Impact-Site-Verification: 41b53a0c-6d04-458b-a457-fe9e29acde1a

Developer ToolsSaaSDeveloper ToolsSecurity·

Refuse

Block vulnerable package installs for you and your AI

Refuse

What it does

Refuse is an open-source shim that sits in front of 21 package managers (npm, pip, cargo, gem, go, and more) and blocks known-vulnerable package installs before they hit disk. It intercepts install commands at the shell level, checks the package version against a database of 362,000+ advisories, and refuses the install if a vulnerability is found — suggesting a safe version instead. It works whether you type the command, your coding agent runs it, or your CI pipeline executes it.

Refuse can be used as a hosted SaaS (free up to 100k scans per 30 days) or self-hosted via a single Docker container (Apache-2.0, no key required). The CLI installs shims that wrap each package manager, and a refuse fix command prints the suggested safe version for easy substitution.

Who it is for

Refuse is designed for developers, DevOps engineers, and security teams who want to prevent vulnerable dependencies from entering their projects. It is especially relevant for teams using AI coding agents (like Claude Code, Cursor, Codex) that may automatically install packages, as well as for CI/CD pipelines where manual review is impractical. The tool supports individual developers (via shell shims) and organizations (via self-hosted backend).

Why it matters

Supply-chain attacks and known vulnerabilities in dependencies are a leading cause of security breaches. Traditional vulnerability scanning happens after install — during a build or audit — by which time the vulnerable code is already on disk and may have executed. Refuse shifts left by blocking the install at the moment it is attempted, preventing the vulnerability from ever entering the environment. This is especially critical for AI agents that may pin vulnerable versions (as shown in Refuse's live comparison of model outputs). The tool also provides a live advisories feed and a playground to test packages without installing.

Launch signal

Refuse launched on Product Hunt on the day of this profile. The website is live at refuse.dev with a working SaaS backend, self-host option, CLI install scripts, and documentation. The founder is listed as Gokul. The project is open-source under Apache-2.0 and available on GitHub under RefuseHQ.

Brand and naming

The name "Refuse" is a double entendre: it literally refuses vulnerable packages, and it evokes the idea of rejecting waste (vulnerable code). The tagline "Block vulnerable package installs for you and your AI" clearly communicates the value proposition. The branding is developer-focused, with a clean, technical aesthetic and a strong emphasis on open-source and self-hosting. The logo and website use a simple, modern design that conveys security and reliability.

Founder

Gokul

Get more like this in our weekly newsletter.