Block vulnerable package installs for you and your AI
Refuse sits in front of npm, pip, cargo, gem, go + 13 more package managers and refuses known-vulnerable installs before they hit disk — the moment you (or your coding agent) run them. Also, Open-source, self-hostable, one Docker container.
Hey Product Hunt 👋 I'm the maker.
Most vulnerability scanners tell you a package is bad after it's already on your disk. I wanted something that refuses it at the moment of install — before the install ever runs.
So I built Refuse. A single binary puts itself in front of npm, pip, cargo and ~13 more package managers. You run npm install exactly like always — it checks the package against the live CVE databases first, then either installs it or blocks with the fix:
npm install [email protected]
→ refuse: blocked — CVE-2019-10744 (critical); safe: 4.17.21
The reason it exists: AI coding agents. Claude Code and Cursor run installs from inside a tool call and pin versions from their training data — old versions that have since picked up CVEs. Refuse installs as an agent hook so those installs go through the same gate, with no human-override flag for the agent.
It's open-source (Apache-2.0) and self-hostable — one Docker container, your own CVE backend, no telemetry. Or use the hosted tier if you'd rather not run it.
🔗 https://refuse.dev · https://github.com/RefuseHQ/refu...
Would love your feedback — easiest test is to run it against a lockfile from a project you already have and see what it catches. Happy to answer anything in the comments today.
About Refuse on Product Hunt
“Block vulnerable package installs for you and your AI”
Refuse launched on Product Hunt on June 18th, 2026 and earned 77 upvotes and 2 comments, placing #26 on the daily leaderboard. Refuse sits in front of npm, pip, cargo, gem, go + 13 more package managers and refuses known-vulnerable installs before they hit disk — the moment you (or your coding agent) run them. Also, Open-source, self-hostable, one Docker container.
On the analytics side, Refuse competes within SaaS, Developer Tools and Security — topics that collectively have 561.2k followers on Product Hunt. The dashboard above tracks how Refuse performed against the three products that launched closest to it on the same day.
Who hunted Refuse?
Refuse was hunted by Gokul. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.
For a complete overview of Refuse including community comment highlights and product details, visit the product overview.