DEV.co
Open-Source Security · OWASP

cve-lite-cli

CVE Lite CLI is a terminal-based dependency vulnerability scanner for JavaScript/TypeScript projects that reads your lockfile locally and outputs actionable fix commands (npm/pnpm/yarn/bun install commands) rather than just CVE lists. It runs entirely on your machine with no data sent to external services, integrates into CI pipelines, and is maintained as an OWASP Lab Project.

Source: GitHub — github.com/OWASP/cve-lite-cli
623
GitHub stars
104
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryOWASP/cve-lite-cli
OwnerOWASP
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars623
Forks104
Open issues35
Latest releasev1.26.0 (2026-07-04)
Last updated2026-07-07
Sourcehttps://github.com/OWASP/cve-lite-cli

What cve-lite-cli is

TypeScript-based CLI tool that parses npm/pnpm/yarn/bun lockfiles, queries the OSV (Open Source Vulnerabilities) database, identifies direct and transitive vulnerabilities, and generates validated package manager commands for remediation. Supports JSON/SARIF output, offline scanning, override hygiene auditing (OA001–OA009), and automated fix application via --fix flag.

Quickstart

Get the cve-lite-cli source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/OWASP/cve-lite-cli.gitcd cve-lite-cli# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-commit developer workflow

Developers run cve-lite before pushing to catch vulnerabilities locally with immediate fix commands (npm install, pnpm add, etc.), reducing friction compared to blocking CI scanners.

CI/CD pipeline integration

Embed in GitHub Actions (official Marketplace action available), GitLab CI, or other pipelines; supports --fail-on severity thresholds, JSON/SARIF output for dashboards, and --offline mode for air-gapped environments.

Monorepo and lockfile hygiene audits

Use --check-overrides to audit npm/pnpm/yarn/bun overrides and resolutions for drift, orphaned pins, and stale floors across complex dependency trees; --fix mode auto-corrects fixable issues.

Implementation considerations

  • Requires Node.js runtime; install globally (npm install -g cve-lite-cli) or run one-off via npx. Lock Node.js version in CI for deterministic scans.
  • Lockfile format must be recognized (package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lockb). If using monorepos, run per workspace or scan root lockfile depending on structure.
  • OSV advisory database is queried at runtime by default; --offline mode requires prior sync with cve-lite advisories sync. Plan network access or pre-download for restricted environments.
  • Overrides/resolutions in lockfile are honored during scanning. Stale or broken overrides are flagged by --check-overrides; ensure team processes update them regularly.
  • Fix mode (--fix) applies validated direct package updates only. Transitive fixes may require manual resolution or parent package upgrades; review changes before committing.

When to avoid it — and what to weigh

  • Non-JavaScript/TypeScript projects — Tool is purpose-built for JS/TS and package managers (npm, pnpm, yarn, bun). Not applicable to Python, Java, Go, or other ecosystems; alternative language-specific scanners required.
  • Real-time threat intelligence required — While OSV is kept current, the tool does not provide real-time vulnerability feeds or custom advisory rules. If your threat model requires zero-day rapid response or proprietary CVE feeds, consider paid SaaS alternatives.
  • Enterprise policy and provenance tracking — Tool focuses on CVE/advisory scanning; it does not audit software provenance, license compliance at scale, or enforce organizational policy workflows. Use alongside SBOM/compliance tools if policy auditing is a hard requirement.
  • Proprietary or air-gapped security appliance deployment — Tool is a CLI designed for local/CI use. If infrastructure requires deployment as a managed security service with SIEM integration or appliance form factor, this is not the right fit.

License & commercial use

Licensed under MIT (Massachusetts Institute of Technology License). MIT is a permissive OSI-approved open-source license that permits commercial use, modification, and distribution with minimal restrictions (requires license and copyright notice in distributions).

MIT license permits unrestricted commercial use, including as a dependency in proprietary software, SaaS products, and enterprise tooling. No commercial support agreement stated in the provided data; refer to the OWASP Foundation for support/sponsorship options. Always review the full LICENSE file and consult legal counsel for organizational compliance.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Tool performs scanning locally with no code or dependency tree sent externally by default. OSV queries during online scan are queries only (advisory database, not code submission). No authentication or credential storage. Lockfile parsing runs locally, reducing attack surface. Operator must verify --offline database integrity and keep OSV data fresh. No formal security audit data provided; refer to OpenSSF Best Practices badge for governance practices.

Alternatives to consider

npm audit

Built-in npm tool; no install required. Lower friction for baseline scans but limited output clarity, no direct fix commands, and weaker transitive vulnerability visibility compared to CVE Lite CLI.

Snyk CLI

Commercial freemium SaaS with local CLI. Richer policy/license scanning and real-time threat intel, but requires account, cloud integration, and monitoring. Higher overhead than CVE Lite CLI for simple pre-commit use.

OWASP Dependency-Check

Broader ecosystem coverage (Java, .NET, Python, C++, etc.) and SPDx/NVD integration. More complex setup; heavier than CVE Lite CLI for JS/TS projects but useful if multi-language scanning needed.

Software development agency

Build on cve-lite-cli with DEV.co software developers

Install CVE Lite CLI globally or run via npx. No account, no configuration, no code leaves your machine. Get copy-and-run fix commands immediately.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cve-lite-cli FAQ

Does CVE Lite CLI send my code to a server?
No. The tool parses your lockfile locally and queries OSV for advisory data only (not your code or dependency tree contents). --offline mode eliminates all network calls if advisories are pre-synced.
Can I use CVE Lite CLI in my CI pipeline?
Yes. GitHub Actions action available in Marketplace; supports --fail-on severity, --json/--sarif output for dashboards, and --offline mode. Add step to workflow YAML and configure exit code handling.
What if I disagree with a fix or want to override it?
Use npm/pnpm/yarn/bun overrides/resolutions in your lockfile to pin specific versions. CVE Lite CLI's --check-overrides audits override hygiene and flags drift; --fix mode applies validated updates but respects existing pins.
Does CVE Lite CLI work with monorepos?
Yes. Run in root or per-workspace depending on your structure. Most monorepo tools (npm workspaces, pnpm, Yarn) generate a root lockfile that CVE Lite CLI can scan. Check documentation for workspace-specific patterns.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like cve-lite-cli into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Scan Your Dependencies in Seconds

Install CVE Lite CLI globally or run via npx. No account, no configuration, no code leaves your machine. Get copy-and-run fix commands immediately.