Product Thumbnail

Refuse

Block vulnerable package installs for you and your AI

SaaS
Developer Tools
Security
Visit WebsiteSee on Product Hunt

Hunted byGokulGokul

Refuse sits in front of npm, pip, cargo, gem, go + 13 more package managers and refuses known-vulnerable installs before they hit disk — the moment you (or your coding agent) run them. Also, Open-source, self-hostable, one Docker container.

Top comment

Hey Product Hunt 👋 I'm the maker. Most vulnerability scanners tell you a package is bad after it's already on your disk. I wanted something that refuses it at the moment of install — before the install ever runs. So I built Refuse. A single binary puts itself in front of npm, pip, cargo and ~13 more package managers. You run npm install exactly like always — it checks the package against the live CVE databases first, then either installs it or blocks with the fix: npm install [email protected] → refuse: blocked — CVE-2019-10744 (critical); safe: 4.17.21 The reason it exists: AI coding agents. Claude Code and Cursor run installs from inside a tool call and pin versions from their training data — old versions that have since picked up CVEs. Refuse installs as an agent hook so those installs go through the same gate, with no human-override flag for the agent. It's open-source (Apache-2.0) and self-hostable — one Docker container, your own CVE backend, no telemetry. Or use the hosted tier if you'd rather not run it. 🔗 https://refuse.dev · https://github.com/RefuseHQ/refu... Would love your feedback — easiest test is to run it against a lockfile from a project you already have and see what it catches. Happy to answer anything in the comments today.

Comment highlights

Nice launch. The no agent override bit is the right instinct.

I’d want a small receipt when something is blocked or a human overrides it: package, version, CVE/source, who approved, and what changed next. Are overrides repo policy, or an explicit approval event?

About Refuse on Product Hunt

Block vulnerable package installs for you and your AI

Refuse launched on Product Hunt on June 18th, 2026 and earned 77 upvotes and 2 comments, placing #26 on the daily leaderboard. Refuse sits in front of npm, pip, cargo, gem, go + 13 more package managers and refuses known-vulnerable installs before they hit disk — the moment you (or your coding agent) run them. Also, Open-source, self-hostable, one Docker container.

Refuse was featured in SaaS (43k followers), Developer Tools (515.4k followers) and Security (2.7k followers) on Product Hunt. Together, these topics include over 129.1k products, making this a competitive space to launch in.

Who hunted Refuse?

Refuse was hunted by Gokul. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.

Want to see how Refuse stacked up against nearby launches in real time? Check out the live launch dashboard for upvote speed charts, proximity comparisons, and more analytics.