Summary
Add a real-world Mitosis lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.
Motivation
Mitosis is a high-visibility cross-framework UI compiler (~13.8k GitHub stars) from Builder.io — write components once, compile to React, Vue, Angular, Svelte, Solid, Qwik, Alpine, and more. The upstream repo is a Yarn Berry + Nx monorepo spanning compiler packages, e2e sandboxes, and multi-framework test fixtures. A committed lockfile snapshot and documented case study would:
- Add cross-framework compiler / codegen monorepo coverage — distinct from Storybook (UI tooling sandboxes), Svelte (compiler-only pnpm graph), and single-framework snapshots
- Show CVE Lite on a large Yarn Berry lockfile (`yarn.lock`, 2,476 resolved packages) with framework-sandbox critical chains (Qwik, Next.js, handlebars, form-data in e2e paths)
- Demonstrate six direct `esbuild` majors on the root manifest surface — all direct findings are esbuild version fragmentation, not application runtime deps
- Highlight Yarn Berry MVP path limits: 109 of 145 findings classified as `unknown` relationship when workspace/importer paths are incomplete on a lockfile-only snapshot
- Provide a Storybook-parallel narrative: `yarn npm audit --all` default scope vs CVE Lite full-lockfile parse (3 root-scope entries vs 145 deduplicated packages)
Preliminary scan (CVE Lite CLI v1.22.0, lockfile-only, 2026-06-12)
| Metric | Value |
|---|---|
| Upstream revision (candidate) | `a2434f9632438133ce08e17b0b646de378dfb5ca` |
| Lockfile | `yarn.lock` (Yarn Berry monorepo, workspaces: `packages/*`, `e2e/*`) |
| Resolved packages | 2,476 |
| Vulnerable packages | 145 |
| Severity | 18 critical · 70 high · 47 medium · 10 low |
| Direct vs transitive vs unknown | 6 direct / 30 transitive / 109 unknown |
| CVE count (deduplicated) | 256 CVE/advisory entries across 145 packages |
| Fix command groups (preliminary) | 5 groups covering 27 packages |
| First-pass coverage (preliminary) | 27 of 145 findings |
Notable findings (preliminary):
- Critical sandbox/tooling cluster: `@builder.io/qwik`, `@builder.io/qwik-city`, `next@13.5.5`, `handlebars`, `ejs`, `form-data`, `vitest@0.34.6` — mostly e2e / framework compile-test paths, not Mitosis npm consumer surface
- Critical direct-adjacent: `shell-quote@1.7.3` — within-range lockfile refresh via `yarn upgrade shell-quote`
- Six direct `esbuild` versions (`0.12.29` through `0.23.0`) — CVE Lite generates `yarn add esbuild@0.28.1` as validated target across all direct rows
- Nx orchestration path: `yarn add nx@19.6.1` for critical `form-data@4.0.0` via nx → axios chain
- High within-range refresh cluster: `axios`, `braces`, `cross-spawn`, `flatted`, `glob`, `minimatch`, `picomatch`, `tmp` — grouped lockfile refresh commands

`yarn npm audit --all` (same lockfile, default workspace scope): ~3 vulnerability entries on root workspace direct deps — case study should explain full-lockfile parse vs Yarn Berry default audit scope (parallel to Storybook case study).
Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.
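To make the `unknown` relationship caveat concrete, here is an added example (not CVE Lite CLI code; the lockfile inside it is constructed, not taken from the Mitosis repo) that parses the Yarn Berry lockfile format, treats `@workspace:` entries as importers, and labels every other package direct, transitive or unknown. Running the same classifier a second time with the workspace block stripped shows how a lockfile-only snapshot whose importer paths are missing collapses everything into `unknown`, which is the effect behind the 109-of-145 figure above.

```python
"""Classify Yarn Berry lockfile entries as direct / transitive / unknown.

Added illustration for this issue; not CVE Lite CLI code. SAMPLE_LOCK is
constructed (checksum/languageName/linkType fields omitted for brevity).
"""
from collections import deque

# Constructed lockfile: one workspace, two direct deps, one transitive dep,
# and one package whose importer (say an e2e workspace) is not in the snapshot.
SAMPLE_LOCK = '''\
__metadata:
  version: 8

"app@workspace:.":
  version: 0.0.0-use.local
  resolution: "app@workspace:."
  dependencies:
    "@scope/compiler": "npm:^1.0.0"
    esbuild: "npm:^0.23.0"

"@scope/compiler@npm:^1.0.0":
  version: 1.4.2
  resolution: "@scope/compiler@npm:1.4.2"
  dependencies:
    shell-quote: "npm:^1.7.0"

"esbuild@npm:^0.23.0":
  version: 0.23.0
  resolution: "esbuild@npm:0.23.0"

"shell-quote@npm:^1.7.0":
  version: 1.7.3
  resolution: "shell-quote@npm:1.7.3"

"form-data@npm:^4.0.0":
  version: 4.0.0
  resolution: "form-data@npm:4.0.0"
'''


def parse_yarn_berry_lock(text):
    """Parse the subset of the Yarn Berry format needed for a graph walk.

    Returns {descriptor: entry}; a key such as "foo@npm:^1.0.0, foo@npm:^1.2.0"
    maps both descriptors to the same entry dict.
    """
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):  # top-level key: one or more descriptors
            key = raw.rstrip().rstrip(":").strip('"')
            current, in_deps = None, False
            if key != "__metadata":
                current = {"version": None, "resolution": None, "dependencies": []}
                for descriptor in key.split(","):
                    entries[descriptor.strip()] = current
            continue
        if current is None:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        field, _, value = raw.strip().partition(":")
        field, value = field.strip('"'), value.strip().strip('"')
        if indent == 2:
            in_deps = field == "dependencies"
            if field in ("version", "resolution"):
                current[field] = value
        elif indent == 4 and in_deps:
            # Dependency lines become lookup descriptors, e.g. esbuild@npm:^0.23.0
            current["dependencies"].append(f"{field}@{value}")
    return entries


def is_workspace(entry):
    return "@workspace:" in (entry["resolution"] or "")


def classify_relationships(entries):
    """Label every non-workspace package 'direct', 'transitive' or 'unknown'."""
    unique = list({id(e): e for e in entries.values()}.values())
    direct = {id(entries[d]) for e in unique if is_workspace(e)
              for d in e["dependencies"] if d in entries}
    transitive, queue = set(), deque(e for e in unique if id(e) in direct)
    while queue:  # breadth-first walk from the direct layer
        for dep in queue.popleft()["dependencies"]:
            target = entries.get(dep)
            if target is None or id(target) in direct or id(target) in transitive:
                continue
            transitive.add(id(target))
            queue.append(target)
    labels = {}
    for entry in unique:
        if is_workspace(entry):
            continue
        name = entry["resolution"].rsplit("@", 1)[0]
        label = ("direct" if id(entry) in direct
                 else "transitive" if id(entry) in transitive else "unknown")
        labels[f"{name}@{entry['version']}"] = label
    return labels


def drop_workspace_entries(text):
    """Simulate a snapshot whose workspace/importer blocks are missing."""
    blocks = text.split("\n\n")
    return "\n\n".join(b for b in blocks if "@workspace:" not in b.split("\n", 1)[0])


def count_by_label(labels):
    counts = {"direct": 0, "transitive": 0, "unknown": 0}
    for label in labels.values():
        counts[label] += 1
    return counts


if __name__ == "__main__":
    full = classify_relationships(parse_yarn_berry_lock(SAMPLE_LOCK))
    partial = classify_relationships(parse_yarn_berry_lock(drop_workspace_entries(SAMPLE_LOCK)))
    print("with workspace entry:   ", count_by_label(full))
    print("workspace entry missing:", count_by_label(partial))
```

The point for the case study: `form-data` is reported as `unknown` even in the complete graph because its importer is absent, and once the workspace block itself is missing there is no root to walk from, so direct and transitive counts both drop to zero. Any committed snapshot should therefore include every workspace entry the classifier needs, or the caveat should be stated next to the numbers.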
Proposed changes
- Add `examples/mitosis/` with root `package.json` and `yarn.lock` pinned to a specific upstream commit
- Add `website/docs/case-studies/mitosis.md` with verified scan results (CVE Lite CLI version, `yarn npm audit` comparison, reproducible commands)
- Bundle project logo under `website/static/img/` (from `packages/fiddle/public/mitosis-logo-white.png` — do not rely on external raw URLs that 404)
- Wire the case study into docs sidebar, `examples/readme.md`, `README.md`, `CHANGELOG`, and `website/docs/case-studies/index.md` (sorted npm/pnpm/Yarn sections)
Scope
- Documentation and example fixture only
- No changes to scanner source code or existing examples
- Baseline only — no fake “after” remediation results
Acceptance criteria
- Lockfile snapshot is pinned to a documented upstream revision
- Case study explains Yarn Berry workspace / `unknown` relationship caveats on lockfile-only snapshots
- Comparison note explains CVE Lite vs `yarn npm audit --all` default scope (~3 entries vs 145 deduplicated packages)
- Baseline findings table matches live scan JSON output
- Logo bundled locally under `website/static/img/`
Opened by @Ayush7614 after preliminary lockfile-only scan. Happy to implement the case study PR once maintainers confirm scope.