How to reveal folderpaths to detected-as-vulnerable package.json's in nested folders?

[ModalityZ]

In our monorepo there are many nested folders having their own package.json. When I run globally-installed cve-lite on the root folder of my monorepo working copy, and include --verbose, the output does not indicate in which package.json the detected vulnerabilities exist. This prevents me from updating those package.json's and pushing them to the monorepo. Instead the suggested commands seem they would have the effect of updating the global package.json (which is outside the root of my monorepo working copy) and prevents me from sharing the fixes.

Or, perhaps I misunderstand and using the suggested "npm install" commands that have no "-g" will update all package.json's that reference the indicated package? If so, it would be good education to add that tip in your README.md (because I have not come across such information after more than a decade of using npm).

[sonukapoor]

Thanks for the detailed write-up. This is exactly the kind of feedback that helps.

The workspace-scoped fix commands you are describing landed in v1.18.1 (released yesterday). When CVE Lite detects that a direct dependency lives in a workspace package rather than the root, the generated fix command now includes the workspace qualifier - -w packages/my-app for npm, --filter ./packages/my-app for pnpm, etc. - so the install targets the correct package.json.

Could you upgrade and try again?

npm install -g cve-lite-cli@latest
cve-lite . --verbose

If the fix commands still look like bare npm install without a workspace qualifier after upgrading, let me know your package manager and whether your root package.json has a workspaces field - that is what CVE Lite uses to detect the workspace structure.

[sonukapoor]

To clarify - we're not asking you to set up anything at the root, and there's no workaround needed here.

Your repo doesn't have npm workspaces - you have independent subfolders, each with their own package.json. That's a different structure entirely. In a true npm workspace monorepo, there's a single root package.json that declares all the packages it contains via a workspaces field, like:

{
  "name": "my-monorepo",
  "workspaces": ["packages/*"]
}

npm then links everything together under a single root node_modules and package-lock.json. That's the structure CVE Lite's workspace-scoped fix commands are designed for.

Your setup is simpler - just independent subfolders. CVE Lite is designed to be run from the folder that contains a package.json, so the correct usage for your setup is:

cd sessionManager
cve-lite .

If you have other subfolders with their own package.json, run it from each of those too. No root config, no maintenance.

Marking this as answered, but feel free to follow up if anything isn't working as expected.

[sonukapoor]

One more thing - re-reading your last message, I want to make sure we address the actual ask. You're right that there's a real gap here: if you run cve-lite . from the parent directory, the tool should be able to find the nested packages automatically and tell you which subfolder each finding belongs to, with fix commands scoped to the right location. No manual root config required.

That's exactly what we want to build. We've opened an issue to track it: #496

If you're open to it, sharing a sanitized version of your folder structure on that issue would help us design the right solution for your setup.

[ModalityZ]

I'm making this comment in order to provide the most direct answer. As of today there is no anticipated version of cve-lite that will "reveal folderpaths to detected-as-vulnerable package.json's in nested folders" for the general case. However, if one has "workspaces, dependencies, and devDependencies fields [in the] package.json [of your top-level folder]", then cve-lite can suggest commands to fix detected problems in nested folders.

[sonukapoor]

Good timing - we are working on exactly this right now. Issue #496 is the tracking issue, and implementation is underway today.

When it ships, running cve-lite . from your parent directory will automatically detect all subfolders with their own lockfiles and scan each one independently. The output will be grouped by subfolder, and fix commands will be prefixed with cd sessionManager && ... so they target the right location. No root package.json required.

We will post an update on #496 when there is a build you can try out.

[ModalityZ]

Thank you, I'm excited to try it when available.

Sanitizing our folder structure would require a cli pipeline that generated a sanitized/opaque alternate name for every item, and I don't know of any set of linux commands that would do that.

[sonukapoor]

Good news - multi-folder support is coming in the next release. I have a branch ready if you want to try it out now:

npm install -g OWASP/cve-lite-cli#feature/issue-496-multi-folder-scan

When CVE Lite finds no lockfile at the project root but discovers two or more lockfiles in subfolders, it automatically switches to multi-folder mode. You do not need any flags - it detects the layout on its own.

In that mode it:

• Prints a 📁 subfolder/ header before scanning each folder
• Groups findings and fix commands by folder in the terminal output
• Generates a single HTML report (--report) with a collapsible section per folder
• Adds a subfolder field to --json output so you can trace each finding back to its folder

One thing worth knowing: when CVE Lite scans a folder and finds a lockfile there, it stops recursing into that folder's subdirectories. This prevents double-counting packages that appear in both a workspace root lockfile and a nested one. Workspace monorepos (where the root package.json has a workspaces field and a single root lockfile) are unaffected - they go through the normal single-scan path as before.

Let me know how it goes.

