Reports which of your code's API usages break before you upgrade a dependency (Python + .NET).
Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "bumpguard": {
      "command": "bumpguard-mcp"
    }
  }
}
```
Run this in your terminal to verify the server starts:
```sh
uvx 'bumpguard-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
```
No known CVEs.
Checked bumpguard-mcp against OSV.dev.
Guard your dependency bumps. BumpGuard is a Model Context Protocol (MCP) server that tells your AI coding agent exactly which lines of your code break when you upgrade a dependency — and verifies AI‑written code against the API that is actually installed, so it stops calling functions that don't exist.
It does this by static analysis only. BumpGuard never imports or executes third‑party code; it reads a package's real public API straight from its source.
Docs tell your agent what should exist. BumpGuard tells it what actually exists here.
The #1 frustration developers report with AI coding tools is code that's "almost right, but not quite." A huge slice of that is API drift and hallucination:
- `pydantic.BaseSettings` or `openai.ChatCompletion.create(...)` — perfectly valid two versions ago, gone in the version you have installed.
- Upgrading pandas from 1.5 to 2.2 and discovering the breakage one stack trace at a time.

BumpGuard closes that gap with ground truth from your environment instead of the model's memory.
A real example — upgrading pydantic 1 → 2 in code that uses BaseSettings:
```jsonc
// check_upgrade(package="pydantic", to_version="2.0.3", from_version="1.10.13", code="...")
{
  "safe_to_upgrade": false,
  "summary": { "breaking": 1, "total_api_changes": 4919, "breaking_api_changes": 2015 },
  "findings": [
    {
      "symbol": "pydantic.BaseSettings",
      "line": 2,
      "severity": "breaking",
      "message": "You use 'pydantic.BaseSettings', which no longer exists in the target version...",
      "suggestion": "Consider 'pydantic.v1.env_settings.BaseSettings'"
    }
  ]
}
```
Out of 2,015 breaking API changes, BumpGuard surfaced the one that affects this code — with the line number and a fix hint.
| Tool | What it answers |
|---|---|
| `check_upgrade` ⭐ | "If I upgrade *package* to *to_version*, what in this code breaks?" Diffs the installed (or `from_version`) API against the target and reports only the changes your code actually hits, with severity and fix hints. |
| `diff_versions` | "What changed between two versions of this library?" The raw breaking‑change list, no code scan — good for planning a migration. |
| `verify_snippet` | "Do the imports and API calls in this code really exist here?" Catches hallucinated/typo'd package names (slopsquatting) and attributes that aren't on the installed package. |
| `check_import` | "Is this package installed? If not, what's the closest real name?" |
| `list_symbols` | "What's the real public API of this package?" Discover functions/classes/methods + signatures instead of guessing — for the installed version or any fetched version. |
| `list_languages` | Which ecosystem providers are available. |
Every answer is grounded in evidence (installed version, source location). Because analysis is static, "no findings" means "nothing proven to break," not a guarantee — BumpGuard is explicit about that in its output.
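As an added illustration (not BumpGuard's own code), here is a minimal static version of what `check_upgrade` does: resolve the imports in a snippet to fully-qualified symbols, intersect every reference with a list of symbols the target version dropped, and report line numbers with fix hints, without ever importing the code under test. `REMOVED` and `SAMPLE_CODE` are constructed stand-ins, not a real pydantic 1 → 2 API diff, and `ast.unparse` requires Python 3.9+.

```python
import ast
from typing import Dict, Optional

# Constructed, illustrative API diff: removed symbol -> replacement (None = no replacement).
# Not the real pydantic 1 -> 2 diff; the first entry mirrors the finding shown on the page.
REMOVED: Dict[str, Optional[str]] = {
    "pydantic.BaseSettings": "pydantic.v1.env_settings.BaseSettings",
    "pydantic.validator": "pydantic.field_validator",
}

# Constructed sample input, the kind of snippet check_upgrade is asked about.
SAMPLE_CODE = """\
import pydantic
from pydantic import BaseModel, BaseSettings

class Settings(BaseSettings):
    debug: bool = False

@pydantic.validator("debug")
def check_debug(cls, v):
    return v
"""


def check_upgrade(code: str, removed: Dict[str, Optional[str]] = REMOVED) -> dict:
    """Static scan only: the snippet is parsed with ast, never imported or executed."""
    tree = ast.parse(code)
    aliases: Dict[str, str] = {}  # local name -> fully-qualified symbol it refers to
    hits = set()                  # (symbol, line) pairs, deduplicated
    for node in ast.walk(tree):   # pass 1: learn what each imported name means
        if isinstance(node, ast.Import):
            for a in node.names:
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                fq = f"{node.module}.{a.name}"
                aliases[a.asname or a.name] = fq
                if fq in removed:  # the import line itself breaks
                    hits.add((fq, node.lineno))
    for node in ast.walk(tree):   # pass 2: resolve every Name/Attribute use via the alias map
        if isinstance(node, (ast.Name, ast.Attribute)):
            root, _, rest = ast.unparse(node).partition(".")
            if root in aliases:
                fq = aliases[root] + (f".{rest}" if rest else "")
                if fq in removed:
                    hits.add((fq, node.lineno))
    findings = [{"symbol": s, "line": ln, "severity": "breaking", "suggestion": removed[s]}
                for s, ln in sorted(hits, key=lambda h: (h[1], h[0]))]
    return {"safe_to_upgrade": not findings, "findings": findings}
```

Because it only resolves direct references, an empty findings list means nothing was proven to break, which is the same caveat the server itself makes.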
```sh
pip install bumpguard-mcp
```
Requires Python 3.10+. The server speaks MCP over stdio.
Install BumpGuard into the same environment as the project you're working on, so it sees the packages you actually have insta