★ Open-source shim for package installers

refuse.dev

We refuse vulnerable packages so your SHELL doesn't install them — and neither does your agent or your CI.

01 / Pick a backend

refuse needs a server to check packages against. Pick where it lives — you can switch later.

02 / Install the CLI

Same binary on every platform. Wraps npm, pip, cargo, gem, go and 13 other managers.

$ shellmacOS / Linux
curl -fsSL https://raw.githubusercontent.com/RefuseHQ/refuse-cli/main/scripts/install.sh | sh

Wiring it into Claude Code, Cursor, Codex, or any MCP client? Full install docs →

03 / Point it at your backend

One prompt. Paste your key (or your self-host URL). Saves to ~/.refuse/config.yaml.

$ shellrefuse init
$ refuse init
  Server URL [https://mcp.refuse.dev]: ↵
  API key (paste rfs_…, or leave blank for localhost): rfs_••••••••
  ✓ wrote ~/.refuse/config.yaml

Self-host on localhost? Skip init and run refuse config set server_url http://localhost:8080 directly.

04 / Drop the shim into your shell

Every install — typed by you, your agent, or your CI — now routes through refuse before it touches the registry.

$ shellrefuse install
$ refuse install
  installed 18 shims to ~/.refuse/bin
    npm pnpm yarn bun npx pip pip3 uv poetry pipenv
    pdm pipx cargo gem bundle go composer dotnet
  added managed block to ~/.zshrc
  ✓ open a new shell to pick up PATH
  ──────────────────────────────────
$ npm install [email protected]
  ✗ refused [email protected][email protected]

$ npm install next@$(refuse fix npm [email protected])
  ✓ added 1 package — [email protected]

refuse fix prints the suggested safe version to stdout, so the bash substitution $(refuse fix …) pipes it back into the install. The same loop works for pip, cargo, gem, and the rest.

02 / How it works

Three steps. Thirty
seconds.

01

Install the CLI

One command on macOS, Linux, or Windows. The shim wraps npm, pip, cargo, gem, go — every manager you use.

02

Every install is intercepted

Type it, prompt your agent, run CI — every install routes through refuse before it touches the registry.

03

Vulnerable gets refused

CVE-tagged versions blocked with a safe-version suggestion. Clean ones pass through untouched.

01 / Live

Live advisories.

What your agent would have refused today.

11h ago
acme-widget-layout-utilsMAL-2026-5545
Malicious code in acme-widget-layout-utils (PyPI)
Recently found
12h ago
mermaid-v11MAL-2026-5539
Malicious code in mermaid-v11 (npm)
Recently found
12h ago
@entos-ems/xerxes-client-jsMAL-2026-5537
Malicious code in @entos-ems/xerxes-client-js (npm)
Recently found
12h ago
hex-typeMAL-2026-5538
Malicious code in hex-type (npm)
Recently found
14h ago
github.com/juev/nebula-meshCVE-2026-47768
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
Disclosed
16h ago
pdmCVE-2026-47764
PDM wheel installation leads to Path Traversal via overridden write_to_fs
Disclosed
17h ago
@whiskeysockets/baileysCVE-2026-48063
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
New CVE
17h ago
litestarCVE-2026-48060
Litestar has HTML Injection Through its CSRF Token
New CVE
19h ago
github.com/open-telemetry/opentelemetry-operatorCVE-2026-47701
OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth
New CVE
3d ago
CVE-2026-11645
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote...
Active threat
02 / Supported

Every ecosystem
you install from.

Whatever runs the install — you, your agent, or your CI — we check it against 362,000+ known vulnerabilities.

01.A / Languages

Every package manager.

If the package manager pulls it, we know the rules for whether the version is safe.

PyPInpmRubyGemsCargoGoComposerMavenNuGetHexPub
01.B / Containers

Dockerfile dependencies.

apt, apk, and dnf installs inside a Dockerfile get scanned along with any pip/npm/etc. lines.

Docker
01.C / CI

GitHub Actions workflows.

Every action your workflow uses is checked against advisories for that exact ref before it lands.

GitHub Actions
01.D / OS

Linux distros.

Distro-specific advisories, not generic CVE lookup — the comparison rules differ per family.

DebianUbuntuAlpineRed Hat
03 / Most refused

Top packages your agent tries to install.

What each frontier model pinned when asked for “the latest stable secure version”.

model output: 2026-04-30
OSV: live
urllib3safe @ 2.7.0
  • Opus 4.72.5.05
    decompression bomb
  • Sonnet 4.62.2.37
    redirect SSRF
  • GPT-5.52.5.05
    decompression bomb
  • GPT-5.5 Pro2.5.05
    decompression bomb
  • Gemini 3.12.2.27
    redirect SSRF
requestssafe @ 2.34.2
  • Opus 4.72.32.41
    temp-file reuse
  • Sonnet 4.6declined
  • GPT-5.52.32.51
    temp-file reuse
  • GPT-5.5 Pro2.32.51
    temp-file reuse
  • Gemini 3.12.32.32
    .netrc leak
lodashsafe @ 4.18.1
  • Opus 4.74.17.213
    _.template RCE
  • Sonnet 4.64.17.213
    _.template RCE
  • GPT-5.54.17.213
    _.template RCE
  • GPT-5.5 Pro4.17.213
    _.template RCE
  • Gemini 3.14.17.213
    _.template RCE
axiossafe @ 1.17.0
  • Opus 4.71.7.726
    NO_PROXY SSRF
  • Sonnet 4.61.7.926
    NO_PROXY SSRF
  • GPT-5.51.13.224
    NO_PROXY SSRF
  • GPT-5.5 Pro1.13.224
    NO_PROXY SSRF
  • Gemini 3.11.7.926
    NO_PROXY SSRF
nextsafe @ 16.2.9
  • Opus 4.715.5.421
    image-cache DoS
  • Sonnet 4.614.2.2920
    cache poisoning
  • GPT-5.515.3.124
    middleware SSRF
  • GPT-5.5 Pro15.2.324
    middleware SSRF
  • Gemini 3.115.1.624
    KEV-listed RCE
04 / Try it

Run a check without installing.

Type a package, version, ecosystem. Same answer your local shim gets at install time.