Summary
Add a real-world Builder.io lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.
Motivation
Builder.io is a high-visibility visual development / headless CMS platform (~8.7k GitHub stars) — drag-and-drop editing, Figma-to-code, SDKs for React, Vue, Svelte, Qwik, Angular, Next.js, and more. The upstream repo is a Yarn Berry + Nx monorepo housing SDKs, plugins, starters, and dozens of framework examples. A committed lockfile snapshot and documented case study would:
- Add visual CMS / page-builder SDK monorepo coverage — distinct from Mitosis (cross-framework compiler) while sharing the Builder.io ecosystem
- Show CVE Lite on one of the largest Yarn Berry lockfiles in the portfolio (`yarn.lock`, 5,655 resolved packages)
- Demonstrate an extreme triage graph: 315 unique vulnerable packages with only 2 direct findings and 313 `unknown` relationship rows on a lockfile-only snapshot
- Highlight two confident direct fixes amid massive transitive/sandbox noise: `octokit@2.1.0` and `zx@7.2.1`
- Provide a Storybook/Mitosis-parallel `yarn npm audit --all` vs full lockfile comparison (~2 root-scope entries vs 315 deduplicated packages)
Preliminary scan (CVE Lite CLI v1.22.0, lockfile-only, 2026-06-12)
| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | `1219cc4ed49ed657a7ee5e7548ca13aeabafa725` |
| Lockfile | `yarn.lock` (Yarn Berry monorepo, workspaces: `packages/*`, `plugins/*`, `examples/*`, etc.) |
| Resolved packages | 5,655 |
| Vulnerable packages | 315 |
| Severity | 32 critical · 164 high · 100 medium · 19 low |
| Direct vs transitive vs unknown | 2 direct / 0 transitive / 313 unknown |
| CVE count (deduplicated) | 328 CVE/advisory entries across 315 packages |
| Fix command groups (preliminary) | 2 groups covering 2 packages |
| First-pass coverage (preliminary) | 2 of 315 findings |
Notable findings (preliminary):
- Only 2 direct findings: `octokit@2.1.0` (high) → `yarn add octokit@3.1.2` (breaking major flagged), `zx@7.2.1` (medium) → `yarn add zx@8.8.5` (breaking major flagged)
- Critical sandbox/SDK cluster (unknown relationship): `@angular/ssr`, `@builder.io/qwik`, `@builder.io/qwik-city`, `@nguniversal/*`, `@remix-run/node`, `next`, `handlebars`, `form-data`, `electron` — framework example and SDK e2e paths, not Builder npm consumer surface
- Version fragmentation at scale: multiple majors of `esbuild`, `axios`, `minimatch`, `semver`, `rollup`, `vite`, `svelte`, `lodash` across examples/plugins
- 313 skipped findings — overwhelmingly framework-sandbox packages where Yarn Berry path reconstruction is incomplete on this lockfile-only MVP snapshot

`yarn npm audit --all` (same lockfile, default workspace scope): ~2 vulnerability entries on root workspace direct deps — case study should explain full-lockfile parse vs Yarn Berry default audit scope.
Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.
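As an added illustration (not CVE Lite CLI's own code, and not necessarily its exact algorithm), here is the relationship triage behind the `unknown` rows above and behind the full-lockfile vs `yarn npm audit --all` scope comparison: a parser for the npm entries of a Yarn Berry `yarn.lock`, and a classifier that marks a package `direct` only when a captured `package.json` lists it, `transitive` when a direct package reaches it, and `unknown` otherwise, which is what a lockfile-only snapshot with just the root manifest produces at scale. The lockfile text, package names and manifests below are constructed.

```javascript
// Added illustration, not CVE Lite CLI's own code: relationship triage from a
// lockfile plus whichever package.json manifests were captured alongside it.
const LOCK = `# constructed sample in Yarn Berry yarn.lock syntax
"octokit@npm:^2.0.0":
  version: 2.1.0
  resolution: "octokit@npm:2.1.0"
  dependencies:
    "@octokit/core": "npm:^4.0.0"

"@octokit/core@npm:^4.0.0":
  version: 4.2.4

"next@npm:^13.0.0":
  version: 13.4.0
  dependencies:
    styled-jsx: "npm:5.1.1"

"styled-jsx@npm:5.1.1":
  version: 5.1.1
`;

// Parse npm entries into name -> { version, deps }; __metadata and workspace: entries have no "@npm:" and are skipped.
function parseLock(text) {
  const pkgs = new Map();
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split("\n").filter((l) => l && !l.startsWith("#"));
    if (!lines.length || lines[0].startsWith(" ")) continue;
    const key = lines[0].replace(/:$/, "").replace(/^"(.*)"$/, "$1").split(", ")[0];
    const at = key.indexOf("@npm:");
    if (at < 0) continue;
    let version = "", inDeps = false, deps = [];
    for (const raw of lines.slice(1)) {
      const l = raw.trim();
      if (l === "dependencies:") { inDeps = true; continue; }
      if (inDeps && raw.startsWith("    ")) { deps.push(l.match(/^"?([^":]+)"?:/)[1]); continue; }
      inDeps = false;
      if (l.startsWith("version: ")) version = l.slice(9).replace(/"/g, "");
    }
    pkgs.set(key.slice(0, at), { version, deps });
  }
  return pkgs;
}

// Seed "direct" from every captured manifest (a Set of dependency names), walk
// dependencies to mark "transitive"; whatever no captured manifest reaches stays "unknown".
function classify(pkgs, manifests) {
  const rel = new Map([...pkgs.keys()].map((n) => [n, "unknown"])), stack = [];
  for (const m of manifests) for (const n of m) if (pkgs.has(n)) { rel.set(n, "direct"); stack.push(n); }
  while (stack.length) for (const d of pkgs.get(stack.pop()).deps)
    if (rel.get(d) === "unknown") { rel.set(d, "transitive"); stack.push(d); }
  return rel;
}
```

Run `classify(parseLock(LOCK), [new Set(["octokit"])])` to see `next` and `styled-jsx` land in `unknown` with only a root manifest; add `new Set(["next"])` as an example workspace manifest and they become `direct` and `transitive`.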
Proposed changes
- Add `examples/builder/` with root `package.json` and `yarn.lock` pinned to a specific upstream commit
- Add `website/docs/case-studies/builder.md` with verified scan results (CVE Lite CLI version, `yarn npm audit` comparison, reproducible commands)
- Bundle project logo under `website/static/img/` (from `examples/next-js-builder-site/public/assets/logo.png` — do not rely on external raw URLs that 404)
- Wire the case study into docs sidebar, `examples/readme.md`, `README.md`, `CHANGELOG`, and `website/docs/case-studies/index.md` (sorted npm/pnpm/Yarn sections)
Scope
- Documentation and example fixture only
- No changes to scanner source code or existing examples
- Baseline only — no fake “after” remediation results
Acceptance criteria
- Lockfile snapshot is pinned to a documented upstream revision
- Case study explains Yarn Berry workspace / `unknown` relationship caveats on lockfile-only snapshots at scale
- Comparison note explains CVE Lite vs `yarn npm audit --all` default scope (~2 entries vs 315 deduplicated packages)
- Baseline findings table matches live scan JSON output (may use representative critical/high subset + full count summary given table size)
- Logo bundled locally under `website/static/img/`
Opened by @Ayush7614 after preliminary lockfile-only scan. Happy to implement the case study PR once maintainers confirm scope.