
Add Mastra lockfile example and verified case study #479

@Ayush7614

Description

Summary

Add a real-world Mastra monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Mastra is a TypeScript-native AI agent framework with a large pnpm monorepo covering core runtime, provider integrations, playground UI, and client SDKs. A committed lockfile snapshot and documented case study would:

  • Document dependency risk in a production AI agent framework (not just an LLM client library)
  • Show how CVE Lite CLI handles a 4,500+ package pnpm workspace with critical transitive findings (e.g. auth and protobuf chains)
  • Surface validated fix command groups where parent upgrades are identifiable
  • Provide a side-by-side comparison with pnpm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.18.0, lockfile-only, 2026-05-27)

Metric                         Value
Upstream revision (candidate)  5ee740cfe3bac6bae0c6303c43622a4e6abbfac7
Lockfile                       pnpm-lock.yaml
Resolved packages              4,556
Vulnerable packages            60 (87 OSV advisory matches)
Severity                       3 critical · 30 high · 25 medium · 2 low

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/mastra/ with package.json and pnpm-lock.yaml pinned to a specific upstream commit
  • Add website/docs/case-studies/mastra.md with verified scan results (CVE Lite CLI version, pnpm audit comparison, reproducible commands)
  • Wire the case study into docs sidebar, README, examples/readme.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study includes scan verification section with reproduce commands
  • Comparison note explains CVE Lite vs native audit count differences (if totals differ)
  • Baseline findings table matches live scan JSON output
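The preliminary scan table reports 60 vulnerable packages but 87 advisory matches, and the acceptance criteria ask for an explanation of count differences against pnpm audit and for fix groups where a parent upgrade is identifiable. The script below is an added illustration of those two points; it is not code from this issue or from CVE Lite CLI, and it does not reproduce the tool's real parser or its OSV query. It reads a constructed pnpm-lock.yaml fragment in the v9 layout with a line-based regex (the assumed layout: one `name@version:` key per resolved package under `packages:`, dependents listed under `snapshots:`), matches the resolved versions against a constructed advisory list, and reports distinct vulnerable packages, total advisory matches, a severity tally, and which package pulls each vulnerable version in. Counting per advisory versus per affected package is one reason two scanners give different totals for the same lockfile.

```python
import re
from collections import Counter

# Constructed minimal pnpm-lock.yaml in the v9 layout (lockfileVersion '9.0').
# Package names, versions and integrity values are sample data, not Mastra's.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      left-util:
        specifier: ^1.0.0
        version: 1.2.3
      token-check:
        specifier: ^0.9.0
        version: 0.9.1

packages:

  left-util@1.2.3:
    resolution: {integrity: sha512-AAAA}

  '@acme/proto@3.1.0':
    resolution: {integrity: sha512-BBBB}

  '@acme/proto@4.0.2':
    resolution: {integrity: sha512-CCCC}

  token-check@0.9.1:
    resolution: {integrity: sha512-DDDD}

snapshots:

  left-util@1.2.3:
    dependencies:
      '@acme/proto': 3.1.0

  '@acme/proto@3.1.0': {}

  '@acme/proto@4.0.2': {}

  token-check@0.9.1: {}
"""

# Constructed advisories: (id, package, fixed-in version, severity). A resolved
# version is affected when it is below the fixed-in version (simplified ranges).
SAMPLE_ADVISORIES = [
    ("CONSTRUCTED-0001", "@acme/proto", "4.0.0", "critical"),
    ("CONSTRUCTED-0002", "@acme/proto", "3.2.0", "high"),
    ("CONSTRUCTED-0003", "token-check", "1.0.0", "high"),
    ("CONSTRUCTED-0004", "left-util", "1.0.0", "medium"),  # fixed before 1.2.3
]

# Assumed v9 key shapes: "  name@version:" (scoped names quoted), snapshot keys may
# carry a peer suffix "(peer@x.y.z)", leaf snapshots end in ": {}".
PACKAGE_KEY = re.compile(r"^  '?(?P<name>@?[^@'\s]+)@(?P<version>[^'\s]+?)'?:(?: \{\})?\s*$")
DEP_LINE = re.compile(r"^      '?(?P<name>@?[^'\s:]+)'?: (?P<version>\S+)\s*$")


def _top_level_section(line):
    """Return the key of an unindented `key:` line, else None."""
    if line and not line.startswith(" ") and line.endswith(":"):
        return line[:-1]
    return None


def resolved_packages(lockfile_text):
    """List (name, version) for every entry under the top-level `packages:` key."""
    section, found = None, []
    for line in lockfile_text.splitlines():
        key = _top_level_section(line)
        if key:
            section = key
            continue
        if section == "packages" and (m := PACKAGE_KEY.match(line)):
            found.append((m.group("name"), m.group("version").split("(")[0]))
    return found


def dependents(lockfile_text):
    """Map (name, version) -> set of (name, version) that depend on it, from `snapshots:`."""
    section, current, parents = None, None, {}
    for line in lockfile_text.splitlines():
        key = _top_level_section(line)
        if key:
            section, current = key, None
            continue
        if section != "snapshots":
            continue
        if m := PACKAGE_KEY.match(line):
            current = (m.group("name"), m.group("version").split("(")[0])
        elif current and (d := DEP_LINE.match(line)):
            child = (d.group("name"), d.group("version").split("(")[0])
            parents.setdefault(child, set()).add(current)
    return parents


def version_tuple(version):
    """Numeric tuple for x.y.z versions; a pre-release tag is dropped (assumption)."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def match_advisories(packages, advisories):
    """One (advisory_id, name, version, severity) row per applicable advisory."""
    return [(adv_id, name, version, severity)
            for name, version in packages
            for adv_id, adv_name, fixed_in, severity in advisories
            if adv_name == name and version_tuple(version) < version_tuple(fixed_in)]


def summarize(lockfile_text, advisories):
    """Distinct vulnerable packages vs advisory matches, plus the parent of each finding."""
    packages = resolved_packages(lockfile_text)
    matches = match_advisories(packages, advisories)
    parents = dependents(lockfile_text)
    vulnerable = sorted({(n, v) for _, n, v, _ in matches})
    return {
        "resolved_packages": len(packages),
        "vulnerable_packages": len(vulnerable),
        "advisory_matches": len(matches),
        "severity": dict(Counter(sev for *_, sev in matches)),
        # Empty parent list: direct dependency of an importer, upgrade it directly;
        # otherwise the listed parent is the candidate for a fix command group.
        "parents": {f"{n}@{v}": sorted(f"{pn}@{pv}" for pn, pv in parents.get((n, v), ()))
                    for n, v in vulnerable},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

On the sample data the script reports 2 vulnerable packages but 3 advisory matches, because `@acme/proto@3.1.0` is hit by two advisories while `@acme/proto@4.0.2` is clean; it also shows that the vulnerable `@acme/proto` is reached only through `left-util@1.2.3`, so a parent upgrade, not a direct pin, is the fix candidate. Running it against the real fixture would need the tool's actual OSV data and range semantics, which this example does not model.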

Labels

documentation (Improvements or additions to documentation) · good first issue (Good for newcomers)