Translates a lockfile diff into a human-readable upgrade plan for npm and PyPI.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"dep-diff": {
"args": [
"-y",
"@digicatalyst/dep-diff-mcp"
],
"command": "npx"
}
}
}
Run this in your terminal to verify the server starts:
npx -y '@digicatalyst/dep-diff-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
No known CVEs.
Checked @digicatalyst/dep-diff-mcp against OSV.dev.
MCP server that translates a lockfile diff into a human-readable upgrade plan.
Point your AI assistant (Cursor, Claude Desktop, Claude Code) at a Dependabot PR, npm outdated output, or any pair of package versions, and get back a ranked upgrade plan: semver class, breaking changes pulled from GitHub release notes, CVEs fixed in the range, migration guide links, and a clear recommendation per package.
One command, user scope (available in every project):
claude mcp add -s user dep-diff -- npx -y @digicatalyst/dep-diff-mcp
Project scope (writes .mcp.json at repo root, team-shared):
claude mcp add -s project dep-diff -- npx -y @digicatalyst/dep-diff-mcp
With an explicit token (skip this if you have the gh CLI authenticated — see GitHub token below):
claude mcp add -s user --env GITHUB_TOKEN=ghp_xxx dep-diff -- npx -y @digicatalyst/dep-diff-mcp
Verify:
claude mcp list
Restart the Claude Code session to pick up the server.
Add to your MCP client config:
Cursor: ~/.cursor/mcp.json
Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)
{
"mcpServers": {
"dep-diff": {
"command": "npx",
"args": ["-y", "@digicatalyst/dep-diff-mcp"]
}
}
}
Restart your MCP client. Ask something like "what's risky in this Dependabot PR?" and the tools are invoked automatically.
The server hits the GitHub API to read release notes. Without a token you get 60 requests per hour (GitHub's anonymous limit) — enough for occasional single-package queries, not enough for bulk lockfile analysis.
The server resolves a token in this order:
1. GITHUB_TOKEN environment variable, if set.
2. gh auth token — if the GitHub CLI is installed and authenticated, the server uses that token automatically. No config change needed.
gh CLI
If you already have gh installed (brew install gh && gh auth login), stop here — the server picks up your existing auth. No plaintext token anywhere.
Create a fine-grained token at https://github.com/settings/tokens:
Token name: dep-diff-mcp
Repository access: Public Repositories (read-only) — no private repo access
Permissions not needed: repo, workflow, user, or any write scope
Then reference it in the MCP config:
{
"mcpServers": {
"dep-diff": {
"command": "npx",
"args": ["-y", "@digicatalyst/dep-diff-mcp"],
"env": { "GITHUB_TOKEN": "github_pat_xxx" }
}
}
}
Restrict the config file's permissions (chmod 600) and do not paste the token into AI chats, issues, or shared screens — transcripts are often retained.
The server exposes two tools:
analyze_package_change: Analyze one package upgrade. Inputs: ecosystem (npm or pypi), name, fromVersion, toVersion.
analyze_packages_bulk: Analyze up to 50 package upgrades in parallel. Returns packages ranked by risk (security > caution > review > likely-safe > safe), plus summary counts.