Skip to main content

NX Workspaces

CVE Lite CLI supports both NX integrated and package-based workspace configurations.

NX Integrated Repos

NX integrated repos use a single root lockfile (package-lock.json, pnpm-lock.yaml, or yarn.lock) with all dependencies managed at the root. CVE Lite CLI scans the root lockfile by default.

Scan command:

cve-lite .

Examples:

  • Strapi - Yarn Berry NX monorepo with 2,887 packages
  • Twenty - Yarn Berry NX monorepo with 5,451 packages

NX Package-Based Repos

NX package-based repos have individual lockfiles for each project under apps/ and libs/ directories. CVE Lite CLI automatically discovers and scans all nested lockfiles.

Scan command:

cve-lite .

The default --search-depth of 4 is automatically applied, which is sufficient for most NX workspace structures. CVE Lite CLI will:

  • Discover all lockfiles under apps/ and libs/ directories
  • Scan each lockfile independently
  • Label findings by workspace project (e.g., apps/my-app/, libs/my-lib/)
  • Provide project-specific fix commands with correct working directories

Example output: (Note: Fix versions below are simulated. CVE Lite CLI generates real fix commands from live OSV data at scan time)

📁 apps/my-app/
────────────────────────────────
📦 Vulnerabilities found
────────────────────────────────
Direct dependency
Fix: upgrade to 0.21.1
────────────────────────────────
🛠 Copy And Run These Fix Commands
────────────────────────────────
> cd apps/my-app && npm install [email protected]

📁 libs/my-lib/
────────────────────────────────
📦 Vulnerabilities found
────────────────────────────────
Direct dependency
Fix: upgrade to 4.17.21
────────────────────────────────
🛠 Copy And Run These Fix Commands
────────────────────────────────
> cd libs/my-lib && npm install [email protected]

Scanned 2 folders: apps/my-app/, libs/my-lib/
2 total findings across all folders

Mixed Scenarios

Some NX workspaces have both a root lockfile AND nested lockfiles (e.g., root dev tools + per-project dependencies).

Known gap: Currently, CVE Lite CLI only scans the root lockfile in mixed scenarios. Nested lockfiles under apps/ and libs/ are not discovered when a root lockfile exists.

Workaround: Run scans separately for each project:

cve-lite apps/my-app
cve-lite libs/my-lib

Future fix: We plan to add support for scanning both root and nested lockfiles in mixed scenarios. See the examples/nx-mixed fixture for a test case.

Deeply Nested Structures

For unusually deep NX workspace structures (e.g., apps/platform/frontend/app/), increase the search depth:

cve-lite . --search-depth 6

CI/CD Integration

For CI/CD pipelines, use the standard workflow integration patterns:

- name: Scan for vulnerabilities
run: cve-lite . --fail-on high --json > results.json

See Workflow Integration for full CI/CD patterns.

Limitations

  • --fix mode: Not yet supported in multi-folder mode. Run cve-lite . from each subfolder individually for auto-fix.
  • --sarif and --cdx: Not yet supported in multi-folder mode.
  • Mixed scenarios: Root lockfile + nested lockfiles only scans the root lockfile (see above for workaround).
  • Workspace boundaries: Monorepo workspace boundaries are only partially modeled in this version. Findings are labeled by folder path but not by NX project graph.

References