[ModalityZ]

Btw, is the following a known issue?

$ sudo npm install -g OWASP/cve-lite-cli#feature/issue-496-multi-folder-scan
[sudo] password for david: 
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
npm error code ENOENT
npm error syscall spawn sh
npm error path /usr/local/lib/node_modules/cve-lite-cli/node_modules/better-sqlite3
npm error errno -2
npm error enoent spawn sh ENOENT
npm error enoent This is related to npm not being able to find a file.
npm error enoent
npm error A complete log of this run can be found in: /root/.npm/_logs/2026-06-01T21_01_45_363Z-debug-0.log

Then, I wasn't able to test it. Sorry I don't know how you want me to test, because the standard invocation isn't recognized:

$ cve-lite . --verbose
cve-lite: command not found

$ cve-lite-cli . --verbose
cve-lite-cli: command not found

[sonukapoor]

Apologies for the confusion with the global install — that does not work because of a native dependency that needs pre-built binaries only available from the npm registry. A local install does work though:

mkdir cve-lite-test && cd cve-lite-test
npm install OWASP/cve-lite-cli#feature/issue-496-multi-folder-scan

Then run it with:

node node_modules/cve-lite-cli/dist/index.js /path/to/your/project

Replace /path/to/your/project with the parent directory containing your sessionManager folder. Let us know what you see.

[ModalityZ]

david@plum:~/Desktop/Tools$ mkdir cve-lite-test && cd cve-lite-test
david@plum:~/Desktop/Tools/cve-lite-test$ npm install OWASP/cve-lite-cli#feature/issue-496-multi-folder-scan
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.

added 43 packages in 19s

10 packages are looking for funding
  run `npm fund` for details
npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts   better-sqlite3@12.10.0 (install: prebuild-install || node-gyp rebuild --release)
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.
david@plum:~/Desktop/Tools/cve-lite-test$ node node_modules/cve-lite-cli/dist/index.js ~/Desktop/Repos_ModalityAI/redacted/
node:internal/modules/cjs/loader:1251
  throw err;
  ^

Error: Cannot find module '/home/david/Desktop/Tools/cve-lite-test/node_modules/cve-lite-cli/dist/index.js'
    at Module._resolveFilename (node:internal/modules/cjs/loader:1248:15)
    at Module._load (node:internal/modules/cjs/loader:1074:27)
    at TracingChannel.traceSync (node:diagnostics_channel:315:14)
    at wrapModuleLoad (node:internal/modules/cjs/loader:217:24)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:166:5)
    at node:internal/main/run_main_module:30:49 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}

Node.js v22.9.0

[sonukapoor]

Apologies for the friction — building from source requires the full TypeScript toolchain which is not a reasonable ask. We are publishing an alpha to npm right now so you can install it the normal way. Will post the command here shortly.

[sonukapoor]

The alpha is now live on npm. Install it with:

npm install -g cve-lite-cli@alpha

Then run it from your parent directory:

cve-lite . --verbose

No TypeScript toolchain needed. Let us know what you see.

[ModalityZ]

david@plum:~/Desktop/Tools$ sudo npm install -g cve-lite-cli@alpha
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.

added 43 packages in 4s

10 packages are looking for funding
  run `npm fund` for details
npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts   better-sqlite3@12.10.0 (install: prebuild-install || node-gyp rebuild --release)
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.
david@plum:~/Desktop/Tools$ cd ~/Desktop/Repos_ModalityAI/redacted/
david@plum:~/Desktop/Repos_ModalityAI/redacted$ cve-lite . --verbose
bash: /usr/local/bin/cve-lite: Permission denied

[sonukapoor]

The permission error is because sudo npm install -g installs the binary as root, so running it as a regular user is blocked. Two options:

Option 1 — run it with sudo:

sudo cve-lite . --verbose

Option 2 — fix the permissions once:

sudo chmod +x /usr/local/bin/cve-lite

Then run normally:

cve-lite . --verbose

Option 2 is cleaner going forward.

[ModalityZ]

It looks to me that your alpha is working...

david@plum:~/Desktop/Repos_ModalityAI/redacted1$ sudo chmod +x /usr/local/bin/cve-lite
david@plum:~/Desktop/Repos_ModalityAI/redacted1$ cve-lite . --verbose
>_  CVE Lite CLI (1.19.0-alpha.1)
────────────────────────────────
✔ Scan dependencies
✔ Highlight critical issues
✔ Show a clear fix plan

Fast. Local. Developer-first.


