Your AI coding agent is suggesting packages from 2024 — the fix is a shared API

Originally published at dev.to

AI coding agents — Claude, Cursor, ChatGPT, Copilot, Aider — recommend npm / PyPI / Cargo packages to millions of developers every day.

Three things are broken at the same time.

1. Tokens burned at scale

Every time your agent decides which package to install, it fetches raw registry JSON. For express@5.2.1 that's about 3 KB of keys the model mostly ignores: file hashes, nested maintainer metadata, deprecated publish configs, download counts from 2019, the schema versions of fields nobody uses.

Your LLM pays for every one of those tokens as input, on every install decision, across every parallel session. Multiply by millions of AI-assisted developers and the model waste is enormous — plus the downstream energy cost on the compute side.

2. The model is suggesting packages from months ago

The training cutoff was 6-12 months before the answer was generated.

  • Anything disclosed after the cutoff is invisible (the XZ backdoor, the next Log4Shell-class bug).
  • Deprecated libraries still get recommended with enthusiasm (request, left-pad@0.x, ...).
  • Sometimes the model hallucinates a package name that never existed in a registry, and a name that does not exist yet is a name an attacker can register first.

Every npm install based on a stale AI suggestion is a blind supply-chain bet.

3. There's no shared layer

Claude, Cursor, ChatGPT and Copilot each fetch the same metadata from the same public registries independently. Billions of redundant calls a day, hammering registry.npmjs.org, pypi.org, crates.io with the same questions over and over.

No shared cache. No shared source of truth. Each agent re-invents the lookup every time.


DepScope: the shared layer

DepScope is a single API that AI coding agents query before suggesting a package install. Open infrastructure, MIT, EU-hosted.

Three things it does:

A compact, token-efficient response

curl https://depscope.dev/api/prompt/npm/express

Returns a short natural-language string:

express@5.2.1 is safe_to_use. Health 85/100 (risk: low).
0 known vulnerabilities on the latest version.
11.2M weekly downloads. Published 2 weeks ago by a maintainer
with 47 other npm packages. Alternatives: fastify, hono, koa.

Roughly 74% smaller payload than raw registry JSON for the same install decision: fewer tokens burned per query, and no pre-processing by the model to extract the signal.

Live OSV + GitHub Advisory Database

CVEs are looked up in real time against OSV.dev and the GitHub Advisory Database, then filtered to show only vulnerabilities affecting the current release. Django has 272 historical vulnerability records on OSV; DepScope shows the one that actually applies to 5.2.4.

No stale training data, no false positives from long-patched CVEs.
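
The filtering step described above, evaluating each advisory's affected ranges against the exact installed version, as an added example that is not DepScope's code. The advisory records are constructed for this example (placeholder IDs, not real CVEs); only their shape follows the public OSV schema. The version comparator is deliberately simplified to dotted numeric releases.

```python
"""Filter OSV-format advisories down to those that affect one installed version.

Added example, not DepScope's code. The advisories below are constructed for
this example (placeholder IDs, not real CVEs); only their shape follows the
public OSV schema: affected[].package, affected[].versions and
affected[].ranges[].events with introduced / fixed / last_affected points.
"""


def parse_version(v: str) -> tuple:
    """Dotted release string -> integer tuple. Simplification for the example:
    plain X.Y.Z releases only; PEP 440 or semver pre-release tags need a real
    comparator (packaging.version, semver)."""
    return tuple(int(p) for p in v.split("."))


def version_in_range(version: str, events: list) -> bool:
    """Evaluate one OSV range. Events open an interval at 'introduced' ('0' means
    since the first release) and close it at 'fixed' (exclusive) or
    'last_affected' (inclusive); an interval never closed is still open."""
    v = parse_version(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])  # "0" -> (0,), below every release
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= v <= parse_version(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start


def affects(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if any 'affected' entry for this exact ecosystem + package covers
    the version, via an explicit version list or a SEMVER/ECOSYSTEM range.
    GIT ranges (commit hashes) are skipped: they cannot be compared to a
    registry version. The ecosystem check matters because the same name can
    exist in several registries."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem", "").lower() != ecosystem.lower():
            continue
        if pkg.get("name", "").lower() != name.lower():
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") in ("SEMVER", "ECOSYSTEM") and version_in_range(
                version, rng.get("events", [])
            ):
                return True
    return False


def applicable(advisories: list, ecosystem: str, name: str, version: str) -> list:
    """Advisory IDs that apply to this release, in input order."""
    return [a["id"] for a in advisories if affects(a, ecosystem, name, version)]


# Constructed sample records (not real advisories).
ADVISORIES = [
    {   # long-fixed issue: every release before 2.2.9
        "id": "EXAMPLE-2019-0001",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "django"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "0"}, {"fixed": "2.2.9"}]}]}],
    },
    {   # the one that matters for 5.2.4: introduced in 5.2, fixed in 5.2.5
        "id": "EXAMPLE-2025-0002",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "django"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "5.2"}, {"fixed": "5.2.5"}]}]}],
    },
    {   # same package name, different registry: must not match PyPI lookups
        "id": "EXAMPLE-2025-0003",
        "affected": [{"package": {"ecosystem": "npm", "name": "django"},
                      "ranges": [{"type": "SEMVER",
                                  "events": [{"introduced": "0"}]}]}],
    },
    {   # unfixed issue bounded with last_affected, plus an explicit version list
        "id": "EXAMPLE-2025-0004",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "django"},
                      "versions": ["4.2.0"],
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "4.2.1"}, {"last_affected": "4.2.3"}]}]}],
    },
]

if __name__ == "__main__":
    print(applicable(ADVISORIES, "PyPI", "django", "5.2.4"))  # ['EXAMPLE-2025-0002']
```

Run against the four constructed records, a lookup for django 5.2.4 returns only the second ID: the long-fixed record drops out because 5.2.4 is past its fix, the npm record drops out on the ecosystem check, and the last_affected record closes before 5.x. Swapping in a real comparator for the target ecosystem is the one change needed before pointing this at OSV data.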

17 ecosystems in one endpoint

npm, pypi, cargo, go, maven, nuget, rubygems, composer, pub, hex, swift, cocoapods, cpan, hackage, cran, conda, homebrew.

One API, one MCP server, one GitHub Action — covers the ecosystems your agent will realistically encounter.


Add it to your agent

Claude Code

Drop this into CLAUDE.md:

## DEPSCOPE — before suggesting any package install
Before recommending any package, call:
  curl https://depscope.dev/api/prompt/{ecosystem}/{package}

Use the returned health/CVE/deprecation info to decide.
No auth, 200 req/min, 17 ecosystems.

Cursor / Windsurf

In .cursorrules or .windsurfrules:

Before recommending or installing any package, call:
curl https://depscope.dev/api/prompt/{ecosystem}/{package}
Use the returned data to validate the suggestion.

MCP (Claude Desktop, Cursor, Windsurf)

npm install -g depscope-mcp

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["depscope-mcp"]
    }
  }
}

14 tools auto-registered. Your agent will call check_package, get_vulnerabilities, find_alternatives, resolve_error and others automatically when making install decisions. Note that npx resolves depscope-mcp at launch, so the global install is optional; if you need reproducible tooling, pin the version in args (depscope-mcp@<version>) as you would for any other dependency.

CI (GitHub Actions)

- uses: cuttalo/depscope@main
  with:
    ecosystem: npm

Audits your project's dependencies on every push / PR. Beyond a trial, pin the action to a release tag or commit SHA rather than @main, as you would for any third-party action.

Any agent via HTTP

curl https://depscope.dev/api/prompt/pypi/django
curl https://depscope.dev/api/vulns/cargo/tokio
curl https://depscope.dev/api/alternatives/npm/request
curl -X POST https://depscope.dev/api/scan -H 'Content-Type: application/json' -d '{"ecosystem":"npm","packages":{"express":"*","lodash":"*"}}'
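
How an agent-side gate can consume the compact /api/prompt reply shown earlier and the HTTP endpoints listed above, as an added example that is not DepScope's own client. Assumptions not taken from the post: the reply wording follows the express sample, an unknown package name returns HTTP 404, and scoped npm names such as @types/node are percent-encoded in the path. The fetcher is injected so the block runs offline against canned replies constructed for the example.

```python
"""Gate an agent's install decision on a DepScope /api/prompt lookup.

Added example, not DepScope's own client. Assumptions not taken from the post:
the reply wording follows the express sample ("<pkg> is safe_to_use. Health
N/100 (risk: ...). N known vulnerabilities ..."), an unknown package name
returns HTTP 404, and scoped npm names like @types/node are percent-encoded in
the path. The fetcher is injected so the run below works offline against the
canned replies constructed at the bottom.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

BASE_URL = "https://depscope.dev/api/prompt"


def prompt_url(ecosystem: str, package: str) -> str:
    # safe='' also encodes '/', so '@types/node' stays one path segment
    return f"{BASE_URL}/{quote(ecosystem, safe='')}/{quote(package, safe='')}"


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live fetcher (not used offline): None on 404, raises on anything else."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


@dataclass
class Decision:
    allow: bool
    reason: str
    health: Optional[int] = None
    vulns: Optional[int] = None


_HEALTH = re.compile(r"Health (\d+)/100")
_VULNS = re.compile(r"(\d+) known vulnerabilit")
_DEPRECATED = re.compile(r"\bdeprecated\b", re.IGNORECASE)


def decide(text: Optional[str], min_health: int = 70) -> Decision:
    """Natural-language reply -> allow/deny. Every branch that cannot positively
    confirm safety denies: 404, unparseable reply, any vuln, deprecation, low health."""
    if text is None:
        return Decision(False, "package not found: possible hallucinated name")
    h_m, v_m = _HEALTH.search(text), _VULNS.search(text)
    h = int(h_m.group(1)) if h_m else None
    v = int(v_m.group(1)) if v_m else None
    if _DEPRECATED.search(text):
        return Decision(False, "package is deprecated", h, v)
    if v is None:
        return Decision(False, "reply did not state a vulnerability count", h, v)
    if v > 0:
        return Decision(False, f"{v} known vulnerabilities on this version", h, v)
    if h is None or h < min_health:
        return Decision(False, f"health {h} below threshold {min_health}", h, v)
    if "safe_to_use" not in text:
        return Decision(False, "status is not safe_to_use", h, v)
    return Decision(True, "ok", h, v)


def check(ecosystem: str, package: str,
          fetch: Callable[[str], Optional[str]] = http_fetch) -> Decision:
    """Look the package up and decide; transport errors fail closed."""
    try:
        text = fetch(prompt_url(ecosystem, package))
    except Exception as exc:  # DNS failure, timeout, 5xx, ...
        return Decision(False, f"lookup failed ({type(exc).__name__}); failing closed")
    return decide(text)


# Canned replies, constructed for this example in the post's response format.
CANNED = {
    prompt_url("npm", "express"): "express@5.2.1 is safe_to_use. Health 85/100 "
        "(risk: low). 0 known vulnerabilities on the latest version.",
    prompt_url("npm", "request"): "request@2.88.2 is deprecated. Health 40/100 "
        "(risk: high). 0 known vulnerabilities on the latest version.",
    prompt_url("npm", "lodash"): "lodash@4.17.15 has 2 known vulnerabilities on "
        "this version. Health 60/100 (risk: medium).",
    prompt_url("npm", "@types/node"): "@types/node@22.0.0 is safe_to_use. Health "
        "90/100 (risk: low). 0 known vulnerabilities on the latest version.",
}


def offline_fetch(url: str) -> Optional[str]:
    return CANNED.get(url)  # unknown URL behaves like a 404


def failing_fetch(url: str) -> Optional[str]:
    raise TimeoutError("simulated registry outage")


if __name__ == "__main__":
    for pkg in ("express", "request", "lodash", "@types/node", "expresss"):
        d = check("npm", pkg, offline_fetch)
        print(f"{pkg:12} allow={d.allow} ({d.reason})")
```

The design point is the default: a lookup that times out, a reply the regexes cannot parse, and a name the registry has never seen all deny, so a hallucinated package or a registry outage never turns into an install. The typo'd "expresss" falls through to a 404 and is blocked on exactly that path.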

Open infrastructure

Package intelligence is infrastructure, not a premium product. It should exist once, for everyone, not be reinvented by every single AI coding agent session.

Built with FastAPI + PostgreSQL 17 + Redis. Hosted in the EU by Cuttalo srl. Feedback at depscope@cuttalo.com.
