When CVE Lite CLI recommends a fix version, it currently shows the version number but not when that version was published. This makes it impossible to evaluate whether the fix version is "fresh" (potentially risky from a supply chain perspective) or well-established.
Proposed change
Show the npm publish date of the recommended fix version alongside the version number in terminal output and HTML report. For example:
fix: npm install lodash@4.17.21 (published 2021-02-20, 4 years ago)
Motivation
Teams using minimum release age policies (e.g. rejecting packages published less than N days ago to mitigate supply chain attacks) currently have no way to act on CVE Lite CLI's fix suggestions without manually checking npm. Surfacing the publish date lets them make a severity-based decision inline:
- CRITICAL/HIGH CVE + young fix version: weigh exploit risk vs supply chain risk
- LOW/MEDIUM CVE + young fix version: bypass the pre-commit hook and wait for the fix to age
This was surfaced by a DINUM (French government) user running CVE Lite CLI with a pre-commit hook and a minimum release age policy.
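As an added illustration (not CVE Lite CLI's own code), the following shows where the publish date comes from and how a minimum-release-age policy could act on it: the npm registry's packument for a package (`GET https://registry.npmjs.org/<name>`) carries a `time` map of version to ISO 8601 publish timestamp, which is enough to render the `(published …, N ago)` suffix and to apply the severity-based decision sketched above. The packument below is a constructed sample, and `fixDecision` with its `minAgeDays` parameter is a hypothetical policy helper, not a CVE Lite CLI option.

```javascript
// Added example: derive a fix version's publish date from an npm packument
// and apply a minimum-release-age policy. Not CVE Lite CLI's code.
// Constructed sample of the registry document for a package; the real
// packument has the same `time` map (version -> ISO 8601 publish time).
const SAMPLE_PACKUMENT = {
  name: "lodash",
  "dist-tags": { latest: "4.17.21" },
  time: {
    created: "2012-04-23T16:37:11.912Z",
    modified: "2021-02-20T15:42:16.891Z",
    "4.17.20": "2020-08-13T16:53:54.152Z",
    "4.17.21": "2021-02-20T15:42:16.891Z",
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Publish Date of `version`, or null when the registry has no entry for it
// (e.g. the version was unpublished or the tool guessed a non-existent one).
function publishDate(packument, version) {
  const iso = packument.time && packument.time[version];
  return iso ? new Date(iso) : null;
}

// Whole days between the publish time and `now`; null if unknown.
function ageInDays(packument, version, now = new Date()) {
  const d = publishDate(packument, version);
  if (!d) return null;
  return Math.floor((now.getTime() - d.getTime()) / DAY_MS);
}

// Render the "published YYYY-MM-DD, N ago" suffix for the fix line.
function formatPublished(packument, version, now = new Date()) {
  const d = publishDate(packument, version);
  if (!d) return "publish date unknown";
  const age = ageInDays(packument, version, now);
  const rel = age >= 365 ? `${Math.floor(age / 365)} years ago` : `${age} days ago`;
  return `published ${d.toISOString().slice(0, 10)}, ${rel}`;
}

// Hypothetical policy helper (assumption, not a CVE Lite CLI feature):
// minAgeDays is the team's minimum release age; severity is the CVE severity.
// A fix younger than the policy is escalated for CRITICAL/HIGH findings and
// deferred for LOW/MEDIUM ones; an unknown publish date is never auto-accepted.
function fixDecision({ packument, version, severity, minAgeDays, now = new Date() }) {
  const age = ageInDays(packument, version, now);
  if (age === null) {
    return { action: "manual-review", reason: "no publish date in registry" };
  }
  if (age >= minAgeDays) {
    return { action: "upgrade", reason: `fix is ${age} days old` };
  }
  if (severity === "CRITICAL" || severity === "HIGH") {
    return {
      action: "manual-review",
      reason: `fix is ${age} days old (< ${minAgeDays}); weigh exploit risk vs supply chain risk`,
    };
  }
  return { action: "wait", reason: `fix is ${age} days old (< ${minAgeDays}); wait for the fix to age` };
}

// Usage: build the fix line the way the proposal describes.
const fixLine = `fix: npm install lodash@4.17.21 (${formatPublished(SAMPLE_PACKUMENT, "4.17.21")})`;
```

The age is computed from the registry's own timestamp rather than from the tarball's file dates, which are attacker-controlled; a missing `time` entry is treated as "review manually" rather than as "old enough", so a fix version the registry does not know about can never pass the policy by accident.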