Forem: Vincenzo Rubino

The Hidden Cost of AI Coding Agents: Every Tool Is Fetching the Same Data

Vincenzo Rubino — Mon, 20 Apr 2026 10:00:02 +0000

Claude Code, Cursor, Copilot, Aider, Continue, Windsurf. Before any of them suggests npm install express, they hit the npm registry. Before they suggest pip install django, they hit PyPI. Before they warn about vulnerabilities, they hit OSV.

Millions of agents. The same queries. Over and over.

Something is wrong with this picture.

The Math of Waste

Let's do some napkin math. Claude Code alone has tens of thousands of daily active users. Cursor has a million. Copilot has 15 million paid seats. Add the long tail of smaller agents, CI pipelines, and automated dependency checkers.

Each of these agents, independently:

Queries npm/PyPI/Cargo/Maven/… to verify package existence
Fetches version metadata to avoid hallucinating wrong versions
Checks OSV for vulnerabilities before recommending an install
Re-downloads the same JSON responses, millions of times

The data doesn't change every millisecond. Express 5.2.1's health status is the same whether you ask at 09:00 or 09:05. But every agent asks independently.

This isn't just inefficient. It's:

Wasted bandwidth for public registries (npm serves ~150B downloads/month — a meaningful fraction is just duplicated metadata checks)
Wasted tokens — every LLM re-processes identical JSON responses it could have skipped entirely
Wasted energy — data centers running queries that return the exact same bytes
Rate limiting pressure on the public registries we all depend on

We ran into this ourselves while building an AI agent. We realized we were solving the wrong problem.

The Inversion

What if the answer isn't building another tool that calls the registries, but building shared infrastructure that calls them once?

That's DepScope. Not a product. Not a SaaS. Infrastructure.

The design is simple:

One service fetches package metadata from all major registries
It caches results in Redis (1h TTL for metadata, 6h for vulnerabilities)
It persists everything in PostgreSQL
Any AI agent — or any human — hits one endpoint and gets a structured answer

curl https://depscope.dev/api/check/npm/express

Returns health score, vulnerabilities, latest version, alternatives, and a recommendation — all in one call.

No auth. No API key. No signup. It's a public utility.

What We Actually Index

We indexed 14,744 packages across 17 ecosystems:

Ecosystem	Packages	% with health < 60
npm	8,632	55%
PyPI	3,282	56%
Cargo	1,219	73%
RubyGems	493	71%
Composer	484	25%
NuGet	301	37%
Maven	242	98%
Go	73	68%
Pub, Hex, Swift, CocoaPods, CPAN, Hackage, CRAN, Conda, Homebrew	on-demand

8,334 packages out of 14,744 have a health score below 60/100. That's the data your AI agent is recommending from, except it doesn't know.

143 indexed packages are deprecated but still being suggested by AI agents every day — request, mimic-fn, path-is-absolute, read-pkg-up, camel-case. Ring a bell?

The Real Numbers Behind "Free"

People ask why this is free. The honest answer: it's cheaper to run it once for everyone than to have millions of agents doing the same thing.

A single VM with 4GB of RAM serves the entire platform. Redis eats the repeat queries. PostgreSQL keeps the history. The actual cost scales with how many unique packages get queried, not with how many agents query them.

The marginal cost of serving the 1,000,000th request for express is zero.

So yes — free. No rate limit on cached data. No paywall on security info. No premium tier for "advanced features" that should be table stakes.

How to Use It (Seriously, It's One Line)

Whatever AI coding agent you're using, add this once. You never have to think about it again.

Claude Code — in CLAUDE.md:

## DEPSCOPE — Before any install: curl depscope.dev/api/check/{eco}/{pkg}

Cursor — in .cursorrules:

Before any install: curl depscope.dev/api/check/{eco}/{pkg} — no auth, free

Windsurf — in .windsurfrules:

Before any install: curl depscope.dev/api/check/{eco}/{pkg}

Copilot — in .github/copilot-instructions.md:

Before any install: curl depscope.dev/api/check/{eco}/{pkg} — free, no auth

ChatGPT — search "DepScope" in the GPT Store.

Any agent with HTTP access:

curl https://depscope.dev/api/check/npm/express

That's it. Your agent now verifies packages before suggesting installs. No hallucinated versions. No deprecated libraries. No surprise vulnerabilities.

What It Returns

{
  "package": "express",
  "ecosystem": "npm",
  "latest_version": "5.2.1",
  "health": {
    "score": 85,
    "risk": "low",
    "breakdown": {
      "maintenance": 25,
      "security": 25,
      "popularity": 20,
      "maturity": 15,
      "community": 10
    }
  },
  "vulnerabilities": { "count": 0 },
  "recommendation": {
    "action": "safe_to_use",
    "summary": "express@5.2.1 is safe to use (health: 85/100)"
  }
}

One request. Full picture. Cached in 50ms.

