VulnFeed
VulnFeed — Dependency Vulnerability Monitoring for Claude Code
An MCP server that scans your project dependencies for known vulnerabilities, enriches them with EPSS exploit probability scores, and recommends fix versions.
Free tier — 10 scans/day, 1 monitored project, no signup required.
Homepage: vulnfeed.novadyne.ai
Install
uvx vulnfeed-mcp
MCP client config
Add to your MCP client config (~/.claude/settings.json for Claude Code, claude_desktop_config.json for Claude Desktop):
Free tier (no signup, no API key):
{
"mcpServers": {
"vulnfeed": {
"command": "uvx",
"args": ["vulnfeed-mcp"]
}
}
}
Paid ($14/mo, unlimited scans + projects):
{
"mcpServers": {
"vulnfeed": {
"command": "uvx",
"args": ["vulnfeed-mcp"],
"env": {
"VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
}
}
}
}
Get a license key at vulnfeed.novadyne.ai.
Tools
Scanning
| Tool | Description |
| --- | --- |
| | Auto-detect and scan all lockfiles in a directory |
| | Scan a specific lockfile |
| | Check a single package for vulnerabilities |
| | Detailed CVE info with EPSS + fix versions |
Monitoring
| Tool | Description |
| --- | --- |
| monitor_project | Register for continuous monitoring |
| check_alerts | New vulns since last scan |
| | Update snapshot after upgrading packages |
| | See all monitored projects |
| | Remove from monitoring |
Supported lockfiles
package-lock.json (npm)
yarn.lock (Yarn)
pnpm-lock.yaml (pnpm)
requirements.txt (pip)
Pipfile.lock (Pipenv)
go.sum / go.mod (Go)
Cargo.lock (Rust)
Gemfile.lock (Ruby)
composer.lock (PHP)
How it works
Parses your lockfile to extract dependency names + versions
Queries OSV.dev (NVD + GitHub Advisories) for known CVEs
Enriches with EPSS exploit probability scores
Filters noise — suppresses low-EPSS, non-critical CVEs by default
Sorts by exploitability — most likely to be exploited first
Returns fix version recommendations from package registries
Smart filtering
By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.
Pass show_all=True to any scan tool to see everything.
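The pipeline above (parse lockfile, query OSV, filter by EPSS/CVSS, rank, report fix versions) in miniature, as an added example that is not VulnFeed's own code. It parses a constructed package-lock.json, builds the OSV.dev querybatch body without sending it, and applies the page's suppression rule (EPSS < 10% AND CVSS < 9.0) to constructed findings with placeholder CVE ids and hypothetical package names.

```python
import json

# Constructed lockfileVersion-3 package-lock.json with hypothetical packages (not a real project).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},            # root project entry
        "node_modules/demo-utils": {"version": "1.2.3"},
        "node_modules/demo-web": {"version": "4.18.2"},
        "node_modules/demo-web/node_modules/demo-logger": {"version": "2.6.9"},  # nested dep
    },
})

def parse_package_lock(text):
    """Return (name, version) pairs from a v2/v3 package-lock.json.
    The package name is the path segment after the last 'node_modules/',
    which also handles nested and scoped (@scope/name) packages."""
    data = json.loads(text)
    deps = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # skip the root project itself
            continue
        deps.append((path.rsplit("node_modules/", 1)[-1], meta["version"]))
    return deps

def osv_querybatch_payload(deps, ecosystem="npm"):
    """Request body for OSV.dev's POST /v1/querybatch endpoint (built, not sent)."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps]}

def filter_and_rank(findings, show_all=False, epss_floor=0.10, cvss_floor=9.0):
    """Suppress CVEs with EPSS < 10% AND CVSS < 9.0 unless show_all,
    then order by EPSS (most likely to be exploited first), CVSS as tiebreaker."""
    kept = [f for f in findings
            if show_all or f["epss"] >= epss_floor or f["cvss"] >= cvss_floor]
    return sorted(kept, key=lambda f: (f["epss"], f["cvss"]), reverse=True)

# Constructed findings: placeholder ids and made-up scores/fix versions for illustration only.
SAMPLE_FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "package": "demo-utils",  "epss": 0.02, "cvss": 7.5, "fixed_in": "1.2.4"},
    {"id": "CVE-EXAMPLE-0002", "package": "demo-logger", "epss": 0.45, "cvss": 5.3, "fixed_in": "2.6.10"},
    {"id": "CVE-EXAMPLE-0003", "package": "demo-web",    "epss": 0.01, "cvss": 9.8, "fixed_in": "4.19.0"},
]

if __name__ == "__main__":
    deps = parse_package_lock(SAMPLE_LOCK)
    print(json.dumps(osv_querybatch_payload(deps), indent=2))
    for f in filter_and_rank(SAMPLE_FINDINGS):
        print(f"{f['id']} {f['package']} epss={f['epss']:.2f} cvss={f['cvss']} -> upgrade to {f['fixed_in']}")
```

Note that the low-EPSS, high-CVSS finding survives the default filter while the moderate-CVSS, high-EPSS one is ranked above it; that is the intended effect of sorting by exploitability rather than severity.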
Continuous monitoring
monitor_project — takes a baseline snapshot of current deps + known vulns
check_alerts — diffs against baseline, surfaces only new vulns
Run check_alerts periodically to catch newly published CVEs
License
MIT