Latest Release v1.9.0

JavaScript/TypeScript Dependency Scanner — An OWASP Foundation Project

Scan. Understand. Fix.

Most security tools are built around pipelines, not developers. CVE Lite CLI scans your lockfile locally in seconds, generates copy-and-run fix commands scoped to your package manager, and tells you exactly what to upgrade — before you push.

  • No account required
  • npm, pnpm, Yarn, and Bun lockfile support
  • Usage-aware reachability scanning
  • Offline scans with local advisory DB
  • Copy-and-run direct fix commands
  • Conservative auto-remediation with `--fix`
🆓 Free to use: no account, no subscription, no cloud required
🏠 Runs locally: scanning happens on your machine; with a synced local advisory DB and `--offline`, no advisory API calls are made at all
Fast: results in seconds, rescans near-instant

Quick Start

Install globally

npm install -g cve-lite-cli
cve-lite /path/to/project

Run one-off with npx

npx cve-lite-cli /path/to/project --verbose

Built for the developer, not the pipeline

HTML vulnerability dashboard

Generate a self-contained HTML report with `--report`: severity cards, an interactive findings table with filters, and copy-ready fix commands — all in a single local file with no CDN required.

Usage-aware reachability

Cut alert fatigue. The `--usage` scanner statically analyzes your source code to detect whether vulnerable packages are actually imported, and `--only-used` filters out findings for packages it never sees imported. Treat that as prioritization, not proof: static analysis sees import and require statements with literal specifiers, not packages loaded through dynamic require() calls, plugin loaders, or build tooling, so review dynamically loaded code before relying on `--only-used` to drop a finding.

Conservative `--fix` mode

Apply validated fixes for manifest-declared direct dependencies automatically, then rescan immediately and print a concise before/after summary. Transitive dependencies are not rewritten by `--fix`; they are surfaced with a parent-upgrade path instead.

Actionable output

Get summary-first scan results plus copy-and-run fix commands for manifest-declared direct dependencies, targeting the lowest known non-vulnerable version whenever the advisory data identifies one.

Direct vs transitive clarity

See where each finding originates: apply a direct fix where your manifest declares the dependency, and for a transitive finding upgrade the direct dependency whose dependency chain pulls the vulnerable package in.
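How the direct/transitive distinction falls out of the lockfile, as an added example in JavaScript. It is not cve-lite-cli's code and does not reproduce its output format; the function names (classify, resolveDep, parentMap, chainsToRoot) and the npm lockfile v3 shaped sample are constructed here. The example resolves each declared dependency with Node's nested node_modules lookup, so a package installed twice at different versions (a common reason a finding survives a top-level upgrade) is reported per installed copy with the chain from the direct dependency you own.

```javascript
// Added example, not code from cve-lite-cli: classify each installed copy of a
// package as direct or transitive using an npm lockfile v3 "packages" map and
// report the chain a transitive finding has to be fixed through.

// Constructed sample lockfile (lockfileVersion 3 layout), not from a real project.
// body-parser pins an older qs than express, so npm nests a second qs copy under it.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { express: "^4.18.0", lodash: "^4.17.20" },
      devDependencies: { jest: "^29.0.0" },
    },
    "node_modules/express": { version: "4.18.2", dependencies: { "body-parser": "1.20.1", qs: "6.11.0" } },
    "node_modules/body-parser": { version: "1.20.1", dependencies: { qs: "6.5.2" } },
    "node_modules/body-parser/node_modules/qs": { version: "6.5.2" },
    "node_modules/qs": { version: "6.11.0" },
    "node_modules/lodash": { version: "4.17.20" },
    "node_modules/jest": { version: "29.7.0", dev: true },
  },
};

const NM = "node_modules/";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameOf(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf(NM) + NM.length);
}

// Node module resolution against the lockfile: look in <from>/node_modules/<dep>,
// then walk up one node_modules level at a time until the top level.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/${NM}${dep}` : `${NM}${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const up = base.lastIndexOf(`/${NM}`);
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// Build child path -> [parent paths] so a finding can be walked back to the root.
function parentMap(packages) {
  const parents = {};
  for (const [path, pkg] of Object.entries(packages)) {
    const deps = { ...(pkg.dependencies || {}), ...(path === "" ? pkg.devDependencies || {} : {}) };
    for (const dep of Object.keys(deps)) {
      const child = resolveDep(packages, path, dep);
      if (child) (parents[child] = parents[child] || []).push(path);
    }
  }
  return parents;
}

// Every chain of package names from a direct dependency down to pkgPath.
function chainsToRoot(parents, pkgPath) {
  const chains = [];
  const walk = (path, trail) => {
    for (const parent of parents[path] || []) {
      if (parent === "") { chains.push(trail); continue; } // reached the manifest
      const pname = nameOf(parent);
      if (trail.includes(pname)) continue;                  // guard against dependency cycles
      walk(parent, [pname, ...trail]);
    }
  };
  walk(pkgPath, [nameOf(pkgPath)]);
  return chains;
}

// One record per installed copy of `name`: direct if the manifest declares it,
// otherwise the direct dependencies (chain heads) an upgrade must come through.
function classify(lock, name) {
  const packages = lock.packages;
  const parents = parentMap(packages);
  const installs = Object.keys(packages).filter((p) => p === `${NM}${name}` || p.endsWith(`/${NM}${name}`));
  return installs.map((path) => {
    const chains = chainsToRoot(parents, path);
    const direct = chains.some((c) => c.length === 1);
    return { path, version: packages[path].version, direct, chains, fixVia: direct ? [name] : [...new Set(chains.map((c) => c[0]))] };
  });
}

for (const name of ["lodash", "qs"]) {
  for (const r of classify(SAMPLE_LOCK, name)) {
    console.log(`${name}@${r.version} (${r.path}): ${r.direct ? "direct" : "transitive"}`,
      `via ${r.chains.map((c) => c.join(" -> ")).join(" | ")};`, `fix by upgrading ${r.fixVia.join(", ")}`);
  }
}
```

For lodash the answer is a direct fix. For qs there are two installed copies, both transitive and both reachable only through express, so the actionable step is an express upgrade that pulls in a fixed body-parser and qs, not a top-level `npm install qs@...` which would leave the nested 6.5.2 copy in place.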

CI and automation friendly

Use fail thresholds, JSON output, and a reusable first-party GitHub Action in release pipelines.

Offline advisory workflow

Sync advisories to a local SQLite DB and run scans with zero runtime advisory API calls.

Small runtime footprint

Security-focused by design: minimal runtime dependencies, so the scanner itself adds little to the supply-chain surface it is meant to audit, and transparent behavior.

Developer-first by default

Built for practical release-time checks and fast local fix loops without forcing teams onto a heavier paid platform.

Three Workflow Modes

1. Standard online scan

cve-lite /path/to/project

2. Advisory DB sync

cve-lite advisories sync

3. Offline local DB scan

cve-lite /path/to/project --offline

Fix Loop Speed Matters

CI-only flow is slow

Upgrade one package, push, wait for checks, inspect logs, then repeat for the next version target.

CVE Lite local flow is faster

Scan locally, copy suggested command, re-run scan immediately, and keep iterating in the same session with transparent scanned/excluded version counts.

Why teams adopt it

The goal is not just finding vulnerabilities. It is shortening the time from finding to fixing, especially when one dependency path needs multiple incremental upgrades.