Side Effects That Matter

The security angle is real — 402 vulnerabilities tracked, with filtering to show only those affecting the latest version (Django went from 272 historical "vulnerabilities" to the 1 that actually matters today).

But the real story is systemic: when one cache serves every agent, we stop hammering the public registries we all depend on. Fewer calls to npm. Fewer calls to PyPI. Less wasted data center compute. Less energy. Fewer tokens burned by agents processing duplicate JSON.

It's the most boring optimization possible. It's also the one nobody was doing.

Other Endpoints Worth Knowing

LLM-optimized plain text — save ~74% tokens vs JSON when an agent reads the result:

curl https://depscope.dev/api/prompt/npm/express

Public trending — what the ecosystem is actually installing right now:

curl https://depscope.dev/api/trending

Compare packages — rank them side by side:

curl https://depscope.dev/api/compare/npm/express,fastify,hono

Find alternatives when something's deprecated:

curl https://depscope.dev/api/alternatives/npm/request
# Returns: axios, got, node-fetch

Scan a project — POST your package.json deps:

curl -X POST https://depscope.dev/api/scan \
  -H "Content-Type: application/json" \
  -d '{"ecosystem":"npm","packages":{"express":"*","lodash":"*"}}'

Just the health score (fast):

curl https://depscope.dev/api/health/npm/react

Beyond package health

In the last few days DepScope expanded from pure package health into adjacent verticals, still on the same free API and the same shared-infrastructure philosophy:

Error → Fix Database — POST a stack trace or error snippet to /api/error/resolve and get verified solutions with package+version context. No more agents re-searching the same ERR_PACKAGE_PATH_NOT_EXPORTED for the millionth time.
Compatibility Matrix — /api/compat returns whether Next 16 + React 19 + Prisma 6 is a verified combo before you attempt the upgrade. Every agent that suggests a bump should hit this first.
Known Bugs per version — /api/bugs/{ecosystem}/{package} returns non-CVE known issues affecting specific versions (regressions, production incidents, edge cases). The stuff that never reaches an advisory but still breaks your build.

All three share the same infrastructure principle: cache the answer once, serve every agent. Same endpoint convention, same free tier, same 200 req/min, no auth.

Three verticals, one API. That's 12 MCP tools now covering package health, error resolution, and stack compatibility — so your AI agent has the full picture before it types install.

What you can do now

If you use an AI coding agent: copy one line into your config. Done.

If you build an AI agent or an IDE with AI features: integrate DepScope instead of hitting registries directly. Your users get faster responses, you save infrastructure cost, and you stop contributing to the problem.

If you run a public registry: we'd love to hear from you. Fewer redundant calls = less load for you.

It's not complicated. It's shared infrastructure. The oldest idea on the internet.

Try It

Website: depscope.dev
API Docs: depscope.dev/api-docs
OpenAPI: depscope.dev/openapi.json
MCP Server (12 tools): npm install -g depscope-mcp
RapidAPI: available on the hub

# Try it right now
curl https://depscope.dev/api/check/npm/express

Open Source

DepScope is MIT-licensed. Source, issues, and contributions welcome:

Repo: github.com/cuttalo/depscope
GitHub Action (audit deps on push/PR):

- uses: cuttalo/depscope@main
  with:
    ecosystem: npm

Security disclosure: depscope.dev/security/disclosure

Built with FastAPI + PostgreSQL + Redis by Cuttalo srl. Feedback at depscope@cuttalo.com.

The State of Package Health: Weekly Report #002

Vincenzo Rubino — Mon, 20 Apr 2026 08:00:02 +0000

The State of Package Health — Weekly Report #002

Snapshot date: 2026-04-20. Index: 22,588 packages, 632 vulnerabilities tracked.

Health distribution

Bucket	Count
Critical (< 40)	3,564
Poor (40–59)	9,388
Fair (60–79)	7,229
Good (80+)	2,389
Unknown/unscored	18

Popular packages with open vulnerabilities

82 packages with >1M weekly downloads have at least one tracked advisory.

