npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

cve-lite-cli

v1.27.0

Published

Developer-friendly CLI for scanning JS/TS projects for dependency vulnerabilities using local lockfiles and OSV

Downloads

19,682

Readme

Most tools tell you what's wrong. CVE Lite CLI tells you what to run.

OWASP Lab Project npm version npm downloads CI GitHub Marketplace License Protected by CVE Lite CLI OpenSSF Best Practices

🏆 Officially recognized as an OWASP Lab Project

Scan. Understand. Fix.


Package Managers


Quick start

npm install -g cve-lite-cli
cve-lite /path/to/project

Or one-off with npx:

npx cve-lite-cli /path/to/project

No account. No configuration. No source code leaves your machine.

Usage

cve-lite /path/to/project                   # basic scan
cve-lite /path/to/project --verbose         # full fix plan with dependency paths
cve-lite /path/to/project --fix             # apply validated direct fixes and rescan
cve-lite /path/to/project --fail-on high    # exit non-zero on high severity and above
cve-lite /path/to/project --json            # JSON output
cve-lite /path/to/project --sarif           # SARIF output for GitHub Code Scanning
cve-lite /path/to/project --report          # interactive HTML dashboard
cve-lite /path/to/project --check-overrides # audit override hygiene alongside the CVE scan
cve-lite advisories sync                    # sync advisory DB for offline use
cve-lite /path/to/project --offline         # scan with no runtime API calls

For the full flag reference and exit codes see the CLI Reference guide and Fix mode guide.

Override hygiene (overrides)

overrides and resolutions are powerful, but they rot. CVE Lite CLI audits them across npm, pnpm, yarn, and bun, catching eleven classes of problem:

| Rule | What it catches | |---|---| | OA001 | Orphaned target: override for a package no longer in the tree | | OA002 | Floating tag: override pinned to a moving tag (latest, next) | | OA003 | Wrong section: override placed in the wrong container | | OA004 | Surpassed pin: the rest of the tree has moved past the pin | | OA005 | Nested ineffective override that never applies | | OA006 | Coupled platform binary: override fights a parent's exact pin | | OA007 | Frozen latest: registry has drifted past the pinned version (needs --check-network) | | OA008 | Materialized vulnerable copy still on disk despite the override | | OA009 | Stale floor: override range floor already met by all parent declarations | | PD001 | Override-only phantom: package imported in source but only present via an override pin | | PD002 | Transitive-only phantom: package imported in source but only present as a transitive dependency |

Use the overrides subcommand for a hygiene-only run (no CVE scan, faster, fully offline-capable) with auto-fix support. Use --check-overrides to append hygiene results to a regular CVE scan in one pass.

cve-lite /path/to/project overrides           # hygiene only - no CVE scan
cve-lite /path/to/project overrides --fix     # hygiene only, auto-fix where possible
cve-lite /path/to/project --check-overrides   # CVE scan + hygiene in one pass

For the full guide with per-rule examples and CI patterns, see the Override Hygiene Auditing guide.

What it looks like

Why CVE Lite CLI

Most security tooling is built around pipelines, not developers. Dependabot opens PRs you'll get to eventually. CI scanners block merges after the fact. Dashboards surface lists of CVE IDs with no clear path to fixing them. Developers learn to ignore it.

CVE Lite CLI is built for the moment before you push. It reads your lockfile locally, queries OSV, and produces copy-and-run npm install, pnpm add, yarn add, or bun add commands — not a list of identifiers. You see which packages are direct versus transitive, get parent-aware upgrade guidance, and can scan offline in restricted environments.

The closer a security tool is to a developer's natural workflow, the more likely it is to be used.

