CVE Lite CLI
Version updated for https://github.com/sonukapoor/cve-lite-cli to version v1.8.0.
Action Type
This is a Composite action.
Action Summary
CVE Lite CLI is a GitHub Action and CLI tool designed to scan JavaScript and TypeScript projects for known dependency vulnerabilities by analyzing lockfiles and querying the Open Source Vulnerabilities (OSV) database. It automates the process of identifying and prioritizing fixes with actionable remediation guidance, including direct fix commands, while offering features like offline scanning, transitive dependency visibility, and local-first operation without requiring a cloud account. The tool is optimized for fast, developer-friendly use in secure environments and supports multiple package managers.
What’s Changed
Added
- Usage-aware dependency analysis phase 1: The CLI now statically analyzes project source code to detect if vulnerable dependencies are actually imported and reachable.
- Added `--usage` and `--only-used` flags. `Used` findings bubble to the top, and `--only-used` aggressively filters out unreachable/unused dependencies to eliminate noise.
- CLI tables now feature a dedicated `Usage` column indicating import counts or `unused` status, color-coded red and green.
- Migrated the breaking change annotation into its own dedicated `Breaking?` column with a `⚠` symbol in the fix plan tables.
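The usage-aware pass above is easiest to understand with a small worked version. The block below is an added example written for this page, not cve-lite-cli's own implementation: it takes a list of vulnerability findings and a set of project source files, counts ESM/CJS imports of each vulnerable package (including sub-path imports such as `pkg/sub`, but not a different package that merely shares a name prefix), ranks used findings first the way `--usage` does, and filters like `--only-used`. The package names, advisory ids, file contents and the regex heuristic are all constructed assumptions for illustration.

```javascript
// Added example (not cve-lite-cli's code): a minimal "usage-aware" pass that checks
// whether a vulnerable package is actually imported by project source files.

// Constructed sample findings. The ids are placeholders, not real advisories.
const SAMPLE_FINDINGS = [
  { pkg: "left-padder",   version: "1.0.0", id: "EXAMPLE-0001", severity: "high" },
  { pkg: "unused-widget", version: "2.3.1", id: "EXAMPLE-0002", severity: "critical" },
  { pkg: "tiny-parser",   version: "0.9.0", id: "EXAMPLE-0003", severity: "medium" },
];

// Constructed sample sources, keyed by path (in a real scan these come from disk).
const SAMPLE_SOURCES = {
  "src/index.js": `
    const pad = require("left-padder");
    import { parse } from "tiny-parser/lib/parse";
    export const run = () => pad(parse("x"), 4);
  `,
  "src/util.ts": `
    import type { Options } from "tiny-parser"; // type-only import still references the package
    const extra = require("left-padder-extra"); // different package: must not count for left-padder
  `,
};

// Builds a regex that matches `import ... from "pkg"`, bare `import "pkg"`, dynamic
// `import("pkg")` and CJS `require("pkg")`. Sub-path imports ("pkg/sub") count;
// a package whose name merely starts with `pkg` ("pkg-extra") does not, because the
// name must be followed by a quote or a slash.
function importPattern(pkg) {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(
    String.raw`(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["'](${esc})(?:/[^"']*)?["']`,
    "g"
  );
}

// Number of import/require sites for `pkg` in one source file.
function countImports(source, pkg) {
  const re = importPattern(pkg);
  let n = 0;
  while (re.exec(source) !== null) n++;
  return n;
}

// Annotates each finding with import counts and the files that reference it, then
// ranks used findings first (and within those, by import count), like `--usage`.
function annotateUsage(findings, sources) {
  return findings
    .map((f) => {
      const hits = Object.entries(sources)
        .map(([path, src]) => [path, countImports(src, f.pkg)])
        .filter(([, n]) => n > 0);
      const imports = hits.reduce((sum, [, n]) => sum + n, 0);
      return { ...f, imports, files: hits.map(([p]) => p), used: imports > 0 };
    })
    .sort((a, b) => Number(b.used) - Number(a.used) || b.imports - a.imports);
}

// Equivalent of `--only-used`: drop findings with no reachable import.
function onlyUsed(findings, sources) {
  return annotateUsage(findings, sources).filter((f) => f.used);
}

// Text for a `Usage` column cell: an import count, or "unused".
function usageCell(f) {
  return f.used ? `${f.imports} import${f.imports === 1 ? "" : "s"}` : "unused";
}

// Renders a plain-text table (no colour) for the annotated findings.
function renderUsageTable(findings, sources) {
  const rows = annotateUsage(findings, sources).map(
    (f) => `${f.id}\t${f.pkg}@${f.version}\t${f.severity}\t${usageCell(f)}\t${f.files.join(",")}`
  );
  return ["ID\tPACKAGE\tSEVERITY\tUSAGE\tFILES", ...rows].join("\n");
}

console.log(renderUsageTable(SAMPLE_FINDINGS, SAMPLE_SOURCES));
```

The regex is deliberately narrow: it only recognises string-literal specifiers, so a package loaded through a computed `require(name)` or reached only via a transitive dependency will show as `unused`. That is why the text calls the pass "phase 1" and why `--only-used` is described as aggressive: an `unused` result lowers priority, it does not prove the vulnerable code is unreachable.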
Validation
- npm test
- npm run build