The package inspection tools give your agent immediate access to structured metadata about any dependency without leaving the coding session. Instead of switching to a browser or running registry lookups manually, your agent can call these tools directly to triage a package, check documentation context, review vulnerabilities, understand dependencies, and inspect upgrade changes. All four tools are available as MCP tools and as subcommands under npx githits@latest pkg.
Package inspection supports 11 registries: npm, PyPI, Hex, Crates, vcpkg, Zig, NuGet, Maven, Packagist, RubyGems, and Go. Vulnerability data is unavailable for vcpkg and Zig. Dependency data supports npm, PyPI, Hex, Crates, Zig, vcpkg, RubyGems, and Go.
pkg_info returns a quick triage summary for any package: the latest version, license, repository popularity, download volume, publish age, and vulnerability status. Pass verbose: true to add GitHub language breakdown, topics, last-pushed date, recent advisories, and recent changes.
CLI usage
npx githits@latest pkg info npm:express
npx githits@latest pkg info pypi:requests --verbose
npx githits@latest pkg info crates:serde
Parameters
registry (string, required): The package registry. One of: npm, pypi, hex, crates, vcpkg, zig, nuget, maven, packagist, rubygems, go.
package_name (string, required): The package name. Scoped names are supported (e.g., @types/node).
verbose (boolean): When true, adds GitHub language/topics/last-pushed, recent advisories, and recent changes to the text output. Has no effect when format: "json" is set.
Example
npx githits@latest pkg info npm:express
Returns: version, license (MIT), description, GitHub stars/forks/open issues, weekly downloads, publish age, and a compact vulnerability status line.
pkg_vulns fetches CVE and OSV security advisories for a package or a specific pinned version. It returns a count summary, each advisory with its OSV ID, severity, affected version ranges, and fix versions. Malicious-package advisories appear in a separate bucket.
CLI usage
npx githits@latest pkg vulns npm:lodash
npx githits@latest pkg vulns npm:lodash@4.17.20 --severity high
npx githits@latest pkg vulns pypi:pillow --verbose
Parameters
registry (string, required): Package registry. Vulnerability data is unavailable for vcpkg and Zig.
package_name (string, required): Package name (scoped names supported).
version (string): Specific version to check. Defaults to latest when omitted.
min_severity (string): Filter to advisories at or above this level: low, medium, high, or critical. Omit to include all advisories, including those with no assigned severity.
include_withdrawn (boolean): When true, includes retracted advisories. Defaults to false.
advisory_scope (string): Which advisories to return: affected (default, only advisories that affect the inspected version), non_affecting (historical advisories that do not affect this version), or all (both affected and historical). Counts always include affected/non-affecting/all totals.
verbose (boolean): When true, shows every advisory with full detail rows in text output. format: "json" always returns the complete structured envelope regardless of this setting.
Example
npx githits@latest pkg vulns npm:lodash@4.17.20 --severity high
Returns: a severity-filtered advisory list with OSV IDs, affected ranges, and recommended fix versions or upgrade paths when available.
Default text output caps advisory rows for readability. Use --verbose to see every advisory or --format json for the complete structured envelope.
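Because vulnerability data is unavailable for vcpkg and Zig, and an omitted version means "latest", a batch check should record which dependencies were never actually covered instead of treating them as clean. The following is an added example, not GitHits code: parseSpec and planVulnChecks are hypothetical helpers, the zig package name is constructed, and it assumes scoped names follow the same <registry>:<package>@<version> shape as the CLI examples above.

```javascript
// Registry identifiers as listed for the registry parameter on this page.
const REGISTRIES = ["npm", "pypi", "hex", "crates", "vcpkg", "zig",
                    "nuget", "maven", "packagist", "rubygems", "go"];
// Registries for which the page says vulnerability data is unavailable.
const NO_VULN_DATA = new Set(["vcpkg", "zig"]);

// Split "<registry>:<package>[@<version>]". A leading "@" belongs to a
// scoped name (e.g. @types/node), so only a later "@" starts the version.
function parseSpec(spec) {
  const colon = spec.indexOf(":");
  if (colon < 1) throw new Error(`missing registry in "${spec}"`);
  const registry = spec.slice(0, colon);
  if (!REGISTRIES.includes(registry)) throw new Error(`unknown registry "${registry}"`);
  const rest = spec.slice(colon + 1);
  const at = rest.lastIndexOf("@");
  const name = at > 0 ? rest.slice(0, at) : rest;
  const version = at > 0 ? rest.slice(at + 1) : null;
  if (!name) throw new Error(`missing package name in "${spec}"`);
  return { registry, name, version };
}

// Build one argv array per checkable dependency (to be run with npx, no
// shell string building) and list the ones that need separate handling.
function planVulnChecks(specs, minSeverity) {
  const plan = { commands: [], uncovered: [], unpinned: [] };
  for (const spec of specs) {
    const parsed = parseSpec(spec);
    if (NO_VULN_DATA.has(parsed.registry)) {
      plan.uncovered.push(spec); // no advisory data: not the same as "no advisories"
      continue;
    }
    if (parsed.version === null) plan.unpinned.push(spec); // checked against latest
    const argv = ["githits@latest", "pkg", "vulns", spec];
    if (minSeverity) argv.push("--severity", minSeverity);
    plan.commands.push(argv);
  }
  return plan;
}

// Constructed sample input.
const samplePlan = planVulnChecks(
  ["npm:lodash@4.17.20", "zig:example-lib", "npm:@types/node"], "high");
console.log(JSON.stringify(samplePlan, null, 2));
```

Entries in uncovered need another advisory source, and entries in unpinned should be re-run with the version from the lockfile so the result reflects what is actually installed.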
pkg_deps lists a package’s direct runtime dependencies with resolved versions. Use the lifecycle parameter to include non-runtime groups (development, peer, optional, build), or pass lifecycle: "all" to see every available group. Enable include_transitive to get the full install footprint, conflict detection, and circular-dependency flags.
CLI usage
npx githits@latest pkg deps npm:express
npx githits@latest pkg deps npm:react --lifecycle all
npx githits@latest pkg deps npm:webpack --include-transitive
Parameters
registry (string, required): Package registry. Dependency data is available on npm, PyPI, Hex, Crates, Zig, vcpkg, RubyGems, and Go.
package_name (string, required): Package name (scoped names supported).
version (string): Specific version to inspect. Defaults to latest. Tag-style inputs with a leading v (e.g., v4.18.0) are rejected — pass the canonical version number (4.18.0).
lifecycle (string): Dependency group breadth. Omit for runtime-only. Use runtime for explicit runtime-only, a concrete non-runtime lifecycle (development, build, peer, optional) to add matching groups, or all for every available group. Accepts a single value, a comma-separated string, or an array. all cannot be combined with other values.
include_transitive (boolean): When true, adds a transitive block with aggregate edge/package counts, the complete install footprint (packages[]), detected conflicts, and circular dependencies. Off by default.
include_importers (boolean): Requires include_transitive: true. When true, each entry in transitive.packages[] also carries an importers array showing every upstream package that pulls it in. Off by default — enabling it roughly quadruples envelope size on heavy graphs.
max_depth (number): Cap the transitive traversal at this depth (1–10). Requires include_transitive: true. Omit to get the full graph.
Example
npx githits@latest pkg deps npm:express --lifecycle all
Returns: runtime, development, and peer dependency groups with resolved versions for each direct dependency.
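The pkg_deps parameters carry several cross-field rules (registry coverage, the leading-v rejection, lifecycle combinations, and the options that require include_transitive). The following is an added example, not GitHits code, that checks an argument object against those documented rules before the tool is called; validateDepsArgs is a hypothetical helper, and the sample calls are constructed.

```javascript
// Registries with dependency data, using the identifiers from the registry parameter.
const DEPS_REGISTRIES = new Set(["npm", "pypi", "hex", "crates", "zig", "vcpkg", "rubygems", "go"]);
const LIFECYCLES = new Set(["runtime", "development", "build", "peer", "optional", "all"]);

// Returns a list of problems; an empty list means the call matches the documented rules.
function validateDepsArgs(args) {
  const errors = [];
  if (!DEPS_REGISTRIES.has(args.registry)) {
    errors.push(`dependency data is not available for registry "${args.registry}"`);
  }
  if (!args.package_name) errors.push("package_name is required");
  if (args.version !== undefined && /^v/.test(args.version)) {
    errors.push(`version "${args.version}" has a leading v; pass ${args.version.slice(1)}`);
  }
  // lifecycle accepts a single value, a comma-separated string, or an array.
  const raw = args.lifecycle === undefined ? [] : [].concat(args.lifecycle);
  const groups = raw.flatMap((v) => String(v).split(",")).map((v) => v.trim());
  for (const g of groups) {
    if (!LIFECYCLES.has(g)) errors.push(`unknown lifecycle "${g}"`);
  }
  if (groups.includes("all") && groups.length > 1) {
    errors.push("lifecycle all cannot be combined with other values");
  }
  // Both options below are documented as requiring include_transitive: true.
  if (args.include_transitive !== true) {
    if (args.include_importers) errors.push("include_importers requires include_transitive: true");
    if (args.max_depth !== undefined) errors.push("max_depth requires include_transitive: true");
  }
  if (args.max_depth !== undefined &&
      (typeof args.max_depth !== "number" || args.max_depth < 1 || args.max_depth > 10)) {
    errors.push("max_depth must be between 1 and 10");
  }
  return errors;
}

// Constructed sample calls.
console.log(validateDepsArgs({ registry: "npm", package_name: "express", version: "v4.18.0" }));
console.log(validateDepsArgs({ registry: "npm", package_name: "react", lifecycle: "all,peer" }));
```

Failing fast here keeps an unsupported registry or a rejected version string from being read as "no dependencies found" during a footprint review.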
pkg_changelog retrieves release notes for a package or GitHub repository, newest-first. By default it returns the ten most recent entries. Use from_version and to_version to fetch every entry in a version range without a count cap.
You can address a package by registry + package name, or directly by a GitHub repository URL when you have the URL but no registry mapping.
CLI usage
npx githits@latest pkg changelog npm:express
npx githits@latest pkg changelog npm:express --limit 5
npx githits@latest pkg changelog npm:express --from 4.18.0 --to 4.19.0
npx githits@latest pkg changelog --repo-url https://github.com/expressjs/express
Parameters
registry (string): Package registry (used with package_name). Mutually exclusive with repo_url.
package_name (string): Package name (used with registry). Mutually exclusive with repo_url.
repo_url (string): GitHub repository URL (e.g., https://github.com/expressjs/express). Mutually exclusive with registry + package_name. Use when you have a repo URL without a registry mapping.
limit (number): Maximum number of entries to return in latest mode (1–50, default 10). Cannot be combined with from_version.
from_version (string): Start of a version range. When set, returns every entry between from_version and to_version (or latest) with no count cap. Tag-style v-prefixed inputs are rejected.
to_version (string): End of the version range or latest-mode cap. Defaults to latest.
include_bodies (boolean): When false, omits body content from each entry — useful when you only need the version / date / URL timeline. Defaults to true.
verbose (boolean): Text output only. Shows full body content for every entry. Mutually exclusive with body_lines.
body_lines (number): Text output only. Number of body lines to preview per entry (1–50, default 10). Mutually exclusive with verbose: true.
Example
npx githits@latest pkg changelog npm:express --limit 3
Returns: the three most recent release entries with version, date, source URL, and a 10-line body preview.

MCP tool reference

| MCP tool | CLI command | Purpose |
| --- | --- | --- |
| pkg_info | npx githits@latest pkg info <registry>:<package> | Version, license, popularity, downloads, vulnerability status |
| pkg_vulns | npx githits@latest pkg vulns <registry>:<package> | CVE/OSV advisories with severity filtering and upgrade paths |
| pkg_deps | npx githits@latest pkg deps <registry>:<package> | Direct and transitive dependency graph |
| pkg_changelog | npx githits@latest pkg changelog <registry>:<package> | Release notes, newest-first, with range queries for upgrade review |