release: v1.11.0 (#266)

Author: sonukapoor

CHANGELOG.md

@@ -2,6 +2,18 @@
 
 All notable changes to CVE Lite CLI will be documented in this file.
 
+## [1.11.0] - 2026-04-30
+
+### Added
+- npm transitive remediation now builds a logical dependency graph from `package-lock.json` so hoisted packages can be mapped back to their actual parent chain.
+- npm transitive findings can now recommend `npm update <parent>` when a safe child version is reachable within the current parent dependency range.
+- The CLI now shows progress while analyzing vulnerability findings after advisory details are loaded, avoiding a silent pause during fix-target validation and transitive remediation analysis.
+
+### Fixed
+- npm workspace scans now preserve workspace-local package path context for dependency paths and remediation resolution.
+- npm transitive parent upgrade recommendations now respect parent dependency ranges before suggesting a target.
+- npm alias nodes in package locks now keep their alias identity when building the remediation graph.
+
 ## [1.10.0] - 2026-04-28
 
 ### Added

docs/index.html

@@ -51,7 +51,7 @@
       "description": "Free, local-first dependency vulnerability scanner for JavaScript and TypeScript projects. Scans npm, pnpm, Yarn, and Bun lockfiles, provides copy-and-run fix commands, and supports offline advisory DB scanning.",
       "url": "https://owasp.org/cve-lite-cli/",
       "downloadUrl": "https://www.npmjs.com/package/cve-lite-cli",
-      "softwareVersion": "1.10.0",
+      "softwareVersion": "1.11.0",
       "license": "https://github.com/OWASP/cve-lite-cli/blob/main/LICENSE",
       "releaseNotes": "https://github.com/OWASP/cve-lite-cli/releases",
       "codeRepository": "https://github.com/OWASP/cve-lite-cli",
@@ -109,10 +109,10 @@
             </a>
           </div>
         </div>
-        <a class="release-badge" href="https://github.com/OWASP/cve-lite-cli/releases/tag/v1.10.0"
-          aria-label="Latest release v1.10.0">
+        <a class="release-badge" href="https://github.com/OWASP/cve-lite-cli/releases/tag/v1.11.0"
+          aria-label="Latest release v1.11.0">
           <span class="release-badge-label">Latest Release</span>
-          <span class="release-badge-version">v1.10.0</span>
+          <span class="release-badge-version">v1.11.0</span>
         </a>
         <p class="eyebrow">JavaScript/TypeScript Dependency Scanner &mdash; <a href="https://owasp.org/cve-lite-cli" style="color:inherit;text-decoration:underline">An OWASP Foundation Project</a></p>
         <h1>Scan. Understand. Fix.</h1>
@@ -391,7 +391,7 @@ <h3>Trust and support</h3>
   <footer class="container site-footer">
     <p><em>Most tools tell you what's wrong. CVE Lite CLI tells you what to run.</em></p>
     <p>CVE Lite CLI is MIT licensed and built in public. <a href="https://owasp.org/cve-lite-cli">An OWASP Foundation Project</a>.</p>
-    <p>Latest: <a href="https://github.com/OWASP/cve-lite-cli/releases/tag/v1.10.0">v1.10.0</a></p>
+    <p>Latest: <a href="https://github.com/OWASP/cve-lite-cli/releases/tag/v1.11.0">v1.11.0</a></p>
     <p>Developed with love by <a href="https://sonukapoor.com">Sonu Kapoor</a>.</p>
     <p>
       <a href="https://github.com/OWASP/cve-lite-cli/issues">Open an issue</a>
@@ -437,4 +437,4 @@ <h3>Trust and support</h3>
   </script>
 </body>
 
-</html>
+</html>

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "cve-lite-cli",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "description": "Developer-friendly CLI for scanning JS/TS projects for dependency vulnerabilities using local lockfiles and OSV",
   "type": "module",
   "bin": {