OWASP/cve-lite-cli

v1.14.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

security cve javascript nodejs owasp security-tools

Affected surfaces

deps

Summary

AI summary

Cache entries for OSV queries now expire after 30 minutes, fixing missed CVEs in subsequent scans.

Full changelog

Added

  • --no-cache flag forces a fresh OSV query for all packages in a single scan, bypassing the queryEntries cache while still writing results back so subsequent runs benefit from caching as normal. Mutually exclusive with --offline and --offline-db.
  • Transitive context column added to the HTML report findings table, showing the dependency path from each vulnerable transitive package back to a direct dependency.
  • Transitive findings in terminal output now show a ⚠ no-fix indicator when no safe upgrade is available, distinguishing unfixable transitive issues from ones that can be resolved.

Fixed

  • queryEntries cache now expires after 30 minutes. Previously, a clean result (no vulnerabilities) was cached indefinitely, meaning a package that acquired a new CVE after the initial scan would be silently missed on all subsequent scans until the cache was manually deleted. All entries — both clean and non-empty — are now re-queried after 30 minutes. Existing v2 cache files are migrated automatically and treated as stale on first run. Thank you @fabioemoutinho for reporting this.

Changed

  • OSV batch queries now run in parallel with a concurrency cap of 5, reducing cold scan time from ~14s to ~7.5s on large lockfiles (~1700 packages).
  • Cache file format bumped from v2 to v3. queryEntries values now store { vulnIds, cachedAt } instead of a bare string[]. v2 files are migrated transparently on load.
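The expiry fix and the v2 to v3 migration described above can be sketched as follows. This is an added example, not code from cve-lite-cli: only `queryEntries`, `vulnIds`, `cachedAt` and the 30-minute window come from the changelog, while the top-level `version` field, the `name@version` cache key, and the function names are assumptions.

```javascript
// Added illustration; not cve-lite-cli source. Names other than queryEntries,
// vulnIds and cachedAt are hypothetical.
const TTL_MS = 30 * 60 * 1000; // 30-minute expiry from the changelog

// Upgrade a v2 cache (queryEntries: { key: string[] }) to the v3 shape.
// cachedAt = 0 marks migrated entries as stale so they are re-queried once.
function migrateCache(cache) {
  if (cache.version === 3) return cache;
  const queryEntries = {};
  for (const [key, value] of Object.entries(cache.queryEntries || {})) {
    queryEntries[key] = Array.isArray(value)
      ? { vulnIds: value, cachedAt: 0 }
      : value;
  }
  return { version: 3, queryEntries };
}

// An entry is usable only if it is younger than the TTL. A clean result
// (empty vulnIds) expires exactly like a non-empty one, and a cachedAt in
// the future (clock skew, tampering) is treated as stale.
function isFresh(entry, now) {
  if (!entry || !Number.isFinite(entry.cachedAt)) return false;
  const age = now - entry.cachedAt;
  return age >= 0 && age < TTL_MS;
}

// Return cached vuln IDs, or call queryFn (stand-in for the OSV lookup)
// and write the result back. noCache skips the read but still writes,
// mirroring the --no-cache behaviour described in the changelog.
function lookup(cache, key, queryFn, { now = Date.now(), noCache = false } = {}) {
  const entry = cache.queryEntries[key];
  if (!noCache && isFresh(entry, now)) {
    return { vulnIds: entry.vulnIds, fromCache: true };
  }
  const vulnIds = queryFn(key);
  cache.queryEntries[key] = { vulnIds, cachedAt: now };
  return { vulnIds, fromCache: false };
}
```

With the pre-fix behaviour, the empty `vulnIds` array from the first scan would have been returned on every later scan, so an advisory published in the meantime would never surface.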

Validation

  • npm test
  • npm run build
