Cline Case Study
Verified baseline scan — CVE Lite CLI v1.22.0 · 2026-06-14

Summary
- Project: Cline — autonomous coding agent (SDK, IDE extension, and CLI assistant)
- Revision:
9d59de4a4cfdcadc23a79bd03e8b531207cf2640 - Lockfile: root
bun.lock(Bun workspaces monorepo, Bun 1.3.13) - Baseline findings: 5 unique vulnerable packages (0 critical · 1 high · 2 medium · 2 low)
- OSV advisory matches: 6 CVE/advisory entries deduplicated into 5 packages
- Direct vs transitive (CVE Lite): 0 direct / 5 transitive
- Validated fix command groups generated: 0 — Bun workspace dependency paths are not fully modeled in this lockfile snapshot
bun audit(same lockfile): 6 vulnerability entries (1 high · 2 moderate · 3 low)- Remediation applied in this study: none — baseline scan and comparison only
What this case study demonstrates
Cline extends CVE Lite CLI coverage into AI coding-agent / IDE tooling alongside Mastra, OpenAI Agents JS, and CamoFox Browser. The upstream repository is a Bun workspace monorepo with nested SDK packages, CLI apps, hub webviews, and example workspaces — 1,518 resolved packages in a single root bun.lock.
At this revision the graph is lean on vulnerability surface: five unique packages, no criticals, and no high-severity runtime SDK paths in the finding set. That makes Cline a useful contrast to multi-thousand-package pnpm/Yarn case studies: the interesting story is how Bun workspace lockfiles are parsed, not raw finding volume.
[email protected] — high, transitive · dev. Pulled into Vite-powered webview workspaces (@cline/cline-hub-webview, example webviews). This advisory was not present in the preliminary issue scan (v1.19.2, 2026-06-08) — OSV data added between scans.
[email protected] — medium, transitive. XSS-class advisory on a CSS toolchain package shared across hub webview, @cline/code, and Tailwind/Vite consumers. bun audit names the workspace consumers explicitly; CVE Lite flags the package but does not emit bun add --filter … commands on this lockfile-only snapshot.
[email protected] — medium, transitive. Reached via @opentui/core in the CLI workspace. OSV fix hint targets 21.3.1 (major jump) — marked ⊘ skipped.
@ai-sdk/[email protected] — low, transitive. Shared AI SDK utility pulled through @cline/llms provider packages and webview ai dependencies. Fix hint 4.0.0 is a major bump — ⊘ skipped.
[email protected] — low, transitive. DoS-class advisory on jsdiff, present in CLI and webview toolchains via @opentui/core / shadcn paths per bun audit.
Comparison Note: CVE Lite CLI vs bun audit
Both tools were run against the same bun.lock on the same machine on 2026-06-14.
| Metric | bun audit (1.3.13) | CVE Lite CLI v1.22.0 |
|---|---|---|
| Packages parsed / audited | 1,518 | 1,518 |
| Total reported findings | 6 | 5 |
| Critical | 0 | 0 |
| High | 1 | 1 |
| Moderate / Medium | 2 | 2 |
| Low | 3 | 2 |
| Direct vs transitive breakdown | partial (workspace paths) | ✓ (0 / 5) |
| Deduplicated package view | ✗ | ✓ |
| Workspace-scoped fix commands | ✗ | ✗ (0 groups on this fixture) |
| Skipped findings with reason | ✗ | ✓ (5 entries) |
Why totals differ slightly: bun audit counts 6 vulnerability entries — esbuild carries both a high and a low advisory (GHSA-gv7w-rqvm-qjhr and GHSA-g7r4-m6w7-qqqr). CVE Lite deduplicates to one row per vulnerable package version, reporting esbuild once at high (max severity).
Workspace visibility: bun audit prints workspace consumers (e.g. workspace:@cline/cline-hub-webview › postcss). CVE Lite lists dependency paths as project → package on this Bun lockfile because monorepo workspace boundaries are only partially modeled (see coverage notes in scan output). Maintainers should cross-reference bun audit workspace paths when planning bun add --filter … upgrades.
Manual remediation (from bun audit workspace paths, not auto-generated by CVE Lite):
bun add --filter apps/cline-hub/src/webview --filter apps/examples/desktop-app --filter apps/examples/vscode/src/webview [email protected]
bun add [email protected]
Before vs After
No remediation pass was performed for this study.
| Stage | Findings | Critical | High | Medium | Low | Direct | Transitive | Command groups |
|---|---|---|---|---|---|---|---|---|
| Baseline (verified) | 5 | 0 | 1 | 2 | 2 | 0 | 5 | 0 |
Fix Journey
No commands were run for this study.
