Add exact-pinned-intermediate regression fixture (Discussion #528 #2)#661

Open
Ayush7614 wants to merge 1 commit into OWASP:main from Ayush7614:ayushfixes

Conversation

@Ayush7614 Ayush7614 commented Jun 14, 2026

Contributor

Adds examples/exact-pinned-intermediate/ for Discussion #528 **Fixture 2**.

Summary

  • Intermediate parent (body-parser) exact-pins qs@6.14.2 in the lockfile — not a semver range like ~6.14.0
  • CVE Lite must not suggest npm update qs (within-range lockfile refresh)
  • Correct fix: parent upgrade on express

Chain

express@4.22.1 → body-parser@1.20.4 → qs@6.14.2

  • Lockfile declares "qs": "6.14.2" (exact) on body-parser — only that version satisfies the pin
  • npm overrides isolate the deep path and pin vulnerable versions (same technique as deep-chain-no-fix)

Verified scan output

```
npm run build
node dist/index.js examples/exact-pinned-intermediate --verbose
Parsed 69 packages from package-lock.json
Found 1 package (1 CVE) with known OSV matches
1 medium finding: qs@6.14.2 (transitive via express → body-parser → qs)
Fix command: npm install express@4.22.2
Does NOT suggest: npm update qs
```

What changed

  • examples/exact-pinned-intermediate/package.json + package-lock.json
  • examples/readme.md — fixture table + scan command
  • tests/fixture-scan.test.ts — asserts parent upgrade, not npm update qs

Contrast with related fixtures

| Fixture | Parent declares | Expected fix |
| --- | --- | --- |
| wrong-parent / pnpm-within-range | Range that covers the fix | npm update / pnpm update on vulnerable pkg |
| deep-chain-no-fix | Range that does not cover the fix | Parent upgrade |
| exact-pinned-intermediate | Exact pin (no range) | Parent upgrade — within-range refresh must not apply |

Test plan

  • node dist/index.js examples/exact-pinned-intermediate --verbose → npm install express@4.22.2, not npm update qs
  • Fixture documented in examples/readme.md
  • CI (npm test)

Closes Discussion #528 item fixture 2 (exact-pinned-intermediate).

cc: @sonukapoor

…OWASP#2)

Intermediate parent exact-pins qs@6.14.2 — expects npm install express@4.22.2, not npm update qs.
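The pin-versus-range decision this fixture exercises, written out as an added TypeScript example (not CVE Lite's own code): `satisfies`, `chooseFix` and the `Finding` shape are assumptions, and the qs fixed version 6.14.3 is a constructed sample value the PR does not state.

```typescript
// Added example, not CVE Lite's own code: decide, from how the direct parent
// declares the vulnerable package in package-lock.json, whether a within-range
// lockfile refresh ("npm update <pkg>") can reach the fixed version or whether
// the top-level parent must be upgraded. Specs: "x.y.z", "~x.y.z" or "^x.y.z".
type Triple = [number, number, number];

function parse(v: string): Triple {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a: Triple, b: Triple): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `version` satisfy the parent's declared `spec`?
function satisfies(version: string, spec: string): boolean {
  const v = parse(version);
  if (spec.startsWith("~")) { // ~x.y.z: >=x.y.z and <x.(y+1).0
    const b = parse(spec.slice(1));
    return cmp(v, b) >= 0 && v[0] === b[0] && v[1] === b[1];
  }
  if (spec.startsWith("^")) { // ^x.y.z: >=x.y.z, leftmost non-zero part fixed
    const b = parse(spec.slice(1));
    const lock = b[0] !== 0 ? 1 : b[1] !== 0 ? 2 : 3;
    return cmp(v, b) >= 0 && v.slice(0, lock).every((x, i) => x === b[i]);
  }
  return cmp(v, parse(spec)) === 0; // bare x.y.z is an exact pin
}

interface Finding {
  pkg: string;        // vulnerable transitive package
  fixedIn: string;    // first non-vulnerable version of pkg
  parentSpec: string; // what the direct parent declares for pkg in the lockfile
  root: string;       // top-level dependency that owns the chain
  rootFixed: string;  // root version whose subtree resolves to a fixed pkg
}

function chooseFix(f: Finding): string {
  // A lockfile refresh only helps if the parent's declared range admits the fix.
  if (satisfies(f.fixedIn, f.parentSpec)) return `npm update ${f.pkg}`;
  return `npm install ${f.root}@${f.rootFixed}`;
}

// The PR's fixture: body-parser pins "6.14.2" exactly. The qs fixed version
// 6.14.3 is a constructed sample; the PR does not state it.
const exactPinned: Finding = { pkg: "qs", fixedIn: "6.14.3", parentSpec: "6.14.2", root: "express", rootFixed: "4.22.2" };
```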