depsonar
Detects Actix projects and provides dependency management.
Detects Astro projects and provides dependency and vulnerability management.
Included in framework CVE database for curated advisories.
Manages Bun dependencies.
Manages Composer (PHP) dependencies and runs audit.
Scans, audits, and updates Dart/Flutter dependencies using pubspec.yaml.
Detects Django projects and provides dependency and vulnerability management.
Audits Docker images for outdated or end-of-life base images.
Detects Express projects and includes in framework CVE database.
Detects Fastify projects and provides dependency management.
Detects Flask projects and provides dependency management.
Manages Flutter dependencies via pubspec.yaml.
Detects Gin projects and provides dependency management.
Checks global Git version as part of toolchain audit.
Audits GitHub Actions workflows for deprecated actions across all workflows.
Scans, audits, and updates Go dependencies using go.mod.
Manages Gradle dependencies for Kotlin/Java projects.
Detects Hono projects and provides dependency management.
Scans, audits, and updates Kotlin/Java dependencies using build.gradle.kts.
Detects Laravel projects and provides dependency management.
Detects Next.js projects, provides migration detection (Pages to App Router), and includes in framework CVE database.
Scans, audits, and updates Node.js dependencies using package.json and supports npm, pnpm, yarn, bun.
Manages npm dependencies, runs npm audit, and provides vulnerability scanning.
Detects Nuxt projects and provides migration detection and vulnerability scanning.
Scans, audits, and updates PHP dependencies using composer.json.
Manages pnpm dependencies and runs audit.
Manages Python dependencies via Poetry.
Scans live CVE vulnerabilities for PyPI packages via osv.dev.
Scans, audits, and updates Python dependencies via requirements.txt, pyproject.toml, or Pipfile.
Detects Remix projects and provides dependency management and vulnerability scanning.
Scans, audits, and updates Ruby dependencies using Gemfile.
Scans, audits, and updates Rust dependencies using Cargo.toml.
Detects SolidStart projects and provides dependency management.
Detects exposed Stripe API keys in project files via secret scanner.
Groups dependencies by Supabase ecosystem and provides update suggestions.
Detects SvelteKit/Svelte projects, provides migration detection (runes), and includes in framework CVE database.
Scans, audits, and updates Swift dependencies using Package.swift.
Checks global Vercel CLI version as part of toolchain audit.
Groups dependencies by Vite ecosystem and provides update suggestions.
Manages Yarn dependencies.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@depsonar scan my project for outdated dependencies"
That's it! The server will respond to your query, and you can continue using it as needed.
depsonar is an MCP server that keeps your projects' dependencies up to date, scans for vulnerabilities, detects framework migrations, and audits your entire dev infrastructure — directly from Cursor, Claude, or any MCP-compatible AI assistant.
Supports Node.js, Python, Rust, Go, PHP, Ruby, Dart/Flutter, Swift, and Kotlin/Java.
Why depsonar?
With AI-generated "vibe coding" projects, dependency maintenance is an afterthought. WordPress solved this with one-click updates. depsonar brings the same experience to modern development — plus security scanning, migration detection, and infrastructure auditing.
Features
Dependency Management
Multi-language: 9 languages, auto-detected
Framework-aware: SvelteKit, Next.js, Nuxt, Astro, Django, Laravel, Express...
Safe updates: 3 levels (patch/minor/latest) with dry-run preview
Batch operations: Update all projects at once
Ecosystem grouping: Results grouped by Svelte, Supabase, Tailwind, Vite, etc.
Security & Compliance
Live CVE scanning via osv.dev API (npm, PyPI, crates.io, Go, PHP, Ruby)
Framework CVE database: Curated advisories for Svelte, Next.js, Vite, Express, Axios
Native audit integration: npm audit, cargo audit, pip-audit, composer audit, govulncheck
Secret scanner: Detects AWS keys, GitHub tokens, Stripe keys, database URLs, and more
License compliance: Flags GPL/AGPL copyleft, non-commercial, and unknown licenses
Migration & Maintenance
Migration detector: Identifies code patterns that need changing (Svelte 4→5 runes, Next.js Pages→App Router)
Changelog preview: See breaking changes before updating
Deprecated detection: Finds unmaintained packages and suggests replacements
Health scores: 0-100 per project based on deps, security, lockfile, runtime
Background checker: Scheduled scans via macOS launchd or Linux cron
Infrastructure Audit
Runtime versions: Node.js, Python, Rust, Go, PHP, Ruby, Dart, Swift (EOL detection)
Global toolchain: npm, pnpm, yarn, bun, cargo, pip, git, docker, vercel, supabase, wrangler
Docker image audit: Detects outdated/EOL base images
GitHub Actions audit: Flags deprecated actions across all workflows
Environment check: .env sync, lockfile freshness, config validation
Quick Start
Option 1: npx (zero install)
Add to ~/.cursor/mcp.json:
{
  "mcpServers": {
    "depsonar": {
      "command": "npx",
      "args": ["-y", "depsonar"]
    }
  }
}
Option 2: Global install
npm install -g depsonar
{
  "mcpServers": {
    "depsonar": {
      "command": "depsonar"
    }
  }
}
Option 3: Clone
git clone https://github.com/Soflution1/depsonar.git
cd depsonar && npm install && npm run build
{
  "mcpServers": {
    "depsonar": {
      "command": "node",
      "args": ["/path/to/depsonar/dist/index.js"]
    }
  }
}
Restart Cursor after editing the config.
