Added
- Graded output for MAL- advisories from git sources: terminal shows ⚠ Git source (SHA-pinned) or ⚠ Git source (floating ref) with resolved URL; HTML report shows orange badge variant
Fixed
- Error handling and cleanup for SARIF, CycloneDX, and HTML report file writes; pre-existing directories preserved on write failure
- Duplicate db.close() call removed from osv-sync catch block that could mask original error
Performance
- CVE detail fetches now run concurrently — 2.2x faster on cold cache for large lockfiles (28.4s → 12.7s on a 170-CVE scan)
- Packument cache pre-warmed before transitive remediation loop to eliminate serial npm registry round-trips
Validation
- npm test
- npm run build