
Add VS Code lockfile example and verified case study #480

@Ayush7614

Description


Summary

Add a real-world Visual Studio Code root lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

VS Code is one of the most widely used developer tools in the world. Its root package-lock.json captures the editor’s JavaScript/TypeScript build and tooling dependencies (distinct from the full multi-folder product tree). A committed lockfile snapshot and documented case study would:

  • Add a high-recognition developer-tool example to the case study portfolio
  • Show how CVE Lite CLI performs on a large npm lockfile where most risk is transitive and findings are relatively few despite 1,000+ resolved packages
  • Document direct vs transitive split (including dev-tooling direct deps like SDK packages)
  • Provide a side-by-side comparison with npm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.18.0, lockfile-only, 2026-05-27)

| Metric | Value |
|---|---|
| Upstream revision (candidate) | 1897fa34033285d932624a72654cb1cf943f634f |
| Lockfile | package-lock.json |
| Resolved packages | 1,374 |
| Vulnerable packages | 9 (7 OSV advisory matches) |
| Severity | 1 high · 8 medium |
| Direct vs transitive | 2 direct · 7 transitive |

Numbers are from a lockfile-only baseline scan of the root lockfile and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/vscode/ with root package.json and package-lock.json pinned to a specific upstream commit
  • Add website/docs/case-studies/vscode.md with verified scan results (CVE Lite CLI version, npm audit comparison, reproducible commands)
  • Wire the case study into docs sidebar, README, examples/readme.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)
  • Scan scope is the root lockfile only (not every nested package.json in the VS Code tree)

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study includes scan verification section with reproduce commands
  • Comparison note explains CVE Lite vs native audit count differences (if totals differ)
  • Baseline findings table matches live scan JSON output
  • Case study clearly states scan scope (root lockfile vs full product tree)
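An added example, not part of this issue or of CVE Lite CLI's own code: a Python script that reads a lockfileVersion-3 package-lock.json, counts resolved packages, classifies each vulnerable copy as direct or transitive from the root entry, and reports both per-package and per-advisory counts (two ways a scanner and npm audit may tally the same lockfile). The lockfile fragment and the advisory table are constructed sample data, and the version check is a simplified "below first fixed version" comparison rather than a full range evaluator.

```python
import json

# Constructed lockfileVersion-3 fragment (sample data, not VS Code's real lockfile).
# The "" entry is the root project; "node_modules/..." entries are the resolved tree.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-lib": "^1.0.0"},
             "devDependencies": {"build-tool": "^2.0.0"}},
        "node_modules/left-lib": {"version": "1.2.0"},
        "node_modules/build-tool": {"version": "2.1.0", "dev": True},
        "node_modules/helper": {"version": "0.3.1"},
        "node_modules/build-tool/node_modules/helper": {"version": "0.3.0", "dev": True},
    },
})

# Constructed advisories (hypothetical, not real CVEs): package name -> first fixed version.
SAMPLE_ADVISORIES = {"helper": "0.4.0", "build-tool": "2.2.0"}


def parse_version(version):
    """Turn '1.2.3' (ignoring any '-prerelease' suffix) into a comparable tuple."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def scan_lockfile(lock_text, advisories):
    lock = json.loads(lock_text)
    packages = lock["packages"]
    root = packages.get("", {})
    # Direct deps are what the root package declares; everything else is transitive.
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    resolved = {path: entry for path, entry in packages.items() if path}
    findings = []
    for path, entry in resolved.items():
        name = package_name(path)
        fixed = advisories.get(name)
        if fixed and parse_version(entry["version"]) < parse_version(fixed):
            # A hoisted top-level copy is direct only if the root actually lists it;
            # nested copies are always transitive.
            kind = "direct" if path == f"node_modules/{name}" and name in direct else "transitive"
            findings.append({"path": path, "version": entry["version"], "fixed": fixed, "kind": kind})
    return {
        "resolved": len(resolved),
        "vulnerable_packages": len(findings),  # one per resolved copy
        "advisory_matches": len({package_name(f["path"]) for f in findings}),  # one per advisory
        "direct": sum(f["kind"] == "direct" for f in findings),
        "transitive": sum(f["kind"] == "transitive" for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(scan_lockfile(SAMPLE_LOCK, SAMPLE_ADVISORIES), indent=2))
```

On the sample data the two nested copies of the same package produce three vulnerable packages but only two advisory matches, which is the kind of gap a comparison note against npm audit has to explain.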

Labels: documentation