Skip to content

OWASP/cve-lite-cli

v1.7.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 1mo Vulnerability Scanning
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

Added pnpm v9 lockfile support and expanded case study documentation.

Full changelog

Added

  • pnpm lockfile v9 support — the v9 format (default in current pnpm installations) uses name@version keys and a snapshots section instead of the legacy /name/version and packages layout; the parser now branches on lockfileVersion and routes v9+ lockfiles through a dedicated path, eliminating false negatives on modern pnpm projects
  • Analog case study — full scan-fix workflow on a real pnpm v9 Angular monorepo (3,367 packages), including a comparison table against pnpm audit, fix journey, and baseline findings table
  • Baseline findings tables backported to NestJS and Juice Shop case studies for structural consistency across all studies

Fixed

  • BFS path-tracking in the pnpm parser replaced path-fingerprint seenPaths with a visited-key seenKeys set, eliminating exponential queue growth through circular dependency chains in large lockfiles (e.g. Analog's 15 circular deps)

Validation

  • npm test
  • npm run build
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track OWASP/cve-lite-cli

Get notified when new releases ship.

Sign up free

About OWASP/cve-lite-cli

All releases →

Related context

Beta — feedback welcome: [email protected]