Dependency vulnerability scanning in JavaScript and TypeScript projects has long sat at the end of the development pipeline. Pull requests get opened, continuous integration runs, and a security scanner returns a list of CVE identifiers that developers then have to triage hours or days after writing the code. CVE Lite CLI, now an officially recognized OWASP Incubator Project, moves that check to the developer's terminal.
The open-source tool, maintained by Sonu Kapoor, reads a project's lockfile, queries the Open Source Vulnerabilities (OSV) database, and returns copy-and-run fix commands scoped to the relevant package manager. It supports npm, pnpm, Yarn, and Bun.
Closing the feedback loop earlier
“In many teams, dependency vulnerabilities are first surfaced in CI. That's useful, but it often happens late in the workflow,” Kapoor told Help Net Security. “A developer changes a dependency, pushes the branch, waits for CI, gets a large scanner report, and then has to work backward through the output to understand what changed, whether the vulnerable package is direct or transitive, and what can actually be fixed.”
CVE Lite CLI runs locally with no account, no cloud platform, and no source code leaving the developer's machine. A scan completes in seconds against a cached advisory database. The output distinguishes direct dependencies from transitive ones, identifies the top-priority fix, and gives the exact install command to apply it. For transitive npm findings, the tool recommends npm update when the existing parent range can resolve to a non-vulnerable child, and flags cases where the parent itself needs an upgrade.
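The direct-versus-transitive decision described above, as an added illustration that is not CVE Lite CLI's own code: it models only caret (^) ranges and plain x.y.z versions, assumes the fixed version is published, and uses constructed package names rather than real advisories.

```javascript
// Added example (not CVE Lite CLI's own code): the npm remediation decision the
// article describes. Direct finding -> install the fixed version. Transitive ->
// `npm update` only if the parent's declared range can resolve to the fixed
// child; otherwise the parent itself must be upgraded. Assumptions: caret (^)
// ranges only, plain x.y.z versions, fixed version is published in the registry.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// ^x.y.z allows changes that keep the left-most non-zero component:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges modelled: ${range}`);
  const low = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, low) >= 0 && compare(v, caretUpperBound(low)) < 0;
}
// finding: { pkg, installed, fixed, parent?: { name, range } }
function planFix({ pkg, fixed, parent }) {
  if (!parent) return { kind: 'direct', command: `npm install ${pkg}@${fixed}` };
  if (caretSatisfies(parent.range, fixed)) {
    return { kind: 'transitive-update', command: `npm update ${pkg}` };
  }
  return {
    kind: 'parent-upgrade',
    parent: parent.name,
    reason: `${parent.name} declares ${pkg}@${parent.range}, which cannot resolve to ${fixed}`,
  };
}
// Constructed sample findings (hypothetical package names, not real advisories):
// one direct, one transitive fixable by `npm update`, one needing a parent upgrade.
const SAMPLE_FINDINGS = [
  { pkg: 'direct-lib', installed: '2.0.0', fixed: '2.0.1' },
  { pkg: 'child-lib', installed: '1.4.0', fixed: '1.4.2', parent: { name: 'parent-lib', range: '^1.4.0' } },
  { pkg: 'child-lib', installed: '0.0.8', fixed: '0.0.9', parent: { name: 'legacy-lib', range: '^0.0.8' } },
];
const plans = SAMPLE_FINDINGS.map(planFix);
```

The third finding shows why a parent upgrade is flagged: ^0.0.8 admits only 0.0.8, so npm update cannot reach 0.0.9.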
Kapoor described the design intent in plain terms. “The shift I care about is moving from ‘CI found a large report later’ to ‘the developer gets a clear fix plan locally while the dependency change is still fresh.’”
Integration is opt-in
CVE Lite CLI does not block dependency installation or interrupt development by default. Teams choose where to place the check. It can be run manually, added as a package script, wired into a pre-commit or pre-push hook, or executed in CI via the project's first-party GitHub Action.
“CVE Lite CLI provides the fast local scanner and the structured output; the team decides where that check belongs in its workflow,” Kapoor said.
For continuous integration, the --fail-on flag exits non-zero when findings meet or exceed a severity threshold. SARIF output uploads directly to GitHub Code Scanning, surfacing results in the Security tab and as inline pull request annotations.
OSV as the advisory source
The decision to query OSV reflects the project's focus on package-and-version-oriented scanning. Kapoor said OSV's data model fits a lockfile scanner because it maps advisories cleanly to open source package ecosystems and affected version ranges.
He acknowledged the limits of any single source. “I don't think any single advisory source should be treated as perfect. Coverage gaps, timing differences, severity differences, and fixed-version data quality can vary across sources. That's why CVE Lite CLI is explicit in its output that OSV is the advisory source.”
Future work may include clearer alias display, visibility into fixed-version confidence, and cross-referencing additional advisory feeds where it can be done without slowing the tool.
How it performs in the real world
Kapoor said he wanted to see how CVE Lite CLI would perform against real applications with known dependency CVEs, and pointed to OWASP Juice Shop as a representative test because its dependency tree resembles that of real-world JavaScript projects.
According to Kapoor, the tool reduced findings from 39 to 18 across two remediation passes and cleared the high-severity issue, while making upstream dependency risk easier to separate from problems a developer could address locally. “The useful part is helping developers understand which vulnerabilities are direct, which are transitive, which can be fixed now, and which require broader dependency decisions,” Kapoor said.
Offline support and enterprise use
For restricted-network and air-gapped environments, the CLI supports syncing the advisory database ahead of time. Ingesting roughly 217,000 advisory records completes in under 9 seconds, which the project says is 9.9 times faster than the initial implementation. Scans then run with no outbound API calls.
CVE Lite CLI also writes AI assistant skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot via the install-skill command, letting coding assistants parse scan output and produce remediation plans.
CVE Lite CLI is available for free on GitHub.
