Zero Dependencies · Apache-2.0 · Node.js 18+

Know before you npm install

AI agents install packages 100x faster than humans can review. depguard is the security layer for the vibe coding era — audit every dependency before it enters your project, while saving up to 99% of AI tokens compared to manual research.

$ depguard-cli audit depguard-cli

Package          depguard-cli@1.3.1
Score            95/100
Vulnerabilities  None found
License          Apache-2.0 (compatible)
Dependencies     0 (zero runtime deps)
Scripts          Clean

$ depguard-cli should-use "http client"

Action   use-native
API      globalThis.fetch()
Built into Node 18+. No package needed.

Supply chain attacks are accelerating

In the vibe coding era, AI agents install packages faster than anyone can review. npm audit only checks known CVEs — it doesn't score maintenance, scan install scripts, check licenses, or tell you when to write your own. That gap is where attacks live.

2,200+: malicious packages detected on npm in 2025
8M+: weekly downloads compromised by the event-stream attack
100x: faster package installs with AI agents vs manual review
9: attack pattern categories depguard detects in install scripts
99%: AI tokens saved per audit vs manual web search and reasoning

Three steps to safe dependencies

Run a command or let your AI agent call the MCP tool. Same audit, same score, same protection.

Audit

Run one command or let your MCP-connected AI agent call depguard automatically during code generation.

npx depguard-cli audit express

Analyze

depguard queries 2 advisory databases, analyzes install scripts for 9 attack patterns, and scores across 5 weighted dimensions.

npm + GitHub Advisory DB

Decide

Get a clear, data-driven recommendation: install, caution, write-from-scratch, or use a native Node.js alternative.

Score 85/100 → install

Everything npm audit should have been

Six integrated tools. Zero dependencies. One clear answer.

Vulnerability Triage

Combines npm Registry and GitHub Advisory Database. Deduplicates results, filters by installed version, and suggests specific upgrade paths.

Fix Suggestions

Supply Chain Detection

Static analysis of install scripts catches reverse shells, credential exfiltration, obfuscated payloads, and remote code execution. No code is ever executed.

9 Attack Patterns

Package Scoring

Every package scored 0–100 across security, maintenance, popularity, license, and dependency count. Transparent, reproducible, configurable weights.

Configurable

Smart Advisor

Checks 20+ native Node.js alternatives before recommending npm packages. Saves bloat, reduces attack surface, eliminates unnecessary dependencies.

20+ Alternatives

AI-Native MCP Server

Built-in MCP server with 6 tools. Your AI agent audits packages during code generation. Token savings tracked per response to quantify ROI.

6 MCP Tools

License Compliance

15+ SPDX licenses ranked by permissiveness. Instantly know if a dependency's license is compatible with your project. No legal review needed.

15+ Licenses

See depguard in action

This is a limited demo with pre-loaded data for 6 popular packages. For live audits on any package, install depguard-cli locally.


Transparent, reproducible scores

Every package scored 0–100 across five weighted dimensions. You can configure the weights to match your risk profile.

Weights (default):
Security: 30%
Maintenance: 25%
Popularity: 20%
License: 15%
Dependencies: 10%

Thresholds:
≥ 60: Install. Safe to use. Meets quality standards.
40 – 59: Caution. Review before using. Potential risks.
< 40: Write Your Own. Better to implement the functionality yourself.
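As an added example (not depguard's own implementation), here is the weighted 0–100 score and the install / caution / write-your-own cut-offs described above, with the weights left configurable; the sub-scores fed into it are constructed, since the page does not say how depguard derives them.

```javascript
// Added example (not depguard's own implementation): weighted 0-100 package
// score from the five dimensions and thresholds listed on the page.
const DEFAULT_WEIGHTS = {
  security: 30, maintenance: 25, popularity: 20, license: 15, dependencies: 10,
};

// `dims` holds one 0-100 sub-score per dimension. How depguard derives each
// sub-score is not on the page; here they are supplied directly.
function weightedScore(dims, weights = DEFAULT_WEIGHTS) {
  const total = Object.values(weights).reduce((a, b) => a + b, 0);
  if (total <= 0) throw new Error('weights must sum to a positive number');
  let acc = 0;
  for (const [name, w] of Object.entries(weights)) {
    const v = dims[name];
    if (typeof v !== 'number' || v < 0 || v > 100) {
      throw new Error(`missing or out-of-range sub-score for ${name}`);
    }
    acc += v * w;
  }
  // Normalise by the weight total so custom weights need not sum to 100.
  return Math.round(acc / total);
}

// Thresholds from the page: >= 60 install, 40-59 caution, < 40 write your own.
function recommend(score) {
  if (score >= 60) return 'install';
  if (score >= 40) return 'caution';
  return 'write-your-own';
}

// Constructed sub-scores (not real audit data): a popular, well-maintained
// package with one moderate advisory and a mid-sized dependency tree ...
const healthyPkg = {
  security: 70, maintenance: 95, popularity: 100, license: 100, dependencies: 50,
}; // weightedScore(healthyPkg) -> 85 -> 'install'
// ... and a once-popular package whose maintainer sabotaged it (compare the
// colors / faker row): popularity stays high, security and maintenance collapse.
const sabotagedPkg = {
  security: 20, maintenance: 10, popularity: 100, license: 100, dependencies: 100,
}; // default weights -> 54 -> 'caution'
// A security-heavy weight profile, to show that the weights are configurable.
const SECURITY_FIRST = {
  security: 60, maintenance: 15, popularity: 10, license: 10, dependencies: 5,
}; // weightedScore(sabotagedPkg, SECURITY_FIRST) -> 39 -> 'write-your-own'
```

The same sabotaged package lands on "caution" with the default weights but on "write-your-own" under the security-first profile, which is why the weights should reflect your own risk profile rather than be left at defaults.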

These attacks happened

Major npm supply chain incidents and how depguard detects the patterns that made them possible.

Package | Year | Severity | What Happened | depguard Detection
event-stream | 2018 | Critical | Malicious dependency stole cryptocurrency wallet keys. 8M weekly downloads compromised. | Script analysis flags obfuscated code + credential access patterns in flatmap-stream.
ua-parser-js | 2021 | Critical | Hijacked account published cryptominers and password stealers via postinstall. | Install script analysis catches process spawning, external network calls, credential file access.
node-ipc | 2022 | Critical | Maintainer added code to wipe files based on geolocation. Dependency of vue-cli. | Advisory database flags GHSA. Script analysis detects file system writes + network conditionals.
colors + faker | 2022 | High | Maintainer sabotaged packages with infinite loops. Broke thousands of projects. | Maintenance score drops. Advisory database flags incident. Score falls below threshold.
eslint-scope | 2018 | Critical | Compromised token published version stealing npm tokens from ~/.npmrc. | Script analysis detects credential file access (~/.npmrc) and env var exfiltration.
coa + rc | 2021 | Critical | Hijacked accounts. Obfuscated malware in preinstall scripts. | Base64 decoding + dynamic code execution detected. Process spawning flagged.
crossenv (typosquat) | Ongoing | High | Names mimicking popular packages. Steal environment variables on install. | Low popularity + script analysis flags env var exfiltration. Score far below threshold.
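As an added example (not depguard's own scanner), this is how a defender might screen the lifecycle scripts in a package.json for the pattern families named in the Supply Chain Detection section and in the incident table above; the regexes, the risk threshold and the two sample manifests are constructed for illustration, and the scripts are only read as text, never run.

```javascript
// Added example (not depguard's own scanner): static screening of package.json
// lifecycle scripts for the pattern families the page names. The scripts are
// only read as text; nothing is executed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Illustrative pattern families (regexes constructed for this example; depguard's
// real rules are not on the page). Each hit is a signal, not proof of malice.
const PATTERNS = [
  { id: 'process-spawn',    re: /child_process|\b(exec|spawn)(Sync)?\(/ },
  { id: 'network-call',     re: /\b(curl|wget)\b|https?:\/\/|\bfetch\(|\.request\(/ },
  { id: 'credential-file',  re: /\.npmrc|\.ssh\/|\.aws\/|\.git-credentials/ },
  { id: 'env-exfiltration', re: /process\.env|\$\{?\w*(TOKEN|SECRET|KEY)\w*\}?/ },
  { id: 'base64-decode',    re: /base64|\batob\(/ },
  { id: 'dynamic-eval',     re: /\beval\(|new Function\(|vm\.run/ },
  { id: 'fs-write',         re: /writeFile(Sync)?\(|rmSync\(|unlink(Sync)?\(/ },
];

// Returns one finding per (hook, pattern) pair that matches.
function scanLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== 'string') continue;
    for (const { id, re } of PATTERNS) {
      if (re.test(script)) findings.push({ hook, pattern: id });
    }
  }
  return findings;
}

// Two or more distinct families in one manifest is treated as high risk here;
// the threshold is this example's choice, not depguard's.
function riskLevel(findings) {
  const families = new Set(findings.map((f) => f.pattern));
  if (families.size === 0) return 'clean';
  return families.size >= 2 ? 'high' : 'review';
}

// Constructed sample manifests (not real packages). The suspect one combines
// a credential-file read with base64 + eval, as in the eslint-scope / coa rows.
const cleanPkg = {
  name: 'demo-clean',
  scripts: { test: 'node --test', postinstall: 'node scripts/print-banner.js' },
};
const suspectPkg = {
  name: 'demo-suspect',
  scripts: { postinstall: `cat ~/.npmrc; node -e "eval(Buffer.from('QUFBQQ==','base64').toString())"` },
};
```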

Works with every AI coding tool

Built-in MCP server for the vibe coding workflow. One command to connect. Your AI agent audits packages before every install.

Claude Code: MCP Ready
Claude Desktop: MCP Ready
Cursor: MCP Ready
Windsurf: MCP Ready
Continue.dev: MCP Ready
Cline: MCP Ready
Roo Code: MCP Ready
Any MCP Client: JSON-RPC 2.0
// One command — zero install needed
$ claude mcp add depguard -- npx -y depguard-cli --mcp

// Or add to mcp.json / claude_desktop_config.json
{
  "mcpServers": {
    "depguard": {
      "command": "npx",
      "args": ["-y", "depguard-cli", "--mcp"]
    }
  }
}

depguard vs doing it manually

Without depguard, you need to check multiple sources, analyze scripts by hand, and make gut-feel decisions. Here's what one command replaces.

Task | depguard | Manual Approach
Check known CVEs | ✓ Automated | Search npm + GitHub advisories manually
GitHub Advisory Database | ✓ Included | Visit github.com/advisories, search, cross-reference
Inspect install scripts | ✓ 9 patterns | Read package source code line by line
Check maintenance health | ✓ Scored | Check npm page, GitHub commits, last publish date
Verify license compatibility | ✓ 15+ SPDX | Read LICENSE file, understand copyleft hierarchy
Evaluate package quality | ✓ 0–100 | Subjective judgement, no consistent scoring
Get fix version | ✓ Exact version | Read advisory, find patched version, verify semver
Find native alternatives | ✓ 20+ mapped | Know Node.js APIs by heart or search docs
Install vs write decision | ✓ Data-driven | Gut feeling, team discussion, hope for the best
AI agent integration | ✓ 6 MCP tools | Not possible — agents install blindly
Audit entire project | ✓ One command | Check each dependency individually
Time per package | ~2 seconds | 15–30 minutes of research

Skip the package. Use Node.js.

depguard checks 20+ native alternatives before recommending npm packages. Less bloat, smaller attack surface.

Instead of | Use | What it gives you | Requires
npm install axios | globalThis.fetch() | Built-in HTTP client. Full Request/Response API. | Node 18+
npm install uuid | crypto.randomUUID() | RFC 4122 v4 UUID generation. Cryptographically secure. | Node 19+
npm install lodash.clonedeep | structuredClone() | Deep clone any serializable value. Handles circular refs. | Node 17+
npm install dotenv | process.loadEnvFile() | Load .env files natively. No parsing library needed. | Node 21.7+
npm install glob | fs.glob() | Native file globbing. Async iterator interface. | Node 22+
npm install jest | node:test | Built-in test runner with describe, it, and assertions. | Node 18+
npm install yargs | util.parseArgs() | Parse CLI arguments with type validation. Built-in. | Node 18.3+
npm install better-sqlite3 | node:sqlite | Embedded SQLite database. Synchronous API. | Node 22.5+

30 seconds to safer dependencies

No configuration. No account. No dependencies to install.

$ npx depguard-cli audit express
$ npx depguard-cli should-use "date formatting"
$ npx depguard-cli score react

Get in touch

Questions, partnerships, security reports, or feedback — reach out through any of these channels.