
JavaScript/TypeScript Dependency Scanner — An OWASP Foundation Project

Scan. Understand. Fix.

Most security tools are built around pipelines, not developers. CVE Lite CLI scans your lockfile locally in seconds, explains the dependency path, and tells you what to update before you push.

  • No account required
  • npm, pnpm, Yarn, and Bun lockfile support
  • Usage-aware reachability scanning
  • Offline scans with local advisory DB
  • Copy-and-run direct fix commands
  • Parent-aware transitive guidance
  • Conservative auto-remediation with --fix
Free to use: no account, no subscription, no cloud required
Runs locally: nothing leaves your machine
Fast: results in seconds, rescans near-instant

[Screenshot: CVE Lite CLI HTML report dashboard]

Run locally before you push

npm install -g cve-lite-cli
cve-lite /path/to/project --verbose

Local-first

Scans your lockfile on your machine. No hosted account or cloud dashboard required.

Actionable

Prioritizes copy-and-run commands instead of leaving you with raw CVE IDs.

Designed for fix loops

Run a scan, apply the suggested command, rescan immediately, and keep moving without waiting on CI.

Parent-aware remediation

Fix the package that controls the vulnerable dependency path.

Transitive CVEs are easy to mishandle. Running npm install vulnerable-child@fixed for a package your project does not depend on directly adds a new direct dependency to your package.json, and if the parent's declared range does not admit the fixed version, npm still keeps a vulnerable nested copy under the parent. CVE Lite CLI therefore avoids recommending direct installs for packages that are only present transitively and points at the parent package instead.

Avoid for transitive-only packages
npm install vulnerable-child@fixed
Prefer when the range allows it
npm update parent-package
Use when the range must change
npm install parent-package@target

Understands npm parent ranges

For npm lockfiles, the CLI first checks whether a known non-vulnerable child version satisfies the range the parent already declares; if it does, npm update on the parent is enough and the parent itself does not need a new version.

Works with workspace hoisting

Workspace-local package context is preserved so hoisted npm packages can still map back to their logical parent chain.
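The parent-aware logic described above (transitive versus direct, the parent-range check, and mapping a hoisted package back to the workspace that declares it), as an added example in JavaScript that is not CVE Lite CLI's own code. It walks a constructed lockfileVersion 3 (npm 7+) packages map; the package names, the advisory, the parent release table and the reduced semver (exact and caret ranges only) are all assumptions for illustration, and adding -w <workspace> to install commands for workspace-declared parents is this example's design choice, not something the page states the tool does.

```javascript
// Added example, not CVE Lite CLI's own code. Parent-aware remediation over a
// lockfileVersion 3 (npm 7+) "packages" map. The lockfile, advisory, parent
// release table and semver subset below are constructed assumptions.

// Constructed lockfile: root package, one workspace (packages/app), and a
// vulnerable transitive dependency hoisted to the root node_modules.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "parent-package": "^2.0.0" }, workspaces: ["packages/app"] },
    "packages/app": { dependencies: { "other-parent": "^1.0.0" } },
    "node_modules/app": { resolved: "packages/app", link: true },
    "node_modules/parent-package": { version: "2.1.0", dependencies: { "vulnerable-child": "^1.2.0" } },
    "node_modules/other-parent": { version: "1.4.0", dependencies: { "vulnerable-child": "1.2.3" } },
    "node_modules/vulnerable-child": { version: "1.2.3" },
  },
};
// Constructed advisory: versions below 1.2.5 are affected; 1.2.5 is the fix.
const sampleAdvisory = { name: "vulnerable-child", fixed: "1.2.5" };
// Constructed registry excerpt: the child range each parent release declares.
const sampleParentReleases = { "other-parent": { "1.4.0": "1.2.3", "1.5.0": "^1.2.5" } };

// Minimal semver (assumption): "x.y.z" versions, exact or caret ranges only.
const parse = (v) => v.split(".").map(Number);
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith("^")) return cmp(v, parse(range)) === 0;
  const lo = parse(range.slice(1));
  // Caret: the leftmost non-zero component may not change.
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// npm resolution: nearest node_modules first, then walk up to the root.
// A workspace dir falls through to the root, which is how hoisting shows up.
function resolveDep(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const up = dir.lastIndexOf("/node_modules/");
    dir = up >= 0 ? dir.slice(0, up) : "";
  }
}

function remediate(lock, advisory, parentReleases) {
  const pkgs = lock.packages;
  const nameOf = (path) => path.split("node_modules/").pop();
  const isWorkspaceRoot = (path) => path === "" || (pkgs[""].workspaces || []).includes(path);

  // Edge list: who declares which dependency, and where npm resolved it.
  const edges = [];
  for (const [from, entry] of Object.entries(pkgs)) {
    if (entry.link) continue; // workspace symlink entries carry no dependencies
    for (const [name, range] of Object.entries(entry.dependencies || {})) {
      const to = resolveDep(lock, from, name);
      if (to) edges.push({ from, to, name, range });
    }
  }

  const findings = [];
  for (const [path, entry] of Object.entries(pkgs)) {
    if (entry.link || nameOf(path) !== advisory.name) continue;
    if (cmp(parse(entry.version), parse(advisory.fixed)) >= 0) continue; // not affected
    for (const edge of edges.filter((e) => e.to === path)) {
      if (isWorkspaceRoot(edge.from)) {
        // Direct dependency of the root or a workspace: installing the child is right.
        const ws = edge.from ? ` -w ${edge.from}` : "";
        findings.push({ chain: [edge.from || "(root)", advisory.name], kind: "direct",
          command: `npm install${ws} ${advisory.name}@${advisory.fixed}` });
        continue;
      }
      // Transitive: fix the parent that controls the path, never the child.
      const parentName = nameOf(edge.from);
      const owner = edges.find((e) => e.to === edge.from); // who declares the parent
      const ownerPath = owner ? owner.from : "";
      const ws = ownerPath && isWorkspaceRoot(ownerPath) ? ` -w ${ownerPath}` : "";
      const chain = [ownerPath || "(root)", parentName, advisory.name];
      if (satisfies(advisory.fixed, edge.range)) {
        findings.push({ chain, kind: "update-parent", command: `npm update ${parentName}` });
        continue;
      }
      // Range must change: lowest parent release newer than the installed one
      // whose declared child range admits the fixed version.
      const installed = parse(pkgs[edge.from].version);
      const target = Object.entries(parentReleases[parentName] || {})
        .filter(([v, r]) => cmp(parse(v), installed) > 0 && satisfies(advisory.fixed, r))
        .map(([v]) => v)
        .sort((a, b) => cmp(parse(a), parse(b)))[0];
      findings.push(target
        ? { chain, kind: "install-parent", command: `npm install${ws} ${parentName}@${target}` }
        : { chain, kind: "blocked", command: null });
    }
  }
  return findings;
}

for (const f of remediate(sampleLock, sampleAdvisory, sampleParentReleases)) {
  console.log(f.chain.join(" > "), "=>", f.command ?? "no parent release with a fixed child yet");
}
```

On the sample lockfile the root chain yields npm update parent-package because ^1.2.0 already admits 1.2.5, while the hoisted other-parent maps back to packages/app and, since it pins the child exactly, needs the parent bumped to the first release whose range admits the fix. The "blocked" outcome is the case a practitioner has to handle by hand (overrides, a patched fork, or waiting on upstream); the example reports it rather than guessing.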

Guides

Go deeper when you need the details.

Learn how CVE Lite CLI builds reports, handles restricted networks, compares with common scanners, and behaves across package-manager lockfiles.

HTML reports

Generate a self-contained dashboard with severity cards, searchable findings, and copy-ready fix commands. Read the guide.

Offline advisory DB

Sync OSV data locally and scan restricted environments without runtime advisory API calls. Read the guide.

Tool comparison

See how CVE Lite CLI compares with Dependabot, npm audit, OSV-Scanner, Snyk, and Socket. Compare tools.