docs: add Strapi case study (#373)#593

Merged
sonukapoor merged 1 commit into
OWASP:mainfrom
Ayush7614:ayush21
Jun 14, 2026
Conversation

@Ayush7614 Ayush7614 commented Jun 9, 2026

Contributor

Summary

  • Adds verified Strapi case study at strapi/strapi@e666ee2 — 2,887 packages, 29 findings (1 critical · 12 high · 13 medium · 3 low)
  • Updates examples/strapi/ lockfile snapshot (Yarn Berry 4.12.0) and documents six fix command groups covering 12/29 findings
  • Highlights CMS parallels with Ghost (html-minifier no-fix), direct lodash/qs fixes vs transitive critical handlebars chain, and mixed minimatch remediation paths
  • Documents yarn npm audit limitation on lockfile-only Yarn Berry catalog snapshots (same class as Storybook)

Closes #373

Verified scan output

Parsed 2887 packages from yarn-lock (yarn.lock)
Found 29 packages (61 CVEs) with known OSV matches
Critical: 1 | High: 12 | Medium: 13 | Low: 3
6 command groups ready across 12 packages (1 critical, 2 high, 3 medium)
Running all commands above should fix 12 of 29 findings.

Key generated commands:

yarn upgrade handlebars
yarn add lodash@4.18.0
yarn upgrade axios && yarn upgrade cross-spawn && yarn upgrade minimatch && yarn upgrade tmp
yarn add qs@6.15.2
yarn upgrade brace-expansion && yarn upgrade ejs && yarn upgrade tough-cookie
yarn add @swc/cli@0.8.1 lint-staged@15.4.2

Test plan

  • npm run build
  • node dist/index.js examples/strapi --verbose --all — 29 findings, 6 command groups, 12/29 coverage
  • Case study numbers match live scan JSON (cve-lite-scan-2026-06-09T07-16-34.json)
  • yarn npm audit attempted on fixture — fails with catalog protocol error (documented in case study)
  • Docusaurus site builds (if CI runs on PR)
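As an added example (not the project's code and not the scan output above), the following Node script parses a Yarn Berry lockfile, matches locked versions against an advisory list and produces the same kind of package count and severity summary; the lockfile text and advisories are constructed, and the shape of a `catalog:` descriptor in the lockfile is an assumption.

```javascript
// Added example (not the project's code): parse a Yarn Berry (v2+) yarn.lock and match
// locked versions against constructed advisories (affected when below "fixed"); catalog: shape is assumed.
const SAMPLE_LOCK = `__metadata:
"handlebars@npm:^4.7.7":
  version: 4.7.7
"lodash@npm:^4.17.15, lodash@npm:^4.17.21":
  version: 4.17.21
"qs@catalog:default":
  version: 6.11.0
`;
const ADVISORIES = [
  { name: 'handlebars', fixed: '4.7.8', severity: 'critical' },
  { name: 'qs', fixed: '6.15.2', severity: 'high' },
];
// "name@protocol:range" -> parts; scoped names keep their leading "@".
function splitDescriptor(desc) {
  const at = desc.indexOf('@', 1), [protocol, ...rest] = desc.slice(at + 1).split(':');
  return { name: desc.slice(0, at), protocol, range: rest.join(':') };
}
// Unindented keys are entry headers (comma-separated descriptors); an indented "version:" belongs to the last header.
function parseYarnBerryLock(text) {
  const entries = []; let cur = null;
  for (const line of text.split('\n')) {
    const head = line.match(/^"?([^"\s][^"]*?)"?:\s*$/);
    const ver = line.match(/^\s+version:\s*"?([^"\s]+)/);
    if (head && head[1] === '__metadata') cur = null;
    else if (head) entries.push(cur = { descriptors: head[1].split(',').map((d) => splitDescriptor(d.trim())), version: null });
    else if (ver && cur) cur.version = ver[1];
  }
  return entries;
}
// Numeric major.minor.patch comparison; prerelease tags are ignored.
function semverLess(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  const i = [0, 1, 2].find((k) => (pa[k] || 0) !== (pb[k] || 0));
  return i !== undefined && (pa[i] || 0) < (pb[i] || 0);
}
// Count packages, match advisories by name, and list catalog: descriptors, which a lockfile-only audit cannot resolve.
function scanLock(text, advisories) {
  const entries = parseYarnBerryLock(text);
  const findings = [], catalogDescriptors = [], bySeverity = {};
  for (const e of entries) {
    e.descriptors.filter((d) => d.protocol === 'catalog').forEach((d) => catalogDescriptors.push(`${d.name}@catalog:${d.range}`));
    const adv = advisories.find((a) => a.name === e.descriptors[0].name);
    if (!adv || !e.version || !semverLess(e.version, adv.fixed)) continue;
    findings.push({ name: adv.name, version: e.version, fixed: adv.fixed, severity: adv.severity });
    bySeverity[adv.severity] = (bySeverity[adv.severity] || 0) + 1;
  }
  return { packages: entries.length, findings, bySeverity, catalogDescriptors };
}
```

Running `scanLock(SAMPLE_LOCK, ADVISORIES)` reports 3 packages, one critical and one high finding, and the single `catalog:` descriptor that would need the workspace's catalog definition to resolve.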

@Ayush7614

Contributor Author

cc: @sonukapoor

@sonukapoor

Collaborator

This branch has merge conflicts with main — could you rebase against main, resolve the conflicts, and force-push? Thanks!

@Ayush7614

Contributor Author

@sonukapoor Rebased onto main and resolved the CHANGELOG.md conflict — Strapi entry is under [Unreleased], v1.21.0 section preserved. Force-pushed to ayush21. Thanks!

@sonukapoor

Collaborator

@Ayush7614 Could you please resolve the conflicts and push again?

@Ayush7614

Contributor Author

@sonukapoor Rebased onto latest main again — resolved conflicts in CHANGELOG.md (Strapi under [Unreleased], v1.22.0 preserved) and website/docs/case-studies/index.md (added Strapi row to the updated table). Force-pushed to ayush21.

@Ayush7614

Contributor Author

Rebased to include the tsx@4.22.0 lockfile fix (same as #639) so Self Scan passes — root esbuild@0.27.4 high advisories were failing all docs PRs unrelated to case study content. CI should go green once checks re-run.

@sonukapoor sonukapoor left a comment

Collaborator

The case study content looks solid - the CMS comparison angle with Ghost and the direct vs transitive split are well explained. Three things to fix before we can merge:

  1. Please revert the package.json change (the tsx version bump from 4.19.2 to 4.22.0). Dependency updates are separate from case study PRs.
  2. Please revert the package-lock.json change - this was generated from the tsx bump above.
  3. Please revert the CHANGELOG.md change - we manage the changelog at release time, not in individual PRs.

Once those three files are reverted to match main, this is ready to merge.

@Ayush7614

Contributor Author

@sonukapoor Thanks for the review — addressed all three items:

  • package.json / package-lock.json: dropped the unrelated tsx bump commit; branch is now rebased on main with a single case-study commit
  • CHANGELOG.md: reverted to match main (no changelog edits in this PR)

PR now only touches the Strapi case study files. Ready for another look when you have a moment.

@sonukapoor

Collaborator

Thanks for the case study contribution. A note for this PR and future ones: please only touch files specific to your study — the case study document, fixture files, and logo. Do not modify these shared files:

  • website/docs/case-studies/index.md
  • website/sidebars.ts
  • README.md
  • examples/readme.md
  • CHANGELOG.md
  • package.json / package-lock.json

When multiple case study PRs are open at the same time, all of them touch these files and conflicts pile up. Maintainers add the index/sidebar/README entries when merging. We have updated CONTRIBUTING.md to document this.

For this PR specifically: please rebase against main and resolve any conflicts, keeping the main branch version of the shared files.

Document strapi/strapi at e666ee2 (2,887 packages, 29 findings) with CMS
parallel to Ghost on html-minifier, direct lodash/qs fixes, and six fix groups.

Closes OWASP#373
@Ayush7614

Contributor Author

@sonukapoor Rebased onto latest main (post-#594 merge) and dropped all shared-file edits per the updated CONTRIBUTING guidance.

PR now only touches Strapi-specific files:

  • examples/strapi/ (fixture)
  • website/docs/case-studies/strapi.md
  • website/static/img/strapi-logo.svg

No changes to index.md, sidebars.ts, README.md, or examples/readme.md. Conflicts should be resolved.

@sonukapoor sonukapoor left a comment

Collaborator

Clean - only touches Strapi-specific files. Fixture works correctly (2,887 packages). Approved.

@sonukapoor sonukapoor merged commit 2c8fb1b into OWASP:main Jun 14, 2026
6 checks passed
@sonukapoor

Collaborator

Merged - thank you @Ayush7614!