CVE Lite generated zero copy-and-run command groups on this fixture. All five findings were skipped with the reason “No dependency path available … Inspect your lockfile to find which package pulls it in.” That is expected for lockfile-only Bun workspace snapshots where workspace package names are not wired into CVE Lite’s parent-resolution graph.
The instinct on postcss and diff is a root-level bun add. bun audit shows these are workspace-scoped — postcss spans multiple webview packages; diff arrives through @opentui/core. file-type and @ai-sdk/provider-utils need upstream major-version decisions. esbuild is dev-only via Vite — patch through Vite/esbuild workspace upgrades.
Why this matters
Cline represents the autonomous agent category at Bun-native monorepo scale without enterprise-lockfile noise. Teams adopting Cline as a reference architecture get a realistic picture: 1,518 packages, five findings, zero criticals — but remediation still requires understanding workspace-scoped Bun graphs, not just running bun update at the root.
CVE Lite’s value here is deduplicated OSV triage at agent-tooling scale plus explicit skip reasons when automated Bun workspace fix commands cannot be generated. Pair CVE Lite with bun audit when you need workspace filter targets.
Scan command
Run from the Cline repository root or from the examples/cline directory in this repository:
cve-lite . --verbose --all
The example lockfile reflects Cline at revision 9d59de4a4cfdcadc23a79bd03e8b531207cf2640. OSV advisory data changes over time — re-scanning may show different counts on the same revision.
Scan verification
Every number in this case study comes from a live scan of the committed fixture at examples/cline/ in the CVE Lite CLI repository.
| Field | Value |
|---|---|
| Scan date | 2026-06-14 |
| CLI version | v1.22.0 |
| CVE Lite command | node dist/index.js examples/cline --verbose --all --json |
| bun audit command | bun audit (Bun 1.3.13) |
| Advisory source | OSV (https://api.osv.dev) — online mode |
| Lockfile source | examples/cline/bun.lock from cline/cline@9d59de4 |
| Packages parsed (CVE Lite) | 1,518 |
| Unique vulnerable packages (CVE Lite) | 5 |
| Vulnerability entries (bun audit) | 6 |
| Fix command groups (CVE Lite) | 0 |
| Skipped findings with reason (CVE Lite) | 5 |
Reproduce CVE Lite locally from the repository root:
npm install
npm run build
node dist/index.js examples/cline --verbose --all
Reproduce bun audit from the example directory (Bun 1.3.13+ recommended):
cd examples/cline
bun audit
Both tools were run against the same bun.lock on the same machine on 2026-06-14.
Remaining risk
All 5 baseline findings remain open at the time of this study. No remediation was applied.
- 1 high:
[email protected](transitive · dev) - 2 medium:
[email protected],[email protected] - 2 low:
@ai-sdk/[email protected],[email protected]
Zero findings have first-pass copy-and-run commands from CVE Lite on this Bun workspace lockfile snapshot.
Baseline findings
Full vulnerable package list from the verified scan on 2026-06-14 (revision 9d59de4):
| Package | Version | Severity | Relationship | Dev | Fix hint | Advisory IDs |
|---|---|---|---|---|---|---|
| esbuild | 0.27.7 | high | transitive | yes | 0.28.1 ⊘ | GHSA-g7r4-m6w7-qqqr, GHSA-gv7w-rqvm-qjhr |
| file-type | 16.5.4 | medium | transitive | no | 21.3.1 ⊘ | GHSA-5v7r-6r5c-r473, CVE-2026-31808 |
| postcss | 8.4.31 | medium | transitive | no | 8.5.10 ⊘ | GHSA-qx2v-qp2m-jg93, CVE-2026-41305 |
| @ai-sdk/provider-utils | 3.0.25 | low | transitive | no | 4.0.0 ⊘ | GHSA-866g-f22w-33x8, CVE-2026-8769 |
| diff | 8.0.2 | low | transitive | no | 8.0.3 ⊘ | GHSA-73rr-hh4g-fpgx, CVE-2026-24001 |
Fixture scope
The committed snapshot under examples/cline/ contains only the root package.json and bun.lock from upstream revision 9d59de4. Workspace source trees, VS Code extension packaging, and Python/FastAPI server dependencies are out of scope — consistent with other lockfile-only case study fixtures in this repository.
Want your project reviewed?
If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the CVE Lite CLI repository.
Please include:
- the repository link
- why the project would make a useful case study
- whether the dependency graph is publicly reproducible
Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows.