As AI speeds coding, CVE Lite CLI keeps security deliberately AI-free

As AI coding assistants accelerate software development, one OWASP-backed open-source project is arguing that dependency security tooling still arrives too late to be truly useful.

CVE Lite CLI, a JavaScript and TypeScript dependency vulnerability scanner focused on local lockfile analysis, is positioning itself around a simple idea. Developers should see dependency risks while they are still writing code, not hours later inside a failing CI pipeline.

“What developers are missing is early feedback at the point where the dependency decision is made,” Sonu Kapoor, creator and maintainer of the project, told CSO. According to Kapoor, traditional CI-centric workflows often disconnect developers from the dependency choices that introduced risk in the first place.

CVE Lite CLI scans npm, pnpm, and Yarn lockfiles using OSV vulnerability data and claims to focus heavily on remediation guidance, including separating direct and transitive vulnerabilities, validating upgrade targets, and recommending actionable fix paths.

The project is being pitched as a “local-first” developer tool, as opposed to a replacement for enterprise software composition analysis (SCA) platforms, much like how developers already use ESLint or unit tests locally before CI runs them again later.

CVE Lite CLI targets an overlooked pain point

CVE Lite CLI is essentially trying to solve a workflow problem that, Kapoor says, many developers quietly struggle with: dependency security checks often arrive after the work is already done.

The tool scans JavaScript and TypeScript lockfiles locally across npm, pnpm, and Yarn projects, so developers can understand dependency risk while they are still coding, not later in response to a failing CI pipeline.

Instead of just focusing on detection, the tool claims to look into subsequent questions like whether the issue is direct or transitive, whether there is a clean upgrade path, or whether upgrading one package actually removes the vulnerable dependency.

“In one real case, CVE Lite CLI skipped 27 package versions before finding a safer version to recommend,” Kapoor said, explaining the granularity of the tool. “That is the kind of work developers should not have to do manually by reading logs and retrying upgrades one by one.”

Kapoor said the tool can be configured for JSON, SARIF, or HTML outputs and can also be integrated into CI workflows as a GitHub Action.

AI could be making things worse

The argument arrives as software supply chain security continues to collide with AI-assisted development practices that allow developers to generate code, integrate packages, and restructure projects much faster than before.

Kapoor said this velocity changes the nature of dependency risk itself. “AI coding assistants have made this more important, not less,” he said. “That speed is useful, but it also means dependency decisions can happen quickly and sometimes without the same level of manual review. I do not think AI assistants remove the need for security checks.”

On the contrary, they increase the need for fast, local, explainable checks that can be run while the work is happening, he added.

One cited example involved scans against lint-staged, a widely used JavaScript tooling package. According to Kapoor, a standard `npm audit --omit=dev` workflow failed to surface a production dependency issue that CVE Lite CLI later identified through lockfile analysis. “Honestly, I don’t think most developers understand those blind spots in detail, and I do not mean that as criticism of developers,” he said. “The dependency graph in a modern JavaScript project is extremely noisy.”

A developer meaning to install one direct dependency may end up with hundreds or thousands of transitive packages.
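The kind of analysis the article attributes to the tool (telling a direct dependency from a transitive one, deciding whether a vulnerable install is reachable from production dependencies rather than only from devDependencies, and checking that a proposed upgrade is one the parent package's declared range will actually accept) is sketched below as an added example. This is not CVE Lite CLI's code and does not reproduce the lint-staged case; the lockfile, the advisory and the list of published versions are constructed for illustration, the advisory uses OSV-style introduced/fixed events, and the semver handling is deliberately minimal (three-part numeric versions, exact and caret ranges only). Function names such as `plan`, `reachable` and `resolve` are this example's own.

```javascript
// Added illustration of lockfile-based vulnerability triage; not CVE Lite CLI's code.
// Input is an npm lockfileVersion 3 "packages" map (install path -> metadata).

const parseVer = (v) => v.split(".").map(Number);
const cmpVer = (a, b) => {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// OSV-style SEMVER events: vulnerable if introduced <= v < fixed for some range.
const isVulnerable = (v, ranges) =>
  ranges.some((r) => cmpVer(v, r.introduced) >= 0 && (!r.fixed || cmpVer(v, r.fixed) < 0));

// Minimal range check: exact "1.2.3" or caret "^1.2.3" with npm caret semantics.
function satisfies(v, range) {
  if (!range.startsWith("^")) return cmpVer(v, range) === 0;
  const base = range.slice(1);
  const [maj, min] = parseVer(base);
  const upper = maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`;
  return cmpVer(v, base) >= 0 && cmpVer(v, upper) < 0;
}

// Node-style resolution inside the lockfile: from `fromPath`, look for
// <fromPath>/node_modules/<name>, then walk up one node_modules level at a time.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// BFS from the root's `field` ("dependencies" or "devDependencies"); records for
// every reached install path whether it is direct and which install pulled it in.
function reachable(lock, field) {
  const pkgs = lock.packages;
  const seen = new Map();
  const queue = [];
  for (const name of Object.keys(pkgs[""][field] || {})) {
    const p = resolve(pkgs, "", name);
    if (p && !seen.has(p)) { seen.set(p, { direct: true, parent: "" }); queue.push(p); }
  }
  while (queue.length) {
    const cur = queue.shift();
    for (const dep of Object.keys(pkgs[cur].dependencies || {})) {
      const p = resolve(pkgs, cur, dep);
      if (p && !seen.has(p)) { seen.set(p, { direct: false, parent: cur }); queue.push(p); }
    }
  }
  return seen;
}

// For one advisory, report every vulnerable install: production vs development
// reachability (production wins when both reach it), directness, the lowest safe
// published version, how many versions had to be skipped to find it, and whether
// the parent's declared range accepts that fix without the parent itself changing.
function plan(lock, advisory, published) {
  const pkgs = lock.packages;
  const prod = reachable(lock, "dependencies");
  const dev = reachable(lock, "devDependencies");
  const out = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === "" || path.split("node_modules/").pop() !== advisory.package) continue;
    if (!isVulnerable(meta.version, advisory.ranges)) continue;
    const hit = prod.get(path) || dev.get(path);
    if (!hit) continue; // installed but unreachable from the root: not acted on here
    const candidates = published.filter((v) => cmpVer(v, meta.version) > 0).sort(cmpVer);
    const fix = candidates.find((v) => !isVulnerable(v, advisory.ranges)) || null;
    const skipped = fix ? candidates.indexOf(fix) : candidates.length;
    const parent = pkgs[hit.parent];
    const declared = parent.dependencies?.[advisory.package] ?? parent.devDependencies?.[advisory.package];
    out.push({
      path, version: meta.version,
      scope: prod.has(path) ? "production" : "development",
      direct: hit.direct, parent: hit.parent, declared,
      fix, skipped,
      cleanUpgrade: fix !== null && satisfies(fix, declared),
    });
  }
  return out;
}

// Constructed sample input (not a real project, package or advisory): parse-lib is
// pulled in by a production dependency and by a dev dependency at the same time.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.2.0" }, devDependencies: { "test-runner": "^5.0.0" } },
    "node_modules/web-framework": { version: "1.2.3", dependencies: { "parse-lib": "^2.0.0" } },
    "node_modules/test-runner": { version: "5.0.1", dev: true, dependencies: { "parse-lib": "^2.0.0" } },
    "node_modules/parse-lib": { version: "2.1.0" },
  },
};
const PARSE_LIB_ADVISORY = { package: "parse-lib", ranges: [{ introduced: "2.0.0", fixed: "3.0.0" }] };
const PARSE_LIB_VERSIONS = ["1.9.0", "2.0.0", "2.1.0", "2.1.1", "2.2.0", "2.3.0", "3.0.0", "3.0.1"];
const FRAMEWORK_ADVISORY = { package: "web-framework", ranges: [{ introduced: "1.0.0", fixed: "1.3.0" }] };
const FRAMEWORK_VERSIONS = ["1.2.3", "1.2.4", "1.3.0"];

console.log(JSON.stringify(plan(SAMPLE_LOCK, PARSE_LIB_ADVISORY, PARSE_LIB_VERSIONS), null, 2));
console.log(JSON.stringify(plan(SAMPLE_LOCK, FRAMEWORK_ADVISORY, FRAMEWORK_VERSIONS), null, 2));
```

In the constructed case, parse-lib is reported as a production, transitive finding even though a dev tool also depends on it, and the first safe version (3.0.0) falls outside web-framework's declared `^2.0.0`, so bumping parse-lib in the lockfile alone is not a clean fix and the remediation has to go through the parent; the web-framework advisory, by contrast, is a direct dependency whose fix sits inside the root's own `^1.2.0` range.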

CVE Lite CLI isn’t falling for AI

The project also deliberately avoids turning itself into a broader AppSec platform, despite growing industry pressure to consolidate security tooling into an AI-enabled ecosystem.

“I do think security tooling has become too heavy for the day-to-day developer workflow,” Kapoor said. “That does not mean those platforms are bad. It means they often serve security organizations better than they serve the individual developer trying to make a safe dependency decision during a normal coding session.”

This philosophy also extends to the project’s approach toward AI itself. While CVE Lite CLI includes integrations that help AI coding assistants interpret scan results, Kapoor said the underlying vulnerability analysis intentionally remains deterministic.

“I do not think AI should decide whether a CVE exists,” he said. “That part needs to be boring, repeatable, and auditable.”

Instead, the project uses AI as what Kapoor described as an “explanation and workflow layer” around scan results rather than as the scanner itself. “CVE Lite CLI includes AI assistant skills that teach tools like Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot how to run CVE Lite CLI, read its structured output, and help the developer understand or prioritize the remediation plan,” Kapoor explained.

Caution around expansion

Kapoor said he has been receiving positive feedback from the companies and developers using CVE Lite CLI in real workflows, asking him whether the same approach could support .NET or Python ecosystems.

“That interest is encouraging because it tells me the local-first, remediation-oriented model is resonating beyond the original JavaScript and TypeScript use case,” he said. “But I am cautious about expanding the current tool too broadly.”

The explanation he gave was simple. Each ecosystem, he believes, has its own package manager behavior, lockfile format, dependency graph semantics, advisory sources, and remediation patterns. “Adding those directly into CVE Lite CLI could make the tool heavier and less clear for the JavaScript and TypeScript developers it was originally designed to help.”

The project has now been adopted into the OWASP foundation ecosystem as an official OWASP project and is available for free to developers on GitHub.
