Added
- Yarn Berry (v2+) lockfile support. The parser now detects the `__metadata:` block and routes to a dedicated Berry parser that extracts packages from `resolution:` fields. Non-npm resolutions (workspace, patch, file) are skipped automatically. Yarn 1 behavior is unchanged.
- Curated in-repo vulnerable example fixtures under `examples/` for contributor testing, covering direct-fixable, transitive-path-high, transitive-only, direct-and-transitive, npm workspace, yarn-berry, and a documentation-site project. A readme documents each fixture's purpose, package manager, and scan command.
- New CLI Reference documentation page listing every flag with defaults, descriptions, examples, and mutual-exclusion notes.
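The Berry detection and resolution extraction described in the first bullet, as an added illustration that is not the project's own parser. It assumes nothing beyond the documented Yarn Berry lockfile layout: a top-level `__metadata:` block and one `resolution: "<name>@<protocol>:<reference>"` line per entry. The sample lockfile is constructed for this example; only `npm:` resolutions become packages, while `workspace:`, `patch:` and `file:` resolutions are reported as skipped rather than fed to the vulnerability lookup.

```javascript
// Added example, not the project's code: minimal Yarn Berry (v2+) lockfile reader.
// Detects the `__metadata:` block first so a Yarn 1 parser is never handed a Berry
// file (the source of the "Unknown token" failure), then collects `resolution:` fields.

// Constructed sample lockfile, trimmed to the fields that matter here.
const SAMPLE_BERRY_LOCK = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 6
  cacheKey: 8

"@babel/core@npm:^7.22.0":
  version: 7.22.0
  resolution: "@babel/core@npm:7.22.0"
  languageName: node
  linkType: hard

"lodash@npm:^4.17.20, lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  languageName: node
  linkType: hard

"my-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "my-app@workspace:."
  languageName: unknown
  linkType: soft

"left-pad@patch:left-pad@npm%3A1.3.0#./patches/left-pad.patch":
  version: 1.3.0
  resolution: "left-pad@patch:left-pad@npm%3A1.3.0#./patches/left-pad.patch::version=1.3.0"
  languageName: node
  linkType: hard
`;

// Constructed Yarn 1 header, used only to show the detector rejecting it.
const SAMPLE_YARN1_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
`;

// A Berry lockfile always carries a top-level `__metadata:` mapping.
function isYarnBerryLockfile(text) {
  return /^__metadata:\s*$/m.test(text);
}

// `<name>@<protocol>:<reference>`; the leading `@?` keeps scoped names such as
// `@babel/core` from being split at their first `@`.
const RESOLUTION_RE = /^(@?[^@]+)@([a-z]+):(.*)$/;

// Returns the npm packages found plus the non-npm resolutions that were skipped.
function parseYarnBerry(text) {
  if (!isYarnBerryLockfile(text)) {
    throw new Error('not a Yarn Berry lockfile (no __metadata: block)');
  }
  const packages = [];
  const skipped = [];
  for (const raw of text.split('\n')) {
    const line = raw.match(/^\s+resolution:\s*"?([^"]+)"?\s*$/);
    if (!line) continue;
    const parsed = line[1].match(RESOLUTION_RE);
    if (!parsed) { skipped.push(line[1]); continue; }
    const [, name, protocol, reference] = parsed;
    if (protocol !== 'npm') { skipped.push(line[1]); continue; } // workspace, patch, file, ...
    packages.push({ name, version: reference });
  }
  return { packages, skipped };
}
```

Skipped resolutions are returned rather than silently dropped so a scan can report what it did not cover, which is the same information the coverage notes in verbose output are meant to surface.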
Fixed
- BFS path-expansion loop in npm lockfile graph traversal no longer hangs on lockfiles with cyclic or fan-in dependency graphs. Added `MAX_PATH_DEPTH = 10` to cap path length and replaced the O(n) `queue.shift()` with an index-based O(1) dequeue, eliminating unbounded array allocation and GC pressure that caused 100% CPU hangs on moderately sized lockfiles.
- npm transitive parent chain reconstruction now correctly resolves hoisted packages back to their logical parent using the lockfile dependency declarations.
- Yarn Berry lockfiles no longer throw "Unknown token" on the `__metadata:` block.
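The bounded BFS from the first Fixed bullet, as an added example rather than the project's own traversal code. It keeps the two measures the changelog names, a `MAX_PATH_DEPTH` cap and an index-based dequeue, and additionally refuses to revisit a node already on the current path, which the changelog does not mention but which is what stops a cycle from re-enqueueing forever even before the cap is hit. The dependency graph is a constructed adjacency map containing both a cycle (`a` and `b` depend on each other) and fan-in (both reach `c`); `findDependencyPaths` and its `truncated` counter are names chosen here.

```javascript
// Added example, not the project's code: enumerate dependency paths from a root
// package to a vulnerable target without hanging on cycles or fan-in.

// Constructed graph: root -> a, b; a <-> b (cycle); a, b -> c (fan-in); c -> target.
const CONSTRUCTED_GRAPH = {
  root: ['a', 'b'],
  a: ['c', 'b'],
  b: ['a', 'c'],
  c: ['target'],
  target: [],
};

// Upper bound on path length in nodes; matches the cap named in the changelog.
const MAX_PATH_DEPTH = 10;

// Breadth-first enumeration of simple paths from `start` to `target`.
// Returns every path found within the cap and how many partial paths were cut off.
function findDependencyPaths(graph, start, target, maxDepth = MAX_PATH_DEPTH) {
  const paths = [];
  const queue = [[start]];
  let head = 0;      // index-based dequeue: O(1) per pop, no array reallocation
  let truncated = 0; // partial paths abandoned because they reached maxDepth

  while (head < queue.length) {
    const path = queue[head];
    queue[head] = undefined; // release the processed path so it can be collected
    head++;

    const node = path[path.length - 1];
    if (node === target) {
      paths.push(path);
      continue;
    }
    if (path.length >= maxDepth) {
      truncated++;
      continue;
    }
    for (const dep of graph[node] || []) {
      if (path.includes(dep)) continue; // cycle guard: only simple paths are expanded
      queue.push([...path, dep]);
    }
  }
  return { paths, truncated };
}

// Same graph traversed with a cap tight enough to drop the two longer paths,
// demonstrating that the cap alone bounds the search on a fan-in heavy graph.
function demo() {
  const full = findDependencyPaths(CONSTRUCTED_GRAPH, 'root', 'target');
  const capped = findDependencyPaths(CONSTRUCTED_GRAPH, 'root', 'target', 4);
  return { fullCount: full.paths.length, cappedCount: capped.paths.length, cappedTruncated: capped.truncated };
}
```

A `truncated` count greater than zero is worth surfacing in the scan output: it means some transitive routes to a vulnerable package were not listed, so the absence of a path in the report is not proof that none exists.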
Changed
- Output summary now renders severity counts as a box-drawing table (`Critical`, `High`, `Medium`, `Low`, `Unknown`) instead of inline text, making severity distribution visible at a glance.
- `--all` flag now appends the full findings table in compact (default) mode, not only in `--verbose` mode. The "Tip: use --all…" message is suppressed when `--all` is already active.
- Coverage notes now appear after the findings table in verbose output.
- Documentation sidebar restructured into four labeled groups (Get Running, Fix Issues, Integrate, Reference) with Get Running expanded by default.
- Output guide renamed from "How to Read Verbose Output" to "Reading the Output" and rewritten to cover both compact and verbose output.
Validation
- npm test
- npm run build