Added
- GitHub Action: `fix: true` and `create-pr: true` inputs enable scheduled security fix PRs - a direct Dependabot alternative for npm/pnpm/yarn/bun repos. A single batched PR is opened (or updated in place) with advisory IDs, before/after finding counts, and OSV-validated fix versions
- GitHub Action: `base-branch`, `labels`, and `token` inputs for the fix PR workflow
- Override hygiene hint shown when `overrides`/`resolutions`/`patchedDependencies` are detected but `--check-overrides` was not passed - single tip line at end of terminal output, suppressed in `--json`/`--sarif`/`--cdx`/`--ratchet` modes
Fixed
- `--fix` exit code suppressed when fix mode is active so remaining transitive findings do not block the Action PR creation step
- `bun.lockb` added to `DEPENDENCY_FILES_TO_STAGE` in `create-pr.ts`
- `cve-lite-fix-result.json` added to `.gitignore`
- Circular ESM import between `override-findings-terminal.ts` and `formatters.ts` causing 35 test failures
- ReversingLabs logo on homepage press bar: red square had no fill, LABS text had wrong fill color, REVERSING text was black on dark background
- HTML override report: severity group rows now carry the severity CSS class; location cell shows `file > jsonPath` separator; fix commands render with inline block and copy button
- e2e test fixture fragility when new CVEs appear in the live OSV DB
- pnpm dual-document lockfile (bootstrap + project sections) fails to parse
- Exact-pinned transitive dependency misclassified as within-range refresh
- JSON parse errors in `local-db.ts` now caught and handled gracefully
Performance
- Compact JSON serialization in advisory cache reduces file size and I/O overhead
- Parallelized `validateDirectFixTargets` with `runWithConcurrency` and promise-based packument cache deduplication
- `publishedAt` included in fix version resolutions to eliminate redundant registry call
- Parsed version tuples cached in `compareVersions` to avoid redundant string splits
- Cache timestamp hoisted before write loop; three `findings.filter()` passes collapsed into a single counted loop
- Inline base64 logo constants in HTML reporter replaced with runtime PNG loader and module-level Map cache
Changed
- Override hygiene terminal output: verbose mode uses cyan header without separators; compact mode wraps section in separator lines
- `.npmrc` added with `allow-git=none` to block git-sourced dependencies
- Third-party GitHub Actions pinned to immutable commit SHA digests across all workflows
- GitHub Action: `--report` flag exposed as input with `--no-open` applied automatically in CI context
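Added illustration, not taken from this changelog or from the project's own docs: a scheduled workflow that wires the Action inputs named above (`fix`, `create-pr`, `base-branch`, `labels`, `token`) into a fix-PR job and pins every third-party action to a commit digest, as the Changed section describes. The `uses:` targets and every `<commit-sha>` are placeholders to be replaced with the real repositories and reviewed commits; the `report` input name, the comma-separated `labels` format, and the `permissions` values are assumptions.

```yaml
# Added example (not from the changelog or the project). OWNER/REPO and every
# <commit-sha> are placeholders; resolve them to the action's repository and
# the exact commit you reviewed before enabling the workflow.
name: scheduled-security-fix-pr

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC
  workflow_dispatch:       # manual trigger for testing the job

# Assumed minimum permissions: push the fix branch and open/update the PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  fix-pr:
    runs-on: ubuntu-latest
    steps:
      # Pin to an immutable commit digest rather than a mutable tag;
      # keep the tag in a comment so the pin stays reviewable.
      - uses: actions/checkout@<commit-sha>   # placeholder digest (e.g. the v4 release commit)

      # The scanner's own action, also pinned by digest (placeholder).
      - uses: OWNER/REPO@<commit-sha>
        with:
          fix: true                 # apply OSV-validated fix versions
          create-pr: true           # open one batched PR, or update it in place
          base-branch: main         # branch the fix PR targets
          labels: security,dependencies   # assumed comma-separated format
          token: ${{ secrets.GITHUB_TOKEN }}
          report: true              # assumed name for the --report input; --no-open is applied in CI
```

With `create-pr: true`, each scheduled run leaves at most one open fix PR per repository, so reviewers see a single batched diff with advisory IDs and before/after finding counts rather than one PR per package; the digest pins mean a later tag move or compromised release of a third-party action cannot change what this workflow executes without a visible diff to the workflow file.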
Docs
- GitHub Action inputs reference page covering all inputs grouped by purpose
- 5 new case studies: Cline, CopilotKit, Dyad, Builder.io, Mitosis
- Usage-aware triage sections added to Analog, NestJS, and Juice Shop case studies
- Override hygiene auditing documentation with per-rule pages and real-world fixtures
- The Register coverage added to press page, README, and homepage bar
- Comparison page expanded with DependencyCheck and dep-scan sections
- Override hygiene docs updated to use `--check-overrides` flag throughout
Validation
- npm test
- npm run build