NewAgent-ready security audits over MCP

The dependency intelligence layerfor you and your AI agents

DevUpdate.io tracks the releases, breaking changes, and security advisories of the libraries your project actually uses: one verified feed for you, one audit-grade MCP server for your coding agent. Every claim ships with its receipts. Your code never leaves your machine.

Free forever tier. No credit card required.

  • Issues no upgrade can fix, surfaced
  • One feed across npm, PyPI, Cargo, Go & more
  • Ready for Claude, Cursor & any MCP client

See what changed, at a glance

Every release you track gets a summary like this. Breaking changes, new features, and security notes, so you stay current in seconds instead of scrolling changelogs.

v4.0.0Major Release
Breaking

Breaking Changes

-Removed deprecated `getData()` method
-Changed return type of `fetchUser()` to Promise

New Features

+Added streaming support with `streamData()`
+New TypeScript-first API surface

Actionable signal. Zero noise.

Your dependencies ship updates constantly. DevUpdate.io filters that firehose down to the releases, security advisories, and breaking changes that actually touch the libraries you use—and links each one back to the repos in your stack that depend on it. A to-do, not just a notification.

One feed for every release

Track the libraries and tools your project depends on and get each new release summarized in one place: what's new, what changed, what you can skip. Scoped to your lockfile—and every source links back to the repos that depend on it, so you know exactly where to act.

Security issues, even when no fix exists

OSV/GHSA advisories are checked against the exact versions you pin, including the cases upgrade tools drop: vulnerable at latest, fix unreleased, fix blocked by a parent constraint. Each issue carries its advisory ids, fix status, and the maintainer's own workaround when one is documented.

Know before you upgrade

When it's time to bump a version, GitHub releases come with a code-diff analysis, undocumented-breaking-change detection, and a 0-100 risk score, so the upgrade is an informed call, not a gamble.

Built for the agent era

Your coding agent has your codebase. DevUpdate.io has the world's dependency knowledge. Connect the two over MCP and the agent audits, upgrades, and mitigates with verified data instead of re-deriving it, while your code stays exactly where it is.

  • 1Claims with receipts. Security flags carry OSV/GHSA advisory ids checked against your exact pins, the same database npm audit reads. Offered versions are validated against the package's own registry. Agents that fact-check their tools find that ours agrees with the source.
  • 2Playbooks, not just data. Three downloadable skills (audit, safe upgrades, security triage) encode the judgment: security first, blocked fixes via overrides, workarounds verbatim from the advisory, accepted risks recorded.
  • 3Your code never leaves your machine. We parse lockfiles into package + version pairs and discard the rest. The agent does the looking locally; we never clone, store, or read your source.
get_security_issues()

2 open security issues: 1 fix_available, 1 fix_unreleased.

[CRITICAL] lodash@4.17.20

GHSA-35jh-r3h4-6jhm (CVE-2021-23337)

fix_status: fix_available, fixed in 4.17.21

verify: osv.dev/GHSA-35jh-r3h4-6jhm

[HIGH] parse-server@8.2.3

fix_status: fix_unreleased, no fix published

workaround (advisory, verbatim): "Disable direct access…"

→ security first, then upgrades; record accepted risks.

Where DevUpdate.io fits

Scanners score packages, bots open PRs, and a capable agent can look anything up once. None of them tell you (or your agent) what living through an upgrade involves, what to do when no fix exists, or what happened across your dependencies while no one was looking.

CapabilityDevUpdate.ioYour agent, DIY (one-shot)Dependabot / RenovateSnyk / Socket (SCA)Context7
Tracks GitHub repos, VS Code extensions, Google Ads & any release page
Matches OSV/GHSA advisories to your exact pinned versions
Surfaces security issues no upgrade fixes (vulnerable at latest, fix unreleased or blocked)
Reads the GitHub diff to flag undocumented breaking changes
Risk score + release-by-release migration intelligence for the upgrade
Workaround & triage playbook when no fixed version exists
Lockfile-aware monitoring across npm, PyPI, Cargo, Go & Composer
Opens upgrade / fix PRs for you
Downloadable agent skills: audit, safe upgrades, security triage
MCP server for coding agents
Live library API docs for coding agents

Dependabot, Snyk/Socket, and Context7 each solve a real problem: automated PRs, vulnerability scanning, and live docs for AI agents. DevUpdate.io is the intelligence layer across them: the verified knowledge of what changed, what's vulnerable, what no upgrade can fix, and what to do about it, served to you as a feed and to your agent over MCP. Diff inspection, undocumented-change detection, and risk scoring cover GitHub repository sources; VS Code extensions, Google Ads, and generic pages get AI release summaries.

And yes, a capable agent with a skill file can re-derive a one-off audit in a single session. That's the DIY column, and our skills are free. What a one-shot run can't be is continuous or cheap: it re-queries every registry and re-reads every changelog at full token cost, then forgets when the session ends. DevUpdate.io computes that intelligence once per release, caches it for everyone, recomputes it daily against your exact pins, and hands your agent the receipts instead of the homework. The honest version of this argument →

Keep up with your stack, without trying

Stop scattering your attention across changelogs, release feeds, and CVE trackers. DevUpdate.io watches your dependencies, tells you what matters, and when it's time to act, your agent already has the audit, the upgrade plan, and the receipts.