You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This PR adds a CVE Lite dependency audit workflow to help catch vulnerable dependencies before they land in main.
CVE Lite CLI is an OWASP Lab Project that scans lockfiles locally without installing packages. It reads the pnpm lockfile directly, queries the OSV vulnerability database, and classifies findings as direct or transitive so you know exactly what you control. A scan of the current main branch found 34 findings total - 3 critical, 16 high, 14 medium, and 1 low.
The workflow runs on every push to main, every pull request targeting main, and on a weekly schedule every Monday morning. When vulnerabilities at high severity or above are found, the job fails so they do not go unnoticed in CI. Results are also exported as a SARIF file and uploaded to GitHub Code Scanning, which surfaces findings directly on the Security tab with file and line context.
All Actions are pinned to immutable commit SHAs rather than mutable version tags, so the supply chain for the workflow itself is locked down.
A companion PR with direct dependency upgrades is coming separately once this is reviewed.
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
One quick note: CVE Lite CLI v1.26.0 shipped a scheduled fix mode that can automate what the companion fix PR does manually. Adding fix: true and create-pr: true to this workflow would have it open a single batched PR with the next round of upgrades automatically - OSV-confirmed versions and advisory IDs included. Here's an example of what that looks like: sonukapoor/cve-lite-test#2
Want me to update this PR to include that? It does require enabling "Allow GitHub Actions to create and approve pull requests" in your repo settings first.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds a CVE Lite dependency audit workflow to help catch vulnerable dependencies before they land in main.
CVE Lite CLI is an OWASP Lab Project that scans lockfiles locally without installing packages. It reads the pnpm lockfile directly, queries the OSV vulnerability database, and classifies findings as direct or transitive so you know exactly what you control. A scan of the current main branch found 34 findings total - 3 critical, 16 high, 14 medium, and 1 low.
The workflow runs on every push to main, every pull request targeting main, and on a weekly schedule every Monday morning. When vulnerabilities at high severity or above are found, the job fails so they do not go unnoticed in CI. Results are also exported as a SARIF file and uploaded to GitHub Code Scanning, which surfaces findings directly on the Security tab with file and line context.
All Actions are pinned to immutable commit SHAs rather than mutable version tags, so the supply chain for the workflow itself is locked down.
A companion PR with direct dependency upgrades is coming separately once this is reviewed.
Full documentation and the OWASP project page are at https://owasp.org/cve-lite-cli