OWASP/cve-lite-cli

v1.13.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

Fixed BFS path-expansion loop that caused CPU hangs on cyclic or fan-in lockfiles.

Full changelog

Added

  • Yarn Berry (v2+) lockfile support. The parser now detects the __metadata: block and routes to a dedicated Berry parser that extracts packages from resolution: fields. Non-npm resolutions (workspace, patch, file) are skipped automatically. Yarn 1 behavior is unchanged.
  • Curated in-repo vulnerable example fixtures under examples/ for contributor testing, covering direct-fixable, transitive-path-high, transitive-only, direct-and-transitive, npm workspace, yarn-berry, and a documentation-site project. A readme documents each fixture's purpose, package manager, and scan command.
  • New CLI Reference documentation page listing every flag with defaults, descriptions, examples, and mutual-exclusion notes.

Fixed

  • BFS path-expansion loop in npm lockfile graph traversal no longer hangs on lockfiles with cyclic or fan-in dependency graphs. Added MAX_PATH_DEPTH = 10 to cap path length and replaced O(n) queue.shift() with an index-based O(1) dequeue, eliminating unbounded array allocation and GC pressure that caused 100% CPU hangs on moderately sized lockfiles.
  • npm transitive parent chain reconstruction now correctly resolves hoisted packages back to their logical parent using the lockfile dependency declarations.
  • Yarn Berry lockfiles no longer throw "Unknown token" on the __metadata: block.
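
A worked illustration of the BFS fix described above (added here, not cve-lite-cli's own code): breadth-first path expansion over a lockfile-style dependency graph with a MAX_PATH_DEPTH cap and an index-based dequeue in place of queue.shift(). The package names, the sample graph, and the on-path cycle check are constructed assumptions for the example.

```javascript
// Added example, not cve-lite-cli's own code. Demonstrates the two
// safeguards from the changelog: MAX_PATH_DEPTH and an index-based dequeue.
// Package names and the on-path cycle check are constructed assumptions.
const MAX_PATH_DEPTH = 10;

// graph: { pkg: [dependency, ...] }, edges run from dependent to dependency.
// Returns every path from `root` to `target` with at most maxDepth edges,
// plus the number of queue pops, to show the traversal stays bounded.
function findPaths(graph, root, target, maxDepth = MAX_PATH_DEPTH) {
  const paths = [];
  const queue = [[root]];
  let head = 0;        // cursor: O(1) dequeue instead of O(n) queue.shift()
  let expansions = 0;

  while (head < queue.length) {
    const path = queue[head++];
    const node = path[path.length - 1];
    expansions++;

    if (node === target) {
      paths.push(path);
      continue;
    }
    // Depth cap: never extend a path that already has maxDepth edges.
    if (path.length - 1 >= maxDepth) continue;

    for (const dep of graph[node] || []) {
      // Skip a package already on this path so a cycle (a -> c -> a)
      // cannot be re-expanded until the cap is reached.
      if (path.includes(dep)) continue;
      queue.push([...path, dep]);
    }
  }
  return { paths, expansions };
}

// Constructed sample: fan-in on c (a and b both depend on it) plus the
// cycle a -> c -> a, the graph shapes that triggered the hang.
const sampleGraph = {
  root: ['a', 'b'],
  a: ['c'],
  b: ['c'],
  c: ['a', 'vuln-pkg'],
  'vuln-pkg': [],
};

const result = findPaths(sampleGraph, 'root', 'vuln-pkg');
for (const p of result.paths) console.log(p.join(' > '));
console.log(`${result.paths.length} path(s), ${result.expansions} expansions`);
```

Dropping the on-path check and the depth cap on the same sample graph makes the queue grow without bound, which is the behaviour the fix removes.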

Changed

  • Output summary now renders severity counts as a box-drawing table (Critical, High, Medium, Low, Unknown) instead of inline text, making severity distribution visible at a glance.
  • --all flag now appends the full findings table in compact (default) mode, not only in --verbose mode. The "Tip: use --all…" message is suppressed when --all is already active.
  • Coverage notes now appear after the findings table in verbose output.
  • Documentation sidebar restructured into four labeled groups (Get Running, Fix Issues, Integrate, Reference) with Get Running expanded by default.
  • Output guide renamed from "How to Read Verbose Output" to "Reading the Output" and rewritten to cover both compact and verbose output.

Validation

  • npm test
  • npm run build
