Summary
Add a --create-pr flag that applies validated fix commands and opens a GitHub pull request automatically, giving teams a Dependabot-style automated fix workflow but with CVE Lite CLI's validated fix targets and parent-aware transitive guidance.
Motivation
CVE Lite CLI already produces validated, copy-and-run fix commands. The --fix flag applies direct dependency fixes automatically. The logical next step is closing the loop: after applying fixes, create a branch and open a PR without requiring the developer to do it manually.
This is the key distinction from Dependabot and Renovate:
- Dependabot / Renovate open PRs by bumping to the latest version — with no guarantee the target is non-vulnerable
- CVE Lite CLI --create-pr would open PRs with OSV-validated fix versions — confirmed non-vulnerable before the PR is opened
Proposed behaviour
cve-lite . --fix --create-pr
- Run the scan
- Apply all validated direct dependency fixes (existing --fix behaviour)
- Create a new branch (e.g. cve-lite/fix-YYYY-MM-DD)
- Commit the lockfile and manifest changes
- Open a GitHub PR with:
  - A structured title (fix: resolve N vulnerable dependencies)
  - A body listing each fixed package, the version bumped from/to, and the advisory IDs resolved
  - A rescan result showing findings before and after
Scope considerations
- Requires a GitHub token (via GITHUB_TOKEN env or gh CLI auth)
- Should support --base <branch> to target a specific base branch
- Direct dependency fixes only in the first iteration — transitive fixes require upstream releases and are out of scope for automated PRs
- --fail-on severity threshold should still apply (only create PR if findings meet the threshold)
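As an added illustration in Python (not CVE Lite CLI's own code), the gate this workflow implies: each proposed target is checked against OSV-style affected ranges before it goes into the PR, the --fail-on threshold decides whether a PR is opened at all, and the branch name, title and body follow the shapes listed above. The advisory records, package names and the version-ordering rule are constructed and simplified, and the gh invocation is only planned, not executed.

```python
from collections import namedtuple
from datetime import date
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
Fix = namedtuple("Fix", "package current target advisories")  # advisories: constructed OSV-like dicts

def vkey(v):  # numeric order for plain dotted versions; OSV's introduced "0" means from the start
    return tuple(int(p) for p in v.split("."))

def affected(version, events):
    """Walk sorted OSV events: inside after an 'introduced' <= version, outside again once a
    later 'fixed' <= version is reached; a range with no 'fixed' event never closes."""
    inside = False
    for ev in events:
        if "introduced" in ev and vkey(version) >= vkey(ev["introduced"]):
            inside = True
        if "fixed" in ev and vkey(version) >= vkey(ev["fixed"]):
            inside = False
    return inside

def validated(fix):  # accept a target only if no advisory for the package still covers it
    return all(not affected(fix.target, a["events"]) for a in fix.advisories)

def meets_threshold(fixes, fail_on):  # mirrors --fail-on: some resolved advisory must reach it
    return any(SEVERITY_RANK[a["severity"]] >= SEVERITY_RANK[fail_on]
               for f in fixes for a in f.advisories)

def pr_body(fixes, before, after):
    rows = ["| Package | From | To | Advisories |", "|---|---|---|---|"]
    rows += [f"| {f.package} | {f.current} | {f.target} | "
             f"{', '.join(a['id'] for a in f.advisories)} |" for f in fixes]
    return "\n".join(rows + ["", f"Rescan: {before} findings before, {after} after."])

def plan_pr(candidates, fail_on="high", base="main", today=None):
    """Return the `gh pr create` argv that would be run, or None when the gate says no PR."""
    accepted = [f for f in candidates if validated(f)]
    before = sum(len(f.advisories) for f in candidates)
    after = before - sum(len(f.advisories) for f in accepted)
    if not accepted or not meets_threshold(accepted, fail_on):
        return None
    branch = f"cve-lite/fix-{today or date.today().isoformat()}"
    return ["gh", "pr", "create", "--base", base, "--head", branch, "--title",
            f"fix: resolve {len(accepted)} vulnerable dependencies",
            "--body", pr_body(accepted, before, after)]

# Constructed sample: other-lib's "latest" 2.1.0 is still inside an open-ended range, so no PR for it
SAMPLE = [
    Fix("example-lib", "1.2.3", "1.2.10", [{"id": "GHSA-EXAMPLE-0001", "severity": "high",
        "events": [{"introduced": "0"}, {"fixed": "1.2.5"}]}]),
    Fix("other-lib", "2.0.0", "2.1.0", [{"id": "GHSA-EXAMPLE-0002", "severity": "critical",
        "events": [{"introduced": "2.0.0"}]}]),
]
```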
Positioning value
This feature directly addresses the "CVE Lite gives me commands but I still have to run them and open the PR" friction point. It makes CVE Lite CLI a full automated remediation tool — not just a scanner — while keeping the core differentiator: every fix in the PR is OSV-validated before it is proposed.
"Dependabot opens PRs. CVE Lite opens PRs you can trust."
Related
- --fix flag (existing) — applies fixes locally
- --explain flag (LLM-powered context)