The Package Search tool provides version checking and package information across multiple programming language ecosystems through a single unified interface.
Instead of manually checking different package managers, the Package Search tool lets you query NPM, PyPI, Go modules, Maven, Docker Hub, GitHub Actions, Anthropic Claude models, and more from one place. Perfect for dependency management, security audits, AI model selection, and keeping projects up-to-date.
The Package Search tool supports the following configuration options:
-
PACKAGES_RATE_LIMIT: Maximum HTTP requests per second to package registries- Default:
10 - Description: Controls the rate of HTTP requests to prevent overwhelming package registry APIs
- Example:
PACKAGES_RATE_LIMIT=20allows up to 20 requests per second
- Default:
-
PACKAGE_COOLDOWN_HOURS: Hours to wait before recommending newly published packages- Default:
72(3 days) - Description: Protects against supply chain attacks by avoiding very recently published package versions
- Example:
PACKAGE_COOLDOWN_HOURS=168for 7-day cooldown,PACKAGE_COOLDOWN_HOURS=0to disable
- Default:
-
PACKAGE_COOLDOWN_ECOSYSTEMS: Comma-separated list of ecosystems to apply cooldown to- Default:
npm - Description: Controls which ecosystems have cooldown protection applied
- Example:
PACKAGE_COOLDOWN_ECOSYSTEMS=npm,python,go,rust - Special values:
nonedisables cooldown for all ecosystems
- Default:
The Package Search tool includes an optional "dependency cooldown" feature that helps protect against supply chain attacks. Most supply chain attacks have a short exploitation window (hours to days) before being detected and removed. By waiting a configurable period before recommending newly published versions, you avoid being an early victim.
How it works:
- When a package's latest version was published within the cooldown window (default: 72 hours)
- The tool recommends the most recent version outside the cooldown window instead
- Before recommending that older version, it checks the OSV (Open Source Vulnerabilities) database
- If the cooldown version has known CVEs, the tool bypasses cooldown and recommends the latest version
Response format when cooldown applies:
{
"name": "lodash",
"latestVersion": "4.17.20",
"registry": "npm",
"cooldown": {
"applied": true,
"reason": "Version 4.17.21 published 2 days ago, cooldown requires 72 hours",
"newerVersion": "4.17.21",
"publishedAt": "2025-11-25T10:00:00Z",
"cooldownEndsAt": "2025-11-28T10:00:00Z"
}
}When cooldown is bypassed due to vulnerabilities:
{
"name": "lodash",
"latestVersion": "4.17.21",
"registry": "npm",
"cooldown": {
"applied": false,
"reason": "Cooldown version 4.17.20 has known vulnerabilities"
}
}- Rate Limiting: Configurable request rate limiting protects against overwhelming external package registries
- Input Validation: Comprehensive validation of package names and version constraints
- Error Handling: Graceful handling of network issues and API failures
- Trusted Sources: Only queries well-known, established package registries
| Ecosystem | Package Types | Features |
|---|---|---|
| Anthropic | Claude AI models | All platform IDs (Claude API, AWS Bedrock, GCP Vertex AI), pricing, performance metrics |
| AWS Bedrock | AI/ML models | Model availability and capabilities |
| Docker | Container images | Tag information and registries |
| GitHub Actions | Workflow actions | Action versions and metadata |
| Go | Go modules | Module versions and dependencies |
| Java | Maven & Gradle | Group/artifact resolution |
| NPM | Node.js packages | Version constraints, dependency trees |
| Python | PyPI packages | Requirements.txt and pyproject.toml formats |
