github OWASP/cve-lite-cli v1.20.0
v1.20.0 - Private registry MAL- detection, Yarn path reconstruction, and --create-pr
on GitHub

latest releases: v1, v1.21.0
23 hours ago

Added

  • --create-pr flag: after --fix, commits lockfile changes and opens a GitHub PR via gh with a descriptive title listing upgraded packages and vulnerability count
  • --base <branch> flag to set the base branch for --create-pr (default: main)
  • Bun parser updated to reconstruct transitive paths from package relationships; within-range remediation now works for Bun lockfiles
  • pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain regression fixtures
  • CamoFox Browser case study
  • mal-private-registry example fixture demonstrating unverifiable MAL- output for private registry packages

Fixed

  • Yarn Classic parser now reconstructs full transitive dependency paths using BFS graph walk; within-range resolver correctly suggests yarn upgrade <pkg> for deep chains
  • MAL- advisories for packages resolved from a private registry now surface as "Unverifiable (private source)" instead of a false-positive "Malicious" finding

Validation

  • npm test
  • npm run build

Contributors

  • @coder-Yash886 - Yarn parser path reconstruction fix, bun-within-range fixture
  • @Ayush7614 - pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain fixtures, CamoFox Browser case study
  • @nkgotcode - fixture remediation scan tests
Check out latest releases or
releases around OWASP/cve-lite-cli v1.20.0

Don't miss a new cve-lite-cli release

NewReleases is sending notifications on new releases.

Get notifications