Problem
When doing a risk evaluation of a vulnerability, it is helpful to know whether it is in a devDependency or in the code that actually runs. The CLI tool has the --prod-only flag, which removes the devDependencies from the output.
Proposed idea
Output whether the dependency is a prod or dev dependency, both in the console output and in the report.
Why it fits this project
Explain why this aligns with CVE Lite CLI's goals:
- practical developer usability
- clear remediation guidance
Alternatives considered
Run with --prod-only and compare the results, or manually look into the package-lock.json file.
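As an added example (not CVE Lite CLI's own code), the following shows how the prod/dev label could be derived directly from the "packages" map of a lockfileVersion 2/3 package-lock.json instead of comparing two runs; the sample lockfile is constructed, and the function names are assumptions.

```javascript
// Added example, not CVE Lite CLI's own code: classify dependencies as prod or dev
// from the "packages" map of a lockfileVersion 2/3 package-lock.json. npm marks an
// entry that is reachable only through devDependencies with `dev: true`; entries
// without that flag are part of the code that ships and runs.

// Turn a "packages" key such as "node_modules/a/node_modules/b" into the package name.
function nameFromPath(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns a Map of package name -> "prod" | "dev". A package that appears at several
// paths (nested copies) is "prod" if any one copy is a production dependency, because
// that copy is what actually runs; only an all-dev package is labelled "dev".
function classifyDependencies(lock) {
  if (![2, 3].includes(lock.lockfileVersion)) {
    throw new Error("expected package-lock.json lockfileVersion 2 or 3");
  }
  const result = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project itself, not a dependency
    const name = nameFromPath(key);
    const kind = entry.dev === true ? "dev" : "prod";
    const prev = result.get(name);
    result.set(name, prev === "prod" ? "prod" : kind);
  }
  return result;
}

// Label vulnerable package names for a report. Names missing from the lockfile are
// reported as "unknown" rather than silently defaulting to "prod" or "dev".
function labelFindings(lock, vulnerablePackages) {
  const kinds = classifyDependencies(lock);
  return vulnerablePackages.map((name) => ({ name, kind: kinds.get(name) ?? "unknown" }));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { express: "^4.18.0" }, devDependencies: { jest: "^29.0.0" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/jest": { version: "29.7.0", dev: true },
    "node_modules/jest/node_modules/semver": { version: "7.5.4", dev: true },
    "node_modules/semver": { version: "6.3.1" },
  },
};

for (const f of labelFindings(SAMPLE_LOCK, ["express", "jest", "semver", "lodash"])) {
  console.log(`${f.name}: ${f.kind}`);
}
```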