| Rust | Rust crates | Module versions, detailed package metadata |
| Swift | Swift Package Manager | Package dependencies |
ecosystem(required): Target ecosystem to searchquery(optional): Package name or search termdata(optional): Structured package data for batch operationsconstraints(optional): Version constraints and filterslimit(optional): Maximum results to returnincludeDetails(optional): Include additional metadata
action: Operation type (list,search,get)query: Model family name (sonnet,haiku,opus), alias (claude-sonnet), or platform-specific ID
data: Object with package names as keys, version constraints as valuesconstraints: Version requirements per package
data: Array of requirement strings or dependency object (pyproject.toml)
registry: Target registry (dockerhub,ghcr,custom)action: Operation type (tags,info)
action: Operation type (list,search,get)
Check all dependencies in a project for outdated versions:
{
"name": "search_packages",
"arguments": {
"ecosystem": "npm",
"data": {
"express": "^4.18.0",
"mongoose": "^6.5.0",
"jsonwebtoken": "^8.5.1"
}
}
}Find latest secure versions for specific packages:
{
"name": "search_packages",
"arguments": {
"ecosystem": "python",
"data": ["requests>=2.28.0", "django>=4.0.0"],
"includeDetails": true
}
}Check availability before major version upgrades:
{
"name": "search_packages",
"arguments": {
"ecosystem": "java-maven",
"query": "org.springframework.boot:spring-boot-starter-web",
"constraints": {
"majorVersion": 3
}
}
}Find latest stable tags for deployment:
{
"name": "search_packages",
"arguments": {
"ecosystem": "docker",
"query": "postgres",
"action": "tags",
"limit": 10
}
}Find the right Claude model for your use case with all platform identifiers:
{
"name": "search_packages",
"arguments": {
"ecosystem": "anthropic",
"query": "haiku"
}
}Response includes Claude API, AWS Bedrock, and GCP Vertex AI identifiers, making it easy to deploy across platforms.
For efficiency, prefer batch operations over individual queries:
Instead of multiple single queries:
// Avoid this approach
{"ecosystem": "npm", "query": "react"}
{"ecosystem": "npm", "query": "lodash"}
{"ecosystem": "npm", "query": "express"}Use batch operations:
{
"name": "search_packages",
"arguments": {
"ecosystem": "npm",
"data": {
"react": "latest",
"lodash": "^4.0.0",
"express": "^4.0.0"
}
}
}{
"package": "lodash",
"latest_version": "4.17.21",
"description": "Lodash modular utilities",
"homepage": "https://lodash.com/",
"license": "MIT",
"published": "2021-02-20T00:00:00Z"
}{
"packages": {
"react": {
"latest_version": "18.2.0",
"requested_version": "^17.0.2",
"status": "outdated"
},
"lodash": {
"latest_version": "4.17.21",
"requested_version": "4.17.21",
"status": "up_to_date"
}
}
}Single Package Query:
{
"name": "search_packages",
"arguments": {
"ecosystem": "npm",
"query": "lodash"
}
}Multiple Packages with Constraints:
{
"name": "search_packages",
"arguments": {
"ecosystem": "npm",
"data": {
"react": "^17.0.2",
"react-dom": "^17.0.2",
"lodash": "4.17.21"
},
"constraints": {
"react": {
"majorVersion": 17
}
}
}
}Single Package:
{
"name": "search_packages",
"arguments": {
"ecosystem": "python",
"query": "requests"
}
}Requirements.txt Format:
{
"name": "search_packages",
"arguments": {
"ecosystem": "python",
"data": [
"requests==2.28.1",
"flask>=2.0.0",
"numpy"
]
}
}pyproject.toml Format:
{
"name": "search_packages",
"arguments": {
"ecosystem": "python-pyproject",
"data": {
"dependencies": {
"requests": "^2.28.1",
"flask": ">=2.0.0"
}
}
}
}{
"name": "search_packages",
"arguments": {
"ecosystem": "go",
"query": "github.com/gin-gonic/gin"
}
}Maven:
{
"name": "search_packages",
"arguments": {
"ecosystem": "java-maven",
