Releases: OWASP/cve-lite-cli

v1.25.0 - Override hygiene, SARIF enrichment, and validated transitive chain resolution

20 Jun 17:42
v1.25.0
2eed959

Added

  • cve-lite overrides [path] subcommand audits override hygiene across npm, pnpm, yarn, and bun projects. Covers eight rules (OA001-OA008): orphaned target, floating tag, wrong section, surpassed pin, nested ineffective override, coupled platform binary, frozen latest (registry drift), and materialized vulnerable copy. Supports --fix, --rule <id>, --json, --fail-on <severity>, --audit-log <path>, and --check-network
  • --fix applies override-hygiene fixes as RFC 6902 patches with a chokepoint guard that prevents inventing new override keys
  • cve-lite [path] --fix now runs the override hygiene fix-and-verify hook after CVE fixes: applies fixable override findings, then re-audits the touched packages to confirm no vulnerable copy remains
  • Exit code 2 for a failed post-fix verification (the re-audit that runs after --fix), distinct from exit 1 (findings) and exit 3 (tool error)
  • --audit-log <path> (also via CVE_LITE_AUDIT_LOG) streams override detection and fix events as an NDJSON change-control log
  • --check-overrides runs per-folder override audits in multi-folder workspace scans
  • Override hygiene fixes participate in --create-pr
  • Validated transitive chain resolution with chain proof line (resolves via X -> Y (safe))
  • SARIF rule.shortDescription, rule.fullDescription, and rule.help populated from OSV advisory data: summary, details, CVSS, CWE, affected range, dependency path, and fix guidance
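The "chokepoint guard" on RFC 6902 override patches, as an added example that is not cve-lite's own code: it assumes npm-style package.json "overrides" (pnpm.overrides and yarn resolutions are out of scope), single-level JSON Pointers under /overrides, and made-up package names and versions.

```javascript
// Added example (not cve-lite's own code); assumes npm-style package.json "overrides".
// RFC 6901 token decoding: "~1" -> "/", "~0" -> "~" (needed for scoped "@scope/pkg").
const decodeToken = (tok) => tok.replace(/~1/g, '/').replace(/~0/g, '~');

// "/overrides/@scope~1pkg" -> ["overrides", "@scope/pkg"]; null if not a pointer.
function pointerTokens(path) {
  return path.startsWith('/') ? path.slice(1).split('/').map(decodeToken) : null;
}

// Chokepoint guard: every op must target an override key that already exists.
// A fix may tighten, replace or remove an override, never invent a new one.
function guardOverridePatch(manifest, patch) {
  const overrides = manifest.overrides || {};
  for (const op of patch) {
    const toks = pointerTokens(op.path);
    if (!toks || toks.length !== 2 || toks[0] !== 'overrides') {
      return { ok: false, reason: `path outside /overrides: ${op.path}` };
    }
    if (!Object.prototype.hasOwnProperty.call(overrides, toks[1])) {
      return { ok: false, reason: `would invent override key: ${toks[1]}` };
    }
    if (op.op !== 'replace' && op.op !== 'remove') {
      return { ok: false, reason: `op not allowed on overrides: ${op.op}` };
    }
  }
  return { ok: true };
}

// Apply a guarded patch to a copy of the manifest; the original is untouched.
function applyOverridePatch(manifest, patch) {
  const verdict = guardOverridePatch(manifest, patch);
  if (!verdict.ok) throw new Error(verdict.reason);
  const out = JSON.parse(JSON.stringify(manifest));
  for (const op of patch) {
    const key = pointerTokens(op.path)[1];
    if (op.op === 'replace') out.overrides[key] = op.value;
    else delete out.overrides[key];
  }
  return out;
}

// Constructed manifest: a floating-tag override and an orphaned one (made-up names/versions).
const MANIFEST = { name: 'demo', overrides: { lodash: 'latest', '@scope/gone': '1.0.0' } };
const GOOD_PATCH = [
  { op: 'replace', path: '/overrides/lodash', value: '4.17.21' },
  { op: 'remove', path: '/overrides/@scope~1gone' },
];
const BAD_PATCH = [{ op: 'add', path: '/overrides/minimist', value: '1.2.8' }];
```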

Fixed

  • OA006 (coupled platform binary) no longer false-positives on flat overrides that are actually effective; consults materialized node_modules before firing
  • Mistyped command or nonexistent path now exits with code 3 and prints "Did you mean 'X'?" using Levenshtein distance, rather than silently exiting 0
  • Restore Yarn Berry transitive graph edges when a dep ref lacks the npm: prefix; fixes misclassification of transitive packages as direct
  • Replace vague "lockfile refresh" message with a concrete package manager install instruction in within-range fix output
  • Remove em dashes from user-facing action strings in fix guidance output
  • --ratchet now gates on new findings when a baseline already exists instead of re-saving the baseline
  • Add pull_request trigger to docs-site CI workflow

Changed

  • "Copy And Run These Fix Commands" renamed to "Suggested Fix Commands" in terminal output

Validation

  • npm test
  • npm run build

Contributors

  • @alamb-hex - override-hygiene subsystem (OA001-OA008, --audit-log, --fix RFC 6902 patches, SARIF integration, 827 tests) and CLI mistyped-command exit with "Did you mean" suggestion
  • @Demiserular - "Suggested Fix Commands" rename and docs-site CI workflow pull_request trigger fix
  • @coder-Yash886 - fix version publish date in terminal and HTML output

v1.24.0 - Dual SARIF and HTML output, dev dependency fix flags, and Action binary fix

17 Jun 12:40
v1.24.0
97546a6

Added

  • --sarif can now be combined with --report to write both a SARIF file and an HTML report in one scan - useful for CI pipelines that upload to GitHub Code Scanning and also attach an HTML artifact for human review

Fixed

  • Fix commands now include -D flag for dev dependencies (npm install -D, pnpm add -D, yarn add -D, bun add --dev); mixed dev/prod batches split into separate commands
  • GitHub Action now installs cve-lite-cli via npm install --prefix and appends the bin dir to $GITHUB_PATH, fixing cve-lite: not found errors on npm 10.x runners where npx cannot resolve a binary name different from the package name

Changed

  • Upgrade jest to 30.4.1; add .cve-lite/baseline.json to suppress unfixable js-yaml@3.14.2 transitive dev dep (GHSA-h67p-54hq-rp68)

Docs

  • Socket CLI comparison expanded with structured sections and concrete examples

Validation

  • npm test
  • npm run build

v1.23.1 - npm lockfile graph optimizations and four new case studies

15 Jun 12:58
v1.23.1
b4a6913

Performance

  • npm lockfile graph construction reduced from O(E*V) to O(E) using Set accumulators for edge lists
  • npm lockfile graph nodes and arrays pre-frozen at construction time; redundant uniquePathArrays removed
  • Remediation package lookup replaced with Map for O(1) access

Docs

  • Four new case studies: Strapi (Yarn Berry, 2,887 packages), Twenty (Yarn Berry, 5,451 packages), Presenton (dual npm lockfiles), Payload CMS (pnpm, 2,602 packages)
  • OWASP Lab Project status reflected across all project docs: README, CONTRIBUTING, comparison page, case studies index, and press page

Changed

  • SARIF, CycloneDX, and HTML reporter file-write cleanup refactored for clarity; test spy coverage refined
  • Case study contribution scope clarified in CONTRIBUTING: contributors submit case-study files only; the shared index files are maintained by the maintainer

Validation

  • npm test
  • npm run build

v1.23.0 - Git source classification, error handling, and 2x faster cold scans

13 Jun 17:45
v1.23.0
f0e0092

Added

  • Graded output for MAL- advisories from git sources: terminal shows ⚠ Git source (SHA-pinned) or ⚠ Git source (floating ref) with resolved URL; HTML report shows orange badge variant

Fixed

  • Error handling and cleanup for SARIF, CycloneDX, and HTML report file writes; pre-existing directories preserved on write failure
  • Duplicate db.close() call removed from osv-sync catch block that could mask original error

Performance

  • CVE detail fetches now run concurrently — 2.2x faster on cold cache for large lockfiles (28.4s → 12.7s on a 170-CVE scan)
  • Packument cache pre-warmed before transitive remediation loop to eliminate serial npm registry round-trips

Validation

  • npm test
  • npm run build

v1.22.0 - Dev dependency labelling and private registry detection for all parsers

11 Jun 20:51
v1.22.0
64a85e1

Added

  • Dev dependency labelling: terminal output and HTML report now show direct · dev / transitive · dev for findings from devDependencies; Yarn Classic and Berry parsers updated to detect dev status
  • yarn-within-range and dev-only-finding example fixtures for regression testing

Fixed

  • Private registry detection (⚠ Unverifiable (private source)) now works for pnpm (legacy and v9), Yarn Classic, and Bun lockfiles — previously only npm was supported

Validation

  • npm test
  • npm run build

v1.21.0 - Ratcheting mode for CI adoption with existing vulnerability debt

09 Jun 13:00
v1.21.0
d9fb007

Added

  • Ratcheting mode: run cve-lite . --ratchet once to snapshot current findings into .cve-lite/baseline.json. All subsequent scans automatically suppress known findings and only report new ones introduced above the baseline. No CI flag changes needed - the baseline file's presence activates suppression.
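The baseline state machine described above, including the v1.25.0 fix that --ratchet gates on new findings when a baseline already exists instead of re-saving it, as an added example that is not cve-lite's own code. It assumes a finding is keyed by advisory id plus package name and version; the advisory ids and packages are constructed.

```javascript
// Added example (not cve-lite's own code). Assumption: a finding is keyed by
// advisory id plus package name and version; cve-lite may key findings differently.
const findingKey = (f) => `${f.advisory}:${f.name}@${f.version}`;

// baseline: parsed .cve-lite/baseline.json, or null when the file is absent.
// Returns the findings to report and, when one must be written, a new baseline.
function ratchet(findings, baseline, ratchetFlag) {
  if (baseline === null) {
    // No baseline yet: without --ratchet it is a plain scan; with --ratchet the
    // current findings are snapshotted as accepted debt and nothing is reported.
    if (!ratchetFlag) return { report: findings, writeBaseline: null };
    return { report: [], writeBaseline: { findings: findings.map(findingKey) } };
  }
  // Baseline present: its mere existence suppresses known findings. --ratchet
  // gates on new findings and never re-saves, so new debt cannot be silently
  // folded into the accepted set.
  const known = new Set(baseline.findings);
  return { report: findings.filter((f) => !known.has(findingKey(f))), writeBaseline: null };
}

// Exit 1 when anything is reported, 0 otherwise (tool errors would be exit 3).
const exitCode = (result) => (result.report.length > 0 ? 1 : 0);

// Constructed scans: run 2 keeps one known finding and introduces one new one.
const RUN1 = [
  { advisory: 'GHSA-EXAMPLE-0001', name: 'left-pad', version: '1.0.0' },
  { advisory: 'GHSA-EXAMPLE-0002', name: 'minimist', version: '0.0.8' },
];
const RUN2 = [
  RUN1[0],
  { advisory: 'GHSA-EXAMPLE-0003', name: 'qs', version: '6.0.0' },
];
```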

Docs

  • New dedicated Ratcheting Mode page
  • MAL- advisory handling and unverifiable private source findings documented in how-remediation-works

Validation

  • npm test
  • npm run build

v1.20.0 - Private registry MAL- detection, Yarn path reconstruction, and --create-pr

09 Jun 03:20
v1.20.0
78aa534

Added

  • --create-pr flag: after --fix, commits lockfile changes and opens a GitHub PR via gh with a descriptive title listing upgraded packages and vulnerability count
  • --base <branch> flag to set the base branch for --create-pr (default: main)
  • Bun parser updated to reconstruct transitive paths from package relationships; within-range remediation now works for Bun lockfiles
  • pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain regression fixtures
  • CamoFox Browser case study
  • mal-private-registry example fixture demonstrating unverifiable MAL- output for private registry packages

Fixed

  • Yarn Classic parser now reconstructs full transitive dependency paths using BFS graph walk; within-range resolver correctly suggests yarn upgrade <pkg> for deep chains
  • MAL- advisories for packages resolved from a private registry now surface as "Unverifiable (private source)" instead of a false-positive "Malicious" finding

Validation

  • npm test
  • npm run build

Contributors

  • @coder-Yash886 - Yarn parser path reconstruction fix, bun-within-range fixture
  • @Ayush7614 - pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain fixtures, CamoFox Browser case study
  • @nkgotcode - fixture remediation scan tests

v1.19.2 - Fix transitive/direct classification and skipped findings UX

05 Jun 12:15
v1.19.2
b75564d

Fixed

  • Transitive vulnerability findings now correctly classified as transitive when the same package is also installed as a direct dependency at a different version. Previously uuid@8.3.2 (transitive) was classified as direct because uuid@14.0.0 was in package.json, generating a wrong npm install command instead of a parent upgrade suggestion.
  • Skip reason version hint now uses the validated fix version consistently with the findings table, eliminating version discrepancies between the two sections.
  • --help output no longer repeats the tool name and version already shown in the banner.

Changed

  • Skipped findings in verbose terminal output now show the advisory version with a gray suffix, signalling it is an advisory hint only. A note below the table points to --report for detailed skip reasons.
  • HTML report: ⊘ Skipped (N) filter button added to findings table. Fixed column shows icon with tooltip for skipped findings.
  • HTML report: findings section top margin fixed, scan notes moved to bottom after all important sections.
  • Scan notes: removed outdated MVP language.
  • Nested lockfile informational message moved from warnings (yellow) to notes (gray).

Added

  • New How Remediation Works documentation page with Mermaid dependency tree diagrams and tabbed package manager commands.
  • Usage examples added to --help output.
  • 7 new case studies: Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n.
  • Community contributors section added to README.

Validation

  • npm test
  • npm run build

v1.19.1 - Within-range transitive fix for deep dependency chains

02 Jun 03:38
v1.19.1
4cc5672

Fixed

  • Within-range transitive fix now detected for dependency chains deeper than 2 levels. When the immediate parent's declared range already covers a safe version of the vulnerable package, CVE Lite now suggests a lockfile refresh (npm update <package>) instead of an incorrect best-effort parent upgrade.

Example: project → aws-amplify → @aws-amplify/core → js-cookie@3.0.6

  • Before: npm install aws-amplify@6.16.4 (wrong)
  • After: npm update js-cookie (correct — @aws-amplify/core's ^3.0.5 range already covers the fix)
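The two remediation decisions from v1.19.2 (direct-versus-transitive classification by name and version) and v1.19.1 (within-range detection against the immediate parent's declared range) carried through in one added example that is not cve-lite's own code. It assumes npm only, caret ranges only, and constructed installed and fixed versions; some-lib, the uuid fix version and the js-cookie versions are made up.

```javascript
// Added example (not cve-lite's own code). Assumes npm, caret ranges only, and
// constructed versions/fix versions; directDeps maps a direct dependency's name
// to the version installed for it, as read from the lockfile.
const parseVer = (v) => v.split('.').map(Number);
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// ^x.y.z with x >= 1: same major and not older than x.y.z.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const lo = parseVer(range.slice(1));
  const v = parseVer(version);
  return lo[0] >= 1 && v[0] === lo[0] && cmp(v, lo) >= 0;
}

// v1.19.2 fix: a package is direct only if the direct install is this exact
// version; the same name at another version nested deeper is transitive.
function classify(finding, directDeps) {
  return directDeps[finding.name] === finding.version ? 'direct' : 'transitive';
}

// finding.path: [project, direct dep, ..., immediate parent, vulnerable package]
// finding.parentRange: the range the immediate parent declares for the package.
function remediation(finding, directDeps) {
  if (classify(finding, directDeps) === 'direct') {
    return `npm install ${finding.name}@${finding.fixVersion}`;
  }
  // v1.19.1 fix: if the parent's declared range already covers the fixed
  // version, a lockfile refresh is enough; no parent upgrade is needed.
  if (satisfiesCaret(finding.parentRange, finding.fixVersion)) {
    return `npm update ${finding.name}`;
  }
  return `upgrade ${finding.path[1]} so it pulls in ${finding.name}@${finding.fixVersion}`;
}

// Constructed lockfile state mirroring the two release notes.
const DIRECT = { uuid: '14.0.0', 'aws-amplify': '6.16.3' };
const UUID_FINDING = {
  name: 'uuid', version: '8.3.2', fixVersion: '9.0.0',
  path: ['project', 'some-lib', 'uuid'], parentRange: '^8.0.0',
};
const COOKIE_FINDING = {
  name: 'js-cookie', version: '3.0.5', fixVersion: '3.0.6',
  path: ['project', 'aws-amplify', '@aws-amplify/core', 'js-cookie'], parentRange: '^3.0.5',
};
```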

Validation

  • npm test
  • npm run build

v1.19.0 - Multi-folder scan for monorepos without a root lockfile

02 Jun 02:24
v1.19.0
045391f

Added

  • Multi-folder scan for monorepos without a root lockfile: when cve-lite . is run from a directory with no lockfile but two or more lockfiles in subfolders, the scanner automatically switches to multi-folder mode. Each subfolder is scanned independently, findings and fix commands are grouped per subfolder in terminal output, a single HTML report is generated with collapsible per-folder sections, and --json output includes a subfolder field on each finding.

Fixed

  • isNewer update check now correctly parses pre-release version strings (e.g. 1.19.0-alpha.1) so alpha users do not see a false downgrade prompt.

Validation

  • npm test
  • npm run build

Contributors

Thank you to everyone who contributed to this release: @ModalityZ