How it compares

No other free tool combines all of the following: lockfile scanning across npm, pnpm, Yarn, and Bun; parent-aware transitive remediation that tells you which package to upgrade (not just which one is vulnerable); fix version validation before suggesting an upgrade; and a fully offline advisory DB for restricted environments.

| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | |---|:---:|:---:|:---:|:---:|:---:| | JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ | | npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ | | No account required | ✅ | ✅ | ✅ | ❌ | ❌ | | Free to use | ✅ | ✅ | ✅ | ❌ | ❌ | | Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | ⚠️ | | Direct vs transitive visibility | ✅ | ⚠️ | ✅ | ✅ | ✅ | | Dev vs runtime dependency labelling | ✅ | ⚠️ | ❌ | ⚠️ | ❌ | | Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | ⚠️ | | Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ | | Suggested remediation plan | ✅ | ❌ | ⚠️ | ✅ | ⚠️ | | Ratcheting mode (baseline suppression) | ✅ | ❌ | ❌ | ⚠️ | ❌ | | Interactive HTML report | ✅ | ❌ | ❌ | ✅ | ❌ | | SARIF / GitHub Code Scanning output | ✅ | ❌ | ✅ | ✅ | ❌ | | JSON output | ✅ | ✅ | ✅ | ✅ | ✅ | | Offline/local advisory DB | ✅ | ❌ | ⚠️ | ❌ | ❌ | | Override hygiene auditing | ✅ | ❌ | ❌ | ❌ | ❌ |

✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength

The transitive parent guidance is a key difference: CVE Lite CLI avoids recommending direct installs for packages that are only present transitively. For npm lockfiles, it can identify when npm update <parent> is enough to re-resolve a known non-vulnerable child within the current parent range, and when the parent package itself needs an upgrade.

For detailed per-tool analysis, see Comparison with other tools.

Replace Dependabot with one batched PR

CVE Lite CLI v1.26.0 ships a GitHub Action fix mode that runs on a schedule and opens a single batched pull request with all validated dependency upgrades - advisory IDs, before/after finding counts, and OSV-confirmed fix versions included.

Add this file to your repo:

# .github/workflows/cve-lite-fix.yml
name: CVE Lite security fixes
on:
  schedule:
    - cron: '0 6 * * 1'  # every Monday at 6am
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
      - uses: OWASP/cve-lite-cli@v1
        with:
          fix: 'true'
          create-pr: 'true'

| | Dependabot | CVE Lite fix mode | |---|---|---| | PRs per run | One per package | One batched PR | | Advisory IDs in PR body | No | Yes (GHSA-xxxx, CVE-xxxx) | | Fix version validated against OSV | No | Yes | | Before/after finding counts | No | Yes | | pnpm / Yarn Berry / Bun | Limited | Full native support | | OWASP recognition | No | OWASP Lab Project |

Full Action documentation -> - for scan-only CI gating see the CI and Workflow Integration guide.

Real-world validation

CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues - including non-obvious transitive vulnerabilities and complex upgrade paths - not just low-signal advisory matches.

  • OWASP Juice Shop - scanning a deliberately vulnerable application with known dependency issues
  • NestJS - working through a real transitive dependency remediation sequence across a widely-used Node.js framework
  • Visual Studio Code - two direct Anthropic SDK advisories and a high-severity gulp toolchain chain in the VS Code root lockfile
  • Gatsby - Yarn Classic monorepo with 128 findings, five direct CVEs, and CVE Lite vs yarn audit deduplication
  • Analog - modern pnpm Angular monorepo with unexpected toolchain vulnerabilities

20+ case studies across npm, pnpm, Yarn, and Bun projects ->

In-repo lockfile fixtures for most projects live under examples/ - clone and scan immediately without downloading full upstream checkouts.

These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.

If you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository.

Press

Full press coverage ->

Recognized by OWASP

OWASP (Open Web Application Security Project) is the globally recognized nonprofit behind the security standards followed by millions of developers worldwide - most notably the OWASP Top 10, the most widely cited web application security reference in the industry. Organizations from startups to Fortune 500 companies use OWASP guidelines as the foundation of their security programs.

CVE Lite CLI is an OWASP Lab Project - reviewed and accepted by the OWASP community as a vendor-neutral, open source security tool.

