Hey Product Hunt 👋 I'm the maker. Most vulnerability scanners tell you a package is bad after it's already on your disk. I wanted something that refuses it at the moment of install — before the install ever runs. So I built Refuse. A single binary puts itself in front of npm, pip, cargo and ~13 more package managers. You run npm install exactly like always — it checks the package against the live CVE databases first, then either installs it or blocks with the fix: npm install lodash@4.17.10 → refuse: blocked — CVE-2019-10744 (critical); safe: 4.17.21 The reason it exists: AI coding agents. Claude Code and Cursor run installs from inside a tool call and pin versions from their training data — old versions that have since picked up CVEs. Refuse installs as an agent hook so those installs go through the same gate, with no human-override flag for the agent. It's open-source (Apache-2.0) and self-hostable — one Docker container, your own CVE backend, no telemetry. Or use the hosted tier if you'd rather not run it. 🔗 https://refuse.dev · https://github.com/RefuseHQ/refu... Would love your feedback — easiest test is to run it against a lockfile from a project you already have and see what it catches. Happy to answer anything in the comments today.

Refuse

Block vulnerable package installs for you and your AI

Block vulnerable package installs for you and your AI