📁 aws/lambda/redacted2/
✓ Queried OSV in 1 batch
✓ Loaded 33 vulnerability detail records
✓ Analyzed vulnerability findings

📁 aws/lambda/redacted3/
✓ Queried OSV in 1 batch
✓ Loaded 25 vulnerability detail records
✓ Analyzed vulnerability findings

📁 aws/lambda/redacted4/
✓ Queried OSV in 3 batches
✓ Loaded 2 vulnerability detail records
✓ Analyzed vulnerability findings

📁 database/tools/
✓ Queried OSV in 1 batch
✓ Loaded 28 vulnerability detail records
✓ Analyzed vulnerability findings

📁 messenger/src/
✓ Queried OSV in 1 batch
✓ Loaded 2 vulnerability detail records
✓ Analyzed vulnerability findings

📁 starfish/dev/
✓ Queried OSV in 10 batches
✓ Loaded 59 vulnerability detail records
✓ Analyzed vulnerability findings

📁 starfish/personal/frontend/
✓ Queried OSV in 2 batches
✓ Loaded 50 vulnerability detail records
✓ Analyzed vulnerability findings

📁 aws/lambda/redacted2/
──────────────────────────────────────────────────
✗ Found 11 packages (33 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    2     │  2   │   7    │  0  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 0 vulnerable packages look directly fixable in this project.
- 11 issues come through other dependencies.
- 33 CVEs matched overall.
- 11 packages include a fixed-version hint from OSV.

🛠  Copy And Run These Fix Commands
Detected package manager: npm (package-lock.json)
1 command group ready across 1 package (1 critical).

Critical severity parent updates within range
┌─────────┬─────────┬────────────────────┬───────┬──────────────────────────────────────────────────────────────┐
│ Package │ Current │ Recommended target │ Usage │ Context                                                      │
├─────────┼─────────┼────────────────────┼───────┼──────────────────────────────────────────────────────────────┤
│ twilio  │ 5.1.0   │ lockfile refresh   │ n/a   │ twilio@5.1.0 already permits qs@6.15.2 — refreshing the      │
│         │         │                    │       │ lockfile is enough.                                          │
└─────────┴─────────┴────────────────────┴───────┴──────────────────────────────────────────────────────────────┘
> cd aws/lambda/redacted2 && npm update twilio

Running all commands above should fix 1 of 11 findings.

Showing medium+ findings in the main table. Use --all to show everything.
┌──────────────────┬─────────┬──────────┬────────────┬───────┬────────┬──────────────────────────────────────────┐
│ Package          │ Version │ Severity │ Type       │ Usage │ Fixed  │ IDs                                      │
├──────────────────┼─────────┼──────────┼────────────┼───────┼────────┼──────────────────────────────────────────┤
│ form-data        │ 4.0.0   │ critical │ transitive │ n/a   │ 4.0.4  │ GHSA-fjxv-7rqg-78g4                      │
│ form-data        │ 2.3.3   │ critical │ transitive │ n/a   │ 2.5.4  │ GHSA-fjxv-7rqg-78g4                      │
│ axios            │ 1.7.2   │ high     │ transitive │ n/a   │ 1.16.0 │ GHSA-35jp-ww65-95wh, GHSA-3g43-6gmg-66j… │
│ jws              │ 3.2.2   │ high     │ transitive │ n/a   │ 3.2.3  │ GHSA-869p-cjfg-cm3x                      │
│ ajv              │ 6.12.6  │ medium   │ transitive │ n/a   │ 6.14.0 │ GHSA-2g4f-4pwh-qvx6                      │
│ follow-redirects │ 1.15.6  │ medium   │ transitive │ n/a   │ 1.16.0 │ GHSA-r4q5-vmmm-2653                      │
│ qs               │ 6.12.1  │ medium   │ transitive │ n/a   │ 6.15.2 │ GHSA-6rw7-vpxm-498p, GHSA-q8mj-m7cp-5q2… │
│ qs               │ 6.5.3   │ medium   │ transitive │ n/a   │ 6.14.1 │ GHSA-6rw7-vpxm-498p                      │
│ request          │ 2.88.2  │ medium   │ transitive │ n/a   │ 3.0.0  │ GHSA-p8p7-x288-28g6                      │
│ tough-cookie     │ 2.5.0   │ medium   │ transitive │ n/a   │ 4.1.3  │ GHSA-72xf-g2v4-qvf3                      │
│ uuid             │ 3.4.0   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq                      │
└──────────────────┴─────────┴──────────┴────────────┴───────┴────────┴──────────────────────────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
✖ Scan complete. 11 issues found (2 critical, 2 high). Start with the priority fixes above.

──────────────────────────────────────────────────

📁 aws/lambda/redacted3/
──────────────────────────────────────────────────
✗ Found 5 packages (25 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    1     │  1   │   2    │  1  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 2 vulnerable packages look directly fixable in this project.
- 3 issues come through other dependencies.
- 25 CVEs matched overall.
- 4 packages include a fixed-version hint from OSV.

🛠  Copy And Run These Fix Commands
Detected package manager: npm (package-lock.json)
1 command group ready across 1 package (1 critical).

