`npx githits@latest pkg`.
Package inspection supports 11 registries: npm, PyPI, Hex, Crates, vcpkg, Zig, NuGet, Maven, Packagist, RubyGems, and Go. Vulnerability data is unavailable for vcpkg and Zig. Dependency data supports npm, PyPI, Hex, Crates, Zig, vcpkg, RubyGems, and Go.
## pkg_info — package overview

pkg_info returns a quick triage summary for any package: the latest version, license, repository popularity, download volume, publish age, and vulnerability status. Pass `verbose: true` to add GitHub language breakdown, topics, last-pushed date, recent advisories, and recent changes.

CLI usage: `npx githits@latest pkg info <registry>:<package>`

Parameters:

- `registry`: The package registry. One of: npm, pypi, hex, crates, vcpkg, zig, nuget, maven, packagist, rubygems, go.
- `package_name`: The package name. Scoped names are supported (e.g., `@types/node`).
- `verbose`: When true, adds GitHub language/topics/last-pushed, recent advisories, and recent changes to the text output. Has no effect when `format: "json"` is set.
## pkg_vulns — vulnerability advisories

pkg_vulns fetches CVE and OSV security advisories for a package or a specific pinned version. It returns a count summary and each advisory with its OSV ID, severity, affected version ranges, and fix versions. Malicious-package advisories appear in a separate bucket.

CLI usage: `npx githits@latest pkg vulns <registry>:<package>`

Parameters:

- `registry`: Package registry. Vulnerability data is unavailable for vcpkg and Zig.
- `package_name`: Package name (scoped names supported).
- Version: Specific version to check. Defaults to latest when omitted.
- Severity filter: Filter to advisories at or above this level: low, medium, high, or critical. Omit to include all advisories, including those with no assigned severity.
- Retracted advisories: When true, includes retracted advisories. Defaults to false.
- Advisory scope: Which advisories to return: `affected` (default, only advisories that affect the inspected version), `non_affecting` (historical advisories that do not affect this version), or `all` (both affected and historical). Counts always include affected/non-affecting/all totals.
- Show all: When true, shows every advisory with full detail rows in text output. `format: "json"` always returns the complete structured envelope regardless of this setting.
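The severity threshold, retracted flag, and advisory scope described above interact in a specific way (a threshold drops advisories with no assigned severity; malicious advisories sit in their own bucket; counts always carry all three totals). The following is an added example, not githits code, that models those documented rules over a constructed list of OSV-style records so you can check what a given parameter combination would keep. The record shape, the `affects_version` boolean, and the function name `select_advisories` are assumptions for the illustration.

```python
"""Added example (not githits code): models the documented pkg_vulns selection
rules over constructed advisory records. Record shape and names are hypothetical."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    osv_id: str
    severity: Optional[str]   # None models "no assigned severity"
    affects_version: bool     # precomputed: does it affect the inspected version?
    retracted: bool = False
    malicious: bool = False   # malicious-package advisories go to a separate bucket


# Constructed sample data (not real advisories for any package).
SAMPLE = [
    Advisory("OSV-EXAMPLE-0001", "high", True),
    Advisory("OSV-EXAMPLE-0002", "low", True),
    Advisory("OSV-EXAMPLE-0003", None, True),           # no severity assigned
    Advisory("OSV-EXAMPLE-0004", "critical", False),    # historical, already fixed
    Advisory("OSV-EXAMPLE-0005", "medium", True, retracted=True),
    Advisory("MAL-EXAMPLE-0001", "critical", True, malicious=True),
]


def select_advisories(advisories, *, min_severity=None, include_retracted=False, scope="affected"):
    """Return (selected, malicious, counts) under the documented rules.

    - retracted advisories are dropped unless include_retracted is true
    - a severity floor keeps only assigned severities at or above it;
      with no floor, unassigned-severity advisories are kept too
    - malicious advisories are bucketed separately (assumption: they are not
      part of the affected/non_affecting/all counts)
    """
    if scope not in ("affected", "non_affecting", "all"):
        raise ValueError(f"unknown scope {scope!r}")
    if min_severity is not None and min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {min_severity!r}")

    pool = [a for a in advisories if include_retracted or not a.retracted]
    if min_severity is not None:
        floor = SEVERITY_RANK[min_severity]
        pool = [a for a in pool
                if a.severity is not None and SEVERITY_RANK[a.severity] >= floor]

    malicious = [a for a in pool if a.malicious]
    regular = [a for a in pool if not a.malicious]
    affected = [a for a in regular if a.affects_version]
    non_affecting = [a for a in regular if not a.affects_version]
    counts = {"affected": len(affected),
              "non_affecting": len(non_affecting),
              "all": len(regular)}
    selected = {"affected": affected, "non_affecting": non_affecting, "all": regular}[scope]
    return selected, malicious, counts


if __name__ == "__main__":
    sel, mal, counts = select_advisories(SAMPLE, min_severity="medium")
    print([a.osv_id for a in sel], [a.osv_id for a in mal], counts)
```

The point worth internalising from the model: setting any severity floor silently removes advisories that have no severity assigned, so a triage pass that only asks for `high` and above should be followed by an unfiltered pass if completeness matters.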
## pkg_deps — dependency graph

pkg_deps lists a package’s direct runtime dependencies with resolved versions. Use the `lifecycle` parameter to include non-runtime groups (development, peer, optional, build), or pass `lifecycle: "all"` to see every available group. Enable `include_transitive` to get the full install footprint, conflict detection, and circular-dependency flags.

CLI usage: `npx githits@latest pkg deps <registry>:<package>`

Parameters:

- `registry`: Package registry. Dependency data is available on npm, PyPI, Hex, Crates, Zig, vcpkg, RubyGems, and Go.
- `package_name`: Package name (scoped names supported).
- Version: Specific version to inspect. Defaults to latest. Tag-style inputs with a leading `v` (e.g., `v4.18.0`) are rejected — pass the canonical version number (`4.18.0`).
- `lifecycle`: Dependency group breadth. Omit for runtime-only. Use `runtime` for explicit runtime-only, a concrete non-runtime lifecycle (`development`, `build`, `peer`, `optional`) to add matching groups, or `all` for every available group. Accepts a single value, a comma-separated string, or an array. `all` cannot be combined with other values.
- `include_transitive`: When true, adds a `transitive` block with aggregate edge/package counts, the complete install footprint (`packages[]`), detected conflicts, and circular dependencies. Off by default.
- Importers: Requires `include_transitive: true`. When true, each entry in `transitive.packages[]` also carries an `importers` array showing every upstream package that pulls it in. Off by default — enabling it roughly quadruples envelope size on heavy graphs.
- Maximum depth: Cap the transitive traversal at this depth (1–10). Requires `include_transitive: true`. Omit to get the full graph.
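To make the parameter rules above concrete (lifecycle value normalisation, rejection of `v`-prefixed versions, and what a depth-capped transitive block with conflicts, cycles and importers looks like), here is an added example that is not githits code. It walks a constructed dependency graph; the graph itself, the function names, the rule that a named non-runtime lifecycle is added on top of runtime, and the conflict definition (one package name resolved to two versions) are assumptions for the illustration.

```python
"""Added example (not githits code): models pkg_deps parameter handling and a
transitive summary over a constructed graph. Shapes and names are hypothetical."""
import re
from collections import deque

LIFECYCLES = {"runtime", "development", "build", "peer", "optional"}
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")


def normalize_lifecycle(value):
    """Accept None, a single value, a comma-separated string, or a list.
    Omitted -> runtime only. 'all' -> every group, and cannot be combined.
    Assumption: a named non-runtime group is added on top of runtime."""
    if value is None:
        return {"runtime"}
    parts = value if isinstance(value, list) else str(value).split(",")
    parts = [p.strip() for p in parts if p.strip()]
    if "all" in parts:
        if len(parts) > 1:
            raise ValueError("'all' cannot be combined with other lifecycle values")
        return set(LIFECYCLES)
    unknown = set(parts) - LIFECYCLES
    if unknown:
        raise ValueError(f"unknown lifecycle(s): {sorted(unknown)}")
    return {"runtime"} | set(parts)


def check_version(version):
    """Reject tag-style input with a leading 'v'; require a canonical version."""
    if version.startswith("v"):
        raise ValueError(f"tag-style version {version!r} rejected; pass {version[1:]!r}")
    if not VERSION_RE.match(version):
        raise ValueError(f"not a canonical version: {version!r}")
    return version


# Constructed graph: (name, version) -> resolved (name, version) dependencies.
GRAPH = {
    ("app", "1.0.0"): [("lib-a", "2.0.0"), ("lib-b", "1.1.0")],
    ("lib-a", "2.0.0"): [("lib-c", "3.0.0")],
    ("lib-b", "1.1.0"): [("lib-c", "3.1.0"), ("lib-d", "0.9.0")],
    ("lib-c", "3.0.0"): [],
    ("lib-c", "3.1.0"): [],
    ("lib-d", "0.9.0"): [("lib-b", "1.1.0")],   # cycle: lib-b -> lib-d -> lib-b
}


def transitive_summary(root, graph=GRAPH, max_depth=None, include_importers=False):
    """BFS the install footprint below root, honouring an optional depth cap (1-10)."""
    if max_depth is not None and not 1 <= max_depth <= 10:
        raise ValueError("max_depth must be between 1 and 10")
    depth, importers, edges = {root: 0}, {}, 0
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if max_depth is not None and depth[node] >= max_depth:
            continue
        for dep in graph.get(node, []):
            edges += 1
            importers.setdefault(dep, set()).add(node[0])
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    footprint = [n for n in depth if n != root]

    by_name = {}
    for name, ver in footprint:
        by_name.setdefault(name, set()).add(ver)
    conflicts = {n: sorted(v) for n, v in by_name.items() if len(v) > 1}

    def reaches_itself(start):
        # Cycle check restricted to nodes inside the (possibly depth-capped) footprint.
        stack, visited = [d for d in graph.get(start, []) if d in depth], set()
        while stack:
            cur = stack.pop()
            if cur == start:
                return True
            if cur in visited:
                continue
            visited.add(cur)
            stack.extend(d for d in graph.get(cur, []) if d in depth)
        return False

    circular = sorted(f"{n}@{v}" for n, v in footprint if reaches_itself((n, v)))
    packages = []
    for name, ver in footprint:
        entry = {"name": name, "version": ver}
        if include_importers:
            entry["importers"] = sorted(importers[(name, ver)])
        packages.append(entry)
    return {"edges": edges, "package_count": len(footprint), "packages": packages,
            "conflicts": conflicts, "circular": circular}
```

Run against the constructed graph, the full traversal reports two resolved versions of `lib-c` as a conflict and flags `lib-b` and `lib-d` as circular; with `max_depth=1` neither shows up, which is the trade-off a depth cap buys you.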
## pkg_changelog — release notes

pkg_changelog retrieves release notes for a package or GitHub repository, newest-first. By default it returns the ten most recent entries. Use `from_version` and `to_version` to fetch every entry in a version range without a count cap.

You can address by registry + package name, or directly by a GitHub repository URL when you have the URL but no registry mapping.

CLI usage: `npx githits@latest pkg changelog <registry>:<package>`

Parameters:

- `registry`: Package registry (used with `package_name`). Mutually exclusive with `repo_url`.
- `package_name`: Package name (used with `registry`). Mutually exclusive with `repo_url`.
- `repo_url`: GitHub repository URL (e.g., https://github.com/expressjs/express). Mutually exclusive with `registry` + `package_name`. Use when you have a repo URL without a registry mapping.
- Entry limit: Maximum number of entries to return in latest mode (1–50, default 10). Cannot be combined with `from_version`.
- `from_version`: Start of a version range. When set, returns every entry between `from_version` and `to_version` (or latest) with no count cap. Tag-style v-prefixed inputs are rejected.
- `to_version`: End of the version range or latest-mode cap. Defaults to latest.
- Body content: When false, omits body content from each entry — useful when you only need the version / date / URL timeline. Defaults to true.
- `verbose`: Text output only. Shows full body content for every entry. Mutually exclusive with `body_lines`.
- `body_lines`: Text output only. Number of body lines to preview per entry (1–50, default 10). Mutually exclusive with `verbose: true`.
## pkg_upgrade_review — upgrade evidence

pkg_upgrade_review compares the version you use today with a target version. It checks direct vulnerability changes, changelog range evidence, target deprecation metadata, peer dependency changes, dependency changes, and optional transitive evidence.

Use it when your agent needs upgrade facts instead of guessing from semver. The tool reports evidence only; it does not decide whether an upgrade is safe.

CLI usage: `npx githits@latest pkg upgrade-review <registry>:<package>@<current> --to <target>`

Parameters:

- `registry`: Package registry for single-package mode. Supported registries: npm, pypi, hex, crates, nuget, maven, zig, vcpkg, packagist, rubygems, and go.
- `package_name`: Package name for single-package mode. Scoped names are supported.
- `current_version`: The version you currently use. Tag-style inputs with a leading `v` are rejected.
- `target_version`: The version you want to review. Tag-style inputs with a leading `v` are rejected.
- Batch entries: Batch mode. Each entry includes `registry`, `package_name`, `current_version`, and `target_version`. Mutually exclusive with the single-package fields.
- Transitive vulnerability diff: When true, diffs current vs target transitive vulnerability summaries. Defaults to true; pass false to skip.
- Transitive health diff: When true, diffs current vs target transitive deprecated, outdated, duplicate, and conflict summaries. Defaults to false.
- Minimum direct-advisory severity: low, medium, high, or critical.
- Dependency change examples: Text output only. Includes dependency change examples, including transitive version changes.
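The section above lists the kinds of evidence an upgrade review produces without saying how the pieces fit together. The following added example, which is not githits code, diffs two constructed version snapshots of a hypothetical package and emits only facts (direct advisories fixed or introduced, transitive severity deltas, peer and dependency changes, target deprecation), leaving the safe/unsafe judgement to the caller, as the tool itself does. The snapshot shape, field names, and the function names `review_upgrade` and `diff_map` are assumptions for the illustration.

```python
"""Added example (not githits code): evidence-only upgrade review over constructed
current/target snapshots. Snapshot shape and names are hypothetical."""
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed snapshots for a hypothetical package at two versions.
CURRENT = {
    "version": "4.17.1",
    "direct_advisories": {"OSV-EXAMPLE-0001": "high", "OSV-EXAMPLE-0002": "low"},
    "transitive_vulns": {"critical": 0, "high": 2, "medium": 1, "low": 3},
    "transitive_health": {"deprecated": 1, "outdated": 4, "duplicate": 2, "conflict": 0},
    "deprecated": False,
    "peer_deps": {"node": ">=10"},
    "deps": {"lib-a": "2.0.0", "lib-b": "1.1.0"},
}
TARGET = {
    "version": "4.18.0",
    "direct_advisories": {"OSV-EXAMPLE-0003": "medium"},
    "transitive_vulns": {"critical": 0, "high": 0, "medium": 1, "low": 1},
    "transitive_health": {"deprecated": 0, "outdated": 1, "duplicate": 2, "conflict": 1},
    "deprecated": False,
    "peer_deps": {"node": ">=12"},
    "deps": {"lib-a": "2.1.0", "lib-c": "3.0.0"},
}


def diff_map(before, after):
    """Added/removed/changed keys between two name->spec maps."""
    return {
        "added": {k: after[k] for k in after if k not in before},
        "removed": {k: before[k] for k in before if k not in after},
        "changed": {k: (before[k], after[k]) for k in before
                    if k in after and before[k] != after[k]},
    }


def review_upgrade(current, target, *, min_severity=None,
                   include_transitive_vulns=True, include_transitive_health=False):
    """Return evidence only; no safe/unsafe verdict is made here."""
    for v in (current["version"], target["version"]):
        if v.startswith("v"):
            raise ValueError(f"tag-style version {v!r} rejected")
    if min_severity is not None and min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {min_severity!r}")

    def keep(sev):
        # Direct-advisory floor: unassigned severity ranks below 'low'.
        return min_severity is None or SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[min_severity]

    cur = {k for k, s in current["direct_advisories"].items() if keep(s)}
    tgt = {k for k, s in target["direct_advisories"].items() if keep(s)}
    evidence = {
        "direct_vulns": {"fixed": sorted(cur - tgt),
                         "introduced": sorted(tgt - cur),
                         "unchanged": sorted(cur & tgt)},
        "target_deprecated": target["deprecated"],
        "peer_changes": diff_map(current["peer_deps"], target["peer_deps"]),
        "dependency_changes": diff_map(current["deps"], target["deps"]),
    }
    if include_transitive_vulns:
        evidence["transitive_vulns_delta"] = {
            sev: target["transitive_vulns"][sev] - current["transitive_vulns"][sev]
            for sev in SEVERITY_RANK}
    if include_transitive_health:
        evidence["transitive_health_delta"] = {
            k: target["transitive_health"][k] - current["transitive_health"][k]
            for k in current["transitive_health"]}
    return evidence


if __name__ == "__main__":
    import json
    print(json.dumps(review_upgrade(CURRENT, TARGET, include_transitive_health=True), indent=2))
```

Note what the evidence deliberately does not say: a negative `high` delta and a new `conflict` in the target are both just facts, and whether the peer-dependency bump to `node >=12` is acceptable depends on the consumer, not the tool.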
## MCP tool reference

| MCP tool | CLI command | Purpose |
|---|---|---|
| pkg_info | `npx githits@latest pkg info <registry>:<package>` | Version, license, popularity, downloads, vulnerability status |
| pkg_vulns | `npx githits@latest pkg vulns <registry>:<package>` | CVE/OSV advisories with severity filtering and upgrade paths |
| pkg_deps | `npx githits@latest pkg deps <registry>:<package>` | Direct and transitive dependency graph |
| pkg_changelog | `npx githits@latest pkg changelog <registry>:<package>` | Release notes, newest-first, with range queries for upgrade review |
| pkg_upgrade_review | `npx githits@latest pkg upgrade-review <registry>:<package>@<current> --to <target>` | Current-vs-target upgrade evidence without assigning risk |