion weekly downloads were compromised in just 2 hours. AI coding assistants suggest packages at machine speed—but have no awareness of security risks.

What it does

DepsShield checks npm packages against vulnerability databases (OSV, GitHub Advisory) and returns:

• Risk scores
• Known CVEs with severity levels
• Safer alternatives when issues are found

Response time is under 3 seconds, so it doesn't interrupt your workflow.

Setup (zero installation)

Add to your Claude Desktop config:

{
  "mcpServers": {
    "depsshield": {
      "command": "npx",
      "args": ["-y", "@depsshield/mcp-server"]
    }
  }
}

Restart Claude Desktop and it's ready.

What's next

• Expanding to Python (PyPI), Java (Maven), and Go ecosystems
• Deeper risk assessment that goes beyond CVE lookups—analyzing maintainer trust patterns, dependency graph complexity, and behavioral signals to identify risks before they're publicly known

Security note

Runs locally via npx. Queries only public databases (OSV, npm registry). No credentials required, no code sent anywhere.

Feedback welcome—especially on what security signals would be most useful to surface.

Relevant Links

• npm: https://www.npmjs.com/package/@depsshield/mcp-server
• Website: https://depsshield.com
• dev.to post - https://dev.to/mike_hanol_e21eef42461b5e/why-your-ai-coding-assistant-needs-a-security-layer-and-how-to-add-one-in-2-minutes-92l