CVE Lite CLI
Release v1.5.4 of https://github.com/sonukapoor/cve-lite-cli.
Action Type
This is a Composite action.
Action Summary
CVE Lite CLI is a local-first GitHub Action designed to scan JavaScript and TypeScript projects for known dependency vulnerabilities. It automates the identification and prioritization of security risks by analyzing project lockfiles, querying vulnerability databases, and generating actionable remediation plans with package-manager-specific fix commands. Key features include offline advisory database support, clear visibility of direct vs transitive dependencies, and fast, account-free operation without relying on external cloud services.
What’s Changed
Fixed
- OSV `MODERATE` severity label now correctly maps to `medium` — packages like `got` and `micromatch` were previously classified as `unknown` and excluded from the default medium+ findings table
- Validation table (Package / Current / Recommended target / Versions scanned / Still known vulnerable) now renders for urgent (high/critical) direct fix sections; it was missing after packages were reclassified from low to high by the CVSS vector fix in v1.5.3
- Transitive findings without a parent upgrade path no longer appear in the no-auto-fix section; they are already covered by fix plan step 2, so the duplication was confusing
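The first fix above is worth seeing in code, because the failure mode is silent: an advisory whose severity label has no mapping is normalised to `unknown`, and a "medium and above" threshold then drops it without any error. The following is an added illustration, not code from cve-lite-cli; it assumes findings carry an OSV-style severity label (such as the `database_specific.severity` values `LOW`, `MODERATE`, `HIGH`, `CRITICAL`) and uses placeholder advisory IDs. It compares a label map without `MODERATE` (the pre-v1.5.4 behaviour the notes describe) against the corrected map, and reports findings that normalised to `unknown` so a pipeline can surface them instead of losing them.

```javascript
// Added example (not cve-lite-cli's own code): normalise OSV severity labels
// before applying a "medium+" threshold, and show how an unmapped label
// silently excludes a finding.

// Assumption: each finding has a severity label as found in OSV advisories'
// database_specific.severity ("LOW", "MODERATE", "HIGH", "CRITICAL").
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Label map without MODERATE: the pre-v1.5.4 behaviour described above.
const LABEL_MAP_OLD = { LOW: "low", MEDIUM: "medium", HIGH: "high", CRITICAL: "critical" };
// Corrected map: OSV's MODERATE is the same tier as medium.
const LABEL_MAP_FIXED = { ...LABEL_MAP_OLD, MODERATE: "medium" };

// Case-insensitive, whitespace-tolerant normalisation; anything unmapped
// becomes "unknown" rather than throwing.
function normalizeSeverity(label, labelMap = LABEL_MAP_FIXED) {
  if (typeof label !== "string") return "unknown";
  return labelMap[label.trim().toUpperCase()] ?? "unknown";
}

// Keep findings at or above minSeverity; collect "unknown" ones separately
// so the caller can see what the threshold would otherwise hide.
function filterFindings(findings, minSeverity = "medium", labelMap = LABEL_MAP_FIXED) {
  const threshold = SEVERITY_RANK[minSeverity];
  const kept = [];
  const unknown = [];
  for (const f of findings) {
    const severity = normalizeSeverity(f.severity, labelMap);
    const rank = SEVERITY_RANK[severity];
    if (rank === undefined) {
      unknown.push({ ...f, severity });
    } else if (rank >= threshold) {
      kept.push({ ...f, severity });
    }
  }
  return { kept, unknown };
}

// Constructed sample findings: package names are the ones named in the
// release notes, advisory IDs are placeholders.
const SAMPLE_FINDINGS = [
  { package: "got", id: "ADVISORY-PLACEHOLDER-1", severity: "MODERATE", direct: true },
  { package: "micromatch", id: "ADVISORY-PLACEHOLDER-2", severity: "MODERATE", direct: false },
  { package: "example-pkg-a", id: "ADVISORY-PLACEHOLDER-3", severity: "HIGH", direct: true },
  { package: "example-pkg-b", id: "ADVISORY-PLACEHOLDER-4", severity: "low", direct: true },
];

function keptPackages(labelMap) {
  return filterFindings(SAMPLE_FINDINGS, "medium", labelMap).kept.map((f) => f.package);
}

function unknownPackages(labelMap) {
  return filterFindings(SAMPLE_FINDINGS, "medium", labelMap).unknown.map((f) => f.package);
}

// Demo: the old map drops got and micromatch; the fixed map keeps them.
for (const [name, labelMap] of [["old", LABEL_MAP_OLD], ["fixed", LABEL_MAP_FIXED]]) {
  const { kept, unknown } = filterFindings(SAMPLE_FINDINGS, "medium", labelMap);
  console.log(`${name} map: medium+ =`, kept.map((f) => f.package));
  if (unknown.length > 0) {
    // A defender wants this to be loud: an unmapped label is a data problem,
    // not a reason to treat the finding as harmless.
    console.warn(`${name} map: ${unknown.length} finding(s) with unmapped severity:`,
      unknown.map((f) => `${f.package} (${f.id})`));
  }
}
```

The point of returning `unknown` alongside `kept` is that a scanner can fail or annotate the run when labels stop mapping, for example when a data source adds a new severity spelling, rather than quietly shrinking the findings table.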
Changed
- Renamed “Not included automatically” to “No auto-fix command available for these direct dependencies” to accurately describe what is shown
Validation
- npm test
- npm run build