@@ -49,6 +49,44 @@ Terminal snapshots from this run:
4949
5050![ Juice Shop dependency path hints and remaining risk] ( https://raw.githubusercontent.com/sonukapoor/cve-lite-cli/main/assets/owasp-juice-shop-5.png )
5151
52+ ## Auto-fix pass (` --fix ` ) evidence
53+
54+ After the planning scan, we ran a focused auto-fix pass:
55+
56+ ``` bash
57+ npx cve-lite-cli . --fix
58+ ```
59+
60+ Run outcome:
61+
62+ - applied direct package fixes: ` 7 `
63+ - skipped findings: ` 5 `
64+ - transitive (v1 skip): ` 3 `
65+ - no validated direct target: ` 2 `
66+ - findings before fix: ` 39 `
67+ - findings after fix pass: ` 39 `
68+ - remaining severity mix: critical ` 3 ` , high ` 1 ` , medium ` 11 ` , low ` 23 ` , unknown ` 1 `
69+
70+ Applied direct dependency upgrades:
71+
72+ - ` jsonwebtoken: 0.1.0 -> 9.0.0 `
73+ - ` sanitize-html: 1.4.2 -> 2.12.1 `
74+ - ` multer: 1.4.5-lts.2 -> 2.1.1 `
75+ - ` express-jwt: 0.1.3 -> 6.0.0 `
76+ - ` file-type: 16.5.4 -> 21.3.1 `
77+ - ` js-yaml: 4.0.0 -> 4.1.1 `
78+ - ` socket.io: 3.1.2 -> 4.6.2 `
79+
80+ Why the total finding count can remain unchanged after auto-fix:
81+
82+ - a large share of Juice Shop findings are transitive and still require parent-chain upgrades
83+ - some direct findings have no validated auto-apply target
84+ - duplicate vulnerable packages can still exist in other dependency paths until parent upgrades are applied
85+
86+ Auto-fix terminal snapshot:
87+
88+ ![ Juice Shop auto-fix summary output] ( https://raw.githubusercontent.com/sonukapoor/cve-lite-cli/main/assets/owasp-juice-shop-auto-fix.png )
89+
5290## Copy-and-run remediation output
5391
5492In this run, CVE Lite CLI generated ` 6 ` command groups across ` 10 ` packages:
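Review bot: the "findings before fix: ` 39 `" / "findings after fix pass: ` 39 `" pair does not reconcile with "applied direct package fixes: ` 7 `" as the section is written. Seven direct packages were upgraded to versions presumably chosen because they clear the finding, so the count after the pass should drop by at least those direct findings unless (a) the "after" number comes from the same scan rather than a rescan following `npm install` on the updated lockfile, or (b) every one of those seven packages also survives at the vulnerable version on a transitive path. The "Why the total finding count can remain unchanged" bullets hint at (b) but never say which case applies here; state explicitly how the "after" figure was produced (rescan after reinstall, or not) and, if it is (b), say so for the seven packages. Two smaller points in the same hunk: "transitive (v1 skip): ` 3 `" reads as an internal label and should be spelled out as "transitive findings (skipped in v1)"; and the upgrade list is almost entirely major-version jumps (` jsonwebtoken: 0.1.0 -> 9.0.0 `, ` express-jwt: 0.1.3 -> 6.0.0 `, ` multer: 1.4.5-lts.2 -> 2.1.1 `, ` socket.io: 3.1.2 -> 4.6.2 `), so the section should carry a one-line caveat that ` --fix ` applies breaking upgrades and the application still needs to be built and tested afterwards.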