CVE Lite CLI
Version updated for https://github.com/sonukapoor/cve-lite-cli to v1.7.0.
Action Type
This is a Composite action.
Action Summary
CVE Lite CLI is a fast, local-first GitHub Action that scans JavaScript and TypeScript projects for dependency vulnerabilities, providing actionable remediation guidance, including direct fix commands for package managers. It automates the identification of risks in both direct and transitive dependencies without requiring accounts, cloud uploads, or external API calls, making it suitable for secure, offline environments. Key features include lockfile-based scanning, practical fix recommendations, and offline advisory database support.
What’s Changed
Added
- pnpm lockfile v9 support — the v9 format (default in current pnpm installations) uses `name@version` keys and a `snapshots` section instead of the legacy `/name/version` and `packages` layout; the parser now branches on `lockfileVersion` and routes v9+ lockfiles through a dedicated path, eliminating false negatives on modern pnpm projects
- Analog case study — full scan-fix workflow on a real pnpm v9 Angular monorepo (3,367 packages), including a comparison table against `pnpm audit`, fix journey, and baseline findings table
- Baseline findings tables backported to NestJS and Juice Shop case studies for structural consistency across all studies
Fixed
- BFS path-tracking in the pnpm parser replaced path-fingerprint `seenPaths` with a visited-key `seenKeys` set, eliminating exponential queue growth through circular dependency chains in large lockfiles (e.g. Analog’s 15 circular deps)
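The two changes above (branching on `lockfileVersion` for the v9 key layout, and a visited-key set instead of path fingerprints in the BFS) as one added example; this is illustrative code, not the cve-lite-cli parser itself, and it assumes the lockfile YAML has already been parsed into an object and that peer-dependency key suffixes do not occur.

```javascript
// Added example (not the project's own code): walk a pnpm lockfile graph, branching on
// lockfileVersion as the release note describes, with a visited-key set so circular chains
// cannot grow the queue. Lockfiles below are constructed stand-ins for parsed YAML (no peer suffixes).
// Legacy (v5/v6): packages keyed '/name/version', deps on the package entry.
// v9+: packages keyed 'name@version', resolved deps in the 'snapshots' section.
function graphAccessors(lockfile) {
  const v9 = parseInt(String(lockfile.lockfileVersion), 10) >= 9;
  const table = v9 ? lockfile.snapshots : lockfile.packages;
  return {
    keyOf: (name, version) => (v9 ? `${name}@${version}` : `/${name}/${version}`),
    depsOf: (key) => (table[key] || {}).dependencies || {},
  };
}
// Every package reachable from the importers, as sorted 'name@version' strings.
function reachablePackages(lockfile) {
  const { keyOf, depsOf } = graphAccessors(lockfile);
  const seenKeys = new Set(); // visited keys, not path fingerprints
  const queue = [];
  const enqueue = (name, version) => {
    const key = keyOf(name, version);
    if (seenKeys.has(key)) return; // already visited: never re-queued, so cycles end
    seenKeys.add(key);
    queue.push({ key, name, version });
  };
  for (const importer of Object.values(lockfile.importers || {})) {
    // v5 importers map name -> version string; v6+ map name -> { specifier, version }
    const direct = { ...importer.dependencies, ...importer.devDependencies };
    for (const [name, spec] of Object.entries(direct)) {
      enqueue(name, typeof spec === 'string' ? spec : spec.version);
    }
  }
  const packages = [];
  while (queue.length) {
    const { key, name, version } = queue.shift();
    packages.push(`${name}@${version}`);
    for (const [dep, ver] of Object.entries(depsOf(key))) enqueue(dep, ver);
  }
  return packages.sort();
}
// Constructed samples: the root depends on a, and a -> b -> a is a circular chain.
const LEGACY_LOCKFILE = {
  lockfileVersion: '6.0',
  importers: { '.': { dependencies: { a: { specifier: '^1.0.0', version: '1.0.0' } } } },
  packages: { '/a/1.0.0': { dependencies: { b: '1.0.0' } }, '/b/1.0.0': { dependencies: { a: '1.0.0' } } },
};
const V9_LOCKFILE = {
  lockfileVersion: '9.0',
  importers: { '.': { dependencies: { '@scope/a': { specifier: '^1.0.0', version: '1.0.0' } } } },
  snapshots: { '@scope/a@1.0.0': { dependencies: { b: '1.0.0' } }, 'b@1.0.0': { dependencies: { '@scope/a': '1.0.0' } } },
};
```

With path fingerprints the `a -> b -> a` cycle would keep producing new paths; keyed on the package identity the walk visits each package exactly once in both layouts.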
Validation
- npm test
- npm run build