Add Payload CMS lockfile example and verified case study #622

@raj-krr

Summary

Add a real-world Payload CMS lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Payload CMS is a popular TypeScript-first headless CMS and application framework (~22k GitHub stars) — available as a self-hosted platform, cloud service, and npm package suite. The upstream repo is a large pnpm workspace monorepo with a root pnpm-lock.yaml. A committed lockfile snapshot and documented case study would:

  • Extend CMS / application-platform coverage alongside CopilotKit, Mastra, OpenAI Agents JS, and CamoFox
  • Show CVE Lite on a pnpm lockfile at meaningful scale (2,602 resolved packages) — distinct from existing pnpm fixtures
  • Demonstrate pnpm workspace-scoped fix commands (pnpm add --filter …) for direct deps across nested workspace paths
  • Surface mixed outcomes: actionable direct fixes, parent-upgrade remediation paths, and advisory-only transitive findings (file-type, yaml)
  • Provide a side-by-side comparison with pnpm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.22.0, lockfile-only, 2026-06-08)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | eb5708b3d3834a50a29f19d93df7406011e08114 |
| Lockfile root | pnpm-lock.yaml (pnpm workspace monorepo) |
| Resolved packages | 2,602 |
| Vulnerable packages | 18 |
| Severity | 1 critical · 7 high · 9 medium · 1 low |
| Direct vs transitive | 1 direct / 17 transitive |
| CVE count (deduplicated) | 36 CVEs across 18 packages |
| Fix command groups (preliminary) | 2 groups covering 5 packages (5 of 18 findings) |

Notable findings (preliminary):

  • drizzle-orm@0.44.7 — high (direct) — pnpm add --filter packages/drizzle-adapter drizzle-orm@latest
  • fast-xml-parser@4.2.5 — critical (transitive) — ⊘ skipped (no direct parent upgrade path)
  • undici@7.18.2 — high (transitive) — parent-upgrade path available via wrangler
  • @sentry/nextjs → uuid@9.0.1 — medium (transitive) — path-specific parent-upgrade remediation available
  • file-type@20.5.0 — medium (transitive) — ⊘ skipped (OSV fix hint present, no auto-generated fix command)
  • yaml@2.4.5 — medium (transitive) — ⊘ skipped (advisory-only)

pnpm audit (same lockfile): 18 vulnerabilities (1 critical · 7 high · 9 medium · 1 low) — totals align closely with CVE Lite's deduplicated view.

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/payload/ with root package.json and pnpm-lock.yaml pinned to a specific upstream commit
  • Add website/docs/case-studies/payload.md with verified scan results (CVE Lite CLI version, pnpm audit comparison, reproducible commands)
  • Bundle project logo under website/static/img/ (from Payload branding/assets — do not rely on external raw URLs that 404)
  • Wire the case study into docs sidebar, examples/readme.md, README.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • Baseline only — no fake "after" remediation results

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study explains pnpm workspace --filter fix commands and partial monorepo modeling caveats
  • Case study documents parent-upgrade remediation paths where applicable (e.g. wrangler → undici)
  • Comparison note explains CVE Lite vs pnpm audit alignment (36 CVEs / 18 packages)
  • Baseline findings table matches live scan JSON output
  • Logo bundled locally under website/static/img/
  • Scan results are re-verified before publishing

Claiming this issue — happy to open a PR once maintainers confirm scope. @sonukapoor
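As an added illustration (not code from the issue or from the CVE Lite project) of the direct-versus-transitive split and the workspace-scoped fix commands described above: a small Python sketch that takes a constructed, simplified subset of a pnpm-lock.yaml "importers" map plus a constructed list of findings, classifies each finding, and emits `pnpm add --filter <workspace path> <pkg>@latest` only where a workspace package declares the vulnerable version directly. The importer paths, versions, and the `plan_fixes`/`direct_importers` helper names are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Constructed subset of a pnpm-lock.yaml v9 "importers" section:
# workspace path -> {dependency name: resolved version}. Not Payload's real lockfile.
IMPORTERS: Dict[str, Dict[str, str]] = {
    ".": {"yaml": "2.8.0"},
    "packages/drizzle-adapter": {"drizzle-orm": "0.44.7"},
    "packages/plugin-cloud": {"wrangler": "4.0.0"},
}

# Constructed findings as (package, vulnerable version, severity).
FINDINGS: List[Tuple[str, str, str]] = [
    ("drizzle-orm", "0.44.7", "high"),
    ("fast-xml-parser", "4.2.5", "critical"),
    ("yaml", "2.4.5", "medium"),  # root declares yaml, but a different version
]


def direct_importers(importers: Dict[str, Dict[str, str]], name: str, version: str) -> List[str]:
    """Workspace paths that declare exactly name@version as a direct dependency."""
    return sorted(path for path, deps in importers.items() if deps.get(name) == version)


def plan_fixes(findings: List[Tuple[str, str, str]], importers: Dict[str, Dict[str, str]]) -> List[dict]:
    """Classify each finding and emit a workspace-scoped fix command for direct deps.

    Transitive findings get no command here: they need a parent upgrade or an
    override, which this example does not model.
    """
    plan = []
    for name, version, severity in findings:
        paths = direct_importers(importers, name, version)
        plan.append({
            "package": f"{name}@{version}",
            "severity": severity,
            "kind": "direct" if paths else "transitive",
            # Command shape mirrors the issue's example: pnpm add --filter <workspace path> <pkg>@latest
            "commands": [f"pnpm add --filter {p} {name}@latest" for p in paths],
        })
    return plan


def summarize(plan: List[dict]) -> Dict[str, int]:
    """Direct/transitive counts, the same split the case-study table reports."""
    direct = sum(1 for f in plan if f["kind"] == "direct")
    return {"direct": direct, "transitive": len(plan) - direct}


if __name__ == "__main__":
    for finding in plan_fixes(FINDINGS, IMPORTERS):
        print(finding["package"], finding["severity"], finding["kind"], *finding["commands"])
```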
