Add Gatsby lockfile example and verified case study #477

@Ayush7614

Summary

Add a real-world Gatsby monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Gatsby is a widely used static-site and meta-framework with a large Yarn Classic monorepo and a deep dependency graph spanning build tooling, plugins, and documentation apps. A committed lockfile snapshot and documented case study would:

  • Extend framework coverage beyond Astro (pnpm) with a Yarn Classic lockfile format at production scale
  • Show how CVE Lite CLI handles a mature SSG monorepo with a broad transitive vulnerability surface
  • Document verified baseline findings, fix command groups, and remaining risk without applying remediation
  • Provide a side-by-side comparison with yarn npm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.18.0, lockfile-only, 2026-05-27)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | 1f38c85963fd6bcfa9ccee2f925e5e02b00eafbb |
| Lockfile | yarn.lock (Yarn Classic) |
| Resolved packages | 3,568 |
| Vulnerable packages | 128 (160 OSV advisory matches) |
| Severity | 9 critical · 66 high · 42 medium · 11 low |

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/gatsby/ with package.json and yarn.lock pinned to a specific upstream commit
  • Add website/docs/case-studies/gatsby.md with verified scan results (CVE Lite CLI version, yarn audit comparison, reproducible commands)
  • Wire the case study into docs sidebar, README, examples/readme.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study includes scan verification section with reproduce commands
  • Comparison note explains CVE Lite vs native audit count differences (if totals differ)
  • Baseline findings table matches live scan JSON output
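As an added illustration (not code from this issue or from CVE Lite CLI), the script below parses a constructed Yarn Classic (v1) lockfile fragment into resolved (name, version) pairs and then tallies the two totals the case-study table reports, vulnerable packages versus advisory matches, which is exactly the gap a comparison note against a native audit has to account for. The advisory rows and their OSV-style IDs are placeholders, not real advisories.

```python
# Added example, not CVE Lite CLI code: parse a Yarn Classic (v1) yarn.lock and
# reconcile package-level vs advisory-level totals. All data below is constructed.
import re
from collections import Counter

SAMPLE_LOCK = """\
# yarn lockfile v1
"@babel/core@^7.20.0", "@babel/core@^7.21.0":
  version "7.21.4"
lodash@^4.17.15, lodash@^4.17.20:
  version "4.17.21"
minimist@^1.2.0:
  version "1.2.0"
minimist@^1.2.5:
  version "1.2.5"
"""
# (package, version, placeholder advisory id, severity); lodash row is a non-resolved version.
ADVISORIES = [
    ("minimist", "1.2.0", "OSV-PLACEHOLDER-1", "critical"),
    ("minimist", "1.2.0", "OSV-PLACEHOLDER-2", "medium"),
    ("minimist", "1.2.5", "OSV-PLACEHOLDER-3", "low"),
    ("lodash", "4.17.20", "OSV-PLACEHOLDER-4", "high"),
]

def parse_yarn_lock(text):
    """Return the set of resolved (name, version) pairs from a v1 yarn.lock."""
    resolved, names = set(), None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            # Entry header: comma-separated, possibly quoted name@range keys;
            # names may be scoped (@scope/pkg), so split on the last '@'.
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
            names = {k[: k.rfind("@")] for k in keys}
        elif names is not None:
            m = re.match(r'\s+version "([^"]+)"', line)
            if m:
                resolved.update((n, m.group(1)) for n in names)
                names = None  # resolved/integrity/dependencies lines are skipped
    return resolved

def summarize(resolved, advisories):
    """One count per vulnerable (name, version) and one per advisory match."""
    matches = [a for a in advisories if (a[0], a[1]) in resolved]
    return {
        "resolved_packages": len(resolved),
        "vulnerable_packages": len({(a[0], a[1]) for a in matches}),
        "advisory_matches": len(matches),
        "severity": dict(Counter(a[3] for a in matches)),
    }
```

Two advisories on one resolved version give one vulnerable package and two matches, and an advisory for a version the lockfile never resolves is dropped; both effects are why scanner totals and native audit totals rarely agree at face value.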

Labels

  • documentation (Improvements or additions to documentation)
  • good first issue (Good for newcomers)