Added
- HTML report now includes breaking change indicators, validation statistics, scan notes, and a search/filter control in the findings table.
Fixed
- Transitive vulnerability findings now display tier-aware, actionable guidance instead of the generic "Upgrade the parent dependency chain" message. When a primary parent package is identified, it is named explicitly. When no dependency path data is available, the output honestly says so and directs developers to inspect their lockfile.
- Fix plan skip reasons now distinguish between findings where a parent is known but no safe upgrade version was identified (Tier 2) and findings with no dependency path data at all (Tier 3).
- Urgent fix plan table now renders parent-upgrade targets in their own table with a Context column showing which vulnerable package each parent upgrade resolves.
Changed
- CI integration docs updated to reference the OWASP/cve-lite-cli GitHub Action and include the --all flag in example commands.
- Comparison docs expanded with a dedicated GitHub Dependabot section covering advisory database differences, methodology, and where CVE Lite CLI provides more actionable output.
Validation
- npm test
- npm run build