Where it fits in the OWASP ecosystem:

CVE Lite CLI fills a specific gap - fast, local-first JS/TS dependency scanning close to release time - that broader OWASP tools are not optimized for:

| Tool | Focus | |---|---| | CVE Lite CLI | Lockfile-first, local developer CLI, remediation-focused, JS/TS | | OWASP Dependency-Check | Multi-language, SAST-style, broader ecosystem | | OWASP dep-scan | Multi-language and environment, SBOM and cloud-native | | OWASP Dependency-Track | Platform and SBOM management, not a local CLI |

CVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management - it is the fast local check you run before pushing.

Community and adoption

CVE Lite CLI is used in production across organizations and independent developers in multiple countries. Confirmed users span government digital services, enterprise engineering platforms, open-source libraries, and security education.

Notable adopters include:

  • DINUM (France) - integrated across four French government digital service repositories, including official AI training infrastructure for civil servants
  • DGAFP (France) - Ministry for Civil Service, used as a pre-commit hook on a public-sector HR chatbot
  • Government of British Columbia (Canada) - running as a required merge gate alongside Trivy at the Ministry of Citizens' Services
  • Valibot and Formish - integrated as a GitHub Action and dev script with branch protection

Current limitations

  • does not detect malicious packages before they appear in advisory data
  • does not perform behavioral malware detection or package content analysis
  • does not prove exploitability or verify runtime reachability
  • does not scan container images, binaries, secrets, or IaC
  • does not replace a full application security program
  • currently focused on JS/TS dependency scanning
  • local advisory sync performance will need continued optimization as the advisory dataset grows

Dependency footprint

Runtime: yaml · yarn-lockfile · better-sqlite3 · fflate

Dev only: @types/node · tsx · typescript

This is intentional. Because CVE Lite CLI is a security-oriented tool, runtime dependencies are kept minimal and reviewable.

More documentation

  • Troubleshooting guide - no lockfile found, zero results, slow advisory sync, offline DB errors, --fix skipping findings, CI failures
  • Parser Coverage guide - supported lockfile formats, selection priority, package.json fallback, monorepos, private registries
  • Remediation Strategy guide - how CVE Lite CLI chooses upgrade targets and parent update paths

Security and verification

Every release is signed - GPG-signed git tags for source, Sigstore Artifact Attestations for the release tarball, and ECDSA signatures via the npm registry. Verify with:

gh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli
npm audit signatures

For full details, fingerprints, and the project's threat model, see SECURITY.md and the Security Assurance Case.

For governance details - roles, decision-making, and dispute resolution - see CONTRIBUTING.md.

Contributing

Feedback on output clarity, remediation guidance, ecosystem coverage, and CI usage is especially valuable.

See CONTRIBUTING.md to get started.

Add a badge to your project

If you use CVE Lite CLI in your project, add this badge to your README:

[![Protected by CVE Lite CLI](https://img.shields.io/badge/Protected_by-CVE_Lite_CLI-brightgreen)](https://github.com/OWASP/cve-lite-cli)

Protected by CVE Lite CLI

Community and support

For bug reports and feature requests: GitHub Issues

Helpful feedback includes reproducible bug reports, real-world lockfile edge cases, ideas for clearer output and remediation guidance, and CI or JSON workflow examples.

Using CVE Lite CLI at your company or in your projects? Share your use case in the community thread.

For security-related reporting: SECURITY.md

This project follows a Code of Conduct. Please review it before participating.

If CVE Lite CLI helps your release workflow, a GitHub star helps more developers find it.

Contributors

Thanks to everyone who helps improve CVE Lite CLI - issues, pull requests, documentation, case studies, and real-world lockfile feedback all count.

New here? See CONTRIBUTING.md to get started, and review the Code of Conduct before participating.


Maintainer note: CVE Lite CLI is an OWASP Lab Project maintained by Sonu Kapoor. The goal is to build a tool the security and developer community trusts and returns to - not a product that requires vendor lock-in or a dashboard to be useful. If you find a real-world lockfile edge case, a remediation gap, or a workflow that doesn't fit, open an issue. Real-world feedback from real projects is the most valuable input this project gets. See CONTRIBUTING.md for how to get involved.


License

MIT - built in public and maintained as an OWASP Foundation Project by Sonu Kapoor.