Releases: OWASP/cve-lite-cli
Releases · OWASP/cve-lite-cli
Release list
v1.15.1 - SARIF output and expanded GitHub Action inputs
Added
- GitHub Action now exposes
--usage,--only-used,--sarif, and--no-cacheinputs. Theno-cacheinput defaults totruein CI since runners are ephemeral. --sarifflag writes a SARIF 2.1.0 file to the current directory for upload to GitHub Code Scanning. One result per CVE, rules deduplicated, severity mapped to SARIF levels.
Validation
- npm test
- npm run build
v1.15.0 - AI assistant skills and JSON output improvements
Added
--jsonoutput is now saved to a timestamped file (cve-lite-scan-YYYY-MM-DDTHH-MM-SS.json) in the current directory, keeping stdout free for human-readable messages. The banner and spinner are no longer suppressed in--jsonmode. Advisory source and offline mode lines no longer appear in--jsonstdout.- New
install-skillsubcommand writes AI assistant skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot into the current project directory. Append-style files (AGENTS.md,GEMINI.md,.github/copilot-instructions.md) are created if missing, appended to if no CVE Lite section exists, or replaced in place if a section already exists — running the command twice is safe. Commit the generated files to share the context with your team.
Fixed
- Transitive parent-upgrade guidance now marks commands as path-specific when they only cover a subset of a vulnerable package's dependency paths. Covered and remaining paths are exposed in JSON; terminal output and HTML report show the same partial-path note.
- pnpm lockfile traversal now preserves multiple dependency paths for repeated package versions instead of stopping after the first matching key. Path count and depth caps bound the traversal to avoid runaway graph walks.
Changed
- Dedicated caching guide added covering the 30-minute TTL, false negative risk window, and
--no-cacheflag behavior.
Validation
- npm test
- npm run build
v1.14.0 - 30-min cache TTL, parallel OSV queries, and --no-cache flag
Added
--no-cacheflag forces a fresh OSV query for all packages in a single scan, bypassing thequeryEntriescache while still writing results back so subsequent runs benefit from caching as normal. Mutually exclusive with--offlineand--offline-db.- Transitive context column added to the HTML report findings table, showing the dependency path from each vulnerable transitive package back to a direct dependency.
- Transitive findings in terminal output now show a ⚠ no-fix indicator when no safe upgrade is available, distinguishing unfixable transitive issues from ones that can be resolved.
Fixed
queryEntriescache now expires after 30 minutes. Previously, a clean result (no vulnerabilities) was cached indefinitely, meaning a package that acquired a new CVE after the initial scan would be silently missed on all subsequent scans until the cache was manually deleted. All entries — both clean and non-empty — are now re-queried after 30 minutes. Existing v2 cache files are migrated automatically and treated as stale on first run. Thank you @fabioemoutinho for reporting this.
Changed
- OSV batch queries now run in parallel with a concurrency cap of 5, reducing cold scan time from ~14s to ~7.5s on large lockfiles (~1700 packages).
- Cache file format bumped from v2 to v3.
queryEntriesvalues now store{ vulnIds, cachedAt }instead of a barestring[]. v2 files are migrated transparently on load.
Validation
- npm test
- npm run build
v1.13.0 - Yarn Berry support, example fixtures, and output improvements
Added
- Yarn Berry (v2+) lockfile support. The parser now detects the
__metadata:block and routes to a dedicated Berry parser that extracts packages fromresolution:fields. Non-npm resolutions (workspace, patch, file) are skipped automatically. Yarn 1 behavior is unchanged. - Curated in-repo vulnerable example fixtures under
examples/for contributor testing, covering direct-fixable, transitive-path-high, transitive-only, direct-and-transitive, npm workspace, yarn-berry, and a documentation-site project. A readme documents each fixture's purpose, package manager, and scan command. - New CLI Reference documentation page listing every flag with defaults, descriptions, examples, and mutual-exclusion notes.
Fixed
- BFS path-expansion loop in npm lockfile graph traversal no longer hangs on lockfiles with cyclic or fan-in dependency graphs. Added
MAX_PATH_DEPTH = 10to cap path length and replaced O(n)queue.shift()with an index-based O(1) dequeue, eliminating unbounded array allocation and GC pressure that caused 100% CPU hangs on moderately sized lockfiles. - npm transitive parent chain reconstruction now correctly resolves hoisted packages back to their logical parent using the lockfile dependency declarations.
- Yarn Berry lockfiles no longer throw "Unknown token" on the
__metadata:block.
Changed
- Output summary now renders severity counts as a box-drawing table (
Critical,High,Medium,Low,Unknown) instead of inline text, making severity distribution visible at a glance. --allflag now appends the full findings table in compact (default) mode, not only in--verbosemode. The "Tip: use --all…" message is suppressed when--allis already active.- Coverage notes now appear after the findings table in verbose output.
- Documentation sidebar restructured into four labeled groups (Get Running, Fix Issues, Integrate, Reference) with Get Running expanded by default.
- Output guide renamed from "How to Read Verbose Output" to "Reading the Output" and rewritten to cover both compact and verbose output.
Validation
- npm test
- npm run build
v1.12.1 - Supply-chain attestation and OWASP community docs
Added
- Release tarballs attached to each GitHub release are now cryptographically signed using GitHub's Sigstore-backed Artifact Attestations. The signing keys are ephemeral OIDC-issued keys generated per build, so no long-lived private signing key exists on either GitHub or the npm registry. Verification is documented in the README under "Security and verification" using
gh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli. - New Governance section in the README documenting the project's governance model, key roles, decision-making process, and dispute-resolution path.
