github OWASP/cve-lite-cli v1.27.0
v1.27.0 - Light/dark mode, phantom dependency detection, and SARIF 2.1.0

latest release: v1
5 hours ago

Added

  • Light/dark mode toggle in HTML report: one-click switch between themes, persisted to localStorage
  • SARIF 2.1.0 output now includes ruleIndex, kind: "open", and partialFingerprints for full GitHub Code Scanning compatibility; shared sarifFingerprintHash utility extracted to src/utils/sarif.ts
  • OA009 stale floor detector: fires when a >= or ^ override floor is already met by every parent declaration, making the override redundant
  • Empty container pruning: after --fix removes the last override entry, the now-empty overrides/pnpm.overrides object is also removed
  • Path-first argument ordering: cve-lite <path> overrides [flags] now works alongside cve-lite overrides <path> [flags]
  • reachesFailOn shared helper extracted to src/utils/severity.ts; fixes missing unknown severity rank and closes --fail-on asymmetry between scan and overrides paths
  • PD001 (Override-only phantom, high): fires when source code imports a package only present via an override pin - declare it as a dependency
  • PD002 (Transitive-only phantom, medium): fires when source code imports a package only present as a transitive dependency - declare it explicitly
  • OA009 safety guard: suppresses stale-floor removal suggestion when the override anchors a phantom import
  • overrides --json now writes to a timestamped file consistent with the main scan path
  • examples/all-scenarios/ fixture triggering all nine auto-detectable override hygiene rules in one scan
  • Fix-all tip: when 2+ rules are auto-fixable, hint block leads with cve-lite overrides --fix to apply all at once

Fixed

  • overrides --fix output table no longer shows findings that were just fixed
  • Hint commands after the findings table now include the scanned path when it is not .
  • Double blank line before Override Hygiene section in standalone overrides command removed
  • handleMultiFolderScan now returns ExitCode instead of calling process.exit(), fixing audit-log fd leak

Changed

  • DebugSession type gains a close(): void method for explicit session lifecycle signalling; both enabled and disabled paths implement it as a no-op
  • GitHub Action: fix mode suppresses exit 1, propagates exit 2/3, warns on fail-on + fix combination
  • GitHub Action runners updated to Node 24

Validation

  • npm test
  • npm run build

Contributors

  • coder-Yash886 - GitHub Action fix mode support (#828)

Don't miss a new cve-lite-cli release

NewReleases is sending notifications on new releases.