This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Unknown-severity findings are no longer silently dropped from terminal output.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low | Adds `--debug` flag writing a timestamped JSONL log file with network requests, cache hits, and runtime events; stderr shows the log path | — |
| Feature | Low | Shows all unknown-severity findings in compact mode regardless of critical/high finding count | — |
| Feature | Low | Adds case studies index page to resolve Docusaurus build break | — |
| Bugfix | Medium | Resolves pnpm v9 aliased dependency resolution, fixing five downstream issues (install commands, upgrade suggestions, context column, reason text) | — |
| Bugfix | Low | Prevents spinner completion lines from printing to stdout in `--json` mode | — |
| Bugfix | Low | Includes sync hint (`cve-lite advisories sync`) in offline advisory database error messages | — |
| Bugfix | Low | Removes empty `artifactChanges` arrays from SARIF output, preventing GitHub Code Scanning rejection | — |
| Refactor | Low | CI workflow now declares explicit `permissions: contents: read` for least-privilege alignment | — |
Full changelog
Added
- `--debug` flag writes a timestamped JSONL log file alongside the scan with network requests, cache hits, and runtime events; a single stderr line identifies the log file path
- Unknown-severity findings are no longer silently dropped from compact and verbose terminal output; compact mode now shows all direct unknown findings regardless of how many critical/high findings are present
Fixed
- pnpm v9 aliased dependencies (where the lockfile dep name differs from the real package name, e.g. `'@remix-run/dev': '@vercel/[email protected]'`) now resolve correctly through the transitive graph; five downstream bugs fixed: wrong direct-install commands for unresolvable findings, missing parent upgrade suggestions for deep chains, blank context column for covered findings, and reason text being overwritten by lower-severity findings
- Spinner completion lines (`✓ Loaded package matches from cache`, etc.) no longer printed to stdout in `--json` mode
- Offline advisory database errors now include a sync hint (`cve-lite advisories sync`) to guide users to resolution
- SARIF output no longer includes empty `artifactChanges` arrays in fix objects, which caused GitHub Code Scanning to reject uploaded results
- Case studies index page added to resolve a Docusaurus build break
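The alias-resolution rule the pnpm v9 fix above depends on, shown as an added illustration rather than cve-lite's own code: in a pnpm v9 lockfile snapshot an aliased dependency is recorded as `<alias>: <real name>@<version>` while a normal one is `<name>: <version>`, either optionally followed by a peer suffix in parentheses. The sample dependency map is constructed; a scanner that keys advisories by the alias instead of the real name will miss or mislabel findings exactly as the changelog describes.

```python
"""Resolve pnpm v9 snapshot dependencies, honouring npm: aliases."""
from typing import NamedTuple


class ResolvedDep(NamedTuple):
    alias: str      # name as it appears in the dependent's package.json
    name: str       # real registry package name (what advisories are keyed by)
    version: str    # concrete version with pnpm's peer suffix removed
    aliased: bool   # True when alias != name


def resolve_snapshot_dep(alias: str, ref: str) -> ResolvedDep:
    """Resolve one `alias: ref` entry from a pnpm v9 snapshot dependencies map."""
    # Drop the peer-dependency suffix, e.g. "18.2.0(react@18.2.0)" -> "18.2.0".
    base = ref.split("(", 1)[0]
    # An aliased entry is "<real name>@<version>"; a plain version never
    # contains "@" once the peer suffix is gone. Scoped names start with "@",
    # so split on the LAST "@" and ignore a match at position 0.
    at = base.rfind("@")
    if at > 0:
        return ResolvedDep(alias, base[:at], base[at + 1:], True)
    return ResolvedDep(alias, alias, base, False)


def resolve_snapshot_deps(deps: dict[str, str]) -> dict[str, ResolvedDep]:
    """Resolve every entry of a snapshot dependencies map, keyed by alias."""
    return {alias: resolve_snapshot_dep(alias, ref) for alias, ref in deps.items()}


def package_key(dep: ResolvedDep) -> str:
    """Key under which the dependency appears in the lockfile's packages section."""
    return f"{dep.name}@{dep.version}"


# Constructed sample resembling the `dependencies` map of one snapshot entry.
SAMPLE_DEPS = {
    "react": "18.2.0",
    "react-dom": "18.2.0(react@18.2.0)",
    "@remix-run/dev": "@vercel/remix-run-dev@2.1.0",
    "string-width-cjs": "string-width@4.2.3(emoji-regex@8.0.0)",
}

if __name__ == "__main__":
    for dep in resolve_snapshot_deps(SAMPLE_DEPS).values():
        flag = "alias -> " if dep.aliased else ""
        print(f"{dep.alias:18} {flag}{package_key(dep)}")
```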
Changed
- CI workflow now declares explicit `permissions: contents: read`, matching the least-privilege stance already in place on all other workflows
Validation
- npm test
- npm run build
Contributors
Thank you to everyone who contributed to this release: @Ayush7614, @coder-Yash886, @MohammadYusif, @arpitjain099, @osfv, @MFA-G
About OWASP/cve-lite-cli