## Fixed

- Transitive vulnerability findings are now correctly classified as transitive when the same package is also installed as a direct dependency at a different version. Previously `uuid@8.3.2` (transitive) was classified as direct because `uuid@14.0.0` was in `package.json`, generating a wrong `npm install` command instead of a parent upgrade suggestion.
- Skip reason version hint now uses the validated fix version consistently with the findings table, eliminating version discrepancies between the two sections.
- `--help` output no longer repeats the tool name and version already shown in the banner.
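The classification rule behind the first fix, as an added example (this is not the tool's own code, which this changelog does not show). It assumes an npm lockfileVersion 2/3 `packages` map keyed by install path; the dependency names, versions and the fix version passed to `suggestRemediation` are constructed to mirror the `uuid` case above, not real advisory data. The buggy rule matches on name alone; the corrected rule only calls a finding direct when the root install of that name is at the vulnerable version, and otherwise locates the parent from the nested install path (or, for a hoisted copy, from the first package that requires it).

```javascript
// Added example, not code from the project this changelog describes.
// Shows why name-only matching misclassifies a nested uuid@8.3.2 as
// "direct" when package.json pins uuid@14.0.0, and the corrected rule.
// All names, versions and lockfile contents below are constructed.

const PREFIX = "node_modules/";
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed package.json "dependencies" section.
const packageJsonDeps = { uuid: "^14.0.0", "some-parent": "^1.0.0" };

// Constructed lockfileVersion 2/3 "packages" excerpt: uuid@14.0.0 hoisted
// at the root, uuid@8.3.2 nested under some-parent, lodash hoisted but
// only required by some-parent (a transitive dependency at the root).
const lockPackages = {
  "node_modules/uuid": { version: "14.0.0" },
  "node_modules/some-parent": {
    version: "1.0.0",
    dependencies: { uuid: "^8.0.0", lodash: "^4.17.0" },
  },
  "node_modules/some-parent/node_modules/uuid": { version: "8.3.2" },
  "node_modules/lodash": { version: "4.17.20" },
};

// Package name owning an install path, e.g. "node_modules/some-parent"
// -> "some-parent", "node_modules/@scope/pkg" -> "@scope/pkg".
function packageNameOf(installPath) {
  return installPath.slice(installPath.lastIndexOf(PREFIX) + PREFIX.length);
}

// The buggy rule: "direct" whenever the name appears in package.json,
// regardless of which installed version the finding refers to.
function classifyByNameOnly(finding, deps) {
  return has(deps, finding.name) ? "direct" : "transitive";
}

// The corrected rule: match on name AND installed version.
// Returns { kind: "direct" | "transitive" | "unknown", parent }.
function classify(finding, deps, packages) {
  const root = packages[PREFIX + finding.name];
  if (has(deps, finding.name) && root && root.version === finding.version) {
    return { kind: "direct", parent: null };
  }
  const suffix = "/" + PREFIX + finding.name;
  for (const [path, entry] of Object.entries(packages)) {
    if (entry.version !== finding.version) continue;
    if (path.endsWith(suffix)) {
      // Nested copy: the parent owns the directory above this node_modules.
      const parentPath = path.slice(0, path.length - suffix.length);
      return { kind: "transitive", parent: packageNameOf(parentPath) };
    }
    if (path === PREFIX + finding.name) {
      // Hoisted copy not declared at this version in package.json:
      // attribute it to the first package whose dependencies require it.
      for (const [p, e] of Object.entries(packages)) {
        if (e.dependencies && has(e.dependencies, finding.name)) {
          return { kind: "transitive", parent: packageNameOf(p) };
        }
      }
    }
  }
  return { kind: "unknown", parent: null };
}

// Remediation text per classification. fixVersion is a caller-supplied
// placeholder here, not a value taken from any advisory.
function suggestRemediation(finding, cls, fixVersion) {
  if (cls.kind === "direct") {
    return `npm install ${finding.name}@${fixVersion}`;
  }
  if (cls.kind === "transitive") {
    return `upgrade ${cls.parent} to a release that depends on ${finding.name}@${fixVersion}`;
  }
  return `could not locate ${finding.name}@${finding.version} in the lockfile`;
}

const nested = { name: "uuid", version: "8.3.2" };
console.log(classifyByNameOnly(nested, packageJsonDeps));      // "direct" (the old bug)
console.log(classify(nested, packageJsonDeps, lockPackages));  // { kind: "transitive", parent: "some-parent" }
```

Running it prints the wrong name-only verdict first and the corrected one second; the hoisted `lodash` case shows why a root-level install alone is not enough to call something direct, and an unmatched version falls through to `unknown` rather than guessing a command.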
## Changed

- Skipped findings in verbose terminal output now show the advisory version with a gray `⊘` suffix, signalling it is an advisory hint only. A note below the table points to `--report` for detailed skip reasons.
- HTML report: `⊘ Skipped (N)` filter button added to findings table. Fixed column shows `⊘` icon with tooltip for skipped findings.
- HTML report: findings section top margin fixed, scan notes moved to bottom after all important sections.
- Scan notes: removed outdated MVP language.
- Nested lockfile informational message moved from warnings (yellow) to notes (gray).
## Added

- New How Remediation Works documentation page with Mermaid dependency tree diagrams and tabbed package manager commands.
- Usage examples added to `--help` output.
- 7 new case studies: Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n.
- Community contributors section added to README.
## Validation

- `npm test`
- `npm run build`