Releases: OWASP/cve-lite-cli

v1.23.0 - Git source classification, error handling, and 2x faster cold scans

13 Jun 17:45
v1.23.0
f0e0092

Added

  • Graded output for MAL- advisories from git sources: terminal shows ⚠ Git source (SHA-pinned) or ⚠ Git source (floating ref) with resolved URL; HTML report shows orange badge variant

Fixed

  • Error handling and cleanup for SARIF, CycloneDX, and HTML report file writes; pre-existing directories preserved on write failure
  • Duplicate db.close() call removed from the osv-sync catch block, where it could mask the original error

Performance

  • CVE detail fetches now run concurrently — 2.2x faster on cold cache for large lockfiles (28.4s → 12.7s on a 170-CVE scan)
  • Packument cache pre-warmed before transitive remediation loop to eliminate serial npm registry round-trips

Validation

  • npm test
  • npm run build

v1.22.0 - Dev dependency labelling and private registry detection for all parsers

11 Jun 20:51
v1.22.0
64a85e1

Added

  • Dev dependency labelling: terminal output and HTML report now show direct · dev / transitive · dev for findings from devDependencies; Yarn Classic and Berry parsers updated to detect dev status
  • yarn-within-range and dev-only-finding example fixtures for regression testing

Fixed

  • Private registry detection (⚠ Unverifiable (private source)) now works for pnpm (legacy and v9), Yarn Classic, and Bun lockfiles — previously only npm was supported

Validation

  • npm test
  • npm run build

v1.21.0 - Ratcheting mode for CI adoption with existing vulnerability debt

09 Jun 13:00
v1.21.0
d9fb007

Added

  • Ratcheting mode: run cve-lite . --ratchet once to snapshot current findings into .cve-lite/baseline.json. All subsequent scans automatically suppress known findings and only report new ones introduced above the baseline. No CI flag changes needed - the baseline file's presence activates suppression.

Docs

  • New dedicated Ratcheting Mode page
  • MAL- advisory handling and unverifiable private source findings documented in how-remediation-works

Validation

  • npm test
  • npm run build

v1.20.0 - Private registry MAL- detection, Yarn path reconstruction, and --create-pr

09 Jun 03:20
v1.20.0
78aa534

Added

  • --create-pr flag: after --fix, commits lockfile changes and opens a GitHub PR via gh with a descriptive title listing upgraded packages and vulnerability count
  • --base <branch> flag to set the base branch for --create-pr (default: main)
  • Bun parser updated to reconstruct transitive paths from package relationships; within-range remediation now works for Bun lockfiles
  • pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain regression fixtures
  • CamoFox Browser case study
  • mal-private-registry example fixture demonstrating unverifiable MAL- output for private registry packages

Fixed

  • Yarn Classic parser now reconstructs full transitive dependency paths using BFS graph walk; within-range resolver correctly suggests yarn upgrade <pkg> for deep chains
  • MAL- advisories for packages resolved from a private registry now surface as "Unverifiable (private source)" instead of a false-positive "Malicious" finding

Validation

  • npm test
  • npm run build

Contributors

  • @coder-Yash886 - Yarn parser path reconstruction fix, bun-within-range fixture
  • @Ayush7614 - pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain fixtures, CamoFox Browser case study
  • @nkgotcode - fixture remediation scan tests

v1.19.2 - Fix transitive/direct classification and skipped findings UX

05 Jun 12:15
v1.19.2
b75564d

Fixed

  • Transitive vulnerability findings now correctly classified as transitive when the same package is also installed as a direct dependency at a different version. Previously uuid@8.3.2 (transitive) was classified as direct because uuid@14.0.0 was in package.json, generating a wrong npm install command instead of a parent upgrade suggestion.
  • Skip reason version hint now uses the validated fix version consistently with the findings table, eliminating version discrepancies between the two sections.
  • --help output no longer repeats the tool name and version already shown in the banner.

Changed

  • Skipped findings in verbose terminal output now show the advisory version with a gray suffix, signalling it is an advisory hint only. A note below the table points to --report for detailed skip reasons.
  • HTML report: ⊘ Skipped (N) filter button added to findings table. Fixed column shows icon with tooltip for skipped findings.
  • HTML report: findings section top margin fixed, scan notes moved to bottom after all important sections.
  • Scan notes: removed outdated MVP language.
  • Nested lockfile informational message moved from warnings (yellow) to notes (gray).

Added

  • New How Remediation Works documentation page with Mermaid dependency tree diagrams and tabbed package manager commands.
  • Usage examples added to --help output.
  • 7 new case studies: Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n.
  • Community contributors section added to README.

Validation

  • npm test
  • npm run build

v1.19.1 - Within-range transitive fix for deep dependency chains

02 Jun 03:38
v1.19.1
4cc5672

Fixed

  • Within-range transitive fix now detected for dependency chains deeper than 2 levels. When the immediate parent's declared range already covers a safe version of the vulnerable package, CVE Lite now suggests a lockfile refresh (npm update <package>) instead of an incorrect best-effort parent upgrade.

Example: project → aws-amplify → @aws-amplify/core → js-cookie@3.0.6

  • Before: npm install aws-amplify@6.16.4 (wrong)
  • After: npm update js-cookie (correct — @aws-amplify/core's ^3.0.5 range already covers the fix)

Validation

  • npm test
  • npm run build

v1.19.0 - Multi-folder scan for monorepos without a root lockfile

02 Jun 02:24
v1.19.0
045391f

Added

  • Multi-folder scan for monorepos without a root lockfile: when cve-lite . is run from a directory with no lockfile but two or more lockfiles in subfolders, the scanner automatically switches to multi-folder mode. Each subfolder is scanned independently, findings and fix commands are grouped per subfolder in terminal output, a single HTML report is generated with collapsible per-folder sections, and --json output includes a subfolder field on each finding.