Ecosystem	Package	Vulns	Weekly downloads
npm	`next`	42	34,757,357
npm	`angular`	9	524,838
conda	`numpy`	8	425,437
pypi	`lmdb`	5	893,100
pypi	`paddlepaddle`	5	370,918
pypi	`vllm`	4	3,139,157
pypi	`composio-core`	4	102,346
pypi	`Pillow`	3	108,511,966
pypi	`pillow`	3	108,511,966
conda	`pillow`	3	235,364
cargo	`rust-crypto`	3	216,521
pypi	`pip`	2	128,105,971
npm	`react`	2	125,187,902
npm	`eslint-plugin-prettier`	2	27,258,312
pypi	`ujson`	2	21,698,954

Zombie packages (deprecated, still installed)

82 deprecated packages with >1M weekly downloads — combined downloads: 941,010,272/week.

Package	Weekly downloads	Why it's deprecated
`mimic-fn`	104,431,747	Renamed to mimic-function
`pkg-dir`	78,705,523	Renamed to `package-directory`.
`path-is-absolute`	76,082,652	This package is no longer relevant as Node.js 0.12 is unmaintained.
`find-cache-dir`	42,672,386	Renamed to `find-cache-directory`.
`@types/uuid`	37,184,147	This is a stub types definition. uuid provides its own type definitions, so you do not need this installed.
`read-pkg-up`	36,291,504	Renamed to read-package-up
`node-domexception`	35,298,273	Use your platform's native DOMException instead
`no-case`	34,918,820	Use `change-case`
`p-finally`	29,798,243	Deprecated
`camel-case`	28,182,607	Use `change-case`
`param-case`	27,221,685	Use `change-case`
`pascal-case`	24,504,886	Use `change-case`
`os-tmpdir`	24,464,495	This is not needed anymore. `require('os').tmpdir()` in Node.js 4 and up is good.
`snake-case`	20,292,295	Use `change-case`
`lodash.isequal`	19,136,778	This package is deprecated. Use require('node:util').isDeepStrictEqual instead.

Worst health scores among popular packages

Package	Health	Weekly downloads
`angular` (npm)	8	524,838
`level-concat-iterator` (npm)	16	571,283
`user-home` (npm)	17	2,683,639
`trim-right` (npm)	17	3,089,154
`crypto` (npm)	17	1,537,680
`bin-version-check` (npm)	20	4,092,095
`path-is-absolute` (npm)	20	76,082,652
`scmp` (npm)	20	3,755,528
`yaeti` (npm)	20	1,263,002
`p-finally` (npm)	20	29,798,243

Ecosystem comparison (avg health)

Ecosystem	Packages	Avg health	Deprecated
conda	127	69.3	0
pub	169	68.0	2
composer	912	64.2	25
npm	11,831	60.5	203
pypi	3,482	57.8	5
nuget	715	56.1	23
rubygems	1,263	54.7	0
cargo	1,272	49.6	41
hex	302	48.5	69
go	422	46.5	1
maven	502	42.3	0
cran	309	42.0	0
cpan	477	41.0	0
cocoapods	139	40.7	0
hackage	300	39.7	0
swift	58	33.7	2
homebrew	290	31.1	2

Breaking changes in popular packages

ansi-styles (npm) 3.0.0 → 4.0.0 breaking — Add bright black color (#49) fb5b656
ansi-styles (npm) 3.0.0 → 4.0.0 breaking — Require Node.js 8 aa974fb
ansi-styles (npm) unknown → 3.0.0 breaking — ansiStyles.colors
ansi-styles (npm) unknown → 3.0.0 breaking — ansiStyles.modifiers
ansi-styles (npm) unknown → 3.0.0 breaking — ansiStyles.bgColors
debug (npm) 4.0.0 → 3.2.3 removed — > 3.2.3 is DEPRECATED. See https://github.com/visionmedia/debug/issues/603#issuecomment-420237335 for details.

This release mitigated the breaking changes introduced in `3.2

ms (npm) 0.7.3 → 1.0.0 breaking — More suitable name for file containing tests: ee91f307a8dc3581ebdad614ec0533ddb3d8bf56
ms (npm) 0.7.3 → 1.0.0 breaking — Test on LTS version of Node: c9b1fd319f0f9198d85ecf4ba83e46cc1216be04
ms (npm) 0.7.3 → 1.0.0 removed — Removed browser testing: e818c3581aca3119c00d81901bfe8fe653bcfda4
ms (npm) 0.7.3 → 1.0.0 breaking — Use prettier and eslint: 57b3ef8e3423cae6254f94c5564a11b4492cff43

Try it yourself

bash curl -s https://depscope.dev/api/check/npm/next | jq '.health_score' curl -s https://depscope.dev/api/check/pypi/pydantic | jq '.deprecated'

Your AI coding agent is suggesting packages from 2024 — the fix is a shared API

Vincenzo Rubino — Thu, 16 Apr 2026 00:23:30 +0000

AI coding agents — Claude, Cursor, ChatGPT, Copilot, Aider — recommend npm / PyPI / Cargo packages to millions of developers every day.

