July 2, 2026

Bot vs Bug: Dependency Drama

Show HN: CLI that helps AI agents avoid vulnerable dependencies

A new app tries to stop AI from grabbing sketchy software, and commenters want it wired in now

TLDR: deptrust is a new tool that checks whether software packages chosen by AI have known security problems before they get installed. Commenters were broadly into the idea, but the big demand was clear: make it plug directly into AI tools and monitor projects automatically, or people may treat it as one more extra step.

The pitch is simple: AI helpers keep grabbing old, risky software, so deptrust wants to play bouncer before that happens. The tool checks public warning lists for known security problems across a huge range of software sources, then spits out a plain-English verdict like allow, review, or block. It also side-eyes brand-new releases, flagging anything published in the last 72 hours so bots do not go charging into fresh chaos. In other words, it is less “trust me, bro” and more “maybe don’t let your robot intern pick the locks for the office.”

But the real energy is in the community reaction, and it is giving “nice idea, now make it fit my life immediately”. The standout hot take came from scottcodie, who basically said this only becomes irresistible if it plugs straight into Claude and watches dependency files automatically. That reaction says a lot: people are not debating whether unsafe AI-generated installs are a problem, they are acting like the problem is already painfully real. The mini-drama is not over the mission, but over the format. A command-line tool is cool; a seamless plugin is the fantasy.

That makes the vibe less hostile and more impatient. The joke lurking underneath? Developers seem ready to trust a tool named deptrust as long as it saves them from trusting the AI. The crowd is not throwing tomatoes here—they are shouting from the back row: “Great, now bolt it directly onto the robot before it downloads something cursed.”

Key Points

  • deptrust is a local CLI and MCP server that checks package versions for known vulnerabilities across many package ecosystems.
  • The tool queries public package registries plus OSV and the GitHub Advisory Database, with no hosted deptrust service required.
  • deptrust maps the highest known vulnerability severity to recommendations such as block, review, or allow, and warns that allow does not guarantee safety.
  • It also emits non-CVE risk signals, including flagging versions published within the last 72 hours for review.
  • The article includes ecosystem-specific coverage details and command examples, including special handling for GitHub Actions tags, branches, and commit SHAs.
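
An added sketch of the verdict logic the key points describe, not deptrust's own code. The 72-hour window comes from the text above; the severity thresholds, the fail-closed handling of unlabelled advisories, the function names and the use of the `database_specific.severity` field seen on GitHub-sourced OSV records are assumptions, and the sample advisories are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy: the page says the highest severity maps to block/review/allow
# but does not give the thresholds, so these ranks are illustrative.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
BLOCK_AT = 3                          # assumption: HIGH and above block
FRESH_WINDOW = timedelta(hours=72)    # from the page: recent releases need review

def highest_severity(advisories):
    """Return (rank, label) of the worst advisory, or (0, None) if there are none."""
    worst = (0, None)
    for adv in advisories:
        label = str(adv.get("database_specific", {}).get("severity", "")).upper()
        # Fail closed: a missing or unrecognised label is treated as blocking.
        rank = SEVERITY_RANK.get(label, BLOCK_AT)
        if rank > worst[0]:
            worst = (rank, label or "UNKNOWN")
    return worst

def verdict(advisories, published_at, now=None):
    """Combine advisory severity with release age; published_at must be tz-aware."""
    now = now or datetime.now(timezone.utc)
    rank, label = highest_severity(advisories)
    reasons = []
    if rank:
        reasons.append(f"known vulnerability, highest severity {label}")
    fresh = now - published_at < FRESH_WINDOW
    if fresh:
        reasons.append("published within the last 72 hours")
    if rank >= BLOCK_AT:
        return "block", reasons
    if rank or fresh:
        return "review", reasons
    return "allow", reasons       # no known issue; not a guarantee of safety

if __name__ == "__main__":
    now = datetime(2026, 7, 2, 12, 0, tzinfo=timezone.utc)
    # Constructed advisory records in an OSV-like shape.
    sample = [
        {"id": "EXAMPLE-0001", "database_specific": {"severity": "MODERATE"}},
        {"id": "EXAMPLE-0002", "database_specific": {"severity": "CRITICAL"}},
    ]
    print(verdict(sample, now - timedelta(days=30), now))
    print(verdict([], now - timedelta(hours=5), now))
```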

Hottest takes

"If this was a claude plugin" — scottcodie
"with a hook on my dep files" — scottcodie
"I'd be in" — scottcodie