OWASP/cve-lite-cli

v1.22.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

Private registry detection now works for pnpm, Yarn Classic, and Bun lockfiles.

Changes in this release

Feature Low

Dev dependency labeling added for terminal output and HTML report

Source: llm_adapter@2026-06-11

Confidence: high

Bugfix Medium

Private registry detection now works for pnpm, Yarn Classic, and Bun lockfiles

Source: llm_adapter@2026-06-11

Confidence: high

Full changelog

Added

  • Dev dependency labelling: terminal output and HTML report now show direct · dev / transitive · dev for findings from devDependencies; Yarn Classic and Berry parsers updated to detect dev status
  • yarn-within-range and dev-only-finding example fixtures for regression testing

Fixed

  • Private registry detection (⚠ Unverifiable (private source)) now works for pnpm (legacy and v9), Yarn Classic, and Bun lockfiles — previously only npm was supported

Validation

  • npm test
  • npm run build
