Summary
Add a real-world LangChain.js monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.
Motivation
LangChain.js is one of the most widely adopted TypeScript frameworks for building LLM-powered applications. Its pnpm monorepo spans core packages, provider integrations, and tooling with 2,000+ resolved packages. A committed lockfile snapshot and documented case study would:
- Extend AI/LLM framework coverage beyond the Vercel AI SDK and Mastra proposals
- Show how CVE Lite CLI performs on a large pnpm workspace where most risk is transitive despite a massive graph
- Document verified baseline findings and fix command groups without applying remediation
- Provide a side-by-side comparison with `pnpm audit` on the same lockfile
Preliminary scan (CVE Lite CLI v1.18.1, lockfile-only, 2026-05-28)
| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | 1503c9beaa6a578f6a30739b2cfc1af9d18dd805 |
| Lockfile | `pnpm-lock.yaml` |
| Resolved packages | 2,174 |
| Vulnerable packages | 10 (7 OSV advisory matches) |
| Severity | 2 high · 8 medium |
Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.
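To make the "Resolved packages" metric reproducible independently of the scanner, here is an added example (not part of this proposal and not CVE Lite CLI's code) that walks the `packages:` section of a pnpm lockfile and shapes the result as an OSV batch query; the lockfile excerpt is constructed, and the parser is a hypothetical line-based one so it needs no PyYAML.

```python
"""Count resolved packages in a pnpm-lock.yaml and build OSV batch queries.

Hypothetical helper for a lockfile-only baseline; not CVE Lite CLI code.
Handles v6 keys ('/name@1.2.3') and v9 keys ('name@1.2.3', '@scope/name@1.2.3'),
ignoring peer-dependency suffixes such as 'name@1.2.3(peer@2.0.0)'.
"""
import re

# Constructed v9-style excerpt, not the real LangChain.js lockfile.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21
packages:
  '@langchain/core@0.3.0':
    resolution: {integrity: sha512-AAAA}
  lodash@4.17.21:
    resolution: {integrity: sha512-BBBB}
  semver@7.6.0:
    resolution: {integrity: sha512-CCCC}
    hasBin: true
snapshots:
  '@langchain/core@0.3.0':
    dependencies:
      lodash: 4.17.21
"""

KEY_RE = re.compile(r"^/?(@?[^@\s]+)@([^(\s]+)")


def resolved_packages(lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) for each key directly under the top-level packages: section."""
    found, in_packages = [], False
    for line in lock_text.splitlines():
        if not line.startswith(" "):  # a new top-level section starts
            in_packages = line.rstrip() == "packages:"
            continue
        if not in_packages or not line.startswith("  ") or line.startswith("   "):
            continue  # skip nested fields (indent deeper than 2 spaces)
        key = line.strip().rstrip(":").strip("'\"")
        m = KEY_RE.match(key)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def osv_batch_queries(pkgs: list[tuple[str, str]]) -> dict:
    """Shape the packages as an OSV /v1/querybatch request body (npm ecosystem)."""
    return {"queries": [{"package": {"name": n, "ecosystem": "npm"}, "version": v}
                        for n, v in pkgs]}
```

Counting only the `packages:` section (not `snapshots:`) is what keeps the total comparable to a lockfile-only scan, since each resolved name@version appears there exactly once.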
Proposed changes
- Add `examples/langchainjs/` with `package.json` and `pnpm-lock.yaml` pinned to a specific upstream commit
- Add `website/docs/case-studies/langchainjs.md` with verified scan results (CVE Lite CLI version, `pnpm audit` comparison, reproducible commands)
- Bundle the LangChain logo under `website/static/img/` (do not rely on external raw URLs)
- Wire the case study into the docs sidebar, README, `examples/readme.md`, and CHANGELOG
Scope
- Documentation and example fixture only
- No changes to scanner source code or existing examples
- All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)
Acceptance criteria