惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
宝玉的分享
宝玉的分享
I
InfoQ
P
Privacy International News Feed
V
V2EX
IT之家
IT之家
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
The Register - Security
The Register - Security
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
B
Blog
N
Netflix TechBlog - Medium
B
Blog RSS Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Last Week in AI
Last Week in AI
T
Threatpost
Forbes - Security
Forbes - Security
U
Unit 42
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recorded Future
Recorded Future
L
Lohrmann on Cybersecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
月光博客
月光博客
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Jina AI
Jina AI
I
Intezer
V
Visual Studio Blog
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
MyScale Blog
MyScale Blog
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位

OWASP

Aikido and OWASP bring agentic Code Audit to the global AppSec community | OWASP Foundation Community update regarding Richard Greenberg | OWASP Foundation OWASP Dependency-Track 5.0 Is Now Generally Available | OWASP Foundation Juice Shop v20.0.0 — a fresh squeeze of features, now with AI | OWASP Foundation Welcome to the Google Summer of Code 2026! | OWASP Foundation OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software | OWASP Foundation The OWASP Foundation appoints Missie Lindsey as Director of Corporate Relations | OWASP Foundation Bridging the Gap in Product Lifecycle Management: How OpenEoX and CLE Work Together | OWASP Foundation Announcing the Retirement of OWASP Meetup Platform | OWASP Foundation The OWASP Foundation appoints Stacey Ebbs as Communications & Marketing Manager | OWASP Foundation OWASP Certified Secure Software Developer | OWASP Foundation GSoC 2025 Recap | OWASP Foundation OWASP Top 10 Community Survey | OWASP Foundation OWASP Elections 2025 - Become a member today! | OWASP Foundation Help Support Sherif Mansour by donating blood today! | OWASP Foundation cdxgen and CycloneDX .NET Join GitHub Secure Open Source Fund | OWASP Foundation InfoSecMap x OWASP Collaboration | OWASP Foundation OWASP x Google Summer of Code 2025 - Enabling 15 opportunities for impact | OWASP Foundation OWASP Enables AI Regulation That Works with OWASP AI Exchange | OWASP Foundation OWASP Calls to Build a Unified Framework for Global Vulnerability Intelligence | OWASP Foundation ASVS 5.0 RC1 is ready for your review! | OWASP Foundation OWASP Education and Training Committee update | OWASP Foundation Committees Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation OWASP Juice Shop leadership changes & contributor recognition | OWASP Foundation Lifecycle events are part of the secure supply chain | OWASP Foundation More than a Password Day 2024 | OWASP Foundation A workaround for OWASP Foundation emails being blocked by Microsoft Office 365 | OWASP Foundation Securing React Native Mobile Apps with OWASP MAS | OWASP Foundation
OWASP CVE Lite CLI Graduates to Lab Project Status | OWASP Foundation
Sonu Kapoor · 2026-07-06 · via OWASP
image

Monday, July 6, 2026

CVE Lite CLI, a fast open source dependency vulnerability scanner for JavaScript and TypeScript projects, has graduated to OWASP Lab Project status three months after its initial release.


OWASP CVE Lite CLI graduated to Lab Project status in June 2026, recognized for clear documentation, active development, and growing adoption across open source and enterprise teams. The project launched in March 2026.


What CVE Lite CLI does

CVE Lite CLI scans lockfiles locally and matches dependencies against the OSV database to surface known vulnerabilities. It supports npm, pnpm, Yarn, and Bun lockfiles and classifies every finding as direct or transitive. Rather than stopping at detection, it generates a ranked remediation plan with copy-and-run upgrade commands for direct dependencies and parent-aware upgrade guidance for transitive chains.

The tool is built for the developer workflow: it runs in seconds at the terminal, requires no account, sends no data to a third party, ships with a local advisory cache for offline use, and keeps its runtime dependency footprint to four packages. HTML and JSON output modes and a --fail-on severity flag make it suitable for CI pipelines as well.


What sets it apart

Most developer-facing vulnerability tools either surface alerts without actionable guidance, or require a cloud account and CI integration before they show anything useful. CVE Lite CLI is designed for the moment before a push: scan locally, get a prioritized list, run the fix commands, push clean.

The remediation output goes further than a list of vulnerable packages. For transitive dependencies, the tool identifies which parent package controls the vulnerable version and, where the parent supports a range that includes a safe version, generates a direct upgrade command. Developers get a concrete next action rather than a dependency graph to reason about on their own.


Early traction

CVE Lite CLI reached 621 GitHub stars, more than 100 forks, and over 25,000 npm downloads in its first three months. The project has been covered by SecurityWeek, SD Times, CSO Online, Help Net Security, and The Register, which featured the tool’s override hygiene detection in a dedicated piece.

Adoption has spread across sectors. Developers at DINUM, France’s interministerial digital ministry, integrated CVE Lite CLI across multiple French government digital service repositories as a pre-push fail gate. The British Columbia government’s Ministry of Citizens’ Services runs it as a merge gate with SARIF output for security dashboard integration. CVE Lite CLI was independently selected as a subject in a Colorado State University research paper on CVE prioritization methodology, alongside tools from Microsoft and Hugging Face.


“Most vulnerability tools tell you what’s broken after the code lands in CI. CVE Lite CLI tells you what to run before you push. Three months in, with government teams and open source maintainers using it in production, reaching Lab status feels like the right validation at the right time.”

  • Sonu Kapoor, creator of OWASP CVE Lite CLI

What’s coming

Override hygiene detection, which identifies stale and redundant version overrides in lockfiles, shipped in v1.27.0 and was the subject of the recent Register coverage. Active development is underway on SARIF 2.1.0 output for GitHub Code Scanning integration, a phantom dependency detector, and a maintenance risk scorer for abandonware packages.


Availability

CVE Lite CLI is available now on npm. Documentation, lockfile coverage details, and remediation guidance are at the project website.

npm install -g cve-lite-cli
cve-lite .

About OWASP CVE Lite CLI

OWASP CVE Lite CLI is a fast, developer-friendly dependency vulnerability scanner for JavaScript and TypeScript projects. It scans lockfiles locally, queries the OSV database, supports npm, pnpm, Yarn, and Bun, shows direct vs transitive findings, and generates a ranked remediation plan with copy-and-run upgrade commands. The tool is free and open source under the OWASP Foundation. Learn more at owasp.org/cve-lite-cli.

About OWASP

The OWASP Foundation is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. To learn more or to become a member, visit owasp.org.