Critical severity fix commands
┌─────────┬─────────┬────────┬───────┬──────────────────┬────────────────────────┬───────────┐
│ Package │ Current │ Target │ Usage │ Versions scanned │ Still known vulnerable │ Breaking? │
├─────────┼─────────┼────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ axios   │ 1.9.0   │ 4.0.5  │ n/a   │ -                │ -                      │ ⚠         │
├─────────┼─────────┼────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ Total   │ -       │ -      │ -     │ 0                │ 0                      │           │
└─────────┴─────────┴────────┴───────┴──────────────────┴────────────────────────┴───────────┘
  Note: Advisory fixed-version hint 0.30.2 is still known vulnerable for axios; scanned 17 package versions above current version (16 still known vulnerable); using lowest known non-vulnerable version 1.16.0.
> cd aws/lambda/redacted3 && npm install axios@4.0.5

No auto-fix command available for these direct dependencies:
- aws-sdk@2.1692.0: No known non-vulnerable published version was found above 2.1692.0 for aws-sdk.

Showing medium+ findings in the main table. Use --all to show everything.
┌──────────────────┬─────────┬──────────┬────────────┬───────┬────────┬──────────────────────────────────────────┐
│ Package          │ Version │ Severity │ Type       │ Usage │ Fixed  │ IDs                                      │
├──────────────────┼─────────┼──────────┼────────────┼───────┼────────┼──────────────────────────────────────────┤
│ form-data        │ 4.0.2   │ critical │ transitive │ n/a   │ 4.0.4  │ GHSA-fjxv-7rqg-78g4                      │
│ axios            │ 1.9.0   │ high     │ direct     │ n/a   │ 1.16.0 │ GHSA-35jp-ww65-95wh, GHSA-3g43-6gmg-66j… │
│ follow-redirects │ 1.15.9  │ medium   │ transitive │ n/a   │ 1.16.0 │ GHSA-r4q5-vmmm-2653                      │
│ uuid             │ 8.0.0   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq                      │
└──────────────────┴─────────┴──────────┴────────────┴───────┴────────┴──────────────────────────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
✖ Scan complete. 5 issues found (1 critical, 1 high). Start with the priority fixes above.

──────────────────────────────────────────────────

📁 aws/lambda/redacted4/
──────────────────────────────────────────────────
✗ Found 3 packages (2 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    0     │  0   │   3    │  0  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 0 vulnerable packages look directly fixable in this project.
- 3 issues come through other dependencies.
- 2 CVEs matched overall.
- 3 packages include a fixed-version hint from OSV.

Showing medium+ findings in the main table. Use --all to show everything.
┌────────────┬─────────┬──────────┬────────────┬───────┬────────┬─────────────────────┐
│ Package    │ Version │ Severity │ Type       │ Usage │ Fixed  │ IDs                 │
├────────────┼─────────┼──────────┼────────────┼───────┼────────┼─────────────────────┤
│ protobufjs │ 7.5.6   │ medium   │ transitive │ n/a   │ 7.5.8  │ GHSA-jggg-4jg4-v7c6 │
│ uuid       │ 8.3.2   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq │
│ uuid       │ 9.0.1   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq │
└────────────┴─────────┴──────────┴────────────┴───────┴────────┴─────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
▲ Scan complete. 3 issues found. Review the suggested fix plan above.

──────────────────────────────────────────────────

📁 database/tools/
──────────────────────────────────────────────────
✗ Found 5 packages (28 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    1     │  2   │   2    │  0  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 2 vulnerable packages look directly fixable in this project.
- 3 issues come through other dependencies.
- 28 CVEs matched overall.
- 5 packages include a fixed-version hint from OSV.

🛠  Copy And Run These Fix Commands
Detected package manager: npm (package-lock.json)
2 command groups ready across 2 packages (1 critical, 1 high).

Critical severity fix commands
┌─────────┬─────────┬────────┬───────┬──────────────────┬────────────────────────┬───────────┐
│ Package │ Current │ Target │ Usage │ Versions scanned │ Still known vulnerable │ Breaking? │
├─────────┼─────────┼────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ axios   │ 1.7.7   │ 4.0.5  │ n/a   │ -                │ -                      │ ⚠         │
├─────────┼─────────┼────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ Total   │ -       │ -      │ -     │ 0                │ 0                      │           │
└─────────┴─────────┴────────┴───────┴──────────────────┴────────────────────────┴───────────┘
  Note: Advisory fixed-version hint 0.30.0 is still known vulnerable for axios; scanned 25 package versions above current version (24 still known vulnerable); using lowest known non-vulnerable version 1.16.0.
> cd database/tools && npm install axios@4.0.5

