zheludov.com:/$ blog nuget-mcp
// 2025-10-05
The open source landscape is changing. More projects are transitioning to commercial models—many rightfully so, as maintainers deserve to profit from their hard work. But keeping track of license changes across dozens of dependencies? That's becoming increasingly difficult. Add to that the need to monitor security vulnerabilities and available updates, and suddenly package management feels like a part-time job.
I recently started tinkering with the Model Context Protocol (MCP) and realized it would be a perfect way to streamline my workflow for NuGet package updates. The built-in NuGet explorer interfaces in most IDEs are frustratingly slow, especially when dealing with multiple packages or private feeds. Why not let an AI agent handle the grunt work?
Managing NuGet packages typically involves:
It's tedious, time-consuming, and easy to procrastinate on—especially the security and licensing checks.
I built a simple MCP server that exposes NuGet package analysis capabilities to AI assistants. Now I can just ask Claude: "Check this solution for package updates and vulnerabilities" and get a comprehensive analysis in seconds.
The server provides two main tools:
analyze_packages
Performs comprehensive package analysis including:
nuget.config
(Azure Artifacts, GitHub Packages, etc.)list_package_sources
Lists all configured NuGet sources from your machine, showing which feeds are enabled and authenticated.
The core functionality is working well. I can analyze packages, check for updates, and get basic vulnerability information. However, the vulnerability scanning still needs work. License change detection also needs refinement. These are features I plan to implement properly in future iterations.
One of the pleasant surprises was discovering how straightforward it is to build MCP servers using the ModelContextProtocol NuGet package. Here's essentially all the code needed to wire up the MCP server:
using Microsoft.Extensions.Hosting;
using ModelContextProtocol.Server;
var builder = Host.CreateApplicationBuilder(args);
// Configure logging to stderr (MCP requirement)
builder.Logging.AddConsole(options =>
{
options.LogToStandardErrorThreshold = LogLevel.Trace;
});
// Register your domain services
builder.Services.AddNuGetExplorerServices();
// Add MCP server with stdio transport and auto-discover tools
builder.Services
.AddMcpServer()
.WithStdioServerTransport()
.WithToolsFromAssembly();
await builder.Build().RunAsync();
Defining tools is equally simple—just attribute your methods:
[McpServerToolType]
public static class NuGetTools
{
[McpServerTool(Name = "analyze_packages")]
[Description("Comprehensive analysis of NuGet packages...")]
public static async Task<string> AnalyzePackages(
IPackageAnalyzer packageAnalyzer,
[Description("Array of packages to analyze")] PackageInput[] packages,
[Description("Target framework (e.g., net8.0)")] string? targetFramework = null,
[Description("Include prerelease versions")] bool includePrerelease = false,
// ... other parameters
CancellationToken cancellationToken = default)
{
var result = await packageAnalyzer.AnalyzePackagesAsync(/* ... */);
return JsonSerializer.Serialize(result);
}
}
The framework handles:
You just write normal C# methods and let the library handle the MCP plumbing.
I installed it in Claude Code using this command (on Windows):
claude mcp add-json nuget-explorer '{"type":"stdio","command":"cmd","args":["/c","dotnet run --project [PATH TO REPOS]/Nuget.Mcp/src/NugetExplorer.Mcp/NugetExplorer.Mcp.csproj --no-build -c Release"],"env":{}}' --scope user
After building the project (dotnet build -c Release
), I can simply ask Claude to check for package updates in any solution, and it uses the MCP tools to analyze the packages, check for vulnerabilities, and report findings—all without leaving my conversation with the AI.
Want to give it a shot? Clone the repository:
https://github.com/alex-zheludov/NugetExplorer.Mcp
Build it, configure it with your AI assistant (Claude Desktop, Claude Code, or GitHub Copilot—see the README for specific instructions), and start delegating your package management tasks to AI.
I'm planning to publish this to the new NuGet MCP feed once it's more mature. That'll make installation even simpler—just a dotnet tool install
away.
I realize this project likely won't gain much traction and official NuGet MCP server will eventually provide all this functionality and more. But that's not really the point.
This has been an excellent learning opportunity. MCP is a genuinely useful protocol for extending AI capabilities with domain-specific tools. The developer experience is solid, the abstractions make sense, and the integration with .NET feels natural.
I'm looking forward to building more MCP servers for other pain points in my development workflow. Sometimes the best way to learn something new is to solve a problem you actually have — even if it's a small one.
Type 'blog' + Enter -- to get a list of my blog posts.