JFrog MCP Server

Official

Overview Schema Related Servers Score Discussions

jfrog_get_package_versions

Retrieve versions of a package with publication dates and filter by vulnerability status. Supports Python, Node, Java, Go, .NET, Hugging Face, and Ruby packages.

Instructions

Useful for when you need to get a list of versions of a publicly available package. it can tell you each version's publication date. Can also filter based on version vulnerability status.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`name`	Yes	The name of the package, as it appears in the package repository.
`type`	Yes	The type of package.

Implementation Reference

tools/catalog.ts:137-192 (handler)

The core handler function that constructs a GraphQL query to fetch the latest 10 versions of a package from JFrog Catalog, processes the response, and returns validated version information including version, published date, and license.

export async function getPackageVersions(options: JFrogCatalogPackageSchema) {
  const query = `query GetCatalogPackageVersions($type: String!, $name: String!, $first: Int) {
      package(type: $type, name: $name) {
        name
        description
        vcsUrl
        homepage
        versions(first: $first, orderBy: {field: PUBLISHED, direction: DESC}) {
          edges {
            node {
              version
              published
              licenseInfo {
                expression
              }
            }
          }
        }
      }
    }`;

  const variables = {
    type: options.type,
    name: options.name,
    first: 10
  };

  function processResponse(response: unknown): JFrogCatalogPackageVersionResponseSchema[] {

    const validatedResponse = JFrogCatalogGraphQLResponseSchema.parse(response);
    if (!validatedResponse.data?.package?.versions?.edges) {
      throw new Error("Invalid response format from JFrog API: Missing required data");
    }

    return validatedResponse.data.package.versions.edges.map(edge => ({
      version: edge.node.version,
      published: edge.node.published,
      licenseInfo: edge.node.licenseInfo
    }));
  }

  const processedData = await jfrogRequest(
    "xray/catalog/graphql",
    {
      method: "POST",
      body: JSON.stringify({ query, variables })
    },
    (response) => processResponse(response)
  );

  if (!Array.isArray(processedData)) {
    throw new Error("Invalid processed data format. Expected an array.");
  }

  return JFrogCatalogPackageVersionResponseSchema.array().parse(processedData);
}

tools/catalog.ts:363-373 (registration)

Tool registration object defining the name, description, input schema, and a thin wrapper handler that parses arguments and delegates to the core getPackageVersions function. This object is included in the CatalogTools export array used by the main tools index.

const getCatalogPackageVersionsTool = {
  name: "jfrog_get_package_versions",
  description: "Useful for when you need to get a list of versions of a publicly available package. " +
        "it can tell you each version's publication date. Can also filter based on version vulnerability status.",
  inputSchema: zodToJsonSchema(JFrogCatalogPackageSchema),
  //outputSchema: zodToJsonSchema(JFrogCatalogPackageVersionResponseSchema),
  handler: async (args: any) => {
    const parsedArgs = JFrogCatalogPackageSchema.parse(args);
    return await getPackageVersions(parsedArgs);
  }
};

schemas/catalog.ts:14-17 (schema)

Input schema using Zod for validating the tool's parameters: package type (e.g., npm, maven) and package name.

export const JFrogCatalogPackageSchema = z.object({
  type: z.enum(JFrogCatalogSupportedPackageTypes).describe("The type of package."),
  name: z.string().describe("The name of the package, as it appears in the package repository.")
});

schemas/catalog.ts:28-32 (schema)

Output schema element for each package version returned by the tool, including version, published date, and optional license info.

export const JFrogCatalogPackageVersionResponseSchema = z.object({
  version: z.string().describe("The version of the package, as it appears in the package repository."),
  published: z.string().describe("A timestamp of when this version was published."),
  licenseInfo: JFrogCatalogLicenseInfoResponseSchema.optional().describe("License information about this package.")
});

common/utils.ts:55-92 (helper)

Reusable helper function called by the handler to perform the actual HTTP POST request to the JFrog Catalog GraphQL endpoint, handling authentication via env vars, headers, and post-processing.

export async function jfrogRequest(
  urlPath: string,
  options: RequestOptions = {},
  postProcess: (data: unknown) => unknown = (x) => x
): Promise<unknown> {
  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    "User-Agent": USER_AGENT,
    ...options.headers,
  };

  if (process.env.JFROG_ACCESS_TOKEN) {
    headers["Authorization"] = `Bearer ${process.env.JFROG_ACCESS_TOKEN}`;
  }


  const baseUrl = normalizeJFrogBaseUrl(process.env.JFROG_URL || "");
  const path = urlPath.startsWith("/") ? urlPath.substring(1) : urlPath;
  const url = baseUrl ? `${baseUrl}${path}` : urlPath;

  try {
    const axiosConfig: AxiosRequestConfig = {
      method: options.method || "GET",
      url,
      headers,
      data: options.body,
    };

    const response = await axios(axiosConfig);
    return postProcess(response.data);
    return response.data;
  } catch (error) {
    if (axios.isAxiosError(error) && error.response) {
      throw createJFrogError(error.response.status, error.response.data);
    }
    throw error;
  }
}

Tool Definition Quality

B3.2/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It mentions the tool can 'filter based on version vulnerability status,' which adds behavioral context beyond basic retrieval. However, it doesn't disclose critical traits like whether this is a read-only operation, authentication requirements, rate limits, error handling, or pagination for large result sets. The description is insufficient for a mutation-sensitive agent.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise and front-loaded, stating the primary purpose in the first sentence. The second sentence adds useful context about publication dates and filtering. There's no wasted text, but it could be slightly more structured (e.g., separating core functionality from optional features).

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given no annotations and no output schema, the description is moderately complete for a read-focused tool. It covers the purpose and some behavioral aspects (filtering), but lacks details on return values, error cases, or authentication needs. For a tool with 2 parameters and no structured safety hints, it should provide more context to be fully helpful.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, with clear descriptions for both parameters ('name' and 'type' with enum values). The description adds no additional parameter semantics beyond what the schema provides, such as format examples or constraints. With high schema coverage, the baseline score of 3 is appropriate, as the schema does the heavy lifting.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'get a list of versions of a publicly available package' and 'tell you each version's publication date.' It specifies the verb ('get'), resource ('versions of a publicly available package'), and key capability (publication dates). However, it doesn't explicitly differentiate from siblings like 'jfrog_get_package_info' or 'jfrog_get_package_version_vulnerabilities,' which may overlap in functionality.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage context: 'when you need to get a list of versions' and mentions filtering by 'version vulnerability status,' which hints at when to use it. However, it lacks explicit guidance on when to choose this tool over alternatives like 'jfrog_get_package_info' or 'jfrog_get_package_version_vulnerabilities,' and doesn't state any exclusions or prerequisites.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Related Tools

jfrog_get_package_infoB
@jfrog/mcp-jfrog
npmVersionsA
@Nekzus/npm-sentinel-mcp
get_latest_version
@mkearl/dependency-mcp
npmVersionsA
@Nekzus/mcp-server
get_package_versions
@devqxi/pubdev-mcp-server
jfrog_get_package_version_vulnerabilitiesC
@jfrog/mcp-jfrog

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jfrog/mcp-jfrog'

If you have feedback or need assistance with the MCP directory API, please join our Discord server