Summary

This PR makes transitive vulnerability output more actionable by trying to identify the parent package the user should upgrade.

Before this change, output for transitive issues showed the vulnerable package path, for example:

project -> express-jwt -> jsonwebtoken

That was useful for tracing, but it did not tell the user what to update. This PR adds best-effort parent upgrade guidance so CVE Lite CLI can recommend the direct dependency upgrade when it can determine one reliably.

What changed

• added recommendedParentUpgrade to findings
• added remediation logic to resolve likely parent package upgrade targets for transitive issues
• updated compact output to show the recommended parent upgrade when available
• updated verbose path hints to show:
  • the full dependency path
  • the recommended parent upgrade directly below it
• highlighted the package to upgrade in verbose mode
• updated README wording to reflect the new capability

Example

Before:

• jsonwebtoken@0.1.0
project -> express-jwt -> jsonwebtoken

After:

• jsonwebtoken@0.1.0
project -> express-jwt -> jsonwebtoken
Recommended parent upgrade: express-jwt 0.1.0 -> 6.0.0

Notes

• this is strongest for common transitive cases where the path is clear
• when a reliable parent upgrade cannot be determined, output falls back to the existing generic guidance
• full dependency paths are still shown

Why this matters

This improves the practical remediation value of CVE Lite CLI. Instead of only showing that a transitive package is vulnerable, the tool can now often point to the package the developer actually controls.

Closes #42