High severity fix commands
┌───────────┬─────────┬────────┬───────┬──────────────────┬────────────────────────┬───────────┐
│ Package   │ Current │ Target │ Usage │ Versions scanned │ Still known vulnerable │ Breaking? │
├───────────┼─────────┼────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ csvtojson │ 2.0.10  │ 4.18.1 │ n/a   │ -                │ -                      │ ⚠         │
├───────────┼─────────┼────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ Total     │ -       │ -      │ -     │ 0                │ 0                      │           │
└───────────┴─────────┴────────┴───────┴──────────────────┴────────────────────────┴───────────┘
> cd database/tools && npm install csvtojson@4.18.1

Showing medium+ findings in the main table. Use --all to show everything.
┌──────────────────┬─────────┬──────────┬────────────┬───────┬────────┬──────────────────────────────────────────┐
│ Package          │ Version │ Severity │ Type       │ Usage │ Fixed  │ IDs                                      │
├──────────────────┼─────────┼──────────┼────────────┼───────┼────────┼──────────────────────────────────────────┤
│ form-data        │ 4.0.1   │ critical │ transitive │ n/a   │ 4.0.4  │ GHSA-fjxv-7rqg-78g4                      │
│ axios            │ 1.7.7   │ high     │ direct     │ n/a   │ 1.16.0 │ GHSA-35jp-ww65-95wh, GHSA-3g43-6gmg-66j… │
│ lodash           │ 4.17.21 │ high     │ transitive │ n/a   │ 4.18.0 │ GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66j… │
│ csvtojson        │ 2.0.10  │ medium   │ direct     │ n/a   │ 2.0.13 │ GHSA-vrw9-g62v-7fmf                      │
│ follow-redirects │ 1.15.9  │ medium   │ transitive │ n/a   │ 1.16.0 │ GHSA-r4q5-vmmm-2653                      │
└──────────────────┴─────────┴──────────┴────────────┴───────┴────────┴──────────────────────────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
✖ Scan complete. 5 issues found (1 critical, 2 high). Start with the priority fixes above.

──────────────────────────────────────────────────

📁 messenger/src/
──────────────────────────────────────────────────
✗ Found 2 packages (2 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    0     │  0   │   1    │  1  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 1 vulnerable package look directly fixable in this project.
- 1 issue come through other dependencies.
- 2 CVEs matched overall.
- 1 package include a fixed-version hint from OSV.

No auto-fix command available for these direct dependencies:
- aws-sdk@2.1691.0: No known non-vulnerable published version was found above 2.1691.0 for aws-sdk.

Showing medium+ findings in the main table. Use --all to show everything.
┌─────────┬─────────┬──────────┬────────────┬───────┬────────┬─────────────────────┐
│ Package │ Version │ Severity │ Type       │ Usage │ Fixed  │ IDs                 │
├─────────┼─────────┼──────────┼────────────┼───────┼────────┼─────────────────────┤
│ uuid    │ 8.0.0   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq │
└─────────┴─────────┴──────────┴────────────┴───────┴────────┴─────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
▲ Scan complete. 2 issues found. Review the suggested fix plan above.

──────────────────────────────────────────────────

📁 starfish/dev/
──────────────────────────────────────────────────
✗ Found 32 packages (59 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    3     │  15  │   11   │  3  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 0 vulnerable packages look directly fixable in this project.
- 32 issues come through other dependencies.
- 59 CVEs matched overall.
- 32 packages include a fixed-version hint from OSV.

🛠  Copy And Run These Fix Commands
Detected package manager: npm (package-lock.json)
1 command group ready across 1 package (1 critical).

Critical severity parent updates within range
┌─────────────────────────────────────┬─────────┬────────────────────┬───────┬──────────────────────────────────────────────────────────────┐
│ Package                             │ Current │ Recommended target │ Usage │ Context                                                      │
├─────────────────────────────────────┼─────────┼────────────────────┼───────┼──────────────────────────────────────────────────────────────┤
│ amazon-kinesis-video-streams-webrtc │ 2.3.0   │ lockfile refresh   │ n/a   │ amazon-kinesis-video-streams-webrtc@2.3.0 already permits    │
│                                     │         │                    │       │ ws@8.21.0 — refreshing the lockfile is enough.               │
└─────────────────────────────────────┴─────────┴────────────────────┴───────┴──────────────────────────────────────────────────────────────┘
> cd starfish/dev && npm update amazon-kinesis-video-streams-webrtc

Running all commands above should fix 1 of 32 findings.

