OWASP CVE Lite CLI Graduates to Lab Project Status
By SecBurg
OWASP CVE Lite CLI is a fast, open source dependency vulnerability scanner for JavaScript and TypeScript projects.
It scans your lockfiles locally and matches dependencies against the OSV database to identify known vulnerabilities - no account required, and no data ever leaves your machine.
The tool has just graduated to OWASP Lab Project status, only three months after its initial launch in March 2026. In that time it picked up 621 GitHub stars, over 100 forks, and more than 25,000 npm downloads.
Some of the features that got it there:
Supports npm, pnpm, Yarn, and Bun lockfiles
Classifies findings as direct or transitive dependencies
Generates ranked remediation plans with copy-and-run upgrade commands
Local advisory cache for offline use
Minimal runtime dependency footprint (just four packages)
HTML and JSON output modes
--fail-on severity flag for CI pipeline integration
Override hygiene detection (since v1.27.0)
Getting started is a one-liner:
npm install -g cve-lite-cli
cve-lite .
Next up on the roadmap: SARIF 2.1.0 output for GitHub Code Scanning, a phantom dependency detector, and a maintenance risk scorer.
Check out the project page or the GitHub repo for more.
Happy scanning! :-)