## Added

- `--debug` flag writes a timestamped JSONL log file alongside the scan with network requests, cache hits, and runtime events; a single stderr line identifies the log file path
- Unknown-severity findings are no longer silently dropped from compact and verbose terminal output; compact mode now shows all direct unknown findings regardless of how many critical/high findings are present
## Fixed

- pnpm v9 aliased dependencies (where the lockfile dep name differs from the real package name, e.g. `'@remix-run/dev': '@vercel/remix-run-dev@1.16.1'`) now resolve correctly through the transitive graph; five downstream bugs fixed: wrong direct-install commands for unresolvable findings, missing parent upgrade suggestions for deep chains, blank context column for covered findings, and reason text being overwritten by lower-severity findings
- Spinner completion lines (`✓ Loaded package matches from cache`, etc.) are no longer printed to stdout in `--json` mode
- Offline advisory database errors now include a sync hint (`cve-lite advisories sync`) to guide users to resolution
- SARIF output no longer includes empty `artifactChanges` arrays in fix objects, which caused GitHub Code Scanning to reject uploaded results
- Case studies index page added to resolve a Docusaurus build break
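The aliased-dependency fix above is easiest to see with a small resolver. The following is an added example, not cve-lite's own code: it walks a constructed, simplified lockfile graph (real pnpm v9 lockfiles wrap importer entries in `{specifier, version}`; that wrapper is omitted here), splits alias version strings such as `'@vercel/remix-run-dev@1.16.1'` into the real package name and version, strips pnpm v9 peer suffixes like `1.2.3(react@18.2.0)`, records which parents reach each package, and builds an upgrade command that keeps the alias (`pnpm add <alias>@npm:<real>@<version>`) so the project's imports keep working. The function and package names are assumptions for illustration.

```javascript
// Added example, not cve-lite's own code: resolving pnpm v9 aliased
// dependencies through a constructed, simplified lockfile graph.
//
// An aliased dependency is a lockfile entry whose version string is itself
// "<real-package-name>@<version>", e.g.
//   '@remix-run/dev': '@vercel/remix-run-dev@1.16.1'
// The key is the alias the project imports; the package that advisories must
// be matched against is '@vercel/remix-run-dev' at 1.16.1.

// Parse one lockfile dependency entry into the real package name and version.
// Handles scoped aliases ('@scope/name@1.2.3'), unscoped aliases ('name@1.2.3'),
// plain versions ('1.2.3') and pnpm v9 peer suffixes ('1.2.3(react@18.2.0)').
function parseLockEntry(aliasName, versionString) {
  const s = versionString.trim().replace(/\(.*$/, ''); // drop peer suffix
  // Skip a leading '@' so a scoped real name splits on its second '@'.
  const at = s.indexOf('@', s.startsWith('@') ? 1 : 0);
  if (at > 0) {
    return { name: s.slice(0, at), version: s.slice(at + 1), alias: aliasName };
  }
  return { name: aliasName, version: s, alias: null };
}

// Walk the graph from the importer's direct dependencies, following every
// edge through the real "name@version" key, and record how each was reached.
function resolveGraph(lock) {
  const resolved = new Map(); // "name@version" -> node
  const queue = [];
  for (const [alias, ver] of Object.entries(lock.importers['.'].dependencies)) {
    queue.push({ entry: parseLockEntry(alias, ver), parent: null });
  }
  while (queue.length > 0) {
    const { entry, parent } = queue.shift();
    const key = `${entry.name}@${entry.version}`;
    let node = resolved.get(key);
    if (!node) {
      node = { name: entry.name, version: entry.version, alias: entry.alias,
               direct: parent === null, parents: new Set() };
      resolved.set(key, node);
      const pkg = lock.packages[key];
      // No package record means the entry is unresolvable: keep the node so a
      // finding against it can still be reported, but do not descend.
      if (pkg) {
        for (const [childAlias, childVer] of Object.entries(pkg.dependencies ?? {})) {
          queue.push({ entry: parseLockEntry(childAlias, childVer), parent: key });
        }
      }
    }
    if (parent === null) node.direct = true;
    else node.parents.add(parent);
  }
  return resolved;
}

// The install command a finding should show. An aliased package has to be
// reinstalled under its alias, otherwise the project's imports break.
function upgradeCommand(node, newVersion) {
  if (node.alias) return `pnpm add ${node.alias}@npm:${node.name}@${newVersion}`;
  return `pnpm add ${node.name}@${newVersion}`;
}

// Constructed lockfile (simplified shape, hypothetical package names).
const constructedLock = {
  importers: {
    '.': {
      dependencies: {
        '@remix-run/dev': '@vercel/remix-run-dev@1.16.1',
        'left-pad': '1.3.0',
      },
    },
  },
  packages: {
    '@vercel/remix-run-dev@1.16.1': { dependencies: { 'build-helper': '0.9.0', 'my-util': 'real-util@2.0.0' } },
    'build-helper@0.9.0': { dependencies: {} },
    'real-util@2.0.0': { dependencies: { 'build-helper': '0.9.0' } },
    'left-pad@1.3.0': { dependencies: {} },
  },
};

function demo() {
  const graph = resolveGraph(constructedLock);
  const remix = graph.get('@vercel/remix-run-dev@1.16.1');
  return {
    remixAlias: remix.alias,
    remixDirect: remix.direct,
    utilParents: [...graph.get('real-util@2.0.0').parents],
    helperParents: [...graph.get('build-helper@0.9.0').parents].sort(),
    cmd: upgradeCommand(remix, '1.17.0'),
  };
}

console.log(demo());
```

Keying the resolved map by the real `name@version` rather than the alias is what makes the transitive chain line up with advisory data: the same package reached through two different aliases collapses to one node with two parents, and the alias survives on the node only for producing the install command.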
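For the SARIF item, the underlying rule is that in SARIF 2.1.0 a `fix` object's `artifactChanges` array is required and must contain at least one `artifactChange` (each with an `artifactLocation` and at least one replacement), so an emitted `artifactChanges: []` is schema-invalid. The sanitizer below is an added example, not cve-lite's own code: it drops fixes that cannot express a change and removes the `fixes` property altogether when none remain, over a constructed SARIF fragment. Rule ids and tool name are placeholders.

```javascript
// Added example, not cve-lite's own code: keep SARIF "fix" objects valid.
// SARIF 2.1.0 requires fix.artifactChanges with at least one element, and
// each artifactChange needs an artifactLocation and at least one replacement.

function isValidFix(fix) {
  return Array.isArray(fix.artifactChanges) &&
    fix.artifactChanges.length > 0 &&
    fix.artifactChanges.every(c =>
      c.artifactLocation && Array.isArray(c.replacements) && c.replacements.length > 0);
}

// Copy of a result with invalid fixes removed; if none remain, the "fixes"
// property is dropped rather than left as an empty array.
function sanitizeResultFixes(result) {
  const fixes = (result.fixes ?? []).filter(isValidFix);
  const { fixes: _dropped, ...rest } = result;
  return fixes.length > 0 ? { ...rest, fixes } : rest;
}

function sanitizeSarif(log) {
  return {
    ...log,
    runs: log.runs.map(run => ({
      ...run,
      results: (run.results ?? []).map(sanitizeResultFixes),
    })),
  };
}

// Constructed fragment: one result with a concrete fix, one whose fix only
// carries descriptive text (no file change can be expressed for it).
const constructedSarif = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner' } },
    results: [
      {
        ruleId: 'EXAMPLE-0001',
        message: { text: 'vulnerable direct dependency' },
        fixes: [{
          description: { text: 'bump version in package.json' },
          artifactChanges: [{
            artifactLocation: { uri: 'package.json' },
            replacements: [{
              deletedRegion: { startLine: 5 },
              insertedContent: { text: '"left-pad": "1.3.1"' },
            }],
          }],
        }],
      },
      {
        ruleId: 'EXAMPLE-0002',
        message: { text: 'vulnerable transitive dependency' },
        fixes: [{ description: { text: 'upgrade the parent package' }, artifactChanges: [] }],
      },
    ],
  }],
};

// Returns, per result, the number of surviving fixes or a marker when the
// property was removed entirely.
function demoSarif() {
  const clean = sanitizeSarif(constructedSarif);
  return clean.runs[0].results.map(r =>
    Array.isArray(r.fixes) ? r.fixes.length : 'no fixes key');
}

console.log(demoSarif());
```

Advice that cannot be expressed as an artifact change (such as "upgrade the parent package") belongs in the result's `message` or in a rule's help text, not in an empty `fix`; a validator pass like this one before upload catches the regression in CI rather than at the Code Scanning endpoint.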
## Changed

- CI workflow now declares explicit `permissions: contents: read`, matching the least-privilege stance already in place on all other workflows
## Validation

- `npm test`
- `npm run build`
## Contributors

Thank you to everyone who contributed to this release: @Ayush7614, @coder-Yash886, @MohammadYusif, @arpitjain099, @osfv, @MFA-G