Showing medium+ findings in the main table. Use --all to show everything.
┌──────────────────────────────────────────┬─────────┬──────────┬────────────┬───────┬────────┬──────────────────────────────────────────┐
│ Package                                  │ Version │ Severity │ Type       │ Usage │ Fixed  │ IDs                                      │
├──────────────────────────────────────────┼─────────┼──────────┼────────────┼───────┼────────┼──────────────────────────────────────────┤
│ fast-xml-parser                          │ 4.5.0   │ critical │ transitive │ n/a   │ 5.7.0  │ GHSA-8gc5-j5rx-235r, GHSA-fj3w-jwp8-x2g… │
│ form-data                                │ 4.0.0   │ critical │ transitive │ n/a   │ 4.0.4  │ GHSA-fjxv-7rqg-78g4                      │
│ form-data                                │ 3.0.2   │ critical │ transitive │ n/a   │ 3.0.4  │ GHSA-fjxv-7rqg-78g4                      │
│ @babel/plugin-transform-modules-systemjs │ 7.25.0  │ high     │ transitive │ n/a   │ 7.29.4 │ GHSA-fv7c-fp4j-7gwp                      │
│ @xmldom/xmldom                           │ 0.7.13  │ high     │ transitive │ n/a   │ 0.8.13 │ GHSA-2v35-w6hq-6mfw, GHSA-f6ww-3ggp-fr8… │
│ @xmldom/xmldom                           │ 0.8.10  │ high     │ transitive │ n/a   │ 0.8.13 │ GHSA-2v35-w6hq-6mfw, GHSA-f6ww-3ggp-fr8… │
│ fast-uri                                 │ 3.0.3   │ high     │ transitive │ n/a   │ 3.1.2  │ GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc │
│ glob                                     │ 10.4.5  │ high     │ transitive │ n/a   │ 10.5.0 │ GHSA-5j98-mcp5-4vw2                      │
│ lodash                                   │ 4.17.21 │ high     │ transitive │ n/a   │ 4.18.0 │ GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66j… │
│ minimatch                                │ 9.0.5   │ high     │ transitive │ n/a   │ 9.0.7  │ GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m2… │
│ minimatch                                │ 3.1.2   │ high     │ transitive │ n/a   │ 3.1.4  │ GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m2… │
│ node-forge                               │ 1.3.1   │ high     │ transitive │ n/a   │ 1.4.0  │ GHSA-2328-f5f3-gj25, GHSA-554w-wpv2-vw2… │
│ picomatch                                │ 2.3.1   │ high     │ transitive │ n/a   │ 2.3.2  │ GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj │
│ picomatch                                │ 3.0.1   │ high     │ transitive │ n/a   │ 3.0.2  │ GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj │
│ serialize-javascript                     │ 6.0.2   │ high     │ transitive │ n/a   │ 7.0.5  │ GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v │
│ tar                                      │ 6.2.1   │ high     │ transitive │ n/a   │ 7.5.11 │ GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28c… │
│ tmp                                      │ 0.0.33  │ high     │ transitive │ n/a   │ 0.2.6  │ GHSA-52f5-9888-hmc6, GHSA-ph9p-34f9-6g65 │
│ undici                                   │ 6.21.2  │ high     │ transitive │ n/a   │ 6.24.0 │ GHSA-2mjp-6q6p-2qxm, GHSA-4992-7rv2-5pv… │
│ ajv                                      │ 6.12.6  │ medium   │ transitive │ n/a   │ 6.14.0 │ GHSA-2g4f-4pwh-qvx6                      │
│ ajv                                      │ 8.17.1  │ medium   │ transitive │ n/a   │ 8.18.0 │ GHSA-2g4f-4pwh-qvx6                      │
│ brace-expansion                          │ 2.0.1   │ medium   │ transitive │ n/a   │ 2.0.3  │ GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw │
│ brace-expansion                          │ 1.1.11  │ medium   │ transitive │ n/a   │ 1.1.13 │ GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw │
│ js-yaml                                  │ 4.1.0   │ medium   │ transitive │ n/a   │ 4.1.1  │ GHSA-mh29-5h37-fv8m                      │
│ js-yaml                                  │ 3.14.1  │ medium   │ transitive │ n/a   │ 3.14.2 │ GHSA-mh29-5h37-fv8m                      │
│ postcss                                  │ 8.4.49  │ medium   │ transitive │ n/a   │ 8.5.10 │ GHSA-qx2v-qp2m-jg93                      │
│ uuid                                     │ 8.3.2   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq                      │
│ uuid                                     │ 7.0.3   │ medium   │ transitive │ n/a   │ 11.1.1 │ GHSA-w5hq-g745-h8pq                      │
│ ws                                       │ 8.18.2  │ medium   │ transitive │ n/a   │ 8.20.1 │ GHSA-58qx-3vcg-4xpx                      │
│ yaml                                     │ 2.5.1   │ medium   │ transitive │ n/a   │ 2.8.3  │ GHSA-48c2-rrv3-qjmp                      │
└──────────────────────────────────────────┴─────────┴──────────┴────────────┴───────┴────────┴──────────────────────────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
✖ Scan complete. 32 issues found (3 critical, 15 high). Start with the priority fixes above.

