feat: show fix version publish date in output to support minimum release age policies #671

Description

@sonukapoor

When CVE Lite CLI recommends a fix version, it currently shows the version number but not when that version was published. This makes it impossible to evaluate whether the fix version is "fresh" (potentially risky from a supply chain perspective) or well-established.

Proposed change

Show the npm publish date of the recommended fix version alongside the version number in terminal output and HTML report. For example:

fix: npm install lodash@4.17.21   (published 2021-02-20, 4 years ago)

Motivation

Teams using minimum release age policies (e.g. rejecting packages published less than N days ago to mitigate supply chain attacks) currently have no way to act on CVE Lite CLI's fix suggestions without manually checking npm. Surfacing the publish date lets them make a severity-based decision inline:

  • CRITICAL/HIGH CVE + young fix version: weigh exploit risk vs supply chain risk
  • LOW/MEDIUM CVE + young fix version: bypass the pre-commit hook and wait for the fix to age

This was surfaced by a DINUM (French government) user running CVE Lite CLI with a pre-commit hook and a minimum release age policy.
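As an added example, not code from the CVE Lite CLI project, the following shows where the publish date would come from and how the severity-based decision described above could be applied. The npm registry's packument (the JSON returned for a package, also visible via `npm view <pkg> time --json`) carries a `time` object mapping every published version to its ISO publish timestamp. The packument below is a constructed, trimmed sample so the script runs offline; the function names (`publishDate`, `formatFixLine`, `evaluateFix`) and the `minAgeDays` parameter are assumptions for illustration, not the tool's API.

```javascript
// Added example, not CVE Lite CLI's own code.
// Constructed, trimmed npm packument: only the fields this example needs.
// In a real run this object would come from the npm registry (`npm view lodash time --json`
// prints just the `time` map).
const samplePackument = {
  name: "lodash",
  "dist-tags": { latest: "4.17.21" },
  time: {
    created: "2012-04-23T16:37:11.912Z",
    modified: "2021-02-20T15:42:16.891Z",
    "4.17.20": "2020-08-13T16:53:54.152Z",
    "4.17.21": "2021-02-20T15:42:16.891Z",
  },
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Publish Date of a version from the packument's `time` map, or null when absent.
function publishDate(packument, version) {
  const iso = packument.time && packument.time[version];
  return iso ? new Date(iso) : null;
}

// Age of a version in whole days relative to `now` (injectable for testing).
function ageInDays(packument, version, now = new Date()) {
  const published = publishDate(packument, version);
  if (!published) return null;
  return Math.floor((now.getTime() - published.getTime()) / MS_PER_DAY);
}

// Coarse relative-age string in the style of the proposed output line.
function describeAge(days) {
  if (days < 1) return "today";
  if (days < 30) return `${days} day${days === 1 ? "" : "s"} ago`;
  if (days < 365) {
    const months = Math.floor(days / 30);
    return `${months} month${months === 1 ? "" : "s"} ago`;
  }
  const years = Math.floor(days / 365);
  return `${years} year${years === 1 ? "" : "s"} ago`;
}

// Render the fix suggestion with the publish date appended, as the issue proposes.
function formatFixLine(packument, version, now = new Date()) {
  const published = publishDate(packument, version);
  const base = `fix: npm install ${packument.name}@${version}`;
  if (!published) return `${base}   (publish date unknown)`;
  const date = published.toISOString().slice(0, 10);
  return `${base}   (published ${date}, ${describeAge(ageInDays(packument, version, now))})`;
}

// Minimum release age policy from the issue: a fix younger than `minAgeDays` is "young".
// CRITICAL/HIGH: the caller must weigh exploit risk against supply chain risk ("review").
// LOW/MEDIUM: the suggested course is to wait for the fix version to age ("wait").
function evaluateFix(packument, version, severity, minAgeDays, now = new Date()) {
  const days = ageInDays(packument, version, now);
  if (days === null) {
    return { decision: "unknown", reason: "no publish date in registry metadata" };
  }
  if (days >= minAgeDays) {
    return { decision: "apply", reason: `fix is ${days} days old (>= ${minAgeDays})` };
  }
  const sev = String(severity).toUpperCase();
  if (sev === "CRITICAL" || sev === "HIGH") {
    return { decision: "review", reason: `fix is ${days} days old; weigh exploit risk vs supply chain risk` };
  }
  return { decision: "wait", reason: `fix is ${days} days old; wait until it is ${minAgeDays} days old` };
}

// Demo: a fixed "now" so the output is reproducible.
const demoNow = new Date("2025-02-20T00:00:00Z");
console.log(formatFixLine(samplePackument, "4.17.21", demoNow));
console.log(evaluateFix(samplePackument, "4.17.21", "HIGH", 7, new Date("2021-02-25T00:00:00Z")));
```

The `unknown` branch matters in practice: versions that were unpublished, or registries that strip `time`, give no date, and a policy check should surface that rather than silently treating the fix as old enough.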

Labels: enhancement (New feature or request)
