Osv Advisory Mcp Server

Name: Osv Advisory Mcp Server
Author: cyanheads

cyanheads/osv-advisory-mcp-server

Let your agent query OSV.dev and batch-audit dependency lists before you ship or cut a release candidate.

Overview

io.github.cyanheads/osv-advisory-mcp-server is a MCP server for the Ship phase that queries OSV.dev and batch-audits dependency lists for known vulnerabilities.

What is this MCP server?

Query OSV.dev for package-version vulnerability advisories through MCP tools
Batch-audit dependency lists in one agent pass instead of manual CVE tab hopping
Configurable OSV_REQUEST_TIMEOUT_MS default 10000 ms for API calls
stdio and streamable-http transports including hosted osv-advisory.caseyjhand.com
npm @cyanheads/osv-advisory-mcp-server v0.1.4 with Bun-oriented stdio startup
Catalog version 0.1.4
npm identifier @cyanheads/osv-advisory-mcp-server
Default OSV_REQUEST_TIMEOUT_MS 10000

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Community signal: 1 GitHub stars.

What problem does it solve?

Shipping with a stale dependency list is easy when CVE hunting is manual and your agent cannot reach a structured advisory API.

Who is it for?

Pre-release agent reviews of package.json, requirements.txt, go.mod, or other manifests against OSV records.

Skip if: Runtime intrusion detection, secrets scanning, or compliance attestations that need enterprise GRC tooling alone.

What do I get? / Deliverables

You get OSV.dev-aligned vulnerability findings on packages and versions so you can patch or pin before release.

Per-package OSV vulnerability matches with affected and fixed version guidance
Batch audit summary across a dependency list
Actionable patch or upgrade notes the agent can turn into PR tasks

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Ship is the canonical phase because vulnerability checks belong on the path to production, not on day-one ideation. Security subphase covers dependency advisory lookups and batch audits tied to OSV.dev records.

How it compares

OSV.dev advisory MCP bridge, not a full container image scanner or WAF.

Common Questions / FAQ

Who is io.github.cyanheads/osv-advisory-mcp-server for?

Indie developers and agent users who want OSV.dev vulnerability checks embedded in Ship-phase security reviews.

When should I use io.github.cyanheads/osv-advisory-mcp-server?

Use it before tagging releases or deploying when you need to audit dependencies individually or in batch against OSV advisories.

How do I add io.github.cyanheads/osv-advisory-mcp-server to my agent?

Install @cyanheads/osv-advisory-mcp-server from npm, run stdio with bun start:stdio, set OSV_REQUEST_TIMEOUT_MS if needed, register MCP in your client, or use the streamable-http remote endpoint.

Osv Advisory Mcp Server

cyanheads/osv-advisory-mcp-server

Let your agent query OSV.dev and batch-audit dependency lists before you ship or cut a release candidate.

Overview

io.github.cyanheads/osv-advisory-mcp-server is a MCP server for the Ship phase that queries OSV.dev and batch-audits dependency lists for known vulnerabilities.

What is this MCP server?

Query OSV.dev for package-version vulnerability advisories through MCP tools
Batch-audit dependency lists in one agent pass instead of manual CVE tab hopping
Configurable OSV_REQUEST_TIMEOUT_MS default 10000 ms for API calls
stdio and streamable-http transports including hosted osv-advisory.caseyjhand.com
npm @cyanheads/osv-advisory-mcp-server v0.1.4 with Bun-oriented stdio startup
Catalog version 0.1.4
npm identifier @cyanheads/osv-advisory-mcp-server
Default OSV_REQUEST_TIMEOUT_MS 10000

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Community signal: 1 GitHub stars.

What problem does it solve?

Shipping with a stale dependency list is easy when CVE hunting is manual and your agent cannot reach a structured advisory API.

Who is it for?

Pre-release agent reviews of package.json, requirements.txt, go.mod, or other manifests against OSV records.

Skip if: Runtime intrusion detection, secrets scanning, or compliance attestations that need enterprise GRC tooling alone.

What do I get? / Deliverables

You get OSV.dev-aligned vulnerability findings on packages and versions so you can patch or pin before release.

Per-package OSV vulnerability matches with affected and fixed version guidance
Batch audit summary across a dependency list
Actionable patch or upgrade notes the agent can turn into PR tasks

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

OSV.dev advisory MCP bridge, not a full container image scanner or WAF.

Common Questions / FAQ

Who is io.github.cyanheads/osv-advisory-mcp-server for?

Indie developers and agent users who want OSV.dev vulnerability checks embedded in Ship-phase security reviews.

When should I use io.github.cyanheads/osv-advisory-mcp-server?

Use it before tagging releases or deploying when you need to audit dependencies individually or in batch against OSV advisories.

How do I add io.github.cyanheads/osv-advisory-mcp-server to my agent?

Install @cyanheads/osv-advisory-mcp-server from npm, run stdio with bun start:stdio, set OSV_REQUEST_TIMEOUT_MS if needed, register MCP in your client, or use the streamable-http remote endpoint.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is io.github.cyanheads/osv-advisory-mcp-server for?

When should I use io.github.cyanheads/osv-advisory-mcp-server?

How do I add io.github.cyanheads/osv-advisory-mcp-server to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is io.github.cyanheads/osv-advisory-mcp-server for?

When should I use io.github.cyanheads/osv-advisory-mcp-server?

How do I add io.github.cyanheads/osv-advisory-mcp-server to my agent?