VulnFeed
VulnFeed scans project dependencies for known CVEs, enriches results with EPSS exploit probability scores, and recommends fix versions.
Scanning
scan_project — Auto-detect and scan all lockfiles in a project directory
scan_lockfile — Scan a specific lockfile (npm, Yarn, pnpm, pip, Pipenv, Go, Rust, Ruby, PHP)
check_package — Check a single package by name, version, and ecosystem (npm, PyPI, Go)
lookup_cve — Get detailed info on a specific CVE or GHSA ID, including severity, EPSS score, affected versions, and fix recommendations
Continuous Monitoring
monitor_project — Register a project for monitoring by taking a baseline snapshot
check_alerts — Diff current vulnerabilities against the baseline to surface only new findings since the last scan
update_deps — Refresh a monitored project's dependency snapshot after upgrades
list_monitored — View all projects registered for monitoring
unmonitor_project — Remove a project from monitoring
Key Features
Queries OSV.dev (NVD + GitHub Advisories) for CVE data
Enriches results with EPSS exploit probability scores
Smart filtering suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0) by default, reducing noise by ~80%; override with show_all=True
Sorts results by exploitability (most dangerous first) and provides fix version recommendations
Scans composer.lock files to detect known vulnerabilities in PHP dependencies and recommend fix versions.
Scans npm package-lock.json files to detect known vulnerabilities in dependencies and recommend fix versions.
Scans pnpm-lock.yaml files to detect known vulnerabilities in dependencies and recommend fix versions.
Scans pip requirements.txt and Pipfile.lock files to detect known vulnerabilities in Python dependencies and recommend fix versions.
Scans Gemfile.lock files to detect known vulnerabilities in Ruby dependencies and recommend fix versions.
Scans Cargo.lock files to detect known vulnerabilities in Rust dependencies and recommend fix versions.
Scans yarn.lock files to detect known vulnerabilities in dependencies and recommend fix versions.
VulnFeed — Dependency Vulnerability Monitoring for Claude Code
An MCP server that scans your project dependencies for known vulnerabilities, enriches with EPSS exploit probability scores, and recommends fix versions.
Free tier — 10 scans/day, 1 monitored project, no signup required.
Homepage: vulnfeed.novadyne.ai
Install
uvx vulnfeed-mcp
MCP client config
Add to your MCP client config (~/.claude/settings.json for Claude Code, claude_desktop_config.json for Claude Desktop):
Free tier (no signup, no API key):
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}
Paid ($14/mo, unlimited scans + projects):
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}
Get a license key at vulnfeed.novadyne.ai.
x402 micropayments
VulnFeed also accepts x402 micropayments — AI agents can pay per scan with USDC on Base, no API key or signup needed. When the free tier limit is reached, the API returns HTTP 402 with payment requirements that x402-compatible clients handle automatically.
$0.01 per scan
$0.002 per CVE lookup
$0.05 per project monitor setup
Related MCP server: mcp-pypi
Tools
Scanning
| Tool | Description |
| --- | --- |
| scan_project | Auto-detect and scan all lockfiles in a directory |
| scan_lockfile | Scan a specific lockfile |
| check_package | Check a single package for vulnerabilities |
| lookup_cve | Detailed CVE info with EPSS + fix versions |
Monitoring
| Tool | Description |
| --- | --- |
| monitor_project | Register for continuous monitoring |
| check_alerts | New vulns since last scan |
| update_deps | Update snapshot after upgrading packages |
| list_monitored | See all monitored projects |
| unmonitor_project | Remove from monitoring |
Supported lockfiles
package-lock.json (npm)
yarn.lock (Yarn)
pnpm-lock.yaml (pnpm)
requirements.txt (pip)
Pipfile.lock (Pipenv)
go.sum / go.mod (Go)
Cargo.lock (Rust)
Gemfile.lock (Ruby)
composer.lock (PHP)
How it works
Parses your lockfile to extract dependency names + versions
Queries OSV.dev (NVD + GitHub Advisories) for known CVEs
Enriches with EPSS exploit probability scores
Filters noise — suppresses low-EPSS, non-critical CVEs by default
Sorts by exploitability — most likely to be exploited first
Returns fix version recommendations from package registries
Smart filtering
By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.
Pass show_all=True to any scan tool to see everything.
Continuous monitoring
monitor_project — takes a baseline snapshot of current deps + known vulns
check_alerts — diffs against baseline, surfaces only new vulns
Run check_alerts periodically to catch newly published CVEs.
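The suppression rule from "Smart filtering" (drop a CVE only when EPSS < 10% and CVSS < 9.0, unless show_all=True), the exploitability sort, and the baseline diff behind check_alerts are simple enough to state in a few lines. The block below is an added illustration of those three steps applied to constructed findings; it is not VulnFeed's own code, and the Finding type, the function names and the placeholder advisory IDs are assumptions made for the example. The thresholds are the ones stated in this README.

```python
"""Added example, not VulnFeed's own code: the README's default
suppression rule, exploitability sort and baseline diff, run over
constructed findings with placeholder advisory IDs."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

EPSS_THRESHOLD = 0.10   # suppress when EPSS probability < 10% ...
CVSS_THRESHOLD = 9.0    # ... AND CVSS base score < 9.0 (both must hold)


@dataclass(frozen=True)
class Finding:
    """One (package, version, advisory) hit; the shape is assumed for this example."""
    package: str
    version: str
    advisory: str            # CVE or GHSA id (placeholders below)
    cvss: float              # 0.0 - 10.0
    epss: float              # probability in [0.0, 1.0]
    fix_version: Optional[str] = None


def is_suppressed(f: Finding) -> bool:
    """Default filter: a finding is hidden only when BOTH signals are low.
    A critical CVSS keeps a finding even at negligible EPSS, and a high
    EPSS keeps it even at a modest CVSS."""
    return f.epss < EPSS_THRESHOLD and f.cvss < CVSS_THRESHOLD


def triage(findings: Iterable[Finding], show_all: bool = False) -> List[Finding]:
    """Apply the default filter (unless show_all) and sort by exploitability:
    highest EPSS first, CVSS as the tie-breaker."""
    kept = [f for f in findings if show_all or not is_suppressed(f)]
    return sorted(kept, key=lambda f: (f.epss, f.cvss), reverse=True)


def new_alerts(baseline: Iterable[Finding], current: Iterable[Finding]) -> List[Finding]:
    """check_alerts-style diff: findings in the current scan that were not
    in the baseline snapshot. Keyed on package, version and advisory so a
    newly published advisory for an unchanged dependency shows up."""
    seen = {(f.package, f.version, f.advisory) for f in baseline}
    return [f for f in current if (f.package, f.version, f.advisory) not in seen]


# Constructed sample data; advisory IDs are obvious placeholders, not real records.
SAMPLE = [
    Finding("examplelib", "1.2.0", "CVE-0000-00001", cvss=5.3, epss=0.01),                     # low/low -> suppressed
    Finding("examplelib", "1.2.0", "CVE-0000-00002", cvss=9.8, epss=0.02, fix_version="1.2.1"), # critical CVSS -> kept
    Finding("otherpkg", "3.0.0", "GHSA-xxxx-xxxx-xxxx", cvss=7.5, epss=0.45, fix_version="3.0.2"),  # high EPSS -> kept
]


def report(findings: Iterable[Finding]) -> List[str]:
    """Human-readable lines, most exploitable first."""
    return [
        f"{f.advisory} {f.package}@{f.version} cvss={f.cvss} epss={f.epss:.0%}"
        + (f" -> fix {f.fix_version}" if f.fix_version else " -> no fix version known")
        for f in findings
    ]


if __name__ == "__main__":
    print("default view:")
    print("\n".join(report(triage(SAMPLE))))
    print("\nshow_all=True:")
    print("\n".join(report(triage(SAMPLE, show_all=True))))
    # Simulate a baseline taken before the GHSA advisory was published.
    baseline = SAMPLE[:2]
    print("\nnew since baseline:")
    print("\n".join(report(new_alerts(baseline, SAMPLE))))
```

The diff is keyed on the advisory as well as the package and version, which is what lets a periodic check_alerts surface a CVE published after the baseline even when no dependency changed; update_deps would correspond to replacing the baseline list after an upgrade.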
License
MIT
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/novadyne-hq/vulnfeed-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server.