Differences in cve-lite-cli and Github Dependabot

[githubtkompare]

Summary

May not be a bug.

I don't know if this will help you or not. I ran cve-lite /path/to/project --report on an internal typescript POC project I am developing. I compared its results to what I see in GitHub Dependabot alerts. I had Dependabot rescan the project for vulnerabilities, so they should be up-to-date as far as Github is concerned. I attached a screenshot of the cve-lite report as well as Dependabot results. They are slightly different.

Environment

• OS: MacOS
• Node.js version: v25.2.1
• Package manager: npm - package-lock.json. No pnpm-lock.yaml, yarn.lock, or bun.lockb.
• Lockfile type: package-lock.json - npm's lockfile format.
• CVE Lite CLI version: 1.9.0

Command used

cve-lite  /path/to/project --report

Expected behavior

Should cve-lite produce the same vulnerability list as Dependabot?

Actual behavior

The lists of vulnerabilities are different.

Reproduction

I produced the same results with two runs of cve-lite

Relevant files or output

`% cve-lite /path/to/project --report

_ CVE Lite CLI (1.9.0)
────────────────────────────────
✔ Scan dependencies
✔ Highlight critical issues
✔ Show a clear fix plan

Fast. Local. Developer-first.

Advisory source: OSV (https://api.osv.dev)
Parsed 327 packages from package-lock (package-lock.json)
✓ Queried OSV in 4 batches
✓ Loaded 9 vulnerability detail records

────────────────────────────────
📦 Vulnerabilities found
────────────────────────────────

────────────────────────────────
🛠 Copy And Run These Fix Commands
────────────────────────────────

Detected package manager: npm (package-lock.json)
1 command group ready across 1 package (1 medium).
Validation: scanned 3 package versions; 2 are still known vulnerable.

Medium severity direct fixes

npm install uuid@14.0.0

────────────────────────────────
Summary
────────────────────────────────

4 vulnerable packages
4 medium
1 direct · 3 transitive

▲ Scan complete. 4 issues found.
Run with --verbose for fix plan, paths, and full table.

Report: /Path/To/IndexFile/index.html`

[sonukapoor]

@githubtkompare Thanks. Could you please generate the json from your project and provide that? You can run: cve-lite /path/to/project --json > report.json

[sonukapoor]

@githubtkompare This might also help to understand the differences: https://github.com/OWASP/cve-lite-cli/blob/main/docs/comparison.md#comparison-with-other-tools

[githubtkompare]

@sonukapoor Here is the JSON report. report.json

[sonukapoor]

Thanks for sharing the JSON. That helped clarify what is going on.

In this case, the underlying vulnerable packages appear to match, but CVE Lite CLI and Dependabot are presenting them differently.

Dependabot is showing one alert per advisory, which is why you see 9 open alerts.

CVE Lite CLI 1.9.0 grouped multiple advisories affecting the same package/version into a single package-level finding. In your JSON, that is most visible with hono:

• Dependabot shows 6 separate hono alerts
• CVE Lite CLI reports 1 hono finding containing 6 vulnerability records

So the difference here is mostly alert grouping, not necessarily missing vulnerability detection.

The JSON also exposed a real weakness in the older npm transitive handling: the transitive findings had flattened dependency paths and no resolved parent package context (primaryParent: null). We have already tracked that work in #250, and the fixes are planned for the next release.

So the short version is:

• Dependabot: advisory-level alerts
• CVE Lite CLI 1.9.0: package-level grouped findings
• npm transitive parent/path handling was also weaker in 1.9.0, and that is already being addressed in #250

Thanks again for the report. It was useful for validating both the grouping difference and the npm transitive remediation/path work.

[githubtkompare]

Cheers. I'm glad it helped.

[sonukapoor]

Thanks again for the detailed report and the JSON output. The workspace/transitive dependency handling work related to this discrepancy has now shipped in v1.11.0: https://github.com/OWASP/cve-lite-cli/releases/tag/v1.11.0

The fix improves npm workspace scans by preserving workspace-local package context and building a logical dependency graph from package-lock.json, so hoisted packages can be mapped back to their actual parent chain. It also improves transitive remediation recommendations by respecting parent dependency ranges before suggesting updates.

If you have a chance, please try the latest version and rerun the scan. I’ll keep this issue open for now until we can confirm whether the reported Dependabot/CVE Lite CLI differences are fully resolved or if there are still remaining mismatches to investigate.