FeralDeps, local dependency and vulnerability scanner for Java projects
Yet another dependency scanner in a space Snyk and Dependabot already dominate.
deptrust is a CLI that checks package versions for known vulnerabilities across npm, PyPI, crates.io, Go modules, RubyGems, NuGet, Maven, Packagist, pub.dev, CocoaPods, Hex.pm, Hackage, GitHub Actions, and more.
It runs locally as a CLI and as an MCP server. It calls public package registry and OSV APIs directly; there is no hosted deptrust service.
I built this because AI coding agents kept suggesting outdated or vulnerable package versions. I kept having to manually tell tools like Claude and Codex to use newer, safer versions.
deptrust gives the agent a quick way to verify whether a dependency version has known vulnerabilities before it installs or recommends it.
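To show what such a version check involves, here is an added example (not deptrust's own code) that builds the request body the public OSV query API accepts and evaluates an OSV-format response offline, including the `fixed` versus `last_affected` range boundary; the package, versions and advisory IDs are constructed.

```python
# Added example, not deptrust's own code: build the body the public OSV
# query API takes and evaluate an OSV-shaped answer offline. The package,
# versions and advisory IDs below are constructed, not real advisories.

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real endpoint; not called here


def build_query(ecosystem: str, name: str, version: str) -> dict:
    """Request body for one package at one version."""
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


def version_key(v: str) -> tuple:
    """Naive sort key: dotted numeric versions only (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def version_in_range(version: str, rng: dict) -> bool:
    """OSV range semantics: the latest event at or below `version` decides.
    introduced -> affected; fixed -> clean from that version on;
    last_affected -> clean strictly after that version."""
    key, latest = version_key(version), None
    for event in rng.get("events", []):
        kind, value = next(iter(event.items()))
        ev_key = version_key(value)  # "0" means "from the first release"
        if (kind in ("introduced", "fixed") and ev_key <= key) or (
            kind == "last_affected" and ev_key < key
        ):
            if latest is None or ev_key > latest[0]:
                latest = (ev_key, kind == "introduced")
    return bool(latest and latest[1])


def affected_advisories(ecosystem: str, name: str, version: str, response: dict) -> list:
    """IDs of advisories in an OSV query response that cover `version`."""
    hits = []
    for vuln in response.get("vulns", []):
        for aff in vuln.get("affected", []):
            pkg = aff.get("package", {})
            if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
                continue
            if any(version_in_range(version, r) for r in aff.get("ranges", [])):
                hits.append(vuln["id"])
                break  # one hit per advisory is enough
    return hits


# Constructed OSV-shaped response for a made-up npm package.
SAMPLE_RESPONSE = {"vulns": [
    {"id": "EXAMPLE-2024-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"last_affected": "2.3.1"}]}]}]},
]}
```

Calling `affected_advisories("npm", "example-lib", "4.17.20", SAMPLE_RESPONSE)` reports the first advisory, while `4.17.21` is clean because `fixed` is exclusive and `2.3.1` still matches the second advisory because `last_affected` is inclusive.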
You can install it with:
1. pnpx @clidey/deptrust@latest install
2. brew install clidey/tap/deptrust
3. Or directly with go: go install github.com/clidey/deptrust/cmd/deptrust@latest
Wraps native audits (npm audit, cargo audit) + license scanning, but Snyk and Dependabot already do this.