All 23 Tools
Tool | Description |
| Scan all projects for outdated deps |
| Check a specific project |
| Update a project's dependencies |
| Batch update all projects |
| Health score 0-100 for a project |
| Fresh install with optional clean |
| Security scan (npm/pip/cargo audit) |
| Curated framework CVE advisory check |
| Real-time CVE scan via osv.dev API |
| Changelogs & breaking changes before updating |
| Framework migration detector |
| Deprecated & replaced package detection |
| Secret & API key scanner |
| License compliance (GPL/AGPL flags) |
| Runtime version check (EOL detection) |
| Global tool versions |
| Docker image audit |
| GitHub Actions audit |
| .env, lockfile, config validation |
| Full infrastructure report (everything) |
| Instant alerts from background scans |
| Setup automatic background scanning |
| View/edit configuration |
Background Checker
The background checker scans your projects on a schedule and caches results. When you open Cursor, depsonar_alerts reads the cache instantly — zero wait.
A lightweight script runs every N hours via macOS launchd or Linux cron
Scans all projects, compares versions with registries
Writes results to ~/.depsonar-cache.json, exits immediately
Zero RAM between runs, zero AI tokens, zero cost
Setup from Cursor: "Setup background checking every 6 hours"
Configuration
Set your projects directory (auto-detected from ~/Cursor/App, ~/Projects, ~/Developer, ~/Code, ~/dev):
// ~/.depsonarrc.json
{
  "projectsDir": "/Users/me/my-projects"
}
Or from Cursor: "Set my projects directory to ~/Code"
Supported Languages
Language | Detected by | Package Manager |
Node.js | | npm, pnpm, yarn, bun |
Python | | pip, pipenv, poetry |
Rust | | cargo |
Go | | go |
PHP | | composer |
Ruby | | bundler |
Dart/Flutter | | pub |
Swift | | swift |
Kotlin/Java | | gradle |
Framework Detection
SvelteKit · Next.js · Nuxt · Astro · Remix · SolidStart · Django · Flask · Laravel · Express · Fastify · Hono · Actix · Gin · Fiber
Architecture
depsonar/
├── src/
│ ├── index.ts # Entry: MCP server or --check mode
│ ├── checker.ts # Background scanner (cron/launchd)
│ ├── dashboard.ts # Web dashboard (http://127.0.0.1:24681)
│ ├── constants.ts # Language markers, ecosystem patterns
│ ├── types.ts # TypeScript interfaces
│ ├── schemas/index.ts # Zod input validation
│ ├── services/
│ │ ├── project.ts # Multi-lang detection, outdated parsing
│ │ ├── formatter.ts # Reports, tables, alerts formatting
│ │ ├── audit.ts # Native security audit (npm/cargo/pip)
│ │ ├── cve.ts # Curated CVE advisory database
│ │ ├── osv.ts # Live CVE via osv.dev API
│ │ ├── changelog.ts # Changelog & breaking change detection
│ │ ├── migrate.ts # Framework migration detector
│ │ ├── deprecated.ts # Deprecated package detection
│ │ ├── secrets.ts # Secret & token scanner
│ │ ├── licenses.ts # License compliance checker
│ │ ├── runtimes.ts # Runtime version checker
│ │ ├── toolchain.ts # Global toolchain checker
│ │ ├── docker.ts # Docker image auditor
│ │ ├── actions.ts # GitHub Actions auditor
│ │ └── envcheck.ts # Environment validator
│ └── tools/index.ts # 23 MCP tools
├── static/
│ ├── logo.png # depsonar logo (512x512)
│ └── banner.png # GitHub banner (1800x600)
├── package.json
├── tsconfig.json
└── LICENSE (MIT)
CLI
depsonar # Start MCP server (for Cursor)
depsonar --check # Run background scan
depsonar --version # Show version
depsonar --help # List all 23 tools
Also by Soflution
brandcheck — Check brand name availability across 27 platforms in one shot. Domains, social media, app stores, trademarks.
License
MIT — Soflution Ltd