Summary
Point this at a Dependabot PR or npm outdated output and get a ranked upgrade plan with breaking changes, CVE fixes, and migration links. The server exposes two tools: analyze_package_change for single packages and analyze_packages_bulk for up to 50 at once. It scrapes GitHub release notes, checks OSV.dev for security fixes, and returns a risk level (security, caution, review, likely-safe, safe) with semver classification. Handles npm and PyPI. Runs via npx with optional GitHub token for higher rate limits. Integrates with Claude Code, Cursor, and Claude Desktop. Good for turning lockfile diffs into actionable decisions without manually reading changelogs.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Tools
Public tool metadata for what this MCP can expose to an agent.
2 tools
analyze_package_changeGiven one package and two versions (from -> to), returns a structured upgrade analysis: semver classification, GitHub release notes summary, detected breaking changes, security advisories fixed in the range, migration guide links, and a clear recommendation. Use when the user...4 params
Given one package and two versions (from -> to), returns a structured upgrade analysis: semver classification, GitHub release notes summary, detected breaking changes, security advisories fixed in the range, migration guide links, and a clear recommendation. Use when the user...
Parameters* required
namestringPackage name (e.g. 'react', 'requests')
ecosystemstringPackage ecosystemone of
npm · pypitoVersionstringTarget version (e.g. '19.0.0')
fromVersionstringCurrent version (e.g. '18.2.0')
analyze_packages_bulkAnalyzes a list of package upgrades in parallel and returns a unified risk report with packages ranked by recommendation level (security > caution > review > likely-safe > safe). Use when the user provides many dependency changes from a Dependabot PR, npm outdated output, lock...1 params
Analyzes a list of package upgrades in parallel and returns a unified risk report with packages ranked by recommendation level (security > caution > review > likely-safe > safe). Use when the user provides many dependency changes from a Dependabot PR, npm outdated output, lock...
Parameters* required
changesarrayList of package changes to analyze
dep-diff-mcp
MCP server that translates a lockfile diff into a human-readable upgrade plan.
Point your AI assistant (Cursor, Claude Desktop, Claude Code) at a Dependabot PR, npm outdated output, or any pair of package versions, and get back a ranked upgrade plan: semver class, breaking changes pulled from GitHub release notes, CVEs fixed in the range, migration guide links, and a clear recommendation per package.
Install
Claude Code
One command, user scope (available in every project):
claude mcp add -s user dep-diff -- npx -y @digicatalyst/dep-diff-mcp
Project scope (writes .mcp.json at repo root, team-shared):
claude mcp add -s project dep-diff -- npx -y @digicatalyst/dep-diff-mcp
With an explicit token (skip this if you have the gh CLI authenticated — see GitHub token below):
claude mcp add -s user --env GITHUB_TOKEN=ghp_xxx dep-diff -- npx -y @digicatalyst/dep-diff-mcp
Verify:
claude mcp list
Restart the Claude Code session to pick up the server.
Cursor and Claude Desktop
Add to your MCP client config:
- Cursor:
~/.cursor/mcp.json - Claude Desktop:
~/Library/Application Support/Claude/claude_desktop_config.json(macOS) or%APPDATA%\Claude\claude_desktop_config.json(Windows)
{
"mcpServers": {
"dep-diff": {
"command": "npx",
"args": ["-y", "@digicatalyst/dep-diff-mcp"]
}
}
}
Restart your MCP client. Ask something like "what's risky in this Dependabot PR?" and the tools are invoked automatically.
GitHub token (optional but recommended)
The server hits the GitHub API to read release notes. Without a token you get 60 requests per hour (GitHub's anonymous limit) — enough for occasional single-package queries, not enough for bulk lockfile analysis.
The server resolves a token in this order:
GITHUB_TOKENenvironment variable, if set.gh auth token— if the GitHub CLI is installed and authenticated, the server uses that token automatically. No config change needed.- Anonymous (60 req/hr).
Recommended: use the gh CLI
If you already have gh installed (brew install gh && gh auth login), stop here — the server picks up your existing auth. No plaintext token anywhere.
Alternative: environment variable
Create a fine-grained token at https://github.com/settings/tokens:
- Token name:
dep-diff-mcp - Expiration: 90 days (rotate periodically)
- Repository access:
Public Repositories (read-only)— no private repo access - Permissions: none beyond the default public read — do not grant
repo,workflow,user, or any write scope
Then reference it in the MCP config:
{
"mcpServers": {
"dep-diff": {
"command": "npx",
"args": ["-y", "@digicatalyst/dep-diff-mcp"],
"env": { "GITHUB_TOKEN": "github_pat_xxx" }
}
}
}
Security notes
- This config file lives on your disk in plaintext. Keep perms tight (
chmod 600) and do not paste the token into AI chats, issues, or shared screens — transcripts are often retained. - The token in this config should be least-privilege (public repo read only). Even leaked, it can only read public data you could already read.
- Rotate tokens periodically. Revoke any token that may have been exposed at https://github.com/settings/tokens.
- The server never writes the token to stdout/stderr or the response payload.
Tools
analyze_package_change
Analyze one package upgrade. Inputs: ecosystem (npm or pypi), name, fromVersion, toVersion.
analyze_packages_bulk
Analyze up to 50 package upgrades in parallel. Returns packages ranked by risk (security > caution > review > likely-safe > safe), plus summary counts.
What you get back
- Semver classification — major / minor / patch / downgrade / unknown
- Breaking changes — extracted from GitHub release notes headers
- Security fixes — CVEs present at
fromVersionbut resolved attoVersion(via OSV.dev) - Migration links — upgrade guide URLs found in release notes
- Recommendation — single-line verdict + level
Supported ecosystems
- npm
- PyPI
Development
npm install
npm run build
GITHUB_TOKEN=ghp_xxx npm run inspect # MCP Inspector
License
MIT
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →