
v1.26.0 - GitHub Action fix mode and Dependabot alternative


sonukapoor released this 04 Jul 00:46
v1.26.0
99b7b0d

Added

  • GitHub Action: fix: true and create-pr: true inputs enable scheduled security fix PRs - a direct Dependabot alternative for npm/pnpm/yarn/bun repos. A single batched PR is opened (or updated in place) with advisory IDs, before/after finding counts, and OSV-validated fix versions
  • GitHub Action: base-branch, labels, and token inputs for the fix PR workflow
  • Override hygiene hint shown when overrides/resolutions/patchedDependencies are detected but --check-overrides was not passed - single tip line at end of terminal output, suppressed in --json/--sarif/--cdx/--ratchet modes
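An added example (not a workflow shipped by the project) of wiring the inputs listed above into a scheduled job. The action path, pinned SHAs, label value and token choice are placeholders or assumptions, and the permissions block is a least-privilege recommendation rather than something this release states:

```yaml
# Added example, not the project's own workflow. Replace the placeholder
# `uses:` targets with the real action path and, as this release does for its
# own workflows, pin them to immutable commit SHA digests.
name: scheduled-security-fix-prs

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC
  workflow_dispatch:      # allow a manual run as well

permissions:
  contents: write         # push the fix branch
  pull-requests: write    # open or update the batched PR

jobs:
  security-fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@COMMIT_SHA     # placeholder: pin to a real SHA
      - uses: OWNER/ACTION_REPO@COMMIT_SHA    # placeholder for the scanner action
        with:
          fix: true            # apply fixes instead of only reporting findings
          create-pr: true      # open (or update in place) a single batched PR
          base-branch: main    # branch the fix PR targets
          labels: security     # assumed format: label name(s) applied to the PR
          token: ${{ secrets.GITHUB_TOKEN }}  # assumed: token used to create the PR
```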

Fixed

  • --fix exit code suppressed when fix mode is active so remaining transitive findings do not block the Action PR creation step
  • bun.lockb added to DEPENDENCY_FILES_TO_STAGE in create-pr.ts
  • cve-lite-fix-result.json added to .gitignore
  • Circular ESM import between override-findings-terminal.ts and formatters.ts causing 35 test failures
  • ReversingLabs logo on homepage press bar: red square had no fill, LABS text had wrong fill color, REVERSING text was black on dark background
  • HTML override report: severity group rows now carry the severity CSS class; location cell shows file > jsonPath separator; fix commands render with inline block and copy button
  • e2e test fixture fragility when new CVEs appear in the live OSV DB
  • pnpm dual-document lockfile (bootstrap + project sections) fails to parse
  • Exact-pinned transitive dependency misclassified as within-range refresh
  • JSON parse errors in local-db.ts now caught and handled gracefully

Performance

  • Compact JSON serialization in advisory cache reduces file size and I/O overhead
  • Parallelized validateDirectFixTargets with runWithConcurrency and promise-based packument cache deduplication
  • publishedAt included in fix version resolutions to eliminate redundant registry call
  • Parsed version tuples cached in compareVersions to avoid redundant string splits
  • Cache timestamp hoisted before write loop; three findings.filter() passes collapsed into a single counted loop
  • Inline base64 logo constants in HTML reporter replaced with runtime PNG loader and module-level Map cache

Changed

  • Override hygiene terminal output: verbose mode uses cyan header without separators; compact mode wraps section in separator lines
  • .npmrc added with allow-git=none to block git-sourced dependencies
  • Third-party GitHub Actions pinned to immutable commit SHA digests across all workflows
  • GitHub Action: --report flag exposed as input with --no-open applied automatically in CI context

Docs

  • GitHub Action inputs reference page covering all inputs grouped by purpose
  • 5 new case studies: Cline, CopilotKit, Dyad, Builder.io, Mitosis
  • Usage-aware triage sections added to Analog, NestJS, and Juice Shop case studies
  • Override hygiene auditing documentation with per-rule pages and real-world fixtures
  • The Register coverage added to press page, README, and homepage bar
  • Comparison page expanded with DependencyCheck and dep-scan sections
  • Override hygiene docs updated to use --check-overrides flag throughout

Validation

  • npm test
  • npm run build