OWASP/cve-lite-cli

v1.10.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 1mo Vulnerability Scanning

✓ No known CVEs patched

✓ No known CVEs patched in this version

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

Transitive vulnerability findings now show tier‑aware guidance, explicit parent packages, or missing data.

Full changelog

HTML report now includes breaking change indicators, validation statistics, scan notes, and a search/filter control in the findings table.

Transitive vulnerability findings now display tier-aware, actionable guidance instead of the generic "Upgrade the parent dependency chain" message. When a primary parent package is identified, it is named explicitly. When no dependency path data is available, the output honestly says so and directs developers to inspect their lockfile.
Fix plan skip reasons now distinguish between findings where a parent is known but no safe upgrade version was identified (Tier 2) and findings with no dependency path data at all (Tier 3).
Urgent fix plan table now renders parent-upgrade targets in their own table with a Context column showing which vulnerable package each parent upgrade resolves.

CI integration docs updated to reference the OWASP/cve-lite-cli GitHub Action and include the --all flag in example commands.
Comparison docs expanded with a dedicated GitHub Dependabot section covering advisory database differences, methodology, and where CVE Lite CLI provides more actionable output.

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track OWASP/cve-lite-cli

Get notified when new releases ship.

About OWASP/cve-lite-cli