The CVE Lite CLI vs npm audit section is thin compared to the Dependabot section — just an intro sentence and 4 generic bullets. It needs to be expanded to give developers a real, concrete understanding of how the two tools differ.
Changes
Expand the `## CVE Lite CLI vs npm audit` section in `website/docs/comparison.md` to match the depth of the Dependabot section, covering:
- Why finding counts differ — npm audit counts each node in a transitive dependency chain as a separate finding; CVE Lite groups by root cause
- Fix suggestion quality — npm audit suggests `--force` with an unvalidated version; CVE Lite validates the fix and gives an exact copy-and-run command
- Output noise — npm audit lists all individual CVEs per package flat; CVE Lite groups them
- npm-only limitation — npm audit doesn't work with pnpm or Yarn lockfiles
- Where npm audit has the edge — honest acknowledgement: built-in, no install required
Grounded in real output from the `examples/direct-fixable` and `examples/transitive-path-high` example repos.
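To make the first bullet (why finding counts differ) concrete for the doc, here is an added worked example; it is not CVE Lite's code and not part of this issue's repo. It takes a constructed report in the shape of `npm audit --json` (auditReportVersion 2), where every package on a transitive chain is its own entry in `vulnerabilities` and `via` holds either advisory objects (the root cause) or the name of the next package down the chain, and collapses the entries by root advisory. Package names, advisory `source` ids, versions and the `collapseByRootCause`/`summarize` helpers are assumptions made up for illustration; the grouping shown is a simplified model of the idea, not CVE Lite's actual algorithm.

```javascript
// Constructed sample shaped like `npm audit --json` (auditReportVersion 2).
// One real advisory (placeholder id 1001) in `tiny-parser` is reached through
// config-loader -> app-framework, so npm audit reports three entries for it;
// a second, unrelated advisory (placeholder id 1002) sits in a direct dep.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "tiny-parser": {
      name: "tiny-parser", severity: "high", isDirect: false,
      via: [{ source: 1001, name: "tiny-parser", title: "placeholder advisory",
              severity: "high", range: "<1.2.0" }],
      effects: ["config-loader"], range: "<1.2.0",
      nodes: ["node_modules/tiny-parser"], fixAvailable: true,
    },
    "config-loader": {
      name: "config-loader", severity: "high", isDirect: false,
      via: ["tiny-parser"], effects: ["app-framework"], range: "*",
      nodes: ["node_modules/config-loader"], fixAvailable: true,
    },
    "app-framework": {
      name: "app-framework", severity: "high", isDirect: true,
      via: ["config-loader"], effects: [], range: "*",
      nodes: ["node_modules/app-framework"], fixAvailable: true,
    },
    "left-util": {
      name: "left-util", severity: "moderate", isDirect: true,
      via: [{ source: 1002, name: "left-util", title: "placeholder advisory",
              severity: "moderate", range: "<0.5.1" }],
      effects: [], range: "<0.5.1",
      nodes: ["node_modules/left-util"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { moderate: 1, high: 3, total: 4 } },
};

// Follow `via` from one entry down to the advisory objects that caused it.
// Strings name the next package on the chain; objects are the root advisories.
// `seen` guards against dependency cycles, which npm trees can contain.
function rootCauses(report, pkgName, seen = new Set()) {
  if (seen.has(pkgName)) return [];
  seen.add(pkgName);
  const entry = report.vulnerabilities[pkgName];
  if (!entry) return [];
  const causes = [];
  for (const v of entry.via) {
    if (typeof v === "string") causes.push(...rootCauses(report, v, seen));
    else causes.push(v);
  }
  return causes;
}

// Collapse the flat per-package list into one group per (package, advisory id),
// remembering every chain entry that inherits the advisory.
function collapseByRootCause(report) {
  const groups = new Map();
  for (const name of Object.keys(report.vulnerabilities)) {
    for (const adv of rootCauses(report, name)) {
      const key = `${adv.name}#${adv.source}`;
      if (!groups.has(key)) groups.set(key, { advisory: adv, affected: new Set() });
      groups.get(key).affected.add(name);
    }
  }
  return groups;
}

// Compare the two ways of counting: one finding per vulnerable node in the
// tree (npm audit's total) versus one per root advisory.
function summarize(report) {
  const flatCount = Object.keys(report.vulnerabilities).length;
  const groups = collapseByRootCause(report);
  return {
    flatCount,
    groupedCount: groups.size,
    groups: [...groups.values()].map((g) => ({
      package: g.advisory.name,
      source: g.advisory.source,
      vulnerableRange: g.advisory.range,
      chain: [...g.affected],
    })),
  };
}

console.log(JSON.stringify(summarize(sampleAudit), null, 2));
```

On this sample `summarize` reports `flatCount: 4` against `groupedCount: 2`, which is the discrepancy the bullet describes: the three entries on the `app-framework -> config-loader -> tiny-parser` chain are one fix (bump `tiny-parser` past `<1.2.0`), not three findings.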