refuse.dev
We refuse vulnerable packages so your SHELL doesn't install them — and neither does your agent or your CI.
refuse needs a server to check packages against. Pick where it lives — you can switch later.
Free up to 100k scans /
30 days.
- — Zero infra. Always-up MCP endpoint.
- — Grab a key at app.refuse.dev/sign-up.
- — Upgradeable to higher quota when needed.
One docker run.
$0 forever.
- — ghcr.io/refusehq/refuse:latest
- — SQLite by default, same advisory feed.
- — No data leaves your network.
Same binary on every platform. Wraps npm, pip, cargo, gem, go and 13 other managers.
curl -fsSL https://raw.githubusercontent.com/RefuseHQ/refuse-cli/main/scripts/install.sh | shWiring it into Claude Code, Cursor, Codex, or any MCP client? Full install docs →
One prompt. Paste your key (or your self-host URL). Saves to ~/.refuse/config.yaml.
$ refuse init
Server URL [https://mcp.refuse.dev]: ↵
API key (paste rfs_…, or leave blank for localhost): rfs_••••••••
✓ wrote ~/.refuse/config.yamlSelf-host on localhost? Skip init and run refuse config set server_url http://localhost:8080 directly.
Every install — typed by you, your agent, or your CI — now routes through refuse before it touches the registry.
$ refuse install
installed 18 shims to ~/.refuse/bin
npm pnpm yarn bun npx pip pip3 uv poetry pipenv
pdm pipx cargo gem bundle go composer dotnet
added managed block to ~/.zshrc
✓ open a new shell to pick up PATH
──────────────────────────────────
$ npm install [email protected]
✗ refused [email protected] → [email protected]
$ npm install next@$(refuse fix npm [email protected])
✓ added 1 package — [email protected]refuse fix prints the suggested safe version to stdout, so the bash substitution $(refuse fix …) pipes it back into the install. The same loop works for pip, cargo, gem, and the rest.
Three steps. Thirty
seconds.
Install the CLI
One command on macOS, Linux, or Windows. The shim wraps npm, pip, cargo, gem, go — every manager you use.
Every install is intercepted
Type it, prompt your agent, run CI — every install routes through refuse before it touches the registry.
Vulnerable gets refused
CVE-tagged versions blocked with a safe-version suggestion. Clean ones pass through untouched.
Live advisories.
What your agent would have refused today.
Every ecosystem
you install from.
Whatever runs the install — you, your agent, or your CI — we check it against 362,000+ known vulnerabilities.
Every package manager.
If the package manager pulls it, we know the rules for whether the version is safe.
Dockerfile dependencies.
apt, apk, and dnf installs inside a Dockerfile get scanned along with any pip/npm/etc. lines.
GitHub Actions workflows.
Every action your workflow uses is checked against advisories for that exact ref before it lands.
Linux distros.
Distro-specific advisories, not generic CVE lookup — the comparison rules differ per family.
Top packages your agent tries to install.
What each frontier model pinned when asked for “the latest stable secure version”.
- Opus 4.72.5.05decompression bomb
- Sonnet 4.62.2.37redirect SSRF
- GPT-5.52.5.05decompression bomb
- GPT-5.5 Pro2.5.05decompression bomb
- Gemini 3.12.2.27redirect SSRF
- Opus 4.72.32.41temp-file reuse
- Sonnet 4.6declined
- GPT-5.52.32.51temp-file reuse
- GPT-5.5 Pro2.32.51temp-file reuse
- Gemini 3.12.32.32.netrc leak
- Opus 4.74.17.213_.template RCE
- Sonnet 4.64.17.213_.template RCE
- GPT-5.54.17.213_.template RCE
- GPT-5.5 Pro4.17.213_.template RCE
- Gemini 3.14.17.213_.template RCE
- Opus 4.71.7.726NO_PROXY SSRF
- Sonnet 4.61.7.926NO_PROXY SSRF
- GPT-5.51.13.224NO_PROXY SSRF
- GPT-5.5 Pro1.13.224NO_PROXY SSRF
- Gemini 3.11.7.926NO_PROXY SSRF
- Opus 4.715.5.421image-cache DoS
- Sonnet 4.614.2.2920cache poisoning
- GPT-5.515.3.124middleware SSRF
- GPT-5.5 Pro15.2.324middleware SSRF
- Gemini 3.115.1.624KEV-listed RCE
Run a check without installing.
Type a package, version, ecosystem. Same answer your local shim gets at install time.