NX Workspaces
CVE Lite CLI supports both NX integrated and package-based workspace configurations.
NX Integrated Repos
NX integrated repos use a single root lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock) with all dependencies managed at the root. CVE Lite CLI scans the root lockfile by default.
Scan command:
cve-lite .
Examples:
- Strapi - Yarn Berry NX monorepo with 2,887 packages
- Twenty - Yarn Berry NX monorepo with 5,451 packages
NX Package-Based Repos
NX package-based repos have individual lockfiles for each project under apps/ and libs/ directories. CVE Lite CLI automatically discovers and scans all nested lockfiles.
Scan command:
cve-lite .
The default --search-depth of 4 is automatically applied, which is sufficient for most NX workspace structures. CVE Lite CLI will:
- Discover all lockfiles under
apps/andlibs/directories - Scan each lockfile independently
- Label findings by workspace project (e.g.,
apps/my-app/,libs/my-lib/) - Provide project-specific fix commands with correct working directories
Example output: (Note: Fix versions below are simulated. CVE Lite CLI generates real fix commands from live OSV data at scan time)
📁 apps/my-app/
────────────────────────────────
📦 Vulnerabilities found
────────────────────────────────
HIGH [email protected]
Direct dependency
Fix: upgrade to 0.21.1
────────────────────────────────
🛠 Copy And Run These Fix Commands
────────────────────────────────
> cd apps/my-app && npm install [email protected]
📁 libs/my-lib/
────────────────────────────────
📦 Vulnerabilities found
────────────────────────────────
CRITICAL [email protected]
Direct dependency
Fix: upgrade to 4.17.21
────────────────────────────────
🛠 Copy And Run These Fix Commands
────────────────────────────────
> cd libs/my-lib && npm install [email protected]
Scanned 2 folders: apps/my-app/, libs/my-lib/
2 total findings across all folders
Mixed Scenarios
Some NX workspaces have both a root lockfile AND nested lockfiles (e.g., root dev tools + per-project dependencies).
Known gap: Currently, CVE Lite CLI only scans the root lockfile in mixed scenarios. Nested lockfiles under apps/ and libs/ are not discovered when a root lockfile exists.
Workaround: Run scans separately for each project:
cve-lite apps/my-app
cve-lite libs/my-lib
Future fix: We plan to add support for scanning both root and nested lockfiles in mixed scenarios. See the examples/nx-mixed fixture for a test case.
Deeply Nested Structures
For unusually deep NX workspace structures (e.g., apps/platform/frontend/app/), increase the search depth:
cve-lite . --search-depth 6
CI/CD Integration
For CI/CD pipelines, use the standard workflow integration patterns:
- name: Scan for vulnerabilities
run: cve-lite . --fail-on high --json > results.json
See Workflow Integration for full CI/CD patterns.
Limitations
- --fix mode: Not yet supported in multi-folder mode. Run
cve-lite .from each subfolder individually for auto-fix. - --sarif and --cdx: Not yet supported in multi-folder mode.
- Mixed scenarios: Root lockfile + nested lockfiles only scans the root lockfile (see above for workaround).
- Workspace boundaries: Monorepo workspace boundaries are only partially modeled in this version. Findings are labeled by folder path but not by NX project graph.