cve-lite-cli
CVE Lite CLI is a terminal-based dependency vulnerability scanner for JavaScript/TypeScript projects that reads your lockfile locally and outputs actionable fix commands (npm/pnpm/yarn/bun install commands) rather than just CVE lists. It runs entirely on your machine with no data sent to external services, integrates into CI pipelines, and is maintained as an OWASP Lab Project.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | OWASP/cve-lite-cli |
| Owner | OWASP |
| Primary language | TypeScript |
| License | MIT — OSI-approved |
| Stars | 623 |
| Forks | 104 |
| Open issues | 35 |
| Latest release | v1.26.0 (2026-07-04) |
| Last updated | 2026-07-07 |
| Source | https://github.com/OWASP/cve-lite-cli |
What cve-lite-cli is
TypeScript-based CLI tool that parses npm/pnpm/yarn/bun lockfiles, queries the OSV (Open Source Vulnerabilities) database, identifies direct and transitive vulnerabilities, and generates validated package manager commands for remediation. Supports JSON/SARIF output, offline scanning, override hygiene auditing (OA001–OA009), and automated fix application via --fix flag.
Get the cve-lite-cli source
Clone the repository and explore it locally.
git clone https://github.com/OWASP/cve-lite-cli.gitcd cve-lite-cli# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Node.js runtime; install globally (npm install -g cve-lite-cli) or run one-off via npx. Lock Node.js version in CI for deterministic scans.
- Lockfile format must be recognized (package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lockb). If using monorepos, run per workspace or scan root lockfile depending on structure.
- OSV advisory database is queried at runtime by default; --offline mode requires prior sync with cve-lite advisories sync. Plan network access or pre-download for restricted environments.
- Overrides/resolutions in lockfile are honored during scanning. Stale or broken overrides are flagged by --check-overrides; ensure team processes update them regularly.
- Fix mode (--fix) applies validated direct package updates only. Transitive fixes may require manual resolution or parent package upgrades; review changes before committing.
When to avoid it — and what to weigh
- Non-JavaScript/TypeScript projects — Tool is purpose-built for JS/TS and package managers (npm, pnpm, yarn, bun). Not applicable to Python, Java, Go, or other ecosystems; alternative language-specific scanners required.
- Real-time threat intelligence required — While OSV is kept current, the tool does not provide real-time vulnerability feeds or custom advisory rules. If your threat model requires zero-day rapid response or proprietary CVE feeds, consider paid SaaS alternatives.
- Enterprise policy and provenance tracking — Tool focuses on CVE/advisory scanning; it does not audit software provenance, license compliance at scale, or enforce organizational policy workflows. Use alongside SBOM/compliance tools if policy auditing is a hard requirement.
- Proprietary or air-gapped security appliance deployment — Tool is a CLI designed for local/CI use. If infrastructure requires deployment as a managed security service with SIEM integration or appliance form factor, this is not the right fit.
License & commercial use
Licensed under MIT (Massachusetts Institute of Technology License). MIT is a permissive OSI-approved open-source license that permits commercial use, modification, and distribution with minimal restrictions (requires license and copyright notice in distributions).
MIT license permits unrestricted commercial use, including as a dependency in proprietary software, SaaS products, and enterprise tooling. No commercial support agreement stated in the provided data; refer to the OWASP Foundation for support/sponsorship options. Always review the full LICENSE file and consult legal counsel for organizational compliance.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Tool performs scanning locally with no code or dependency tree sent externally by default. OSV queries during online scan are queries only (advisory database, not code submission). No authentication or credential storage. Lockfile parsing runs locally, reducing attack surface. Operator must verify --offline database integrity and keep OSV data fresh. No formal security audit data provided; refer to OpenSSF Best Practices badge for governance practices.
Alternatives to consider
npm audit
Built-in npm tool; no install required. Lower friction for baseline scans but limited output clarity, no direct fix commands, and weaker transitive vulnerability visibility compared to CVE Lite CLI.
Snyk CLI
Commercial freemium SaaS with local CLI. Richer policy/license scanning and real-time threat intel, but requires account, cloud integration, and monitoring. Higher overhead than CVE Lite CLI for simple pre-commit use.
OWASP Dependency-Check
Broader ecosystem coverage (Java, .NET, Python, C++, etc.) and SPDx/NVD integration. More complex setup; heavier than CVE Lite CLI for JS/TS projects but useful if multi-language scanning needed.
Build on cve-lite-cli with DEV.co software developers
Install CVE Lite CLI globally or run via npx. No account, no configuration, no code leaves your machine. Get copy-and-run fix commands immediately.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
cve-lite-cli FAQ
Does CVE Lite CLI send my code to a server?
Can I use CVE Lite CLI in my CI pipeline?
What if I disagree with a fix or want to override it?
Does CVE Lite CLI work with monorepos?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like cve-lite-cli into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Scan Your Dependencies in Seconds
Install CVE Lite CLI globally or run via npx. No account, no configuration, no code leaves your machine. Get copy-and-run fix commands immediately.