
cve-lite-cli

v1.0.4

Published

Developer-friendly CLI for scanning JS/TS projects for dependency vulnerabilities using local lockfiles and OSV

Downloads

480

Readme

Scan. Prioritize. Fix.

What is CVE Lite CLI

CVE Lite CLI helps developers scan their projects for known package vulnerabilities without signing up for an expensive platform. It is built for the moment right before release, when you want a clear answer, a practical fix plan, and a tool you can actually afford to use.

Quick start

Install globally:

npm install -g cve-lite-cli

Then run:

cve-lite /path/to/project

Or run it one-off with npx:

npx cve-lite-cli /path/to/project

Usage

# Basic scan
cve-lite /path/to/project

# Show all findings
cve-lite /path/to/project --all

# Focus only on urgent findings
cve-lite /path/to/project --min-severity high

# Show full detailed output, fix plan, paths, and full table
# Recommended for CI logs when you want full context
cve-lite /path/to/project --verbose

# Fail a build on high severity and above
cve-lite /path/to/project --fail-on high

# JSON output
cve-lite /path/to/project --json

# SARIF output
cve-lite /path/to/project --sarif --output reports/scan.sarif

What it looks like

CVE Lite CLI produces a clean, summary-first console view by default, designed for fast triage before release.

For deeper investigation, running with --verbose provides full details, including dependency paths, a complete fix plan, and a detailed table view.

That is the core idea: install it, point it at your project, and immediately get a practical fix plan instead of a wall of raw advisories.

The final status line also gives the scan a clear ending, which makes terminal use and screenshots easier to read.

See the example below using OWASP Juice Shop for real output samples.

Example: Scanning OWASP Juice Shop (Real Output)

CVE Lite CLI can be used against real-world vulnerable applications such as the OWASP Juice Shop.

OWASP Juice Shop is a deliberately insecure JavaScript application widely used for security training and testing. Running CVE Lite CLI against it provides a realistic example of how the tool behaves on a dependency tree with known vulnerabilities.

To try this yourself:

Example:

git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop
cve-lite .

Verbose examples: (screenshots of --verbose output, not reproduced here)

Why this tool exists

A lot of developers want a practical dependency scan right before release, but they do not want the cost, complexity, or friction of a larger platform just to answer a simple question:

Do we have known vulnerable packages in this project, and what should we fix first?

CVE Lite CLI is built for that workflow.

It focuses on being:

  • fast
  • local-first
  • easy to understand
  • useful in CI
  • honest about what it does and does not do

Project scope and differentiation

CVE Lite CLI is intentionally focused.

It is built for JavaScript and TypeScript dependency scanning, especially in the workflows where developers want a fast local check before release or a simple CI gate during dependency review.

The project emphasizes:

  • npm, pnpm, and Yarn lockfile support
  • direct vs transitive visibility
  • top-priority fixes and a suggested remediation plan
  • JSON and SARIF output for automation
  • a small, reviewable runtime footprint

That narrow scope is deliberate. CVE Lite CLI is not trying to be a full application security platform or a broad multi-surface scanner. It is trying to be a lightweight, understandable, developer-first tool for teams that want practical vulnerability scanning without extra cost or complexity.

Relationship to similar OWASP projects

CVE Lite CLI is not trying to replace broader OWASP security tooling.

Its role is narrower and workflow-focused:

  • focused on JavaScript and TypeScript dependency scanning
  • designed for fast local checks and simple CI release gates
  • centered on direct vs transitive visibility
  • built to highlight top-priority fixes and a suggested remediation plan
  • intentionally lightweight in runtime footprint and setup

This section is here to make the scope clear. CVE Lite CLI aims to complement the broader security ecosystem by being a practical, low-friction option for JS/TS dependency checks close to release time.

How it works

Architectural Philosophy

CVE Lite CLI is designed as a local-first, metadata-only scanner. Unlike traditional SaaS security platforms that require code uploads or heavy agent installations, this tool operates directly within the developer's environment. It focuses on the "moment of release"—providing a high-speed, low-noise assessment of the dependency tree by analyzing resolved versions in project lockfiles.

Workflow Specifications

  • Trust Boundary & Privacy: The scan is non-intrusive. Only package names and exact versions are extracted. No source code, environment variables, or proprietary logic is ever transmitted to the external OSV (Open Source Vulnerability) API.
  • Lockfile-Driven Accuracy: By parsing package-lock.json, pnpm-lock.yaml, or yarn.lock, the tool avoids the "it works on my machine" discrepancy. It scans the exact dependency tree that will be deployed.
  • Intelligent Triage: The Analysis engine utilizes the lockfile's graph structure to distinguish between dependencies you manage directly and those brought in by third-party packages (transitive). This allows for a "Fix the Root" strategy rather than chasing individual nested vulnerabilities.
  • Performance Optimization: A local TTL (Time-To-Live) cache stores advisory results. This ensures that subsequent scans—common in iterative development or CI/CD retry loops—are near-instant and respect external API rate limits.
  • Standards-Based Output: Results are natively available in SARIF (Static Analysis Results Interchange Format) and JSON, ensuring compatibility with modern DevSecOps dashboards and IDE integrations.

What makes it stand out

  • fast, low-friction workflow
    Run it locally against a project without adopting a large security platform.

  • practical remediation guidance
    It does not stop at raw advisory output. It highlights top-priority fixes and suggests a fix plan.

  • direct vs transitive visibility
    The output makes it easier to see whether the risk comes from something you installed directly or from a nested package.

  • developer-first
    It is optimized for developers working with npm, pnpm, and Yarn lockfiles.

  • budget-friendly
    It is intended for developers and teams who want useful security checks without paying for a large commercial product.

  • local-first
    It reads your project locally and uses package/version matching against OSV advisories.

  • release-focused
    It is especially useful before a release, in CI, or during final dependency cleanup.

Features

1. Lockfile-based scanning

CVE Lite CLI scans resolved dependency versions from:

  • package-lock.json
  • pnpm-lock.yaml
  • yarn.lock

It also supports a limited package.json fallback for exact pinned direct dependencies.

2. Clear vulnerability output

Instead of only showing advisory IDs, the CLI reports:

  • package name and version
  • severity
  • direct vs transitive relationship
  • fixed-version hint when available
  • advisory IDs
  • dependency path hints

By default, the CLI now presents a cleaner summary-first view, with --verbose available for the full detailed output.

3. Top priority fixes

The CLI highlights the most important issues first, so developers can focus on the findings most likely to matter immediately.

4. Suggested fix plan

CVE Lite CLI organizes likely remediation work into a practical sequence, such as:

  • direct critical and high issues first
  • urgent transitive issues next
  • medium direct cleanup after that
  • duplicated vulnerable packages to consolidate

5. Parent package hints for transitive issues

For transitive vulnerabilities, the tool can point to the likely parent dependency to review. That makes the output more actionable than simply saying a nested package is vulnerable.

6. JSON output

Structured JSON output makes it easier to integrate with scripts, logs, or pipeline artifacts.

7. SARIF output

CVE Lite CLI supports SARIF (Static Analysis Results Interchange Format) output for security tooling and code-scanning workflows. SARIF is a standardized JSON-based format for security and code analysis results, which means CI systems, scanners, and code analysis platforms can all understand the same output without custom adapters. This is important because it makes CVE Lite CLI more than just a terminal tool: you can export findings into a format that fits modern DevSecOps workflows, archive results as build artifacts, and integrate vulnerability scans into automated release pipelines. For developers and teams, SARIF support helps security results travel cleanly from a local scan into CI/CD and other tooling, instead of being trapped in plain console output.

Example:

cve-lite /path/to/project --sarif --output reports/scan.sarif

8. CI-friendly behavior

The CLI can be used in CI/CD pipelines and can fail builds based on severity thresholds.
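An added example (not the project's own code) covering the SARIF export in section 7 and the severity-threshold build gate in section 8: findings in an assumed shape are turned into a minimal SARIF 2.1.0 log, and a --fail-on style threshold decides the exit code. The advisory IDs, fixed versions, rule-id scheme and tool name are placeholders and assumptions.

```javascript
// Added example, not cve-lite-cli's own code: a minimal SARIF 2.1.0 export
// plus a --fail-on style severity gate. The finding shape, rule-id scheme and
// tool name are assumptions made for this example.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Constructed findings; advisory IDs and fixed versions are placeholders.
const FINDINGS = [
  { name: "qs", version: "6.7.0", severity: "high", direct: false,
    advisories: ["PLACEHOLDER-ADVISORY-1"], fixedIn: "PLACEHOLDER-FIXED-VERSION",
    lockfile: "package-lock.json" },
  { name: "lodash", version: "4.17.20", severity: "medium", direct: true,
    advisories: ["PLACEHOLDER-ADVISORY-2"], fixedIn: null, lockfile: "package-lock.json" },
];

// SARIF only knows error/warning/note, so scanner severities are mapped onto it.
function sarifLevel(severity) {
  return SEVERITY_RANK[severity] >= SEVERITY_RANK.high ? "error" : "warning";
}

// One rule per advisory ID, one result per finding, anchored to the lockfile
// so code-scanning UIs have a file to attach the result to.
function toSarif(findings, toolVersion = "0.0.0-example") {
  const rules = new Map();
  const results = findings.map((f) => {
    const ruleId = f.advisories[0];
    if (!rules.has(ruleId)) {
      rules.set(ruleId, { id: ruleId,
        shortDescription: { text: `Known vulnerability in ${f.name}` },
        properties: { severity: f.severity } });
    }
    const fix = f.fixedIn ? `; fixed in ${f.fixedIn}` : "";
    const kind = f.direct ? "direct" : "transitive";
    return {
      ruleId, level: sarifLevel(f.severity),
      message: { text: `${f.name}@${f.version} (${kind}) matches ${f.advisories.join(", ")}${fix}` },
      locations: [{ physicalLocation: { artifactLocation: { uri: f.lockfile } } }],
    };
  });
  return {
    version: "2.1.0",
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    runs: [{ tool: { driver: { name: "example-scanner", version: toolVersion,
                               rules: [...rules.values()] } }, results }],
  };
}

// Release gate: non-zero exit when any finding is at or above the threshold.
function exitCodeFor(findings, failOn) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown --fail-on value: ${failOn}`);
  return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold) ? 1 : 0;
}

console.log(JSON.stringify(toSarif(FINDINGS), null, 2));
console.log("exit code with --fail-on high:", exitCodeFor(FINDINGS, "high"));
```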

9. Local cache

It caches advisory detail results locally so repeated scans are faster and make fewer repeated requests.

10. Clear final scan status

At the end of each run, CVE Lite CLI prints a short final status line so users immediately know whether the scan was clean or whether they should start with the priority fixes above.

11. Small runtime footprint

This project intentionally keeps runtime dependencies minimal to reduce attack surface and keep the tool easier to review.

Dependency footprint

CVE Lite CLI is intentionally designed with a very small dependency surface.

Runtime dependencies

  • yaml
  • yarn-lockfile

Development dependencies

  • @types/node
  • tsx
  • typescript

This is a deliberate design choice. Because CVE Lite CLI is itself a security-oriented tool, we want to minimize unnecessary third-party packages and keep the runtime as small and reviewable as possible.

Example use cases

CVE Lite CLI is a good fit for:

  • independent developers shipping side projects
  • startups watching every tool budget
  • consultants doing release checks for client projects
  • teams that want a lightweight dependency scan in CI
  • developers who want a second opinion alongside other tools
  • OSS maintainers who need a practical scan before publishing

Supported workflows

Local development

Run it before a release, during dependency cleanup, or after a major package upgrade.

CI/CD

This repository also uses CVE Lite CLI in its own GitHub Actions workflow to scan itself as part of CI. See self-scan.yml.

For CI, we recommend using --verbose so build logs include the full fix plan, dependency paths, and detailed table output when a scan fails.

Use it as a release gate in CI:

cve-lite . --verbose --fail-on high

Export SARIF in CI:

cve-lite . --verbose --sarif --output reports/scan.sarif

Scripted automation

Use JSON output for custom reporting:

cve-lite . --json > cve-lite-report.json

Comparison with other tools

CVE Lite CLI is not trying to be everything for everyone. It is designed to be one of the easiest and most actionable vulnerability scanners for JavaScript and TypeScript developers who want fast release-time checks without the cost and complexity of a full security platform.

Where CVE Lite CLI stands out

Compared with other tools in this space, CVE Lite CLI focuses on:

  • free to use
  • fast to run
  • easy to understand
  • practical remediation guidance instead of just raw advisory dumps
  • clear direct vs transitive visibility
  • top priority fixes and a suggested fix plan
  • support for npm, pnpm, and Yarn lockfiles
  • SARIF and JSON output for CI and automation
  • a lightweight, security-conscious dependency footprint
  • a developer-friendly option for teams that want useful CVE scanning without paying for a larger commercial product

At a glance

| Tool | Best at | Ecosystem scope | Lockfile support | Guided remediation | JSON/SARIF | Best fit |
|---|---|---|---|---|---|---|
| CVE Lite CLI | Fast, developer-friendly pre-release CVE scanning | Focused on JS/TS | npm, pnpm, Yarn | Yes | Yes | Developers and small teams who want a free, practical release-time check |
| npm audit | Built-in npm auditing | npm-centric | npm | Basic remediation info | Limited compared to dedicated scanner workflows | Teams already living fully inside npm |
| OSV-Scanner | Broad multi-ecosystem scanning | Broad | Many ecosystems and lockfiles | More general-purpose | Strong machine-readable workflows | Teams needing wider ecosystem coverage |
| Snyk CLI | Broader enterprise security workflows | Broad | Strong ecosystem coverage | Strong commercial guidance | Strong | Teams adopting a larger security platform |
| Socket CLI | Broader package and supply-chain risk visibility | Broad | Multi-ecosystem/package-risk focus | Strong for package risk workflows | Strong | Teams that want more than CVE scanning alone |

CVE Lite CLI vs npm audit

npm audit is the built-in default for npm users, which makes it convenient when your workflow is entirely npm-based.

CVE Lite CLI stands out when you want:

  • support across npm, pnpm, and Yarn lockfiles
  • cleaner, more guided console output
  • priority fixes and a suggested remediation plan
  • a more focused pre-release scanning experience for JS/TS teams

CVE Lite CLI vs OSV-Scanner

OSV-Scanner supports many ecosystems and lockfile types, which makes it broader overall.

CVE Lite CLI stands out when you want:

  • a narrower, easier-to-understand tool built specifically around JS/TS dependency workflows
  • remediation-first output instead of a more general multi-ecosystem scanner experience
  • a more approachable local workflow for everyday developers

CVE Lite CLI vs Snyk CLI

Snyk CLI is part of a much broader commercial platform with wider enterprise coverage.

CVE Lite CLI stands out when you want:

  • a simpler and lighter dependency CVE workflow
  • an affordable option for small teams, startups, consultants, and independent developers
  • a focused tool for lockfile-based release checks without adopting a larger platform

CVE Lite CLI vs Socket CLI

Socket CLI goes beyond CVEs into broader package and supply-chain risk signals.

CVE Lite CLI stands out when you want:

  • a focused dependency vulnerability scanner
  • a straightforward answer to “what should I fix before release?”
  • readable output centered on known vulnerability findings and practical next steps

Best fit

CVE Lite CLI is best for:

  • developers shipping JavaScript or TypeScript applications
  • teams that want a lightweight release gate
  • maintainers who want actionable vulnerability output without heavy platform overhead
  • users who care about simplicity, readability, and fast adoption

If your goal is a practical developer-first CVE scan right before release, CVE Lite CLI is designed to be one of the most approachable options in that workflow.

Current limitations

To keep the project honest, here is what it does not do in the current version:

  • it does not prove exploitability
  • it does not verify runtime reachability
  • it does not scan container images, binaries, secrets, or IaC
  • it does not replace a full application security program
  • it is currently focused on JS/TS dependency scanning

Positioning

CVE Lite CLI is best described as:

A fast, developer-friendly dependency vulnerability scanner for JavaScript and TypeScript projects, built for teams that want actionable results without the cost and complexity of a full security platform.

Roadmap

CVE Lite CLI is evolving from a vulnerability scanner into a comprehensive remediation engine.

Phase 1: Advanced Remediation Intelligence (Short-Term)

  • Executable Fix-Plan: Move from suggesting a plan to generating executable commands (e.g., npm install package@version) to resolve direct vulnerabilities.
  • Transitive Parent Mapping: Enhance output to explicitly map the dependency path from the root to the vulnerable nested package, making manual triage effortless.
  • Deduplication Analysis: Identify instances where multiple versions of the same vulnerable package exist and suggest a single version for consolidation.

Phase 2: Ecosystem & Integration (Mid-Term)

  • Official GitHub Action: Create a dedicated Action for one-line setup in CI/CD pipelines.
  • Expanded Lockfile Support: Introduce parsers for emerging JS/TS ecosystems, including bun.lockb.
  • IDE Integration: Develop a lightweight extension to highlight vulnerable packages directly within the code editor.

Phase 3: Maturity & Compliance (Long-Term)

  • Standardized SBOM Support: Add the ability to export findings as an SBOM (Software Bill of Materials) in CycloneDX or SPDX formats.
  • Community Plugin System: Decouple the scanner logic to allow community-contributed data sources and custom security rules.

Contributing

This project is being shaped around real-world developer usability. Feedback on output clarity, remediation guidance, ecosystem coverage, and CI usage is especially valuable.

To get started, see CONTRIBUTING.md.

Community and support

CVE Lite CLI is being shaped in public and feedback is welcome.

If you run into a bug, want to suggest an improvement, or have a lockfile edge case that the tool should handle better, please open an issue in the repository.

Helpful feedback includes:

  • reproducible bug reports
  • real-world lockfile edge cases
  • ideas for clearer output and remediation guidance
  • CI usage examples
  • JSON and SARIF workflow feedback
  • comparison feedback based on real usage

As the project grows, contribution and security guidance will be expanded further in dedicated project docs.

For bug reports and feature requests, please use GitHub Issues. For contribution guidance, see CONTRIBUTING.md. For security-related reporting, see SECURITY.md.

License

MIT