Most security tools are built around pipelines, not developers. CVE Lite CLI scans your lockfile locally in seconds, explains the dependency path, and tells you what to update before you push.
Fix the package that controls the vulnerable dependency path.
Transitive CVEs are easy to mishandle. CVE Lite CLI avoids recommending direct installs for packages that are only present transitively and points at the parent package instead.
Avoid for transitive-only packages
npm install vulnerable-child@fixed
Prefer when the range allows it
npm update parent-package
Use when the range must change
npm install parent-package@target
Understands npm parent ranges
For npm lockfiles, the CLI checks whether a known non-vulnerable child can be resolved inside the current parent range first.
Works with workspace hoisting
Workspace-local package context is preserved so hoisted npm packages can still map back to their logical parent chain.