Show HN: CLI that helps AI agents avoid vulnerable dependencies(github.com)
github.com
Show HN: CLI that helps AI agents avoid vulnerable dependencies
https://github.com/clidey/deptrust
6 コメント
I use Aikido safe chain, how does this compare? https://www.npmjs.com/package/@aikidosec/safe-chain
From what I see Aikido safe chain wraps the actual executable for npm, pnpm, pip etc with a proxy server that intercepts the requests to it and checks them.
deptrust does not wrap any executable and queries the advisory and package information directly. My goal with it was more focused on using it in Claude Code/Codex.
deptrust does not wrap any executable and queries the advisory and package information directly. My goal with it was more focused on using it in Claude Code/Codex.
Codacy has done this for a while https://www.npmjs.com/package/codacy-cli
And this tool makes it Claude Code native https://www.npmjs.com/package/@codacy/verity-cli
And this tool makes it Claude Code native https://www.npmjs.com/package/@codacy/verity-cli
If this was a claude plugin with a hook on my dep files, I'd be in.
I've added a hook that can be installed for Claude and Codex.
It runs locally as a CLI and as an MCP server. It calls public package registry and OSV APIs directly; there is no hosted deptrust service.
I built this because AI coding agents kept suggesting outdated or vulnerable package versions. I kept having to manually tell tools like Claude and Codex to use newer, safer versions.
deptrust gives the agent a quick way to verify whether a dependency version has known vulnerabilities before it installs or recommends it.
You can install it with:
1. pnpx @clidey/deptrust@latest install
2. brew install clidey/tap/deptrust
3. Or directly with go: go install github.com/clidey/deptrust/cmd/deptrust@latest