Three things are broken at the same time.

1. Tokens burned at scale

Every time your agent decides which package to install, it fetches raw registry JSON. For express@5.2.1 that's about 3 KB of keys the model mostly ignores: file hashes, nested maintainer metadata, deprecated publish configs, download counts from 2019, the schema versions of fields nobody uses.

Your LLM pays for every one of those tokens as input, on every install decision, across every parallel session. Multiply by millions of AI-assisted developers and the model waste is enormous — plus the downstream energy cost on the compute side.

2. The model is suggesting packages from months ago

Training cutoff was 6-12 months before the answer.

Recent CVEs are invisible (XZ backdoor, Log4Shell-class issues post-cutoff).
Deprecated libraries still get recommended with enthusiasm (request, left-pad@0.x, ...).
Sometimes the model hallucinates a package name that never existed in a registry.

Every npm install based on a stale AI suggestion is a blind supply-chain bet.

3. There's no shared layer

Claude, Cursor, ChatGPT and Copilot each fetch the same metadata from the same public registries independently. Billions of redundant calls a day, hammering registry.npmjs.org, pypi.org, crates.io with the same questions over and over.

No shared cache. No shared source of truth. Each agent re-invents the lookup every time.

DepScope: the shared layer

DepScope is a single API that AI coding agents query before suggesting a package install. Open infrastructure, MIT, EU-hosted.

Three things it does:

A compact, token-efficient response

curl https://depscope.dev/api/prompt/npm/express

Returns a short natural-language string:

express@5.2.1 is safe_to_use. Health 85/100 (risk: low).
0 known vulnerabilities on the latest version.
11.2M weekly downloads. Published 2 weeks ago by a maintainer
with 47 other npm packages. Alternatives: fastify, hono, koa.

Roughly 74% smaller payload than raw registry JSON for the same install decision. Fewer tokens burned per query, no pre-processing the model has to do to extract the signal.

Live OSV + GitHub Advisory Database

CVEs are looked up in real time against OSV.dev and the GitHub Advisory Database, then filtered to show only vulnerabilities affecting the current release. Django has 272 historical vulnerability records on OSV; DepScope shows the one that actually applies to 5.2.4.

No stale training data, no false positives from long-patched CVEs.

17 ecosystems in one endpoint

npm, pypi, cargo, go, maven, nuget, rubygems, composer, pub, hex, swift, cocoapods, cpan, hackage, cran, conda, homebrew.

One API, one MCP server, one GitHub Action — covers the ecosystems your agent will realistically encounter.

Add it to your agent

Claude Code

Drop in CLAUDE.md:

## DEPSCOPE — before suggesting any package install
Before recommending any package, call:
  curl https://depscope.dev/api/prompt/{ecosystem}/{package}

Use the returned health/CVE/deprecation info to decide.
No auth, 200 req/min, 17 ecosystems.

Cursor / Windsurf

In .cursorrules or .windsurfrules:

Before recommending or installing any package, call:
curl https://depscope.dev/api/prompt/{ecosystem}/{package}
Use the returned data to validate the suggestion.

MCP (Claude Desktop, Cursor, Windsurf)

npm install -g depscope-mcp

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["depscope-mcp"]
    }
  }
}

14 tools auto-registered. Your agent will call check_package, get_vulnerabilities, find_alternatives, resolve_error and others automatically when making install decisions.

CI (GitHub Actions)

- uses: cuttalo/depscope@main
  with:
    ecosystem: npm

Audits your project's dependencies on every push / PR.

Any agent via HTTP

curl https://depscope.dev/api/prompt/pypi/django
curl https://depscope.dev/api/vulns/cargo/tokio
curl https://depscope.dev/api/alternatives/npm/request
curl -X POST https://depscope.dev/api/scan -d '{"ecosystem":"npm","packages":{"express":"*","lodash":"*"}}'

Open infrastructure

Package intelligence is infrastructure, not a premium product. It should exist once, for everyone, not be reinvented by every single AI coding agent session.

Website: depscope.dev
Agent setup: depscope.dev/agent-setup — copy-paste snippets for every major agent
API docs: depscope.dev/api-docs
OpenAPI: depscope.dev/openapi.json
MCP server: npm install -g depscope-mcp
Source: github.com/cuttalo/depscope — MIT

Built with FastAPI + PostgreSQL 17 + Redis. Hosted in the EU by Cuttalo srl. Feedback at depscope@cuttalo.com.