OWASP/cve-lite-cli

v1.15.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

Added JSON output file logging, install-skill subcommand for AI skill files, and improved transitive upgrade guidance.

Full changelog

Added

  • --json output is now saved to a timestamped file (cve-lite-scan-YYYY-MM-DDTHH-MM-SS.json) in the current directory, keeping stdout free for human-readable messages. The banner and spinner are no longer suppressed in --json mode. Advisory source and offline mode lines no longer appear in --json stdout.
  • New install-skill subcommand writes AI assistant skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot into the current project directory. Append-style files (AGENTS.md, GEMINI.md, .github/copilot-instructions.md) are created if missing, appended to if no CVE Lite section exists, or replaced in place if a section already exists — running the command twice is safe. Commit the generated files to share the context with your team.

Fixed

  • Transitive parent-upgrade guidance now marks commands as path-specific when they only cover a subset of a vulnerable package's dependency paths. Covered and remaining paths are exposed in JSON; terminal output and HTML report show the same partial-path note.
  • pnpm lockfile traversal now preserves multiple dependency paths for repeated package versions instead of stopping after the first matching key. Path count and depth caps bound the traversal to avoid runaway graph walks.
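
The two fixes above depend on each other: partial-path guidance is only accurate if the traversal keeps every path to the vulnerable package. The sketch below is an added illustration, not cve-lite-cli's code; the graph, package names, cap values and function names are constructed assumptions.

```javascript
// Added illustration; not cve-lite-cli source. Package names, graph shape,
// cap values and function names are constructed assumptions.
const graph = {
  "root": ["parent-a@1.0.0", "parent-b@2.0.0"],
  "parent-a@1.0.0": ["mid@1.1.0"],
  "parent-b@2.0.0": ["mid@1.1.0", "vuln-lib@0.9.0"],
  "mid@1.1.0": ["vuln-lib@0.9.0", "parent-a@1.0.0"], // cycle back to parent-a
  "vuln-lib@0.9.0": [],
};

// Enumerate every root -> target path, bounded by path-count and depth caps.
function findPaths(graph, root, target, { maxPaths = 50, maxDepth = 20 } = {}) {
  const paths = [];
  let truncated = false; // true when a cap cut the walk short
  const walk = (node, trail) => {
    if (paths.length >= maxPaths) { truncated = true; return; }
    if (node === target) { paths.push([...trail, node]); return; }
    if (trail.length >= maxDepth) { truncated = true; return; }
    for (const dep of graph[node] || []) {
      // Cycle guard is per trail: the same package version may be reached
      // again through a different parent, and that is a distinct path.
      if (dep !== node && !trail.includes(dep)) walk(dep, [...trail, node]);
    }
  };
  walk(root, []);
  return { paths, truncated };
}

// Split paths into those an upgrade of `parent` covers and those it leaves.
function upgradeCoverage(paths, parent) {
  const covered = paths.filter((p) => p.includes(parent));
  const remaining = paths.filter((p) => !p.includes(parent));
  const pathSpecific = covered.length > 0 && remaining.length > 0;
  return { covered, remaining, pathSpecific };
}

const { paths, truncated } = findPaths(graph, "root", "vuln-lib@0.9.0");
const report = upgradeCoverage(paths, "parent-a@1.0.0");
console.log(JSON.stringify({ truncated, ...report }, null, 2));
```

When `truncated` is true the path list may be incomplete, so an empty `remaining` array is not proof that an upgrade covers every path.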

Changed

  • Dedicated caching guide added covering the 30-minute TTL, false negative risk window, and --no-cache flag behavior.

Validation

  • npm test
  • npm run build