──────────────────────────────────────────────────

📁 starfish/personal/frontend/
──────────────────────────────────────────────────
✗ Found 28 packages (50 CVEs) with known OSV matches from package-lock
┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│    0     │  12  │   11   │  5  │    0    │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take
- 2 vulnerable packages look directly fixable in this project.
- 26 issues come through other dependencies.
- 50 CVEs matched overall.
- 28 packages include a fixed-version hint from OSV.

🛠  Copy And Run These Fix Commands
Detected package manager: npm (package-lock.json)
3 command groups ready across 5 packages (2 high, 1 medium).

High severity fix commands
┌────────────────────┬─────────┬─────────┬───────┬──────────────────┬────────────────────────┬───────────┐
│ Package            │ Current │ Target  │ Usage │ Versions scanned │ Still known vulnerable │ Breaking? │
├────────────────────┼─────────┼─────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ webpack            │ 5.91.0  │ 5.104.1 │ n/a   │ 32               │ 31                     │           │
│ webpack-dev-server │ 5.0.4   │ 8.21.0  │ n/a   │ -                │ -                      │ ⚠         │
├────────────────────┼─────────┼─────────┼───────┼──────────────────┼────────────────────────┼───────────┤
│ Total              │ -       │ -       │ -     │ 32               │ 31                     │           │
└────────────────────┴─────────┴─────────┴───────┴──────────────────┴────────────────────────┴───────────┘
  Note: Advisory fixed-version hint 5.2.1 is still known vulnerable for webpack-dev-server; scanned 6 package versions above current version (5 still known vulnerable); using lowest known non-vulnerable version 5.2.4.
> cd starfish/personal/frontend && npm install webpack@5.104.1 webpack-dev-server@8.21.0

High severity parent updates within range
┌─────────────────────┬─────────┬────────────────────┬───────┬──────────────────────────────────────────────────────────────┐
│ Package             │ Current │ Recommended target │ Usage │ Context                                                      │
├─────────────────────┼─────────┼────────────────────┼───────┼──────────────────────────────────────────────────────────────┤
│ html-webpack-plugin │ 5.6.0   │ lockfile refresh   │ n/a   │ html-webpack-plugin@5.6.0 already permits lodash@4.18.1 —    │
│                     │         │                    │       │ refreshing the lockfile is enough.                           │
│ webpack-cli         │ 5.1.4   │ lockfile refresh   │ n/a   │ webpack-cli@5.1.4 already permits cross-spawn@7.0.6 —        │
│                     │         │                    │       │ refreshing the lockfile is enough.                           │
└─────────────────────┴─────────┴────────────────────┴───────┴──────────────────────────────────────────────────────────────┘
> cd starfish/personal/frontend && npm update html-webpack-plugin && npm update webpack-cli

Medium severity parent updates within range
┌─────────────────────┬─────────┬────────────────────┬───────┬──────────────────────────────────────────────────────────────┐
│ Package             │ Current │ Recommended target │ Usage │ Context                                                      │
├─────────────────────┼─────────┼────────────────────┼───────┼──────────────────────────────────────────────────────────────┤
│ css-loader          │ 7.1.2   │ lockfile refresh   │ n/a   │ css-loader@7.1.2 already permits postcss@8.5.15 — refreshing │
│                     │         │                    │       │ the lockfile is enough.                                      │
└─────────────────────┴─────────┴────────────────────┴───────┴──────────────────────────────────────────────────────────────┘
> cd starfish/personal/frontend && npm update css-loader

Running all commands above should fix 4 of 28 findings.

