This commit was created on GitHub.com and signed with GitHub’s verified signature.
### Added

- GitHub Action: `fix: true` and `create-pr: true` inputs enable scheduled security fix PRs, a direct Dependabot alternative for npm/pnpm/yarn/bun repos. A single batched PR is opened (or updated in place) listing advisory IDs, before/after finding counts, and OSV-validated fix versions
- GitHub Action: `base-branch`, `labels`, and `token` inputs for the fix PR workflow
- Override hygiene hint shown when `overrides`/`resolutions`/`patchedDependencies` are detected but `--check-overrides` was not passed: a single tip line at the end of terminal output, suppressed in `--json`/`--sarif`/`--cdx`/`--ratchet` modes

### Fixed

- `--fix` exit code suppressed when fix mode is active so remaining transitive findings do not block the Action's PR creation step
- `bun.lockb` added to `DEPENDENCY_FILES_TO_STAGE` in `create-pr.ts`
- `cve-lite-fix-result.json` added to `.gitignore`
- Circular ESM import between `override-findings-terminal.ts` and `formatters.ts` that caused 35 test failures
- ReversingLabs logo on the homepage press bar: the red square had no fill, the LABS text had the wrong fill color, and the REVERSING text was black on a dark background
- HTML override report: severity group rows now carry the severity CSS class; the location cell shows a `file > jsonPath` separator; fix commands render as an inline code block with a copy button
- e2e test fixture fragility when new CVEs appear in the live OSV DB
- pnpm dual-document lockfile (bootstrap + project sections) failed to parse
- Exact-pinned transitive dependency misclassified as a within-range refresh
- JSON parse errors in `local-db.ts` are now caught and handled gracefully

### Performance

- Compact JSON serialization in the advisory cache reduces file size and I/O overhead
- `validateDirectFixTargets` parallelized with `runWithConcurrency`, with promise-based deduplication of the packument cache
- `publishedAt` included in fix version resolutions to eliminate a redundant registry call
- Parsed version tuples cached in `compareVersions` to avoid redundant string splits
- Cache timestamp hoisted before the write loop; three `findings.filter()` passes collapsed into a single counted loop
- Inline base64 logo constants in the HTML reporter replaced with a runtime PNG loader and a module-level `Map` cache

### Changed

- Override hygiene terminal output: verbose mode uses a cyan header without separators; compact mode wraps the section in separator lines
- `.npmrc` added with `allow-git=none` to block git-sourced dependencies
- Third-party GitHub Actions pinned to immutable commit SHA digests across all workflows
- GitHub Action: `--report` flag exposed as an input, with `--no-open` applied automatically in the CI context

### Docs

- GitHub Action inputs reference page covering all inputs, grouped by purpose
- 5 new case studies: Cline, CopilotKit, Dyad, Builder.io, Mitosis
- Usage-aware triage sections added to the Analog, NestJS, and Juice Shop case studies
- Override hygiene auditing documentation with per-rule pages and real-world fixtures
- The Register coverage added to the press page, README, and homepage bar
- Comparison page expanded with DependencyCheck and dep-scan sections
- Override hygiene docs updated to use the `--check-overrides` flag throughout