@cyanheads/osv-advisory-mcp-server

v0.1.2 pre-1.0

Query OSV.dev for package vulnerabilities, batch-audit dependency lists, and fetch full advisory records via MCP. STDIO or Streamable HTTP.

claude mcp add --transport http osv-advisory-mcp-server https://osv-advisory.caseyjhand.com/mcp

codex mcp add osv-advisory-mcp-server --url https://osv-advisory.caseyjhand.com/mcp

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "url": "https://osv-advisory.caseyjhand.com/mcp"
    }
  }
}

gemini mcp add --transport http osv-advisory-mcp-server https://osv-advisory.caseyjhand.com/mcp

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "command": "bunx",
      "args": [
        "@cyanheads/osv-advisory-mcp-server@latest"
      ]
    }
  }
}

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "type": "http",
      "url": "https://osv-advisory.caseyjhand.com/mcp"
    }
  }
}

curl -X POST https://osv-advisory.caseyjhand.com/mcp \
  -H "Content-Type: application/json" \
  -H "MCP-Protocol-Version: 2025-11-25" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-11-25","capabilities":{},"clientInfo":{"name":"curl","version":"1.0.0"}}}'

Tools (4)

osv_list_ecosystems

Return the list of supported ecosystem identifier strings for use with osv_query and osv_query_batch. Ecosystem strings are case-sensitive exact matches — passing "pypi" instead of "PyPI" returns an error from the API. Use this tool to discover valid ecosystem strings before querying, or to verify an ecosystem identifier from a lockfile format. The list is static (maintained from the OSV schema spec) and may occasionally lag newly added ecosystems.

read
invocation
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "osv_list_ecosystems",
    "arguments": {}
  }
}
schema
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {},
  "additionalProperties": false
}

osv_query

Query known vulnerabilities for a single package version across any supported ecosystem. Returns all matching OSV advisories with severity (CVSS vectors), CVE aliases, affected version ranges, and first safe version. Use osv_list_ecosystems to validate the ecosystem string before querying — ecosystem strings are case-sensitive exact matches and an invalid value returns an error, not empty results.

read
invocation
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "osv_query",
    "arguments": {
      "name": "<name>",
      "ecosystem": "<ecosystem>",
      "version": "<version>"
    }
  }
}
schema
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "name": {
      "type": "string",
      "description": "Package name as it appears in the ecosystem (e.g. \"express\", \"requests\", \"serde\"). Case-sensitive."
    },
    "ecosystem": {
      "type": "string",
      "description": "Ecosystem identifier. Must be an exact match (case-sensitive). Use osv_list_ecosystems to see valid values. Examples: \"npm\", \"PyPI\", \"crates.io\", \"Go\", \"Maven\", \"NuGet\"."
    },
    "version": {
      "type": "string",
      "description": "Package version to check (e.g. \"4.17.1\", \"3.1.4\", \"1.0.0\"). Must be an exact version string, not a range."
    }
  },
  "required": [
    "name",
    "ecosystem",
    "version"
  ],
  "additionalProperties": false
}

osv_get_vulnerability

Fetch the full advisory record for an OSV vulnerability ID. Returns the complete record: summary, full details text, CVE aliases, all affected packages and version ranges, fix versions, CVSS severity vectors, CWE weakness IDs, and references. Use when osv_query or osv_query_batch returns a vuln ID and you need the full advisory context — eligibility criteria, scope of affected packages, or remediation guidance.

read
invocation
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "osv_get_vulnerability",
    "arguments": {
      "id": "<id>"
    }
  }
}
schema
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "id": {
      "type": "string",
      "description": "OSV vulnerability ID. Accepts any prefix: \"GHSA-\" (GitHub), \"PYSEC-\" (Python), \"RUSTSEC-\" (Rust), \"GO-\" (Go), \"DSA-\"/\"DLA-\" (Debian), \"CVE-\" (fallback direct lookups). Example: \"GHSA-29mw-wpgm-hmr9\"."
    }
  },
  "required": [
    "id"
  ],
  "additionalProperties": false
}

osv_query_batch

Query vulnerabilities for multiple packages in one call — the primary tool for dependency audits, SBOM scanning, and lockfile triage. Pass an array of {name, ecosystem, version} tuples (up to 1000). Each entry in the response corresponds positionally to the input. Each finding includes CVE aliases for chaining to nist-nvd-mcp-server for CVSS scoring. Invalid ecosystem strings are rejected before querying — call osv_list_ecosystems to validate.

read
invocation
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "osv_query_batch",
    "arguments": {
      "packages": "<packages>"
    }
  }
}
schema
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "packages": {
      "minItems": 1,
      "maxItems": 1000,
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Package name as it appears in the ecosystem."
          },
          "ecosystem": {
            "type": "string",
            "description": "Ecosystem identifier. Case-sensitive exact match. Use osv_list_ecosystems to validate."
          },
          "version": {
            "type": "string",
            "description": "Exact version string to check."
          }
        },
        "required": [
          "name",
          "ecosystem",
          "version"
        ],
        "additionalProperties": false,
        "description": "One package to audit."
      },
      "description": "Packages to audit. One entry per dependency. Positional: result[i] corresponds to packages[i]."
    }
  },
  "required": [
    "packages"
  ],
  "additionalProperties": false
}
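As an added example (not part of this server's code), a client-side Python helper that checks dependency entries against the case-sensitive ecosystem list osv_list_ecosystems returns, builds osv_query_batch tools/call requests chunked at the schema's 1000-item limit, and pairs the positional results back with their inputs to collect CVE aliases. The ecosystem list, the dependency entries and the per-entry result shape are constructed assumptions, not values from the page.

```python
# Constructed sample of what osv_list_ecosystems returns (the real list is
# longer; these six values are valid OSV ecosystem strings).
SAMPLE_ECOSYSTEMS = ["npm", "PyPI", "crates.io", "Go", "Maven", "NuGet"]

# Constructed dependency list, as parsed from a lockfile. "pypi" is a
# deliberate case error to exercise the validation path.
SAMPLE_PACKAGES = [
    {"name": "express", "ecosystem": "npm", "version": "4.17.1"},
    {"name": "requests", "ecosystem": "pypi", "version": "2.25.0"},
    {"name": "serde", "ecosystem": "crates.io", "version": "1.0.0"},
]

BATCH_LIMIT = 1000  # maxItems from the osv_query_batch schema


def check_ecosystems(packages, ecosystems):
    """Map index -> suggestion for entries whose ecosystem is not an exact
    match; the suggestion is the correctly cased string when only the case
    differs, else None."""
    by_lower = {e.lower(): e for e in ecosystems}
    return {i: by_lower.get(p["ecosystem"].lower())
            for i, p in enumerate(packages) if p["ecosystem"] not in ecosystems}


def build_batch_requests(packages, first_id=1):
    """Split packages into tools/call requests of at most BATCH_LIMIT entries,
    shaped like the osv_query_batch invocation above."""
    return [{
        "jsonrpc": "2.0",
        "id": first_id + n,
        "method": "tools/call",
        "params": {"name": "osv_query_batch",
                   "arguments": {"packages": packages[s:s + BATCH_LIMIT]}},
    } for n, s in enumerate(range(0, len(packages), BATCH_LIMIT))]


def pair_results(packages, results):
    """Zip packages[i] with results[i] (positional, per the schema) and collect
    CVE aliases. The per-entry shape is an assumption: a list of findings,
    each with an 'aliases' list."""
    if len(results) != len(packages):
        raise ValueError("result count does not match request count")
    return [{
        "package": f'{p["ecosystem"]}/{p["name"]}@{p["version"]}',
        "cves": sorted({a for f in findings for a in f.get("aliases", [])
                        if a.startswith("CVE-")}),
    } for p, findings in zip(packages, results)]
```

Run check_ecosystems before sending anything: the server rejects an invalid ecosystem string outright rather than returning empty results, so one bad entry fails the whole batch.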