惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
雷峰网
雷峰网
罗磊的独立博客
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
量子位
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
人人都是产品经理
人人都是产品经理
GbyAI
GbyAI
Cisco Talos Blog
Cisco Talos Blog
Engineering at Meta
Engineering at Meta
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
A
About on SuperTechFans
D
Darknet – Hacking Tools, Hacker News & Cyber Security
The Cloudflare Blog
Know Your Adversary
Know Your Adversary
T
Threat Research - Cisco Blogs
Spread Privacy
Spread Privacy
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
爱范儿
爱范儿
U
Unit 42
Security Latest
Security Latest
M
MIT News - Artificial intelligence
月光博客
月光博客
Scott Helme
Scott Helme
G
Google Developers Blog
有赞技术团队
有赞技术团队
T
Tor Project blog
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
博客园 - Franky
H
Hackread – Cybersecurity News, Data Breaches, AI and More
aimingoo的专栏
aimingoo的专栏
The GitHub Blog
The GitHub Blog
V
V2EX
B
Blog
Apple Machine Learning Research
Apple Machine Learning Research
S
Securelist
博客园 - 三生石上(FineUI控件)
Blog — PlanetScale
Blog — PlanetScale
TaoSecurity Blog
TaoSecurity Blog
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
腾讯CDC
D
Docker
Google Online Security Blog
Google Online Security Blog

OWASP

Aikido and OWASP bring agentic Code Audit to the global AppSec community | OWASP Foundation Community update regarding Richard Greenberg | OWASP Foundation OWASP Dependency-Track 5.0 Is Now Generally Available | OWASP Foundation Juice Shop v20.0.0 — a fresh squeeze of features, now with AI | OWASP Foundation Welcome to the Google Summer of Code 2026! | OWASP Foundation OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software | OWASP Foundation The OWASP Foundation appoints Missie Lindsey as Director of Corporate Relations | OWASP Foundation Bridging the Gap in Product Lifecycle Management: How OpenEoX and CLE Work Together | OWASP Foundation Announcing the Retirement of OWASP Meetup Platform | OWASP Foundation The OWASP Foundation appoints Stacey Ebbs as Communications & Marketing Manager | OWASP Foundation OWASP Certified Secure Software Developer | OWASP Foundation GSoC 2025 Recap | OWASP Foundation OWASP Top 10 Community Survey | OWASP Foundation OWASP Elections 2025 - Become a member today! | OWASP Foundation Help Support Sherif Mansour by donating blood today! | OWASP Foundation cdxgen and CycloneDX .NET Join GitHub Secure Open Source Fund | OWASP Foundation InfoSecMap x OWASP Collaboration | OWASP Foundation OWASP x Google Summer of Code 2025 - Enabling 15 opportunities for impact | OWASP Foundation OWASP Enables AI Regulation That Works with OWASP AI Exchange | OWASP Foundation OWASP Calls to Build a Unified Framework for Global Vulnerability Intelligence | OWASP Foundation ASVS 5.0 RC1 is ready for your review! | OWASP Foundation OWASP Education and Training Committee update | OWASP Foundation Committees Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation OWASP Juice Shop leadership changes & contributor recognition | OWASP Foundation Lifecycle events are part of the secure supply chain | OWASP Foundation More than a Password Day 2024 | OWASP Foundation A workaround for OWASP Foundation emails being blocked by Microsoft Office 365 | OWASP Foundation Securing React Native Mobile Apps with OWASP MAS | OWASP Foundation
OWASP CVE Lite CLI Graduates to Lab Project Status | OWASP Foundation
Sonu Kapoor · 2026-07-06 · via OWASP
image

Monday, July 6, 2026

CVE Lite CLI, a fast open source dependency vulnerability scanner for JavaScript and TypeScript projects, has graduated to OWASP Lab Project status three months after its initial release.


OWASP CVE Lite CLI graduated to Lab Project status in June 2026, recognized for clear documentation, active development, and growing adoption across open source and enterprise teams. The project launched in March 2026.


What CVE Lite CLI does

CVE Lite CLI scans lockfiles locally and matches dependencies against the OSV database to surface known vulnerabilities. It supports npm, pnpm, Yarn, and Bun lockfiles and classifies every finding as direct or transitive. Rather than stopping at detection, it generates a ranked remediation plan with copy-and-run upgrade commands for direct dependencies and parent-aware upgrade guidance for transitive chains.

The tool is built for the developer workflow: it runs in seconds at the terminal, requires no account, sends no data to a third party, ships with a local advisory cache for offline use, and keeps its runtime dependency footprint to four packages. HTML and JSON output modes and a --fail-on severity flag make it suitable for CI pipelines as well.


What sets it apart

Most developer-facing vulnerability tools either surface alerts without actionable guidance, or require a cloud account and CI integration before they show anything useful. CVE Lite CLI is designed for the moment before a push: scan locally, get a prioritized list, run the fix commands, push clean.

The remediation output goes further than a list of vulnerable packages. For transitive dependencies, the tool identifies which parent package controls the vulnerable version and, where the parent supports a range that includes a safe version, generates a direct upgrade command. Developers get a concrete next action rather than a dependency graph to reason about on their own.


Early traction

CVE Lite CLI reached 621 GitHub stars, more than 100 forks, and over 25,000 npm downloads in its first three months. The project has been covered by SecurityWeek, SD Times, CSO Online, Help Net Security, and The Register, which featured the tool’s override hygiene detection in a dedicated piece.

Adoption has spread across sectors. Developers at DINUM, France’s interministerial digital ministry, integrated CVE Lite CLI across multiple French government digital service repositories as a pre-push fail gate. The British Columbia government’s Ministry of Citizens’ Services runs it as a merge gate with SARIF output for security dashboard integration. CVE Lite CLI was independently selected as a subject in a Colorado State University research paper on CVE prioritization methodology, alongside tools from Microsoft and Hugging Face.


“Most vulnerability tools tell you what’s broken after the code lands in CI. CVE Lite CLI tells you what to run before you push. Three months in, with government teams and open source maintainers using it in production, reaching Lab status feels like the right validation at the right time.”

  • Sonu Kapoor, creator of OWASP CVE Lite CLI

What’s coming

Override hygiene detection, which identifies stale and redundant version overrides in lockfiles, shipped in v1.27.0 and was the subject of the recent Register coverage. Active development is underway on SARIF 2.1.0 output for GitHub Code Scanning integration, a phantom dependency detector, and a maintenance risk scorer for abandonware packages.


Availability

CVE Lite CLI is available now on npm. Documentation, lockfile coverage details, and remediation guidance are at the project website.

npm install -g cve-lite-cli
cve-lite .

About OWASP CVE Lite CLI

OWASP CVE Lite CLI is a fast, developer-friendly dependency vulnerability scanner for JavaScript and TypeScript projects. It scans lockfiles locally, queries the OSV database, supports npm, pnpm, Yarn, and Bun, shows direct vs transitive findings, and generates a ranked remediation plan with copy-and-run upgrade commands. The tool is free and open source under the OWASP Foundation. Learn more at owasp.org/cve-lite-cli.

About OWASP

The OWASP Foundation is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. To learn more or to become a member, visit owasp.org.