This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Added lockfile-refresh fix commands for pnpm, yarn, and bun when the parent range already permits the fixed transitive dependency version.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Adds targeted retry and offline hints for OSV 429 rate-limit and 5xx errors | — |
| Feature | Medium | Adds lockfile-refresh fix commands for pnpm, yarn, and bun when the parent range already covers the fixed transitive dependency version | — |
| Feature | Medium | Changes workspace-scoped lockfile-refresh commands; separates fix-plan sections for refresh targets from direct-fix targets; adds coverage count display in terminal and HTML output; renames "within current range" label to "lockfile refresh" with clearer context strings | — |
| Bugfix | Medium | Adds package manager hint to `--fix` command failure errors | — |
| Refactor | Low | Unifies `EXCLUDED_DIRS` constant for `--usage` source scanning | — |
| Refactor | Low | Extracts several utilities into dedicated modules (`formatAdvisoryDbFreshness`, `relativeAge`, CLI flag validation, `formatAdvisorySourceLine`, `countBySeverity`, package.json helpers, magic number constants) | — |

Summaries generated by llm_adapter@2026-05-28 (confidence: high).
Full changelog
Added
- Targeted retry and offline hints for OSV 429 rate-limit and 5xx server error responses
- Lockfile-refresh fix commands for pnpm (`pnpm update`), yarn (`yarn upgrade`), and bun (`bun update`) when the parent's declared range already covers the fixed transitive dependency version
Fixed
- Package manager hint added to `--fix` command failure errors
Changed
- Workspace-scoped lockfile-refresh commands for pnpm, yarn, and bun; fix-plan sections for lockfile-refresh targets now appear separately from direct-fix targets; fix coverage count ("Running these commands should fix X of Y findings") added to terminal and HTML output; "within current range" label renamed to "lockfile refresh" with rewritten context strings that plainly state the parent already permits the safe child version
- Unified `EXCLUDED_DIRS` constant for `--usage` source scanning
- Extracted `formatAdvisoryDbFreshness`, `relativeAge`, CLI flag validation, `formatAdvisorySourceLine`, `countBySeverity`, package.json helpers, and magic number constants into dedicated modules
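The lockfile-refresh rule from the Added and Changed entries, as an added example in JavaScript that is not code from cve-lite-cli: a finding is a refresh target only when the parent's declared range already permits the fixed child version, in which case the package manager's refresh command is emitted and counted toward the coverage line; otherwise it is a direct-fix target. The helper names, the finding shape, and the minimal exact/caret/tilde range grammar are assumptions.

```javascript
// Added example, not code from cve-lite-cli. Helper names and the minimal
// range grammar (exact, ^x.y.z, ~x.y.z) are assumptions for illustration.
// Lockfile-refresh commands named in the release notes, keyed by package manager.
const REFRESH_COMMANDS = { pnpm: 'pnpm update', yarn: 'yarn upgrade', bun: 'bun update' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Does `version` fall inside the parent's declared `range`?
// ^ keeps the leftmost non-zero component fixed; ~ keeps major.minor fixed.
function satisfies(version, range) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const v = parseVersion(version);
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  return v[0] === base[0]
    && (base[0] !== 0 || v[1] === base[1])
    && (base[0] !== 0 || base[1] !== 0 || v[2] === base[2]);
}

// Split findings into lockfile-refresh targets (parent range already permits the
// fixed child version) and direct-fix targets, and report the coverage count.
function planFixes(findings, packageManager) {
  const refresh = [], direct = [];
  for (const f of findings) {
    (satisfies(f.fixedVersion, f.parentRange) ? refresh : direct).push(f);
  }
  const commands = [];
  // Only pnpm, yarn and bun have a refresh command on this page; others get none.
  if (refresh.length > 0 && REFRESH_COMMANDS[packageManager]) commands.push(REFRESH_COMMANDS[packageManager]);
  const coverage = `Running these commands should fix ${refresh.length} of ${findings.length} findings`;
  return { refresh, direct, commands, coverage };
}

// Constructed sample findings (placeholder package names, not real advisories).
const SAMPLE_FINDINGS = [
  { name: 'child-a', parent: 'parent-a', parentRange: '^1.2.0', fixedVersion: '1.4.1' },
  { name: 'child-b', parent: 'parent-b', parentRange: '~0.5.0', fixedVersion: '1.2.6' },
];
```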
Validation
- npm test
- npm run build
Contributors
Thanks to everyone who contributed to this release: @macayu17, @coder-Yash886, @luojiyin1987, @nanookclaw, @barton87, @Kushaal-k
About OWASP/cve-lite-cli