"data": [
{
"groupId": "org.springframework.boot",
"artifactId": "spring-boot-starter-web",
"version": "2.7.0"
}
]
}
}Gradle:
{
"name": "search_packages",
"arguments": {
"ecosystem": "java-gradle",
"data": [
{
"configuration": "implementation",
"group": "org.springframework.boot",
"name": "spring-boot-starter-web",
"version": "2.7.0"
}
]
}
}{
"name": "search_packages",
"arguments": {
"ecosystem": "swift",
"data": [
{
"url": "https://github.com/apple/swift-argument-parser",
"version": "1.1.4"
}
],
"constraints": {
"swift-argument-parser": {
"majorVersion": 1
}
}
}
}{
"name": "search_packages",
"arguments": {
"ecosystem": "docker",
"query": "nginx",
"registry": "dockerhub",
"limit": 5,
"includeDetails": true
}
}{
"name": "search_packages",
"arguments": {
"ecosystem": "github-actions",
"query": "actions/checkout@v3",
"includeDetails": true
}
}List All Models:
{
"name": "search_packages",
"arguments": {
"ecosystem": "anthropic",
"action": "list"
}
}Search by Model Family:
{
"name": "search_packages",
"arguments": {
"ecosystem": "anthropic",
"query": "sonnet"
}
}Search with Alias:
{
"name": "search_packages",
"arguments": {
"ecosystem": "anthropic",
"query": "claude-haiku"
}
}Get Specific Model:
{
"name": "search_packages",
"arguments": {
"ecosystem": "anthropic",
"query": "anthropic.claude-sonnet-4-5-20250929-v1:0"
}
}Response includes all platform IDs:
{
"modelName": "Claude Sonnet 4.5",
"claudeApiId": "claude-sonnet-4-5-20250929",
"claudeApiAlias": "claude-sonnet-4-5",
"awsBedrockId": "anthropic.claude-sonnet-4-5-20250929-v1:0",
"gcpVertexAiId": "claude-sonnet-4-5@20250929",
"pricing": "$3 / input MTok $15 / output MTok",
"comparativeLatency": "Fast",
"contextWindow": "200K tokens",
"maxOutput": "64K tokens",
"knowledgeCutoff": "Jan 2025",
"trainingDataCutoff": "Jul 2025",
"modelFamily": "sonnet",
"modelVersion": "4.5"
}List All Models:
{
"name": "search_packages",
"arguments": {
"ecosystem": "bedrock",
"action": "list"
}
}Search for Specific Models:
{
"name": "search_packages",
"arguments": {
"ecosystem": "bedrock",
"action": "search",
"query": "claude"
}
}Basic Query:
{
"name": "search_packages",
"arguments": {
"ecosystem": "rust",
"query": "pps-time"
}
}With Detailed Information:
{
"name": "search_packages",
"arguments": {
"ecosystem": "rust",
"query": "pps-time",
"includeDetails": true
}
}- Use batch operations - More efficient than individual queries
- Specify version constraints - Reduces processing time
- Use appropriate limits - Avoid retrieving unnecessary data
- Cache results - Package versions change infrequently
Common error scenarios and responses:
- Package not found: Clear message with suggested alternatives
- Invalid version format: Validation error with correct format examples
- Network timeouts: Retry suggestions and alternative approaches
- Rate limiting: Information about limits and retry timing
While intended to be activated via a prompt to an agent, below are some example JSON tool calls that can also be used directly or in scripts such as CI/CD pipelines.
Use for automated dependency checking:
# Check for outdated packages
echo '{"ecosystem": "npm", "data": {...}}' | mcp-devtools search_packagesIdentify packages with known vulnerabilities:
{
"name": "search_packages",
"arguments": {
"ecosystem": "python",
"data": ["django==3.1.0", "requests==2.25.0"],
"includeDetails": true
}
}Plan upgrades across multiple ecosystems:
{
"name": "search_packages",
"arguments": {
"ecosystem": "java-maven",
"data": [
{"groupId": "org.springframework", "artifactId": "spring-core"},
{"groupId": "junit", "artifactId": "junit"}
]
}
}For technical implementation details, see the Package Search source documentation.