Showing medium+ findings in the main table. Use --all to show everything.
┌───────────────────────┬─────────┬──────────┬────────────┬───────┬─────────┬──────────────────────────────────────────┐
│ Package               │ Version │ Severity │ Type       │ Usage │ Fixed   │ IDs                                      │
├───────────────────────┼─────────┼──────────┼────────────┼───────┼─────────┼──────────────────────────────────────────┤
│ body-parser           │ 1.20.2  │ high     │ transitive │ n/a   │ 1.20.3  │ GHSA-qwcr-r2fm-qrc7                      │
│ braces                │ 3.0.2   │ high     │ transitive │ n/a   │ 3.0.3   │ GHSA-grv7-fg5c-xmjg                      │
│ cross-spawn           │ 7.0.3   │ high     │ transitive │ n/a   │ 7.0.5   │ GHSA-3xgq-45jj-v275                      │
│ glob                  │ 10.3.12 │ high     │ transitive │ n/a   │ 10.5.0  │ GHSA-5j98-mcp5-4vw2                      │
│ http-proxy-middleware │ 2.0.6   │ high     │ transitive │ n/a   │ 2.0.9   │ GHSA-4www-5p9h-95mh, GHSA-9gqv-wp59-fq4… │
│ lodash                │ 4.17.21 │ high     │ transitive │ n/a   │ 4.18.0  │ GHSA-f23m-r3pf-42rh, GHSA-r5fr-rjxr-66j… │
│ minimatch             │ 9.0.4   │ high     │ transitive │ n/a   │ 9.0.7   │ GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m2… │
│ node-forge            │ 1.3.1   │ high     │ transitive │ n/a   │ 1.4.0   │ GHSA-2328-f5f3-gj25, GHSA-554w-wpv2-vw2… │
│ path-to-regexp        │ 0.1.7   │ high     │ transitive │ n/a   │ 0.1.13  │ GHSA-37ch-88jc-xwx2, GHSA-9wv6-86v2-598… │
│ picomatch             │ 2.3.1   │ high     │ transitive │ n/a   │ 2.3.2   │ GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj │
│ serialize-javascript  │ 6.0.2   │ high     │ transitive │ n/a   │ 7.0.5   │ GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v │
│ ws                    │ 8.17.0  │ high     │ transitive │ n/a   │ 8.20.1  │ GHSA-3h5v-q93c-6h6q, GHSA-58qx-3vcg-4xpx │
│ webpack               │ 5.91.0  │ medium   │ direct     │ n/a   │ 5.104.1 │ GHSA-38r7-794h-5758, GHSA-4vvj-4cpr-p98… │
│ webpack-dev-server    │ 5.0.4   │ medium   │ direct     │ n/a   │ 5.2.4   │ GHSA-4v9v-hfq4-rm2v, GHSA-79cf-xcqc-c78… │
│ ajv                   │ 6.12.6  │ medium   │ transitive │ n/a   │ 6.14.0  │ GHSA-2g4f-4pwh-qvx6                      │
│ ajv                   │ 8.13.0  │ medium   │ transitive │ n/a   │ 8.18.0  │ GHSA-2g4f-4pwh-qvx6                      │
│ brace-expansion       │ 2.0.1   │ medium   │ transitive │ n/a   │ 2.0.3   │ GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw │
│ follow-redirects      │ 1.15.6  │ medium   │ transitive │ n/a   │ 1.16.0  │ GHSA-r4q5-vmmm-2653                      │
│ micromatch            │ 4.0.5   │ medium   │ transitive │ n/a   │ 4.0.8   │ GHSA-952p-6rrq-rcjv                      │
│ nanoid                │ 3.3.7   │ medium   │ transitive │ n/a   │ 3.3.8   │ GHSA-mwcw-c2x4-8c55                      │
│ postcss               │ 8.4.38  │ medium   │ transitive │ n/a   │ 8.5.10  │ GHSA-qx2v-qp2m-jg93                      │
│ qs                    │ 6.11.0  │ medium   │ transitive │ n/a   │ 6.14.2  │ GHSA-6rw7-vpxm-498p, GHSA-w7fw-mjwx-w883 │
│ uuid                  │ 8.3.2   │ medium   │ transitive │ n/a   │ 11.1.1  │ GHSA-w5hq-g745-h8pq                      │
└───────────────────────┴─────────┴──────────┴────────────┴───────┴─────────┴──────────────────────────────────────────┘
Tip: use --all to include low findings, or --min-severity high to focus only on urgent issues.

Coverage notes
• Scanned resolved dependency versions from package-lock.json.
• Dependency paths are derived from lockfile package locations.
• This MVP checks package versions against OSV advisories. It does not prove exploitability or runtime reachability.
• Installed node_modules contents are not verified in this scan.
• Container images, binaries, secrets, and IaC files are not scanned.
• Monorepo workspace boundaries are only partially modeled in this version.

────────────────────────────────
✖ Scan complete. 28 issues found (0 critical, 12 high). Start with the priority fixes above.

Scanned 7 folders: aws/lambda/redacted2/, aws/lambda/redacted3/, aws/lambda/redacted4/, database/tools/, messenger/src/, starfish/dev/, starfish/personal/frontend/
86 total findings across all folders

[sonukapoor]

@ModalityZ Do you not see this chevron?

[sonukapoor]

Great news — v1.19.0 is now live on npm with multi-folder scan as a stable feature. You can upgrade with:

sudo npm install -g cve-lite-cli@latest

No more alpha needed. Thanks for helping us validate this — your real-world monorepo was the perfect test case.

[ModalityZ]

I'm using Chrome 148.0.7778.215 (Official Build) (64-bit) on Kubuntu, a Framework 13 laptop.

[sonukapoor]

We will take a look @ModalityZ

[sonukapoor]

@ModalityZ Would you be able to share how the CLI helped you and a bit about the use-case here: #481