OWASP/cve-lite-cli

v1.19.2 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

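Mixed release: fixes transitive vulnerability classification, shows skipped findings with a gray `⊘` marker in terminal and HTML output, and adds documentation and case studies.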

Changes in this release

Feature Low

Show advisory version with gray `⊘` suffix for skipped findings in verbose terminal output.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Add `⊘ Skipped (N)` filter button to HTML report findings table.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Display `⊘` icon with tooltip for skipped findings in Fixed column of HTML report.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Adjust top margin of findings section and move scan notes to bottom after important sections in HTML report.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Add new "How Remediation Works" documentation page with Mermaid diagrams and tabbed package manager commands.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Add usage examples to `--help` output.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

Add 7 new case studies: Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

Add Community contributors section to README.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Bugfix Medium

Correctly classify transitive vulnerabilities as transitive when same package is also a direct dependency at different version.

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Ensure skip reason version hint uses validated fix version consistently with findings table.

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Low

Prevent `--help` output from repeating tool name and version already shown in banner.

Source: llm_adapter@2026-06-05

Confidence: high

Refactor Low

Remove outdated MVP language from scan notes documentation.

Source: llm_adapter@2026-06-05

Confidence: high

Refactor Low

Move nested lockfile informational message from warnings (yellow) to notes (gray).

Source: llm_adapter@2026-06-05

Confidence: high

Other Low

Add note below table pointing to `--report` for detailed skip reasons in verbose terminal output.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Full changelog

Fixed

  • Transitive vulnerability findings now correctly classified as transitive when the same package is also installed as a direct dependency at a different version. Previously [email protected] (transitive) was classified as direct because [email protected] was in package.json, generating a wrong npm install command instead of a parent upgrade suggestion.
  • Skip reason version hint now uses the validated fix version consistently with the findings table, eliminating version discrepancies between the two sections.
  • --help output no longer repeats the tool name and version already shown in the banner.
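
The misclassification described in the first fix above, as an added example (not cve-lite-cli's own code): deciding direct vs. transitive by package name alone versus by where the vulnerable copy sits in an npm lockfile `packages` map. The lockfile contents, the names `left-lib` and `web-kit`, and both function names are constructed for illustration.

```javascript
// Constructed lockfile: left-lib 2.1.0 is a direct dependency, while web-kit
// pulls in its own nested left-lib 1.0.3 (the copy with the advisory).
const lock = {
  packages: {
    "": { dependencies: { "left-lib": "^2.0.0", "web-kit": "^1.0.0" } },
    "node_modules/left-lib": { version: "2.1.0" },
    "node_modules/web-kit": { version: "1.4.0" },
    "node_modules/web-kit/node_modules/left-lib": { version: "1.0.3" },
  },
};

// Direct dependency names declared by the root project.
function rootDeps(lock) {
  const root = lock.packages[""] || {};
  return { ...root.dependencies, ...root.devDependencies };
}

// Name-only check: any package listed in package.json counts as direct,
// whatever version the finding is actually about.
function classifyByName(lock, name) {
  return name in rootDeps(lock) ? "direct" : "transitive";
}

// Instance-aware check: locate the installed copy whose version matches the
// finding, then classify it from its position in the tree.
function classifyInstance(lock, name, version) {
  const suffix = "node_modules/" + name;
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (entry.version !== version) continue;
    if (path === suffix) {
      // Top-level copy: direct only if the root project declares it.
      return name in rootDeps(lock)
        ? { kind: "direct", action: "npm install" }
        : { kind: "transitive", parent: null, action: "upgrade parent" };
    }
    // Nested copy: the parent owns the enclosing node_modules directory.
    const parentPath = path.slice(0, -(suffix.length + 1));
    const parent = parentPath.split("node_modules/").pop();
    return { kind: "transitive", parent, action: "upgrade parent" };
  }
  return { kind: "not-installed" };
}
```

A hoisted top-level copy that the root project does not declare is reported with `parent: null`, since finding its parent needs a walk of each package's declared dependencies rather than the path alone.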

Changed

  • Skipped findings in verbose terminal output now show the advisory version with a gray `⊘` suffix, signalling it is an advisory hint only. A note below the table points to `--report` for detailed skip reasons.
  • HTML report: `⊘ Skipped (N)` filter button added to findings table. Fixed column shows `⊘` icon with tooltip for skipped findings.
  • HTML report: findings section top margin fixed, scan notes moved to bottom after all important sections.
  • Scan notes: removed outdated MVP language.
  • Nested lockfile informational message moved from warnings (yellow) to notes (gray).

Added

  • New How Remediation Works documentation page with Mermaid dependency tree diagrams and tabbed package manager commands.
  • Usage examples added to --help output.
  • 7 new case studies: Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n.
  • Community contributors section added to README.

Validation

  • npm test
  • npm run build
