Fixed
- OSV `MODERATE` severity label now correctly maps to `medium` — packages like `got` and `micromatch` were previously classified as `unknown` and excluded from the default medium+ findings table
- Validation table (Package / Current / Recommended target / Versions scanned / Still known vulnerable) now renders for urgent (high/critical) direct fix sections; it was missing after packages were reclassified from low to high by the CVSS vector fix in v1.5.3
- Transitive findings without a parent upgrade path no longer appear in the no-auto-fix section; they are already covered by fix plan step 2, so the duplication was confusing
Changed
- Renamed "Not included automatically" to "No auto-fix command available for these direct dependencies" to accurately describe what is shown
Validation
- npm test
- npm run build