- New Security and verification section in the README explaining how to verify a downloaded release tarball and how to verify the npm-installed copy via
npm audit signatures. - New Coding standards section in CONTRIBUTING.md describing the TypeScript style baseline, naming conventions, comment policy, and the categories of change that get pushed back during review.
Changed
- The Code of Conduct moved from
src/docs/CODE_OF_CONDUCT.mdtoCODE_OF_CONDUCT.mdat the repository root so GitHub auto-detects it on the Community Standards page. The CoC text itself is unchanged. - The contributor guide's testing expectations are now an explicit policy: any new feature, behavior change, or bug fix that affects scan logic, parsing, output, or remediation must be covered by automated unit tests in the same pull request, with practical exceptions called out for documentation-only and genuinely untestable changes.
Validation
- npm test
- npm run build
v1.12.0 - Offline parity and runnable fix commands
Added
- HTML report findings now show the actual fix command (e.g.
npm install <package>@<version>) with a Copy button when one is available, instead of always showing a descriptive prose recommendation. Findings without a runnable command show the recommendation as plain text without a misleading Copy button. - Serialized findings expose a new
runnableFixCommand: string | nullfield for programmatic consumers of the JSON output. - New "Offline vs Online Results" docs page explaining the two advisory sources, what stays the same across modes, the intentional behavior differences, and freshness considerations on both sides.
Fixed
- Offline scans now produce a Suggested Fix Plan that matches online scans for direct upgrades and in-range parent updates. The validation gate previously dropped the entire plan in offline mode.
- Offline transitive remediation now resolves against the lockfile graph, with safe-child candidates synthesized from the advisory's
firstFixedVersionwhen the npm registry is not available. The "update parent within current range" path now works offline. - Withdrawn OSV advisories are now skipped during local advisory database sync, mirroring OSV's
/v1/querybatchbehavior. Offline scans no longer surface findings from advisories that have been retracted.
Changed
- The repository's user-facing documentation now lives exclusively under
website/docs, which backs the published site athttps://owasp.org/cve-lite-cli/. Documentation links in the README point at the published guides. The previous/docsdirectory has been removed. - GitHub Actions workflows updated to current versions.
- Public site homepage layout polished.
Validation
- npm test
- npm run build
v1.11.0 - npm transitive remediation for workspaces
Added
- npm transitive remediation now builds a logical dependency graph from
package-lock.jsonso hoisted packages can be mapped back to their actual parent chain. - npm transitive findings can now recommend
npm update <parent>when a safe child version is reachable within the current parent dependency range. - The CLI now shows progress while analyzing vulnerability findings after advisory details are loaded.
Fixed
- npm workspace scans now preserve workspace-local package path context for dependency paths and remediation resolution.
- npm transitive parent upgrade recommendations now respect parent dependency ranges before suggesting a target.
- npm alias nodes in package locks now keep their alias identity when building the remediation graph.
Changed
- Release metadata and website references updated for v1.11.0.
Validation
- npm test
- npm run build
v1.10.0 - Actionable transitive fix guidance and HTML report improvements
Added
- HTML report now includes breaking change indicators, validation statistics, scan notes, and a search/filter control in the findings table.
Fixed
- Transitive vulnerability findings now display tier-aware, actionable guidance instead of the generic "Upgrade the parent dependency chain" message. When a primary parent package is identified, it is named explicitly. When no dependency path data is available, the output honestly says so and directs developers to inspect their lockfile.
- Fix plan skip reasons now distinguish between findings where a parent is known but no safe upgrade version was identified (Tier 2) and findings with no dependency path data at all (Tier 3).
- Urgent fix plan table now renders parent-upgrade targets in their own table with a Context column showing which vulnerable package each parent upgrade resolves.
Changed
- CI integration docs updated to reference the
OWASP/cve-lite-cliGitHub Action and include the--allflag in example commands. - Comparison docs expanded with a dedicated GitHub Dependabot section covering advisory database differences, methodology, and where CVE Lite CLI provides more actionable output.
Validation
- npm test
- npm run build
v1.9.0 - OWASP logo branding, HTML report showcase, and screenshot tabs
Added
- Combined CVE Lite + OWASP logo pair in README hero, website hero, and HTML report header
- Terminal / HTML Report / Verbose tab switcher in website hero — HTML Report shown by default; click any image to open full-size in a new tab
- New
docs/html-report.mdguide covering all--reportoptions and output details
Changed
- All GitHub links updated to
OWASP/cve-lite-cli - README section renamed to "Recognized by OWASP" for clearer discoverability
- Site version badge updated to v1.9.0
Validation
- npm test
- npm run build
v.1.8.0 - Pre-OWASP Transfer Milestone
This is a non-functional milestone release created to mark the project state prior to its transition into OWASP.
CVE Lite CLI has been accepted as an OWASP Incubator Project and will continue development under the OWASP GitHub organization:
https://github.com/OWASP/CVE-Lite-CLI
This release captures the original independent development history of the project before transfer, including:
- local-first JavaScript/TypeScript lockfile scanning
- OSV-based vulnerability matching
- npm, pnpm, and Yarn lockfile support
- direct vs transitive vulnerability classification
- fixed-version hints where available
- top-priority fixes and suggested remediation planning
- JSON and SARIF output
- CI-friendly fail-on severity support
- local advisory caching
- small runtime dependency footprint
This release is intended as a historical checkpoint before the OWASP transition. Future development, issues, pull requests, and releases are expected to continue under the OWASP repository.