MCP server (Claude / Cursor)
Wire DevUpdate.io into Claude Desktop, Cursor, or any other MCP-compatible client.
The DevUpdate.io MCP server exposes your tracked sources, releases, and lockfile alerts as tools that any Model Context Protocol-compatible client can call. The most common use: ask Claude or Cursor "is this update safe?" and have the model check the actual diff analysis before answering.
What the server gives you #
A handful of read-only tools for the model to call:
list_sources— your tracked sources, with last release and risk band.get_release— full summary, risk score, and breaking-change list for a specific release.list_alerts— open lockfile alerts.search_releases— fuzzy search across release titles and descriptions.
Connecting from Claude Desktop #
Add the server to your claude_desktop_config.json:
{
"mcpServers": {
"devupdate": {
"command": "npx",
"args": ["-y", "@devupdate/mcp-server"],
"env": {
"DEVUPDATE_TOKEN": "<your-token>"
}
}
}
}Get a token from Settings → API tokens. Restart Claude Desktop to pick up the new server. The DevUpdate tools will appear in the tools menu.
Connecting from Cursor #
Cursor's MCP config lives at ~/.cursor/mcp.json with the same shape:
{
"mcpServers": {
"devupdate": {
"command": "npx",
"args": ["-y", "@devupdate/mcp-server"],
"env": {
"DEVUPDATE_TOKEN": "<your-token>"
}
}
}
}Security model #
- The token is read-only at the user level. The MCP server cannot upload lockfiles, add sources, or change billing — only read.
- Each tool call is logged on our side for audit. You can review activity by token from the API tokens page.
- Revoking the token from settings immediately disables the server's access; the client will fail until you provision a fresh token.
A common pattern: ask the model to "check DevUpdate before suggesting
package updates." Configure your AI assistant's system prompt to call
get_release before recommending an upgrade — it'll cite real risk data
instead of guessing.