
Contributing to CVE Lite CLI

Thanks for your interest in contributing to CVE Lite CLI.

CVE Lite CLI is a lightweight, developer-focused vulnerability scanner for JavaScript and TypeScript projects. The project is intentionally opinionated: it values fast local workflow, understandable output, practical remediation guidance, and a small dependency footprint.

What kinds of contributions are helpful

Contributions are especially welcome in these areas:

  • lockfile parsing edge cases
  • npm, pnpm, and Yarn compatibility improvements
  • output clarity and readability
  • remediation guidance improvements
  • JSON and SARIF output quality
  • CI examples and documentation
  • performance improvements
  • tests and reproducible bug cases
  • documentation and onboarding

Before you start

Please open an issue first for:

  • new features
  • larger refactors
  • behavior changes
  • output format changes

This helps keep the project focused and avoids duplicated work.

Small fixes such as typo corrections, tests, and minor docs updates can usually be opened directly as pull requests.

Development principles

Please keep these project principles in mind:

  • local-first workflow
  • small runtime dependency footprint
  • practical developer usability over complexity
  • honest security claims
  • clear output over noisy output
  • action-oriented remediation guidance

Setup

npm install
npm test
npm run build

Testing expectations

Contributors should run the automated checks before opening a pull request:

npm test
npm run build

Please add or update tests when a contribution changes behavior, parsing logic, scan logic, output shaping, or other user-visible results.

If a change is difficult to cover with an automated test, include a clear reproduction case in the pull request description.

Pull request guidelines

Please try to keep pull requests focused.

A good pull request usually includes:

  • a clear description of the problem
  • the reasoning behind the change
  • before/after examples when output changes
  • tests for behavior changes, or a clear explanation when tests are not practical
  • documentation updates if user-facing behavior changed

Commit guidance

Clear, plain-English commit messages are preferred.

Examples:

  • add pnpm lockfile edge case handling
  • improve SARIF output structure
  • fix direct vs transitive classification for nested paths
  • clarify remediation guidance in README

Reporting bugs

Please include:

  • operating system
  • Node.js version
  • package manager
  • lockfile type
  • command used
  • expected behavior
  • actual behavior
  • sample lockfile or minimal reproduction if possible

Security issues

Please do not open public issues for undisclosed security-sensitive problems in the tool itself.

A dedicated security policy will be added in SECURITY.md.

Code of conduct

A dedicated Code of Conduct will be added in CODE_OF_CONDUCT.md.