As AI speeds up coding, CVE Lite CLI keeps security intentionally AI-free


“What developers are missing is early feedback at the point where the dependency resolution is made,” Sonu Kapoor, creator and maintainer of the project, told CSO. According to Kapoor, traditional CI-centric workflows often disconnect developers from the dependency choices that introduced the risk in the first place.

CVE Lite CLI scans npm, pnpm, and Yarn lockfiles using OSV vulnerability data and claims to focus heavily on remediation guidance, including separating direct from transitive vulnerabilities, validating upgrade targets, and recommending actionable fix paths.
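To make the three remediation steps concrete, here is an added example (not CVE Lite CLI's own code, nor anything from the project's repository) that walks an npm lockfile in the `lockfileVersion: 3` layout, classifies each installed package as direct or transitive, matches it against OSV-schema records, and checks whether a proposed upgrade target is actually clear. The lockfile, the package names (`app-router`, `tpl-engine`, `str-utils`) and the advisory IDs (`EXAMPLE-0001`, `EXAMPLE-0002`) are all constructed for the example; they are not real packages or advisories. The semver comparison is deliberately minimal (no prerelease handling) so the block runs offline with no dependencies.

```javascript
// Added example: minimal lockfile-to-OSV matching, not CVE Lite CLI's code.
// Every package, version and advisory below is constructed for illustration.

// Constructed package-lock.json (lockfileVersion 3 layout). The "" entry is
// the root manifest; other keys are install paths under node_modules/.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "app-router": "^2.0.0", "tpl-engine": "^1.0.0" } },
    "node_modules/app-router": { version: "2.0.1", dependencies: { "str-utils": "^3.0.0" } },
    "node_modules/str-utils": { version: "3.1.4" },   // pulled in only by app-router
    "node_modules/tpl-engine": { version: "1.2.0" },
  },
};

// Constructed records in the OSV schema shape (id, affected[].package,
// affected[].ranges[].events). IDs are placeholders, not real advisories.
const OSV_RECORDS = [
  { id: "EXAMPLE-0001", affected: [{ package: { ecosystem: "npm", name: "str-utils" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "3.0.0" }, { fixed: "3.2.0" }] }] }] },
  { id: "EXAMPLE-0002", affected: [{ package: { ecosystem: "npm", name: "tpl-engine" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.5.0" },
                                           { introduced: "2.0.0" }, { fixed: "2.0.3" }] }] }] },
];

// Minimal x.y.z comparison; prerelease tags are out of scope for this example.
function compareSemver(a, b) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    if (!m) throw new Error(`unsupported version: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Turn an OSV event list into [introduced, fixed) intervals. "0" means
// "from the first release"; a missing fixed means no fix has shipped.
function rangeIntervals(range) {
  const intervals = [];
  for (const ev of range.events) {
    if (ev.introduced !== undefined) intervals.push({ lo: ev.introduced, hi: null });
    else if (ev.fixed !== undefined && intervals.length) intervals[intervals.length - 1].hi = ev.fixed;
  }
  return intervals;
}

// Is this version inside any SEMVER interval of one affected entry?
// Returns the fixed version (the upgrade target) when it is.
function checkVersion(version, affectedEntry) {
  for (const range of affectedEntry.ranges || []) {
    if (range.type !== "SEMVER") continue;
    for (const { lo, hi } of rangeIntervals(range)) {
      const aboveLo = lo === "0" || compareSemver(version, lo) >= 0;
      const belowHi = hi === null || compareSemver(version, hi) < 0;
      if (aboveLo && belowHi) return { affected: true, fixed: hi };
    }
  }
  return { affected: false, fixed: null };
}

// Step 1: direct vs transitive. A package is direct only if the root manifest
// declares it AND it is hoisted to top-level node_modules/<name>.
function installedPackages(lock) {
  const root = lock.packages[""] || {};
  const declared = new Set([...Object.keys(root.dependencies || {}),
                            ...Object.keys(root.devDependencies || {})]);
  return Object.entries(lock.packages)
    .filter(([key]) => key !== "")
    .map(([key, meta]) => {
      const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
      return { name, version: meta.version, path: key,
               direct: declared.has(name) && key === `node_modules/${name}` };
    });
}

// Step 2: match every installed package against every OSV record.
function scanLockfile(lock, records) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    for (const rec of records) {
      for (const aff of rec.affected) {
        if (aff.package.ecosystem !== "npm" || aff.package.name !== pkg.name) continue;
        const { affected, fixed } = checkVersion(pkg.version, aff);
        if (affected) findings.push({ id: rec.id, name: pkg.name, version: pkg.version,
                                      direct: pkg.direct, fixed });
      }
    }
  }
  return findings;
}

// Step 3: validate an upgrade target. Returns the advisory ids that would
// still apply at the candidate version (empty array means the target is clean).
function validateUpgradeTarget(name, candidate, records) {
  const open = [];
  for (const rec of records) {
    for (const aff of rec.affected) {
      if (aff.package.ecosystem === "npm" && aff.package.name === name &&
          checkVersion(candidate, aff).affected) open.push(rec.id);
    }
  }
  return open;
}

console.log(JSON.stringify(scanLockfile(LOCKFILE, OSV_RECORDS), null, 2));
console.log("tpl-engine -> 2.0.1 still open:", validateUpgradeTarget("tpl-engine", "2.0.1", OSV_RECORDS));
console.log("tpl-engine -> 1.5.0 still open:", validateUpgradeTarget("tpl-engine", "1.5.0", OSV_RECORDS));
```

The two findings differ in what remediation means: `tpl-engine` is direct, so the fix is a manifest bump to at least 1.5.0 (and the upgrade check matters, because 2.0.1 would land inside the second affected interval of the same record), whereas `str-utils` is transitive, so the realistic path is bumping `app-router` to a release that resolves `str-utils` at 3.2.0 or later, or pinning it with the package manager's override mechanism.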

The project is being pitched as a “local-first” developer tool rather than a replacement for enterprise software composition analysis (SCA) platforms, much as developers already run ESLint or unit tests locally before CI runs them again later.

CVE Lite CLI targets an overlooked pain point

CVE Lite CLI is essentially trying to solve a workflow problem that Kapoor says many developers quietly struggle with: dependency security checks often arrive after the work is already done.