Choose a path.

Use MCP mode for always-on gating before installs, or run CLI audits for one-off dependency checks. Both paths use binaries from the same release build.

Subscription and API keys

  • No subscription is required to run built-in checks.
  • No API key is required for default data providers.
  • safe-pkgs queries public package/advisory endpoints (npm, crates.io, pypi, OSV), so outbound network access is required unless results are already cached.

Use MCP mode when an editor or agent should call safe-pkgs before installs.

1. Build release binary

cargo build --release

2. Run MCP server

macOS/Linux:

./target/release/safe-pkgs serve

Windows:

.\target\release\safe-pkgs-mcp.exe

3. Add MCP client config

{
  "servers": {
    "safe-pkgs": {
      "type": "stdio",
      "command": "/path/to/safe-pkgs",
      "args": ["serve"]
    }
  },
  "inputs": []
}

Windows MCP config (no console window):

{
  "servers": {
    "safe-pkgs": {
      "type": "stdio",
      "command": "safe-pkgs-mcp.exe"
    }
  },
  "inputs": []
}

Use CLI audit mode when you only want local dependency checks without running MCP transport.

1. Build release binary

cargo build --release

2. Run audit

macOS/Linux:

./target/release/safe-pkgs audit /path/to/project-or-lockfile
./target/release/safe-pkgs audit /path/to/requirements.txt --registry pypi

Windows:

.\target\release\safe-pkgs.exe audit C:\path\to\project-or-lockfile
.\target\release\safe-pkgs.exe audit C:\path\to\requirements.txt --registry pypi

Use a stable install path instead of target/...:

cargo install --path . --locked

Installed binaries:

  • safe-pkgs for CLI usage and serve
  • safe-pkgs-mcp for Windows MCP hosts (no console window)

Default install directory:

  • macOS/Linux: ~/.cargo/bin
  • Windows: %USERPROFILE%\.cargo\bin
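
Because the MCP host launches whatever "command" resolves to, the client config can point at the installed binary by absolute path instead of relying on PATH lookup. The script below is an added example, not part of the safe-pkgs project: it builds either config shown above from the default install directory and refuses a missing or group/world-writable binary. The function names are hypothetical.

```python
import json
import stat
import sys
from pathlib import Path


def default_bin_dir() -> Path:
    # Default `cargo install` directory from this page:
    # ~/.cargo/bin, or %USERPROFILE%\.cargo\bin on Windows.
    return Path.home() / ".cargo" / "bin"


def mcp_entry(bin_dir: Path, platform: str = sys.platform) -> dict:
    """Build the "safe-pkgs" server entry with an absolute, vetted command path."""
    windows = platform.startswith("win")
    # Windows hosts use the console-less safe-pkgs-mcp.exe with no args;
    # macOS/Linux use `safe-pkgs serve`.
    name, args = ("safe-pkgs-mcp.exe", None) if windows else ("safe-pkgs", ["serve"])
    binary = (Path(bin_dir) / name).resolve()
    if not binary.is_file():
        raise FileNotFoundError(f"{binary} not found; run: cargo install --path . --locked")
    if not windows:
        mode = binary.stat().st_mode
        if not mode & stat.S_IXUSR:
            raise PermissionError(f"{binary} is not executable")
        # A gate binary that other accounts can overwrite cannot be trusted.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{binary} is group/world-writable")
    entry = {"type": "stdio", "command": str(binary)}
    if args:
        entry["args"] = args
    return entry


def mcp_config(bin_dir: Path, platform: str = sys.platform) -> dict:
    # Same top-level shape as the client config shown on this page.
    return {"servers": {"safe-pkgs": mcp_entry(bin_dir, platform)}, "inputs": []}


if __name__ == "__main__":
    print(json.dumps(mcp_config(default_bin_dir()), indent=2))
```

Running it after `cargo install --path . --locked` prints a config ready to paste into the MCP client.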