Fixed

  • isNewer update check now correctly parses pre-release version strings (e.g. 1.19.0-alpha.1) so alpha users do not see a false downgrade prompt.

Validation

  • npm test
  • npm run build

Contributors

Thank you to everyone who contributed to this release: @ModalityZ

v1.18.2 - pnpm alias fix, debug logging, and output improvements

01 Jun 11:37
v1.18.2
8afa4f4

Added

  • --debug flag writes a timestamped JSONL log file alongside the scan with network requests, cache hits, and runtime events; a single stderr line identifies the log file path
  • Unknown-severity findings no longer silently dropped from compact and verbose terminal output; compact mode now shows all direct unknown findings regardless of how many critical/high findings are present

Fixed

  • pnpm v9 aliased dependencies (where the lockfile dep name differs from the real package name, e.g. '@remix-run/dev': '@vercel/remix-run-dev@1.16.1') now resolve correctly through the transitive graph; five downstream bugs fixed: wrong direct-install commands for unresolvable findings, missing parent upgrade suggestions for deep chains, blank context column for covered findings, and reason text being overwritten by lower-severity findings
  • Spinner completion lines (✓ Loaded package matches from cache, etc.) no longer printed to stdout in --json mode
  • Offline advisory database errors now include a sync hint (cve-lite advisories sync) to guide users to resolution
  • SARIF output no longer includes empty artifactChanges arrays in fix objects, which caused GitHub Code Scanning to reject uploaded results
  • Case studies index page added to resolve a Docusaurus build break

Changed

  • CI workflow now declares explicit permissions: contents: read, matching the least-privilege stance already in place on all other workflows

Validation

  • npm test
  • npm run build

Contributors

Thank you to everyone who contributed to this release: @Ayush7614, @coder-Yash886, @MohammadYusif, @arpitjain099, @osfv, @MFA-G

v1.18.1 - Corporate SSL proxy support, workspace fix commands, and Turborepo case study

27 May 21:21
v1.18.1
32e8453

Added

  • Corporate SSL proxy support: --ca-cert <path> flag passes a PEM CA certificate for a single scan or advisory sync; cve-lite config set ca-cert <path> saves the path persistently in ~/.cve-lite-cli/config.json so every future invocation uses it automatically; cve-lite config show and cve-lite config unset ca-cert manage the saved value. Cert is validated as a readable PEM file before saving. GitHub Action gains a matching ca-cert input.
  • Workspace-scoped direct fix commands for monorepos: when scanning an npm, pnpm, yarn, or bun workspace project, direct dependency upgrade commands now include the appropriate workspace flag (npm install -w <workspace>, pnpm add --filter ./path, yarn workspace <name> add, bun add --filter <name>) so the install targets the correct workspace scope rather than the project root.

Changed

  • Extracted all fix execution logic from src/index.ts into src/utils/fix-runner.ts: applyFixesIfRequested, FixExecutionResult, printFixModeSummary join the previously extracted buildFixCommandParts, runInstallCommand, and commandLabelForPackageManager.
  • Extracted pluralize utility to src/utils/string.ts, eliminating repeated count ternaries across 9 files.

Docs

  • New Corporate SSL Proxy guide covering one-time config setup, per-invocation flag, cert export from IT/keychain/browser, and air-gapped advisory sync fallback.
  • CLI reference updated with Network/SSL section and config subcommand docs.
  • Troubleshooting page updated with SSL certificate errors entry.
  • Expanded CONTRIBUTING.md with code quality standards and file-size guidelines.
  • Astro pnpm monorepo case study with verified baseline scan and CVE Lite vs pnpm audit comparison.
  • Added Medium dedicated review and Hexaxia Labs integration post to press page, README, and homepage.
  • Refreshed homepage press bar with new outlets and "View all press coverage" link.
  • Turborepo case study added with verified baseline scan of a pnpm lockfile snapshot (examples/turborepo/, 1,776 packages, 13 findings at revision c85d410), including CVE Lite CLI vs pnpm audit comparison.
  • Examples readme, docs sidebar, and README updated to reference the Turborepo fixture and case study.

Validation

  • npm test
  • npm run build

Contributors

  • @Ayush7614 — Astro case study, Turborepo case study, and homepage press bar refresh
  • @Kushaal-k — fix-runner extraction refactor
  • @MohammadYusif — pluralize utility extraction

v1.18.0 - Lockfile-refresh commands for pnpm, yarn, and bun

25 May 19:24
v1.18.0
733a4ae

Added

  • Targeted retry and offline hints for OSV 429 rate-limit and 5xx server error responses
  • Lockfile-refresh fix commands for pnpm (pnpm update), yarn (yarn upgrade), and bun (bun update) when the parent's declared range already covers the fixed transitive dependency version

Fixed

  • Package manager hint added to --fix command failure errors

Changed

  • Workspace-scoped lockfile-refresh commands for pnpm, yarn, and bun; fix-plan sections for lockfile-refresh targets now appear separately from direct-fix targets; fix coverage count ("Running these commands should fix X of Y findings") added to terminal and HTML output; "within current range" label renamed to "lockfile refresh" with rewritten context strings that plainly state the parent already permits the safe child version
  • Unified EXCLUDED_DIRS constant for --usage source scanning
  • Extracted formatAdvisoryDbFreshness, relativeAge, CLI flag validation, formatAdvisorySourceLine, countBySeverity, package.json helpers, and magic number constants into dedicated modules

Validation

  • npm test
  • npm run build

Contributors

Thanks to everyone who contributed to this release: @macayu17, @coder-Yash886, @luojiyin1987, @nanookclaw, @barton87, @Kushaal-k