OWASP/cve-lite-cli

v1.12.0 Breaking

This release includes breaking changes that platform teams should review before planning an upgrade.

✓ No known CVEs patched in this version

Summary

AI summary

Offline scans now produce a Suggested Fix Plan matching online scans, and withdrawn OSV advisories are skipped.

Full changelog

Added

  • HTML report findings now show the actual fix command (e.g. npm install <package>@<version>) with a Copy button when one is available, instead of always showing a descriptive prose recommendation. Findings without a runnable command show the recommendation as plain text without a misleading Copy button.
  • Serialized findings expose a new runnableFixCommand: string | null field for programmatic consumers of the JSON output.
  • New "Offline vs Online Results" docs page explaining the two advisory sources, what stays the same across modes, the intentional behavior differences, and freshness considerations on both sides.

Fixed

  • Offline scans now produce a Suggested Fix Plan that matches online scans for direct upgrades and in-range parent updates. The validation gate previously dropped the entire plan in offline mode.
  • Offline transitive remediation now resolves against the lockfile graph, with safe-child candidates synthesized from the advisory's firstFixedVersion when the npm registry is not available. The "update parent within current range" path now works offline.
  • Withdrawn OSV advisories are now skipped during local advisory database sync, mirroring OSV's /v1/querybatch behavior. Offline scans no longer surface findings from advisories that have been retracted.
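The withdrawn-advisory skip above and the runnableFixCommand field from the Added section, as an added example that is not cve-lite-cli's own code: on constructed OSV-style advisories, the sync step drops entries carrying a withdrawn timestamp, and each finding gets either npm install <package>@<version> or null when the advisory has no fixed version. The withdrawn field and the affected[].ranges[].events[].fixed layout are real OSV schema fields; the helper names, finding shape and simplified version comparison are assumptions.

```javascript
// Added example, not cve-lite-cli's own code. `withdrawn` and affected[].ranges[]
// .events[].fixed follow the OSV schema; finding shape and version compare are assumed.

// Dotted numeric compare ("4.17.20" < "4.17.21"); prerelease tags not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Local sync: OSV marks a retracted entry with a `withdrawn` timestamp and
// /v1/querybatch omits it, so the offline database must drop it as well.
function syncAdvisories(rawAdvisories) {
  return rawAdvisories.filter((adv) => !adv.withdrawn);
}

// Lowest `fixed` event across the advisory's ranges, or null if no fix exists.
function firstFixedVersion(affected) {
  const fixed = (affected.ranges || [])
    .flatMap((r) => r.events || [])
    .map((e) => e.fixed).filter(Boolean).sort(compareVersions);
  return fixed.length ? fixed[0] : null;
}

// Attach a runnable command only when a fixed version exists; otherwise
// runnableFixCommand is null and consumers fall back to the prose advice.
// Assumes the installed version is inside the affected range.
function buildFinding(advisory, pkgName, installedVersion) {
  const aff = advisory.affected.find((a) => a.package.name === pkgName);
  if (!aff) return null;
  const fixed = firstFixedVersion(aff);
  if (fixed && compareVersions(installedVersion, fixed) >= 0) return null;
  return {
    id: advisory.id, package: pkgName, installed: installedVersion,
    firstFixedVersion: fixed,
    runnableFixCommand: fixed ? `npm install ${pkgName}@${fixed}` : null,
  };
}

// Constructed advisories (not real OSV entries): live with a fix, withdrawn, no fix.
const range = (...events) => [{ type: 'SEMVER', events }];
const SAMPLE_ADVISORIES = [
  { id: 'EXAMPLE-0001', affected: [{ package: { name: 'demo-pkg' },
      ranges: range({ introduced: '0' }, { fixed: '1.3.0' }) }] },
  { id: 'EXAMPLE-0002', withdrawn: '2024-01-01T00:00:00Z',
    affected: [{ package: { name: 'demo-pkg' }, ranges: range({ introduced: '0' }, { fixed: '1.2.1' }) }] },
  { id: 'EXAMPLE-0003', affected: [{ package: { name: 'no-fix-pkg' }, ranges: range({ introduced: '0' }) }] },
];
```

Running syncAdvisories(SAMPLE_ADVISORIES) keeps EXAMPLE-0001 and EXAMPLE-0003 only, and buildFinding on EXAMPLE-0003 yields a finding whose runnableFixCommand is null, which is the case where a Copy button would be misleading.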

Changed

  • The repository's user-facing documentation now lives exclusively under website/docs, which backs the published site at https://owasp.org/cve-lite-cli/. Documentation links in the README point at the published guides. The previous /docs directory has been removed.
  • GitHub Actions workflows updated to current versions.
  • Public site homepage layout polished.

Validation

  • npm test
  • npm run build
