All notable changes to CVE Lite CLI will be documented in this file.
- `--sarif` can now be combined with `--report` to write both a SARIF file and an HTML report in one scan; useful for CI pipelines that upload to GitHub Code Scanning and also attach an HTML artifact for human review (#681)
- Fix commands now include the `-D` flag for dev dependencies (`npm install -D`, `pnpm add -D`, `yarn add -D`, `bun add --dev`); mixed dev/prod batches are split into separate commands (#689, #690)
- GitHub Action now installs cve-lite-cli via `npm install --prefix` and appends the bin dir to `$GITHUB_PATH`, fixing `cve-lite: not found` errors on npm 10.x runners where npx cannot resolve a binary name different from the package name (#691, #692)
- Upgrade jest to 30.4.1; add `.cve-lite/baseline.json` to suppress unfixable `js-yaml@3.14.2` transitive dev dep (GHSA-h67p-54hq-rp68) (#693, #694)
- Socket CLI comparison expanded with structured sections and concrete examples (#655)
- npm lockfile graph construction reduced from O(E*V) to O(E) using Set accumulators for edge lists (#652)
- npm lockfile graph nodes and arrays pre-frozen at construction time; redundant uniquePathArrays removed (#654)
- Remediation package lookup replaced with Map for O(1) access (#653)
- Four new case studies: Strapi (Yarn Berry, 2,887 packages), Twenty (Yarn Berry, 5,451 packages), Presenton (dual npm lockfiles), Payload CMS (pnpm, 2,602 packages) (#593, #594, #595, #638)
- OWASP Lab Project status reflected across all project docs: README, CONTRIBUTING, comparison page, case studies index, and press page (#673)
- SARIF, CycloneDX, and HTML reporter file-write cleanup refactored for clarity; test spy coverage refined (#637)
- Case study contribution scope clarified in CONTRIBUTING: contributors submit case-study files only, shared index files maintained by maintainer (#649)
- Graded output for MAL- advisories from git sources: terminal shows `⚠ Git source (SHA-pinned)` or `⚠ Git source (floating ref)` with the resolved URL; HTML report shows an orange badge; `isGitSource()` and `hasCommitShaPinning()` detection functions (#618)
- `multiple-versions-same-pkg` and `git-source-mal` example fixtures
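The grading above separates a git-sourced package whose ref can move from one pinned to a commit. The following is an added example, not the project's own `isGitSource()` / `hasCommitShaPinning()`; the set of URL prefixes it recognises and the rule that only a full 40-hex SHA counts as pinned are assumptions made for this example.

```typescript
// Added example (not CVE Lite CLI's own implementation): grade the
// "resolved" value of a lockfile entry so a MAL- advisory on a git-sourced
// package can be shown as SHA-pinned (reproducible) or floating (the ref
// can move without the lockfile changing).

export type GitSourceGrade = 'sha-pinned' | 'floating' | null;

// Resolved values that point at a git repository rather than a registry
// tarball. The prefixes are the common npm/yarn forms (assumption).
export function isGitSource(resolved: string): boolean {
  return /^(git\+|git:|github:|gitlab:|bitbucket:)/i.test(resolved)
    || /^https?:\/\/(github|gitlab|bitbucket)\.(com|org)\/[^/]+\/[^/#]+\.git/i.test(resolved)
    || /^ssh:\/\/git@/i.test(resolved);
}

// Pinned only when the fragment after '#' is a full commit SHA.
// Tags and branch names are floating refs.
export function hasCommitShaPinning(resolved: string): boolean {
  const hash = resolved.indexOf('#');
  if (hash < 0) return false;
  return /^[0-9a-f]{40}$/i.test(resolved.slice(hash + 1));
}

export function gradeGitSource(resolved: string): GitSourceGrade {
  if (!isGitSource(resolved)) return null;
  return hasCommitShaPinning(resolved) ? 'sha-pinned' : 'floating';
}

// Terminal label in the form the changelog entry describes; null for
// registry packages so callers can print nothing.
export function gitSourceLabel(resolved: string): string | null {
  const grade = gradeGitSource(resolved);
  if (grade === null) return null;
  return grade === 'sha-pinned'
    ? `⚠ Git source (SHA-pinned) ${resolved}`
    : `⚠ Git source (floating ref) ${resolved}`;
}
```

A floating ref is the risky case for a malicious-package advisory: the lockfile does not change when the upstream branch does, so the scan result for that entry says little about what an install will fetch tomorrow.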
- Error handling and cleanup for SARIF, CycloneDX, and HTML report file writes; pre-existing directories preserved on write failure (#628)
- Duplicate `db.close()` call removed from the osv-sync catch block that could mask the original error (#629)
- CVE detail fetches now run concurrently via `runWithConcurrency` instead of serially — 2.2x faster on cold cache for large lockfiles (#645)
- Packument cache pre-warmed before the transitive remediation loop to eliminate serial npm registry round-trips (#645)
- Dev dependency labelling: terminal output and HTML report now show `direct · dev` / `transitive · dev` for findings from devDependencies; Yarn Classic and Berry parsers updated to detect dev status (#578)
- `yarn-within-range` and `dev-only-finding` example fixtures for regression testing (#537, #613)
- Private registry detection (`⚠ Unverifiable (private source)`) now works for pnpm (legacy and v9), Yarn Classic, and Bun lockfiles — previously only npm was supported (#616)
- Ratcheting mode: `--ratchet` saves current findings as `.cve-lite/baseline.json`; subsequent scans auto-suppress known findings and only report new ones above the baseline
- Dedicated ratcheting mode page at `/docs/ratcheting`
- MAL- advisory handling and unverifiable private source findings documented in how-remediation-works
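The ratcheting entries above describe a baseline file that later scans compare against. The block below is an added example of that comparison, not CVE Lite CLI's own `--ratchet` code or its baseline format; the `Finding` shape, the key used to match a finding across scans, and the sample data are assumptions made for this example (the js-yaml advisory id is the one mentioned earlier in this file; the lodash one is a constructed placeholder).

```typescript
// Added example (not the project's implementation) of ratcheting:
// snapshot accepted findings, then report only what is new.

export interface Finding {
  package: string;
  version: string;
  advisoryId: string;   // GHSA / CVE / MAL identifier
  severity: 'critical' | 'high' | 'medium' | 'low' | 'unknown';
}

export interface Baseline {
  createdAt: string;    // ISO timestamp
  findings: string[];   // finding keys, see findingKey()
}

// Same package, same installed version, same advisory = same finding.
// Including the version means an upgrade that is still vulnerable is
// reported again instead of staying silently suppressed.
export function findingKey(f: Finding): string {
  return `${f.package}@${f.version}|${f.advisoryId}`;
}

// --ratchet: record the current findings as the accepted baseline.
export function createBaseline(findings: Finding[], now: Date = new Date()): Baseline {
  const unique = new Set<string>();
  findings.forEach((f) => unique.add(findingKey(f)));
  return { createdAt: now.toISOString(), findings: Array.from(unique).sort() };
}

// Later scans: split findings into new (above the baseline) and
// suppressed (in the baseline). Baseline keys that no longer occur are
// returned as resolved so the baseline can be tightened; the ratchet
// only ever moves toward fewer accepted findings.
export function applyBaseline(
  baseline: Baseline,
  findings: Finding[],
): { newFindings: Finding[]; suppressed: Finding[]; resolved: string[] } {
  const known = new Set<string>(baseline.findings);
  const seen = new Set<string>();
  const newFindings: Finding[] = [];
  const suppressed: Finding[] = [];
  for (const f of findings) {
    const key = findingKey(f);
    seen.add(key);
    if (known.has(key)) suppressed.push(f);
    else newFindings.push(f);
  }
  const resolved = baseline.findings.filter((k) => !seen.has(k));
  return { newFindings, suppressed, resolved };
}

// Constructed sample: baseline taken when js-yaml was the only accepted
// finding, then a later scan that also hits a (placeholder) lodash advisory.
export const sampleBaseline: Baseline = createBaseline([
  { package: 'js-yaml', version: '3.14.2', advisoryId: 'GHSA-h67p-54hq-rp68', severity: 'medium' },
]);

export const sampleScan: Finding[] = [
  { package: 'js-yaml', version: '3.14.2', advisoryId: 'GHSA-h67p-54hq-rp68', severity: 'medium' },
  { package: 'lodash', version: '4.17.15', advisoryId: 'GHSA-PLACEHOLDER-0001', severity: 'high' },
];
```

The design choice worth noting is that suppression is keyed on the advisory, not on the package: a second advisory against an already-baselined package is still new and still fails the scan.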
- `--create-pr` flag: after `--fix`, commits lockfile changes and opens a GitHub PR via `gh` with a descriptive title listing the upgraded packages and vulnerability count (#518)
- `--base <branch>` flag to set the base branch for `--create-pr` (default: main)
- `bun-within-range` fixture: Bun parser updated to reconstruct transitive paths from package relationships; within-range remediation now works for Bun lockfiles (#562)
- `pnpm-within-range`, `deep-chain-no-fix`, `pnpm-aliased-chain` regression fixtures (#557, #558, #559)
- CamoFox Browser case study demonstrating dual-remediation narrative (#556)
- `mal-private-registry` example fixture demonstrating unverifiable MAL- output for private registry packages (#588)
- Yarn Classic parser now reconstructs full transitive dependency paths using a BFS graph walk; within-range resolver now correctly suggests `yarn upgrade <pkg>` for deep chains (#576)
- MAL- advisories for packages resolved from a private registry now surface as "Unverifiable (private source)" instead of a false-positive "Malicious" finding (#588)
- Transitive vulnerability findings now correctly classified as transitive when the same package is also installed as a direct dependency at a different version. Previously `uuid@8.3.2` (transitive) was classified as `direct` because `uuid@14.0.0` was in `package.json`, generating a wrong `npm install` command.
- Skip reason version hint now uses the validated fix version consistently with the findings table, eliminating discrepancies between the two.
- `--help` output no longer repeats the tool name and version already shown in the banner.
- Skipped findings in verbose terminal output now show the advisory version with a gray `⊘` suffix instead of the full green version, signalling it is a hint only. A note below the table points to `--report` for detailed skip reasons.
- HTML report findings table: `⊘ Skipped (N)` filter button added (only shown when there are skipped findings). Fixed column shows a `⊘` icon with tooltip for skipped findings.
- HTML report: findings section top margin fixed, scan notes moved to the bottom after all important sections.
- Scan notes: removed outdated MVP language.
- Nested lockfile informational message moved from warnings (yellow) to notes (gray).
- Added How Remediation Works page with Mermaid dependency tree diagrams and tabbed package manager commands.
- Added usage examples to `--help` output.
- 7 new case studies: Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n.
- Community contributors section added to README.
- Gatsby case study added with verified baseline scan of a Yarn Classic lockfile snapshot (`examples/gatsby/`, 3,568 packages, 128 findings at revision `1f38c85`), including CVE Lite CLI vs `yarn audit` comparison.
- Examples readme, docs sidebar, case studies index, and README updated to reference the Gatsby fixture and case study.
- Vercel AI SDK case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/vercel-ai-sdk/`, 3,570 packages, 55 findings at revision `3215032`), including CVE Lite CLI vs `pnpm audit` comparison.
- Mastra case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/mastra/`, 4,555 packages, 64 findings at revision `e9d54b2`), including CVE Lite CLI vs `pnpm audit` comparison.
- Lit case study added with verified baseline scan of an npm workspaces lockfile snapshot (`examples/lit/`, 2,059 packages, 99 findings at revision `20afabd`), including CVE Lite CLI vs `npm audit` comparison.
- LangChain.js case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/langchainjs/`, 2,174 packages, 13 findings at revision `1503c9b`), including CVE Lite CLI vs `pnpm audit` comparison and lean-graph triage narrative.
- OpenAI Agents SDK (JavaScript) case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/openai-agents-js/`, 1,683 packages, 31 findings at revision `f76fc19`), including all-transitive parent-tracing narrative and CVE Lite CLI vs `pnpm audit` comparison.
- n8n case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/n8n/`, 3,746 packages, 32 findings at revision `e2e0394`), including CVE Lite CLI vs `pnpm audit` comparison.
- CamoFox Browser case study added with verified baseline scan of an npm lockfile snapshot (`examples/camofox-browser/`, 435 packages, 2 findings at revision `ce3a3b0`), including within-range vs parent-upgrade `qs` remediation narrative and CVE Lite CLI vs `npm audit` comparison.
- Within-range transitive fix now detected for dependency chains deeper than 2 levels: when the immediate parent's declared range already covers a safe version of the vulnerable package, CVE Lite now suggests a lockfile refresh (`npm update <package>`) instead of an incorrect best-effort parent upgrade. Adds `examples/wrong-parent/` as a reproducible fixture for this class of bug.
- Multi-folder scan for monorepos without a root lockfile: when `cve-lite .` is run from a directory with no lockfile but two or more lockfiles in subfolders, the scanner automatically switches to multi-folder mode. Each subfolder is scanned independently, findings and fix commands are grouped per subfolder in terminal output, a single HTML report is generated with collapsible per-folder sections, and `--json` output includes a `subfolder` field on each finding.
- `isNewer` update check now correctly parses pre-release version strings (e.g. `1.19.0-alpha.1`) by stripping the pre-release suffix before comparison, preventing alpha users from seeing a false "downgrade available" prompt.
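An added example of the comparison the entry above describes; this is not the project's own `isNewer`, and the handling of a leading `v` and of build metadata after `+` are assumptions beyond what the entry states.

```typescript
// Added example (not the project's implementation): compare versions
// on their numeric major.minor.patch core only, so a pre-release suffix
// like "-alpha.1" cannot turn a comparison into NaN or a false downgrade.

// Strip "v", build metadata (+sha) and the pre-release suffix, then
// parse the numeric core. Missing or non-numeric parts become 0.
export function coreVersion(v: string): [number, number, number] {
  const core = v.replace(/^v/, '').split('+')[0].split('-')[0];
  const n = core.split('.').map((p) => parseInt(p, 10));
  return [n[0] || 0, n[1] || 0, n[2] || 0];
}

// 1 when a > b, -1 when a < b, 0 when the cores are equal.
export function compareCore(a: string, b: string): number {
  const x = coreVersion(a);
  const y = coreVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i] ? 1 : -1;
  }
  return 0;
}

// True when `latest` is strictly newer than `current`. A user on
// 1.19.0-alpha.1 is therefore not prompted about 1.18.x, and a release
// with the same core as their pre-release is not reported as newer.
export function isNewer(current: string, latest: string): boolean {
  return compareCore(latest, current) > 0;
}
```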
- `--debug` flag writes a timestamped JSONL log file alongside the scan with network requests, cache hits, and runtime events; a single stderr line identifies the log file path.
- Unknown-severity findings no longer silently dropped from compact and verbose terminal output; compact mode now shows all direct unknown findings regardless of how many critical/high findings are present.
- pnpm v9 aliased dependencies (where the lockfile dep name differs from the real package name, e.g. `'@remix-run/dev': '@vercel/remix-run-dev@1.16.1'`) now resolve correctly through the transitive graph. Five downstream bugs fixed: wrong direct-install commands for unresolvable findings, missing parent upgrade suggestions for deep chains, blank context column for covered findings, and reason text being overwritten by lower-severity findings.
- Spinner completion lines (`✓ Loaded package matches from cache`, etc.) no longer printed to stdout in `--json` mode.
- Offline advisory database errors now include a sync hint (`cve-lite advisories sync`) to guide users to resolution.
- SARIF output no longer includes empty `artifactChanges` arrays in fix objects, which caused GitHub Code Scanning to reject uploaded results.
- Case studies index page added to resolve a Docusaurus build break.
- CI workflow now declares explicit `permissions: contents: read`, matching the least-privilege stance already in place on all other workflows.
- Unit tests added for `src/cli/validate.ts` covering all flag-conflict validation branches.
- Visual Studio Code case study with verified baseline scan of a root npm lockfile snapshot (`examples/vscode/`, 1,374 packages, 9 findings at revision `bc678ca`), including CVE Lite CLI vs `npm audit` comparison.
- Storybook case study with verified baseline scan of a Yarn Berry monorepo lockfile snapshot (`examples/storybook/`, 3,008 packages, 92 findings at revision `cc19ae1`), including CVE Lite CLI vs `yarn npm audit` comparison.
- Help Net Security monthly roundup (May 2026) added to press coverage.
- Case studies navbar link added to website.
- Corporate SSL proxy support: `--ca-cert <path>` flag passes a PEM CA certificate for a single scan or advisory sync; `cve-lite config set ca-cert <path>` saves the path persistently in `~/.cve-lite-cli/config.json` so every future invocation uses it automatically; `cve-lite config show` and `cve-lite config unset ca-cert` manage the saved value. The cert is validated as a readable PEM file before saving. GitHub Action gains a matching `ca-cert` input.
- Workspace-scoped direct fix commands for monorepos: when scanning an npm, pnpm, yarn, or bun workspace project, direct dependency upgrade commands now include the appropriate workspace flag (`npm install -w <workspace>`, `pnpm add --filter ./path`, `yarn workspace <name> add`, `bun add --filter <name>`) so the install targets the correct workspace scope rather than the project root.
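The workspace entry above and the earlier `-D` dev-dependency entry both change how install commands are assembled. The following is an added example that builds commands along those lines; it is not the project's `buildFixCommandParts`, and the `FixTarget` shape, the grouping rule (one command per workspace and dependency kind) and the sample targets are assumptions made for this example.

```typescript
// Added example (not the project's implementation): assemble per-package-
// manager install commands, splitting dev from prod targets and scoping
// each command to the workspace its target lives in.

export type PackageManager = 'npm' | 'pnpm' | 'yarn' | 'bun';

export interface FixTarget {
  name: string;
  targetVersion: string;
  dev: boolean;
  workspace?: string;   // workspace name, or path for pnpm (assumed shape)
}

// Install verb, workspace flag and dev flag per package manager, using
// the flag forms listed in the changelog entries.
function commandPrefix(pm: PackageManager, dev: boolean, workspace?: string): string[] {
  const devFlag = pm === 'bun' ? '--dev' : '-D';
  const devPart = dev ? [devFlag] : [];
  if (pm === 'npm') return ['npm', 'install', ...(workspace ? ['-w', workspace] : []), ...devPart];
  if (pm === 'pnpm') return ['pnpm', 'add', ...(workspace ? ['--filter', workspace] : []), ...devPart];
  if (pm === 'yarn') {
    return workspace
      ? ['yarn', 'workspace', workspace, 'add', ...devPart]
      : ['yarn', 'add', ...devPart];
  }
  return ['bun', 'add', ...(workspace ? ['--filter', workspace] : []), ...devPart];
}

// Group targets by (workspace, dev/prod) so a single command never mixes
// scopes or dependency kinds, then emit one command per group in the
// order the groups were first seen.
export function buildFixCommands(pm: PackageManager, targets: FixTarget[]): string[] {
  const groups = new Map<string, FixTarget[]>();
  for (const t of targets) {
    const key = `${t.workspace ?? ''}|${t.dev ? 'dev' : 'prod'}`;
    const list = groups.get(key);
    if (list) list.push(t);
    else groups.set(key, [t]);
  }
  const commands: string[] = [];
  groups.forEach((list) => {
    const first = list[0];
    const specs = list.map((t) => `${t.name}@${t.targetVersion}`);
    commands.push([...commandPrefix(pm, first.dev, first.workspace), ...specs].join(' '));
  });
  return commands;
}

// Constructed sample: a prod and a dev target at the root, plus a prod
// target inside a workspace.
export const sampleTargets: FixTarget[] = [
  { name: 'lodash', targetVersion: '4.17.21', dev: false },
  { name: 'js-yaml', targetVersion: '4.1.0', dev: true },
  { name: 'qs', targetVersion: '6.11.0', dev: false, workspace: 'packages/api' },
];
```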
- Extracted all fix execution logic from `src/index.ts` into `src/utils/fix-runner.ts`: `applyFixesIfRequested`, `FixExecutionResult`, `printFixModeSummary` join the previously extracted `buildFixCommandParts`, `runInstallCommand`, and `commandLabelForPackageManager`.
- Extracted `pluralize` utility to `src/utils/string.ts`, eliminating repeated count ternaries across 9 files.
- New Corporate SSL Proxy guide covering one-time config setup, per-invocation flag, cert export from IT/keychain/browser, and air-gapped advisory sync fallback.
- CLI reference updated with a Network/SSL section and `config` subcommand docs.
- Troubleshooting page updated with an SSL certificate errors entry.
- Expanded CONTRIBUTING.md with code quality standards and file-size guidelines.
- Astro pnpm monorepo case study with verified baseline scan and CVE Lite vs pnpm audit comparison.
- Added Medium dedicated review and Hexaxia Labs integration post to press page, README, and homepage.
- Refreshed homepage press bar with new outlets and "View all press coverage" link.
- Turborepo case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/turborepo/`, 1,776 packages, 13 findings at revision `c85d410`), including CVE Lite CLI vs `pnpm audit` comparison.
- Examples readme, docs sidebar, and README updated to reference the Turborepo fixture and case study.
- Show targeted retry and offline hints for OSV 429 rate-limit and 5xx server error responses.
- Emit lockfile-refresh fix commands for pnpm (`pnpm update`), yarn (`yarn upgrade`), and bun (`bun update`) when the parent's declared range already covers the fixed transitive dependency version.
- Added package manager hint to `--fix` command failure errors.
- Workspace-scoped lockfile-refresh commands now generated for pnpm, yarn, and bun when the parent's declared range already covers the safe transitive version; lockfile-refresh targets appear in their own fix-plan sections rather than mixed with direct-fix targets; fix coverage count ("Running these commands should fix X of Y findings") added to both terminal and HTML output; "within current range" label renamed to "lockfile refresh" with context strings rewritten to plainly state the parent already permits the safe child version.
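The lockfile-refresh entries in this file (the within-range detection for deep chains, the pnpm/yarn/bun refresh commands, and the workspace-scoped variant just above) all hinge on one question: does the parent's declared range already admit the safe child version? The block below is an added example of that decision, not the project's resolver. It handles only caret, tilde and exact ranges; the range grammar, the `RefreshDecision` shape, and the workspace-scoped command syntax for each package manager are assumptions made for this example.

```typescript
// Added example (not the project's implementation): decide between a
// lockfile refresh and a parent upgrade for a vulnerable transitive
// package, and emit the refresh command for the package manager in use.

export type Pm = 'npm' | 'pnpm' | 'yarn' | 'bun';

function parseCore(v: string): [number, number, number] {
  const n = v.replace(/^v/, '').split('-')[0].split('.').map((p) => parseInt(p, 10));
  return [n[0] || 0, n[1] || 0, n[2] || 0];
}

function cmpCore(a: [number, number, number], b: [number, number, number]): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i] ? 1 : -1;
  return 0;
}

// Minimal range check: "^x.y.z", "~x.y.z" or an exact "x.y.z" (assumption:
// the real resolver handles the full semver grammar).
export function satisfies(version: string, range: string): boolean {
  const v = parseCore(version);
  const op = range.charAt(0) === '^' || range.charAt(0) === '~' ? range.charAt(0) : '';
  const base = parseCore(op ? range.slice(1) : range);
  if (cmpCore(v, base) < 0) return false;          // below the floor
  if (op === '') return cmpCore(v, base) === 0;     // exact pin
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  // caret: same major, except that 0.x ranges are locked to the minor
  if (base[0] !== 0) return v[0] === base[0];
  return v[0] === 0 && v[1] === base[1];
}

export interface RefreshDecision {
  kind: 'lockfile-refresh' | 'parent-upgrade';
  command: string | null;   // null when the parent itself must move and no target is known here
}

const refreshVerb: Record<Pm, string> = {
  npm: 'npm update',
  pnpm: 'pnpm update',
  yarn: 'yarn upgrade',
  bun: 'bun update',
};

export function decideTransitiveFix(
  pm: Pm,
  child: string,
  parentDeclaredRange: string,
  safeChildVersion: string,
  workspace?: string,
): RefreshDecision {
  if (!satisfies(safeChildVersion, parentDeclaredRange)) {
    // The parent's own manifest excludes the safe child; only a newer
    // parent (validated against its published manifests) can fix this.
    return { kind: 'parent-upgrade', command: null };
  }
  // The parent already permits the safe child; only the lockfile pins the
  // old one, so refreshing that single package is enough.
  let command: string;
  if (pm === 'yarn' && workspace) command = `yarn workspace ${workspace} upgrade ${child}`;
  else if (pm === 'npm' && workspace) command = `${refreshVerb[pm]} -w ${workspace} ${child}`;
  else if (workspace) command = `${refreshVerb[pm]} --filter ${workspace} ${child}`;
  else command = `${refreshVerb[pm]} ${child}`;
  return { kind: 'lockfile-refresh', command };
}
```

The practitioner's check here is the one the earlier `examples/wrong-parent/` entry is about: if the refresh path is taken when the range does not actually admit the safe version, the command runs cleanly and changes nothing, and the finding survives the rescan.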
- Unified excluded directory list for `--usage` source scanning with the shared `EXCLUDED_DIRS` constant.
- Extracted `formatAdvisoryDbFreshness` and `relativeAge` from `src/index.ts` into `src/utils/time.ts`.
- Extracted CLI flag validation from `src/index.ts` into `src/cli/validate.ts`.
- Extracted `formatAdvisorySourceLine` to `src/output/formatters.ts` and `countBySeverity` to `src/utils/severity.ts`.
- Extracted package.json / workspace reading helpers from `src/index.ts` into `src/utils/package-json.ts`.
- Extracted `DEFAULT_BATCH_SIZE` and `DEFAULT_SEARCH_DEPTH` magic numbers to named constants in `src/constants.ts`.
- SSL certificate errors from corporate proxy inspection now reliably show actionable `NODE_EXTRA_CA_CERTS` and `NODE_TLS_REJECT_UNAUTHORIZED=0` guidance by checking Node.js error codes and walking the error cause chain, rather than string matching on the top-level message.
- SSL certificate errors from corporate proxy inspection now show a clear, actionable message with `NODE_EXTRA_CA_CERTS` and `NODE_TLS_REJECT_UNAUTHORIZED=0` workarounds instead of a raw Node.js TLS error.
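The first entry above replaces message matching with error-code checks along the cause chain, which matters because `fetch` in Node 18+ wraps the socket error in a `TypeError` whose message is only "fetch failed". The block below is an added example of that walk, not the project's error handling. The OpenSSL/Node error codes listed are real codes Node attaches to TLS failures; the constructed error shape, the choice of which codes count as certificate problems, and the guidance text are assumptions made for this example.

```typescript
// Added example (not the project's implementation): classify a TLS
// failure by error code, following err.cause as far as it goes, and
// produce guidance instead of a raw Node.js TLS error.

// Codes Node.js/OpenSSL report when the peer certificate chain cannot be
// verified, which is what a TLS-inspecting corporate proxy looks like to
// a client that does not trust the proxy's CA (set membership is an assumption).
const CERT_ERROR_CODES = new Set<string>([
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
  'CERT_HAS_EXPIRED',
  'ERR_TLS_CERT_ALTNAME_INVALID',
]);

// Walk err -> err.cause -> ... and return the first certificate error
// code found, or null. The depth cap guards against a cyclic cause chain.
export function findCertErrorCode(err: unknown, maxDepth = 10): string | null {
  let current: unknown = err;
  for (let depth = 0; depth < maxDepth && current !== null && typeof current === 'object'; depth++) {
    const code = (current as { code?: unknown }).code;
    if (typeof code === 'string' && CERT_ERROR_CODES.has(code)) return code;
    current = (current as { cause?: unknown }).cause;
  }
  return null;
}

// Guidance shown to the user when a certificate error is detected; null
// for every other error so callers fall back to their normal handling.
export function sslGuidance(err: unknown, caCertFlag = '--ca-cert <path>'): string | null {
  const code = findCertErrorCode(err);
  if (code === null) return null;
  return [
    `TLS certificate error (${code}). If a corporate proxy inspects TLS on this network:`,
    `  - pass the proxy's CA for this run with ${caCertFlag}, or`,
    `  - trust it for all Node.js tools with NODE_EXTRA_CA_CERTS=/path/to/proxy-ca.pem`,
  ].join('\n');
}

// Constructed error shaped like a Node 18+ fetch failure: the useful code
// sits one level down the cause chain and is absent from the top message.
export function sampleFetchFailure(): Error {
  const socketError = Object.assign(new Error('unable to get local issuer certificate'), {
    code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  });
  return Object.assign(new Error('fetch failed'), { cause: socketError });
}
```

Matching on the code rather than the message also keeps the detection stable across Node versions and locales, where the wording of the top-level error is not guaranteed.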
- Validated fix version now shown in the finding line and verbose table instead of the raw OSV hint, preventing confusing downgrade suggestions.
- Malicious advisory findings (`MAL-*`) now surface a clear removal message across all output modes: inline hint in compact, `⚠ Malicious` badge and removal legend in verbose, and `⚠ Malicious` badge with tooltip in the HTML report.
- CVE count now shown alongside package count in all output modes: terminal summary reads `✗ Found 26 packages (35 CVEs)`, compact output reads `26 packages · 35 CVEs`, verbose quick-take reads `35 CVEs matched overall`, and the HTML report gains a dedicated CVEs severity card alongside the Packages card.
- npm-shrinkwrap.json support: the scanner now detects and parses `npm-shrinkwrap.json` with correct precedence over `package-lock.json` when both are present.
- `security-events: write` permission added to the self-scan CI job so SARIF uploads succeed.
- Getting Started page title shortened and added to top nav.
- Ghost CMS case study added with full Before/After fix journey.
- Socket CLI comparison expanded with structured sections.
- README: strengthened hero differentiators, unique combination claim, and OWASP threading; added package manager logos section; added Press section with Help Net Security and Development Curated coverage.
- Website homepage: added "As seen in" press bar with Help Net Security and Development Curated logos.
- How It Works: added Vulnerability Data Sources section; removed redundant network-privacy doc.
- `--cdx` flag writes a CycloneDX 1.4 JSON SBOM (`cve-lite-scan-<timestamp>.cdx.json`) to the current directory. The SBOM includes all lockfile packages as components — not just vulnerable ones — making it suitable as a compliance artifact even on a clean scan. Vulnerability data is attached for any CVE findings, deduplicated by CVE ID with multiple `affects` references when the same CVE affects more than one package. Runnable fix commands are included as recommendations when available.
- GitHub Action gains a `cdx` input (default `"false"`) to enable CycloneDX SBOM output from the Action.
- Self-scan CI workflow now generates a SARIF file and uploads findings to GitHub Code Scanning via `github/codeql-action/upload-sarif`.
- `--sarif` and `--cdx` now suppress terminal table output, matching the behaviour of `--json`. Running any export flag shows only the spinner progress and the saved file path. Use `--verbose` alongside an export flag to restore full terminal output.
- Output file writing (JSON, SARIF, CycloneDX) extracted from `index.ts` into a dedicated `write-outputs.ts` dispatcher module, keeping `index.ts` lean as new export formats are added.
- GitHub Action now exposes `--usage`, `--only-used`, `--sarif`, and `--no-cache` inputs. The `no-cache` input defaults to `true` in CI since runners are ephemeral.
- `--sarif` flag writes a SARIF 2.1.0 file to the current directory for upload to GitHub Code Scanning. One result per CVE, rules deduplicated, severity mapped to SARIF levels.
- `--json` output is now saved to a timestamped file (`cve-lite-scan-YYYY-MM-DDTHH-MM-SS.json`) in the current directory, keeping stdout free for human-readable messages. The banner and spinner are no longer suppressed in `--json` mode. Advisory source and offline mode lines no longer appear in `--json` stdout.
- New `install-skill` subcommand writes AI assistant skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot into the current project directory. Append-style files (`AGENTS.md`, `GEMINI.md`, `.github/copilot-instructions.md`) are created if missing, appended to if no CVE Lite section exists, or replaced in place if a section already exists — running the command twice is safe. Commit the generated files to share the context with your team.
- Transitive parent-upgrade guidance now marks commands as path-specific when they only cover a subset of a vulnerable package's dependency paths. Covered and remaining paths are exposed in JSON; terminal output and HTML report show the same partial-path note.
- pnpm lockfile traversal now preserves multiple dependency paths for repeated package versions instead of stopping after the first matching key. Path count and depth caps bound the traversal to avoid runaway graph walks.
- Dedicated caching guide added covering the 30-minute TTL, false negative risk window, and `--no-cache` flag behavior.
- `--no-cache` flag forces a fresh OSV query for all packages in a single scan, bypassing the `queryEntries` cache while still writing results back so subsequent runs benefit from caching as normal. Mutually exclusive with `--offline` and `--offline-db`.
- Transitive context column added to the HTML report findings table, showing the dependency path from each vulnerable transitive package back to a direct dependency.
- Transitive findings in terminal output now show a ⚠ no-fix indicator when no safe upgrade is available, distinguishing unfixable transitive issues from ones that can be resolved.
- `queryEntries` cache now expires after 30 minutes. Previously, a clean result (no vulnerabilities) was cached indefinitely, meaning a package that acquired a new CVE after the initial scan would be silently missed on all subsequent scans until the cache was manually deleted. All entries — both clean and non-empty — are now re-queried after 30 minutes. Existing v2 cache files are migrated automatically and treated as stale on first run.
- OSV batch queries now run in parallel with a concurrency cap of 5, reducing cold scan time from ~14s to ~7.5s on large lockfiles (~1700 packages).
- Cache file format bumped from v2 to v3. `queryEntries` values now store `{ vulnIds, cachedAt }` instead of a bare `string[]`. v2 files are migrated transparently on load.
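The two cache entries above describe a format change and an expiry rule that exist for a security reason: an indefinitely cached empty result hides every advisory published after the first query. The block below is an added example of the v2 to v3 migration and the 30-minute staleness check, not the project's cache code; the file shapes, the key format, and the decision to stamp migrated entries with `cachedAt: 0` are assumptions made for this example.

```typescript
// Added example (not the project's implementation): migrate the
// queryEntries map from v2 (bare string[]) to v3 ({ vulnIds, cachedAt })
// and expire every entry, clean or not, after 30 minutes.

export const CACHE_TTL_MS = 30 * 60 * 1000;

export interface QueryEntryV3 {
  vulnIds: string[];
  cachedAt: number;   // epoch milliseconds
}

export interface CacheFileV2 {
  version: 2;
  queryEntries: Record<string, string[]>;
}

export interface CacheFileV3 {
  version: 3;
  queryEntries: Record<string, QueryEntryV3>;
}

// v2 entries carry no timestamp, so they are given cachedAt = 0: expired
// immediately and re-queried on the next scan. That is what closes the
// window for clean results cached before a CVE was published.
export function migrateCache(file: CacheFileV2 | CacheFileV3): CacheFileV3 {
  if (file.version === 3) return file;
  const queryEntries: Record<string, QueryEntryV3> = {};
  for (const key of Object.keys(file.queryEntries)) {
    queryEntries[key] = { vulnIds: file.queryEntries[key], cachedAt: 0 };
  }
  return { version: 3, queryEntries };
}

export function isFresh(entry: QueryEntryV3, now: number): boolean {
  return now - entry.cachedAt < CACHE_TTL_MS;
}

// Split a scan's lookups into cache hits and keys that must go to OSV.
// An empty vulnIds array is a hit only while it is fresh.
export function partitionLookups(
  cache: CacheFileV3,
  keys: string[],
  now: number,
): { hits: Record<string, string[]>; toQuery: string[] } {
  const hits: Record<string, string[]> = {};
  const toQuery: string[] = [];
  for (const key of keys) {
    const entry = cache.queryEntries[key];
    if (entry && isFresh(entry, now)) hits[key] = entry.vulnIds;
    else toQuery.push(key);
  }
  return { hits, toQuery };
}

// Constructed v2 sample: one non-empty entry (placeholder advisory id)
// and one clean entry.
export const sampleV2: CacheFileV2 = {
  version: 2,
  queryEntries: {
    'lodash@4.17.15': ['GHSA-PLACEHOLDER-0001'],
    'left-pad@1.3.0': [],
  },
};
```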
- Yarn Berry (v2+) lockfile support. The parser now detects the `__metadata:` block and routes to a dedicated Berry parser that extracts packages from `resolution:` fields. Non-npm resolutions (workspace, patch, file) are skipped automatically. Yarn 1 behavior is unchanged.
- Curated in-repo vulnerable example fixtures under `examples/` for contributor testing, covering direct-fixable, transitive-path-high, transitive-only, direct-and-transitive, npm workspace, yarn-berry, and a documentation-site project. A readme documents each fixture's purpose, package manager, and scan command.
- New CLI Reference documentation page listing every flag with defaults, descriptions, examples, and mutual-exclusion notes.
- BFS path-expansion loop in npm lockfile graph traversal no longer hangs on lockfiles with cyclic or fan-in dependency graphs. Added `MAX_PATH_DEPTH = 10` to cap path length and replaced `O(n)` `queue.shift()` with an index-based `O(1)` dequeue, eliminating unbounded array allocation and GC pressure that caused 100% CPU hangs on moderately sized lockfiles.
- npm transitive parent chain reconstruction now correctly resolves hoisted packages back to their logical parent using the lockfile dependency declarations.
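An added example of the path-expansion walk with the two fixes named above (a `MAX_PATH_DEPTH` cap and an index-based dequeue); it is not the project's traversal code. The graph representation, the per-path cycle check, and the `maxPaths` bound are assumptions made for this example.

```typescript
// Added example (not the project's implementation): enumerate dependency
// paths from a root to a vulnerable package without hanging on cycles or
// fan-in, and without the O(n) cost of Array.prototype.shift().

export const MAX_PATH_DEPTH = 10;

export type DepGraph = Record<string, string[]>;   // parent -> children

// Every path from `root` to `target` as a list of package names, shortest
// first (BFS order), bounded by MAX_PATH_DEPTH edges and maxPaths results.
export function findPaths(graph: DepGraph, root: string, target: string, maxPaths = 100): string[][] {
  const found: string[][] = [];
  const queue: string[][] = [[root]];
  let head = 0;   // index-based dequeue: queue[head++] is O(1), shift() is O(n)
  while (head < queue.length && found.length < maxPaths) {
    const path = queue[head++];
    const node = path[path.length - 1];
    if (node === target && path.length > 1) {
      found.push(path);
      continue;                      // do not expand past the target
    }
    // Depth cap: a path of more than MAX_PATH_DEPTH edges is abandoned,
    // which bounds the fan-in explosion on large lockfiles.
    if (path.length > MAX_PATH_DEPTH) continue;
    for (const child of graph[node] ?? []) {
      // A child already on this path would close a cycle; skip it.
      if (path.indexOf(child) !== -1) continue;
      queue.push(path.concat(child));
    }
  }
  return found;
}

// Constructed sample graph with a cycle (b <-> c) and fan-in on `qs`.
export const sampleGraph: DepGraph = {
  app: ['a', 'b'],
  a: ['qs'],
  b: ['c', 'qs'],
  c: ['b', 'qs'],
  qs: [],
};
```

The cycle check alone keeps any single path finite; it is the depth cap that keeps the number of paths finite when many parents share the same children, which is the fan-in case the entry describes.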
- Yarn Berry lockfiles no longer throw "Unknown token" on the `__metadata:` block.
- Output summary now renders severity counts as a box-drawing table (`Critical`, `High`, `Medium`, `Low`, `Unknown`) instead of inline text, making severity distribution visible at a glance.
- `--all` flag now appends the full findings table in compact (default) mode, not only in `--verbose` mode. The "Tip: use --all…" message is suppressed when `--all` is already active.
- Coverage notes now appear after the findings table in verbose output.
- Documentation sidebar restructured into four labeled groups (Get Running, Fix Issues, Integrate, Reference) with Get Running expanded by default.
- Output guide renamed from "How to Read Verbose Output" to "Reading the Output" and rewritten to cover both compact and verbose output.
- Release tarballs attached to each GitHub release are now cryptographically signed using GitHub's Sigstore-backed Artifact Attestations. The signing keys are ephemeral OIDC-issued keys generated per build, so no long-lived private signing key exists on either GitHub or the npm registry. Verification is documented in the README under "Security and verification" using `gh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli`.
- New `## Governance` section in the README documenting the project's governance model, key roles, decision-making process, and dispute-resolution path.
- New `## Security and verification` section in the README explaining how to verify a downloaded release tarball and how to verify the npm-installed copy via `npm audit signatures`.
- New `## Coding standards` section in the contributor guide describing the TypeScript style baseline, naming conventions, comment policy, and the categories of change that get pushed back during review.
- The Code of Conduct has moved from `src/docs/CODE_OF_CONDUCT.md` to `CODE_OF_CONDUCT.md` at the repository root so GitHub auto-detects it on the Community Standards page. The CoC text itself is unchanged, and a link was added to the Community section of the README.
- The contributor guide's testing expectations are now an explicit policy rather than a soft suggestion: any new feature, behavior change, or bug fix that affects scan logic, parsing, output, or remediation must be covered by automated unit tests in the same pull request, with practical exceptions called out for documentation-only and genuinely untestable changes.
- HTML report findings now show the actual fix command (e.g. `npm install <package>@<version>`) with a Copy button when one is available, instead of always showing a descriptive prose recommendation. Findings without a runnable command show the recommendation as plain text without a misleading Copy button.
- Serialized findings now expose a `runnableFixCommand: string | null` field for programmatic consumers of the JSON output.
- New "Offline vs Online Results" documentation page explaining the two advisory sources, what stays the same across modes, the intentional behavior differences (registry-validated fix versions, parent-version upgrades), and freshness considerations on both sides.
- Offline scans now produce a Suggested Fix Plan that matches online scans for direct upgrades and in-range parent updates. Previously the fix plan was empty in offline mode because the validation gate treated an unset `validatedFirstFixedVersion` as "validation failed" rather than "validation did not run".
- Offline transitive remediation is now resolved against the lockfile graph, with safe-child candidates synthesized from the advisory's `firstFixedVersion` when the npm registry is not available. The "update parent within current range" path now works offline; the "upgrade parent to a newer version" path remains online-only because it requires the parent's published manifests.
- Withdrawn OSV advisories are now skipped during local advisory database sync, mirroring OSV's `/v1/querybatch` behavior. Offline scans no longer surface findings from advisories that have been retracted.
- The repository's user-facing documentation now lives exclusively under `website/docs`, which backs the published site at https://owasp.org/cve-lite-cli/. Documentation links in the README point at the published guides rather than at Markdown source files. The previous `/docs` directory has been removed.
- GitHub Actions workflows updated to current versions.
- Public site homepage layout polished for better readability across viewport sizes.
- npm transitive remediation now builds a logical dependency graph from `package-lock.json` so hoisted packages can be mapped back to their actual parent chain.
- npm transitive findings can now recommend `npm update <parent>` when a safe child version is reachable within the current parent dependency range.
- The CLI now shows progress while analyzing vulnerability findings after advisory details are loaded, avoiding a silent pause during fix-target validation and transitive remediation analysis.
- npm workspace scans now preserve workspace-local package path context for dependency paths and remediation resolution.
- npm transitive parent upgrade recommendations now respect parent dependency ranges before suggesting a target.
- npm alias nodes in package locks now keep their alias identity when building the remediation graph.
- HTML report now includes breaking change indicators, validation statistics, scan notes, and a search/filter control in the findings table.
- Transitive vulnerability findings now display tier-aware, actionable guidance instead of the generic "Upgrade the parent dependency chain" message. When a primary parent package is identified, it is named explicitly. When no dependency path data is available, the output honestly says so and directs developers to inspect their lockfile.
- Fix plan skip reasons now distinguish between findings where a parent is known but no safe upgrade version was identified (Tier 2) and findings with no dependency path data at all (Tier 3).
- Urgent fix plan table now renders parent-upgrade targets in their own table with a Context column showing which vulnerable package each parent upgrade resolves.
- CI integration docs updated to reference the `OWASP/cve-lite-cli` GitHub Action and include the `--all` flag in example commands.
- Comparison docs expanded with a dedicated GitHub Dependabot section covering advisory database differences, methodology, and where CVE Lite CLI provides more actionable output.
- `--report [dir]` flag generates a self-contained HTML vulnerability dashboard written to a local directory (default: `./cve-report/`). The report opens automatically in the browser on completion.
- `--no-open` flag suppresses the automatic browser launch when used with `--report`.
- HTML report includes severity summary cards, an interactive findings table with filter controls, copy-ready fix commands, expandable dependency paths, and CVE/GHSA links to osv.dev and GitHub Security Advisories.
- Report output includes `index.html` (self-contained, no CDN required) and `report.json` (machine-readable scan data).
- CVE Lite CLI is now an OWASP Incubator Project. OWASP Foundation affiliation reflected in the report header and README.
- Usage-aware dependency analysis phase 1: The CLI now statically analyzes project source code to detect if vulnerable dependencies are actually imported and reachable.
- Added `--usage` and `--only-used` flags. `Used` findings bubble to the top, and `--only-used` aggressively filters out unreachable/unused dependencies to eliminate noise.
- CLI tables now feature a dedicated `Usage` column indicating import counts or `unused` status, color-coded red and green.
- Migrated the breaking change annotation into its own dedicated `Breaking?` column with a `⚠` symbol in the fix plan tables.
- Pre-release versions (e.g. `-next.*`, `-beta.*`, `-alpha.*`, `-rc.*`) are now suppressed as fix targets across all three resolution paths: OSV advisory data, parent upgrade resolution, and direct fix validation. When the only available fixed version is a pre-release, the fix hint shows `—` and no fix command is generated.
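The pre-release rule above and the later "lowest known non-vulnerable direct remediation target" entry describe the same selection: walk published versions upward, reject pre-releases outright, and stop at the first stable version outside every advisory range. The block below is an added example of that selection, not the project's validation code; the OSV-style `introduced`/`fixed` range shape, the `TargetChoice` metrics, and the sample data are assumptions made for this example. Pre-release ordering relative to its stable release is deliberately not modelled, since pre-releases are never candidates.

```typescript
// Added example (not the project's implementation): pick the lowest safe
// stable fix target, skipping pre-releases, and report the scan metrics.

type Ver = { core: [number, number, number]; prerelease: string | null };

export function parseVersion(v: string): Ver {
  const m = /^v?([^-+]+)(?:-([^+]+))?/.exec(v);
  const core = m ? m[1] : v;
  const pre = m && m[2] ? m[2] : null;
  const n = core.split('.').map((p) => parseInt(p, 10));
  return { core: [n[0] || 0, n[1] || 0, n[2] || 0], prerelease: pre };
}

function cmpCore(a: [number, number, number], b: [number, number, number]): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i] ? 1 : -1;
  return 0;
}

// Affected range in OSV event style: introduced is inclusive, fixed is
// exclusive, and fixed === null means nothing in that range is fixed yet.
export interface AffectedRange { introduced: string; fixed: string | null; }

export function isVulnerable(version: string, ranges: AffectedRange[]): boolean {
  const v = parseVersion(version).core;
  return ranges.some((r) => {
    if (cmpCore(v, parseVersion(r.introduced).core) < 0) return false;
    return r.fixed === null || cmpCore(v, parseVersion(r.fixed).core) < 0;
  });
}

export interface TargetChoice {
  target: string | null;   // null: the fix hint shows "—" and no command is generated
  scanned: number;         // stable candidates examined
  stillVulnerable: number; // candidates rejected because some advisory still covers them
}

// Lowest published stable version that is >= current and clears every
// advisory. If only a pre-release is fixed, the result is null.
export function chooseFixTarget(
  current: string,
  published: string[],
  advisories: AffectedRange[][],
): TargetChoice {
  const cur = parseVersion(current).core;
  const stable = published
    .map((raw) => ({ raw, parsed: parseVersion(raw) }))
    .filter((x) => x.parsed.prerelease === null && cmpCore(x.parsed.core, cur) >= 0)
    .sort((a, b) => cmpCore(a.parsed.core, b.parsed.core));
  let scanned = 0;
  let stillVulnerable = 0;
  for (const x of stable) {
    scanned++;
    if (advisories.some((ranges) => isVulnerable(x.raw, ranges))) {
      stillVulnerable++;
      continue;
    }
    return { target: x.raw, scanned, stillVulnerable };
  }
  return { target: null, scanned, stillVulnerable };
}

// Constructed sample: two overlapping advisories. 1.2.0 fixes the first
// but not the second, 1.3.0 clears both, 2.0.0-rc.1 must never be chosen.
export const samplePublished = ['1.0.0', '1.1.0', '1.2.0', '1.3.0', '2.0.0-rc.1'];
export const sampleAdvisories: AffectedRange[][] = [
  [{ introduced: '0', fixed: '1.2.0' }],
  [{ introduced: '1.1.0', fixed: '1.3.0' }],
];
```

Choosing the lowest safe version rather than the newest is what keeps the suggested command inside the user's current range as often as possible; the `stillVulnerable` count is the figure the validation table shows as "Still known vulnerable".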
- pnpm lockfile v9 support — the v9 format (default in current pnpm installations) uses `name@version` keys and a `snapshots` section instead of the legacy `/name/version` and `packages` layout; the parser now branches on `lockfileVersion` and routes v9+ lockfiles through a dedicated path, eliminating false negatives on modern pnpm projects
- Analog case study — full scan-fix workflow on a real pnpm v9 Angular monorepo (3,367 packages), including a comparison table against `pnpm audit`, fix journey, and baseline findings table
- Baseline findings tables backported to NestJS and Juice Shop case studies for structural consistency across all studies
- BFS path-tracking in the pnpm parser replaced path-fingerprint `seenPaths` with a visited-key `seenKeys` set, eliminating exponential queue growth through circular dependency chains in large lockfiles (e.g. Analog's 15 circular deps)
- `bun.lock` parser — resolves package names and versions from Bun's JSONC lockfile format (v1.1.38+), with dev-only detection via workspace dependency manifests and `--prod-only` support
- `bun add` fix commands — fix command output now detects Bun projects and emits `bun add <package>@<version>` alongside the existing npm/pnpm/yarn equivalents
- Breaking change labels — fix command tables now flag major-version upgrade targets (e.g. `8.5.1 → 9.0.0`) with a `(breaking change)` annotation so developers know before running the command
- OSV `MODERATE` severity label now correctly maps to `medium` — packages like `got` and `micromatch` were previously classified as `unknown` and excluded from the default medium+ findings table
- Validation table (Package / Current / Recommended target / Versions scanned / Still known vulnerable) now renders for urgent (high/critical) direct fix sections; it was missing after packages were reclassified from low to high by the CVSS vector fix in v1.5.3
- Transitive findings without a parent upgrade path no longer appear in the no-auto-fix section; they are already covered by fix plan step 2, so the duplication was confusing
- Renamed "Not included automatically" to "No auto-fix command available for these direct dependencies" to accurately describe what is shown
- CVSS vector strings (e.g. `CVSS:3.1/AV:N/...`) were misclassified as low severity because the version number in the prefix (3.1) was extracted by the score parser and treated as a base score. All CVSS_V3-backed advisories now fall through to `database_specific.severity` and report the correct label. Packages like `crypto-js` (critical) and `braces` (high) were previously silently under-reported.
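The misclassification above is easy to reproduce and worth seeing side by side, because it is a silent under-report rather than a crash. The block below is an added example, not the project's parser: the buggy path pulls the first decimal out of the severity field, so a CVSS 3.1 vector yields a base score of 3.1 (low); the fixed path only parses a bare numeric score and otherwise falls through to `database_specific.severity`. It also covers the `MODERATE` to `medium` mapping from the entry a few lines up. The OSV field names (`severity[].type`, `severity[].score`, `database_specific.severity`) are real; the advisory objects are constructed, and the score-to-label thresholds are an assumption.

```typescript
// Added example (not the project's implementation): the CVSS vector
// misclassification as a before/after pair.

export type Label = 'critical' | 'high' | 'medium' | 'low' | 'unknown';

export interface OsvAdvisoryLike {
  severity?: Array<{ type: string; score: string }>;
  database_specific?: { severity?: string };
}

// Numeric CVSS base score to label (thresholds assumed).
export function labelFromScore(score: number): Label {
  if (score >= 9) return 'critical';
  if (score >= 7) return 'high';
  if (score >= 4) return 'medium';
  if (score > 0) return 'low';
  return 'unknown';
}

// database_specific.severity uses upper-case words; MODERATE is medium.
export function labelFromWord(word: string | undefined): Label {
  switch ((word ?? '').toUpperCase()) {
    case 'CRITICAL': return 'critical';
    case 'HIGH': return 'high';
    case 'MODERATE':
    case 'MEDIUM': return 'medium';
    case 'LOW': return 'low';
    default: return 'unknown';
  }
}

// BEFORE: takes the first number found in the score field. For a CVSS_V3
// entry that field is a vector string, so "CVSS:3.1/AV:N/..." becomes 3.1.
export function classifyBuggy(adv: OsvAdvisoryLike): Label {
  const entry = adv.severity?.[0];
  if (entry) {
    const m = /(\d+(?:\.\d+)?)/.exec(entry.score);
    if (m) return labelFromScore(parseFloat(m[1]));
  }
  return labelFromWord(adv.database_specific?.severity);
}

// AFTER: only a bare numeric score is treated as a score; a vector (or
// anything else) falls through to the word label.
export function classifyFixed(adv: OsvAdvisoryLike): Label {
  const entry = adv.severity?.[0];
  if (entry && /^\d+(?:\.\d+)?$/.test(entry.score.trim())) {
    return labelFromScore(parseFloat(entry.score));
  }
  return labelFromWord(adv.database_specific?.severity);
}

// Constructed advisories in the shape OSV uses for CVSS_V3 entries.
export const vectorAdvisory: OsvAdvisoryLike = {
  severity: [{ type: 'CVSS_V3', score: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }],
  database_specific: { severity: 'CRITICAL' },
};
export const moderateAdvisory: OsvAdvisoryLike = {
  severity: [{ type: 'CVSS_V3', score: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' }],
  database_specific: { severity: 'MODERATE' },
};
```

The detection to keep from this: a parser that accepts "whatever number appears first" will always find one in a CVSS vector, so a test that feeds a vector string and expects the word label is the regression guard.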
- condensed README and extracted detailed content into standalone docs: offline advisory DB guide, CI integration guide, architecture overview, comparison guide, roadmap, troubleshooting, and parser coverage matrix
- docs site updated with SEO meta tags, Open Graph, Twitter Card, JSON-LD structured data, Free/Local/Fast hero pillars, badge section, and GitHub icon nav link
- screenshots shown side-by-side with click-to-enlarge
- removed unimplemented SARIF claims from all docs and comparison tables
- scoped `--fix` mode for validated direct dependency remediation with package-manager-native apply behavior
- automatic rescan after successful `--fix` apply and concise fix summary output (applied fixes, skipped findings, remaining severity mix)
- dedicated `--fix` documentation guide and refreshed website/README guidance
- Juice Shop case-study evidence for `--fix` workflow output
- CLI now includes explicit `--fix` help output and improved fix-phase progress messaging
- README comparison table now includes an explicit auto-fix support column with caveated tool-by-tool notes
- direct vs transitive relationship classification now treats only root manifest-declared dependencies as direct, reducing misleading root-level remediation commands in monorepo/tooling-heavy scans
- verbose fix-command output now renders parent-upgrade sections in a structured table with package, current version, recommended target, and context columns
- README, website copy, and NestJS case study wording now align with direct/transitive remediation actionability expectations and refreshed screenshot evidence
- lowest known non-vulnerable direct remediation target selection based on advisory-range validation across published versions
- version-scan metrics for validated remediation targeting (scanned versions and still-vulnerable exclusions)
- new automated tests for multi-step upgrade chains, overlapping advisories, and fallback behavior when advisory coverage is incomplete
- richer NestJS case-study evidence with remediation table metrics and screenshot-backed command snapshots
- direct remediation output now uses structured table rendering with package, current version, recommended target, scanned versions, and still known vulnerable columns
- direct remediation tables now include a total row for consistent section-level summary in verbose output
- compact output now includes validation-summary context when scanned-version metrics are available
- README guidance now explains the lowest-known-non-vulnerable targeting flow and references the NestJS remediation evidence
- npm registry validation for direct fixed-version hints before surfacing copy-and-run commands
- nearest-published fallback handling for unpublished npm fixed-version hints, with a dedicated registry-adjusted command section
- explicit warning output for unpublishable fixed-version hints that cannot be turned into runnable commands
- new NestJS case study documenting the local scan-fix-rescan workflow on a mainstream framework repository
- Suggested fix commands now cover more than the urgent path, including additional direct fixes when confident targets are available
- Verbose and compact output now highlight copy-and-run remediation commands more prominently and explain when the top-priority issue has no confident automatic command yet
- README now positions the local remediation loop more clearly against slower pipeline-only scanning workflows
- Case study and README content now emphasize how local caching keeps consecutive rescans fast during iterative remediation
- Reusable first-party GitHub Action via `action.yml` for simple GitHub Actions adoption
- Official workflow integration guidance for package scripts, opt-in `postinstall`, git hooks, CI, and scheduled advisory DB refreshes
- Multi-column README table of contents for easier navigation
- Simplified the reusable GitHub Action by removing built-in npm cache setup, improving reliability in external repositories
- README now includes GitHub Action usage examples and clearer top-level navigation
- Network and privacy documentation now reflects the current offline workflow and advisory DB operational model
- Advisory DB freshness reporting during offline scans, including warnings when the local DB appears stale or is missing sync metadata
- Advisory sync ingestion is now significantly faster through bulk SQLite transactions and prepared statement reuse
- README now documents the measured advisory sync benchmark and keeps the offline freshness guidance aligned with the shipped behavior
- Local SQLite advisory database foundation for offline advisory lookups
- `cve-lite advisories sync` command to download the official OSV npm dump and build the local advisory DB
- Offline scanning with `--offline` using the default local advisory DB
- Explicit local DB selection with `--offline-db <path>`
- Progress reporting during advisory DB sync, including download and ingest progress
- CLI output now reports when offline mode is enabled and when the local advisory DB is being used as the advisory source
- README now highlights offline advisory DB support, offline workflows, and scheduled DB refresh guidance more prominently
- Coverage notes now clarify that offline scans do not make outbound advisory API calls
- Best-effort parent upgrade guidance for transitive vulnerabilities
- Verbose output now shows recommended parent upgrades when available while preserving full dependency paths
- Compact output now surfaces more actionable remediation guidance for transitive issues
- README updated to reflect the new remediation behavior
- Configurable OSV endpoint support
- README updates and documentation fixes