v1.25.0 - Override hygiene, SARIF enrichment, and validated transitive chain resolution


@sonukapoor sonukapoor released this 20 Jun 17:42
v1.25.0
2eed959

Added

  • cve-lite overrides [path] subcommand audits override hygiene across npm, pnpm, yarn, and bun projects. Covers eight rules (OA001-OA008): orphaned target, floating tag, wrong section, surpassed pin, nested ineffective override, coupled platform binary, frozen latest (registry drift), and materialized vulnerable copy. Supports --fix, --rule <id>, --json, --fail-on <severity>, --audit-log <path>, and --check-network
  • --fix applies override-hygiene fixes as RFC 6902 patches with a chokepoint guard that prevents inventing new override keys
  • cve-lite [path] --fix now runs the override hygiene fix-and-verify hook after CVE fixes: applies fixable override findings, then re-audits the touched packages to confirm no vulnerable copy remains
  • Exit code 2 for a post --fix verify failure, distinct from exit 1 (findings) and exit 3 (tool error)
  • --audit-log <path> (also via CVE_LITE_AUDIT_LOG) streams override detection and fix events as an NDJSON change-control log
  • --check-overrides runs per-folder override audits in multi-folder workspace scans
  • Override hygiene fixes participate in --create-pr
  • Validated transitive chain resolution with a chain proof line (resolves via X -> Y (safe))
  • SARIF rule.shortDescription, rule.fullDescription, and rule.help populated from OSV advisory data: summary, details, CVSS, CWE, affected range, dependency path, and fix guidance
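The chokepoint guard behind --fix described above, as an added illustration that is not cve-lite's own code: it applies RFC 6902 operations to the overrides block of a constructed package.json and refuses any operation that would create an override key that does not already exist (the sample package, the patch operations and the function names are assumptions).

```javascript
// Added illustration, not cve-lite's code: RFC 6902 patching of package.json
// "overrides" behind a guard that cannot invent new override keys.
// samplePkg is constructed input; the patch ops in the usage are assumed.
const samplePkg = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.21" },
  overrides: { minimist: "1.2.8", lodash: "latest" },
};

// RFC 6901 JSON Pointer -> decoded path segments ("~1" -> "/", "~0" -> "~").
function parsePointer(ptr) {
  if (ptr === "") return [];
  if (!ptr.startsWith("/")) throw new Error(`bad pointer: ${ptr}`);
  return ptr.slice(1).split("/").map((s) => s.replace(/~1/g, "/").replace(/~0/g, "~"));
}

// Chokepoint guard: every op must resolve to a key that already exists under
// /overrides. An RFC 6902 "add" on an existing member only replaces it, so
// with this check in place "add" can never create a new override entry.
function guardOp(doc, op) {
  const segs = parsePointer(op.path);
  if (segs[0] !== "overrides" || segs.length < 2) {
    throw new Error(`guard: path outside overrides: ${op.path}`);
  }
  let cur = doc.overrides;
  for (const s of segs.slice(1)) {
    if (cur === null || typeof cur !== "object" || !Object.prototype.hasOwnProperty.call(cur, s)) {
      throw new Error(`guard: would invent override key: ${op.path}`);
    }
    cur = cur[s];
  }
}

// Apply a patch to a deep copy of doc; the original is left untouched so a
// rejected op cannot leave a half-applied package.json behind.
function applyOverridePatch(doc, patch) {
  const out = JSON.parse(JSON.stringify(doc));
  for (const op of patch) {
    guardOp(out, op); // checked against the state after earlier ops
    const segs = parsePointer(op.path);
    const key = segs.pop();
    const parent = segs.reduce((o, s) => o[s], out);
    if (op.op === "remove") delete parent[key];
    else if (op.op === "replace" || op.op === "add") parent[key] = op.value;
    else throw new Error(`unsupported op: ${op.op}`);
  }
  return out;
}
```

Pinning a floating tag is a replace on an existing key and dropping an orphaned target is a remove; both pass the guard, while an add of a key that is not already present is rejected before anything is written.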

Fixed

  • OA006 (coupled platform binary) no longer false-positives on flat overrides that are actually effective; consults materialized node_modules before firing
  • Mistyped command or nonexistent path now exits with code 3 and prints "Did you mean 'X'?" using Levenshtein distance, rather than silently exiting 0
  • Restore Yarn Berry transitive graph edges when a dep ref lacks the npm: prefix; fixes misclassification of transitive packages as direct
  • Replace vague "lockfile refresh" message with a concrete package manager install instruction in within-range fix output
  • Remove em dashes from user-facing action strings in fix guidance output
  • --ratchet now gates on new findings when a baseline already exists instead of re-saving the baseline
  • Add pull_request trigger to docs-site CI workflow

Changed

  • "Copy And Run These Fix Commands" renamed to "Suggested Fix Commands" in terminal output

Validation

  • npm test
  • npm run build

Contributors

  • @alamb-hex - override-hygiene subsystem (OA001-OA008, --audit-log, --fix RFC 6902 patches, SARIF integration, 827 tests) and CLI mistyped-command exit with "Did you mean" suggestion
  • @Demiserular - "Suggested Fix Commands" rename and docs-site CI workflow pull_request trigger fix
  • @coder-Yash886 - fix version publish date in terminal and HTML output