Add Storybook lockfile example and verified case study

CHANGELOG.md

@@ -5,6 +5,8 @@ All notable changes to CVE Lite CLI will be documented in this file.
 ## [Unreleased]
 
 ### Docs
+- Storybook case study added with verified baseline scan of a Yarn Berry monorepo lockfile snapshot (`examples/storybook/`, 3,008 packages, 92 findings at revision `cc19ae1`), including CVE Lite CLI vs `yarn npm audit` comparison.
+- Examples readme, docs sidebar, and README updated to reference the Storybook fixture and case study.
 - Visual Studio Code case study added with verified baseline scan of a root npm lockfile snapshot (`examples/vscode/`, 1,374 packages, 9 findings at revision `bc678ca`), including CVE Lite CLI vs `npm audit` comparison.
 - Examples readme, docs sidebar, and README updated to reference the VS Code fixture and case study.
 

README.md

@@ -213,8 +213,9 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
 - [Astro](https://owasp.org/cve-lite-cli/docs/case-studies/astro) — verified baseline scan of a modern pnpm monorepo (2,228 packages, 34 findings at revision `221bb4b`) with a critical transitive SDK chain and four generated fix command groups
 - [Turborepo](https://owasp.org/cve-lite-cli/docs/case-studies/turborepo) — verified baseline scan of a build-system pnpm monorepo (1,776 packages, 13 findings at revision `c85d410`) with a critical no-fix sandbox beta, all-transitive risk, and zero auto-generated fix commands on this snapshot
 - [Visual Studio Code](https://owasp.org/cve-lite-cli/docs/case-studies/vscode) — verified baseline scan of the VS Code root npm lockfile (1,374 packages, 9 findings at revision `bc678ca`) with two direct Anthropic SDK advisories, a high-severity gulp toolchain chain, and two generated fix command groups
+- [Storybook](https://owasp.org/cve-lite-cli/docs/case-studies/storybook) — verified baseline scan of a Yarn Berry monorepo (3,008 packages, 92 findings at revision `cc19ae1`) spanning cross-framework sandbox templates, five critical transitive chains, and one direct vite fix command
 
-In-repo lockfile fixtures for Astro, Turborepo, and Visual Studio Code live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
+In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, and Storybook live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
 
 These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
 

examples/.gitignore

@@ -1,4 +1,5 @@
 node_modules/
+.yarn/
 
 # Full project clones — too large for in-repo fixtures.
 # Clone these separately for local testing (see readme).

examples/readme.md

@@ -49,6 +49,14 @@ Lockfile-only snapshot from [microsoft/vscode](https://github.com/microsoft/vsco
 |---|---|---|---|
 | `vscode` | npm | https://github.com/microsoft/vscode | Developer-tool root lockfile — 1,374 packages, 9 findings (2 direct). |
 
+## In-repo snapshot: Storybook
+
+Lockfile-only snapshot from [storybookjs/storybook](https://github.com/storybookjs/storybook) at revision `cc19ae1a2145e8f7cda8dc869f1b90d5346dcedb`. Commits `package.json` and `yarn.lock` only — no application source. [Case study](../website/docs/case-studies/storybook.md).
+
+| Folder | Package Manager | Source | Purpose |
+|---|---|---|---|
+| `storybook` | Yarn Berry | https://github.com/storybookjs/storybook | Cross-framework UI tooling monorepo — 3,008 packages, 92 findings. |
+
 ## Local-only examples
 
 Full project clones used for real-world testing. Not committed to this repo — clone each separately into `examples/` for local use.
@@ -92,6 +100,9 @@ node dist/index.js examples/turborepo --verbose --all
 # In-repo snapshot: Visual Studio Code
 node dist/index.js examples/vscode --verbose --all
 
+# In-repo snapshot: Storybook
+node dist/index.js examples/storybook --verbose --all
+
 # Local-only (clone first)
 node dist/index.js examples/analog --verbose
 node dist/index.js examples/nest --verbose

examples/storybook/package.json

@@ -0,0 +1,84 @@
+{
+  "name": "@storybook/root",
+  "private": true,
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/storybookjs/storybook.git"
+  },
+  "workspaces": {
+    "packages": [
+      "code",
+      "code/addons/*",
+      "code/builders/*",
+      "code/core",
+      "code/frameworks/*",
+      "code/lib/*",
+      "code/presets/*",
+      "code/renderers/*",
+      "scripts"
+    ]
+  },
+  "scripts": {
+    "ci-tests": "cd code; yarn ci-tests",
+    "docs:check": "yarn --cwd scripts docs:check",
+    "fmt:check": "oxfmt --check .",
+    "fmt:write": "oxfmt .",
+    "get-report-message": "cd scripts; yarn get-report-message",
+    "get-sandbox-dir": "cd scripts; yarn get-sandbox-dir",
+    "i": "yarn",
+    "postinstall": "husky",
+    "knip": "cd code; yarn knip",
+    "lint": "cd code; yarn lint",
+    "nx": "nx",
+    "start": "yarn task --task dev --template react-vite/default-ts --start-from=install",
+    "storybook:vitest": "NODE_OPTIONS=--max_old_space_size=4096 vitest watch --project storybook-ui",
+    "storybook:vitest:inspect": "INSPECT=true NODE_OPTIONS=--max_old_space_size=4096 vitest run --project storybook-ui",
+    "svelte-ecosystem-ci:before-test": "./scripts/ecosystem-ci/before-test.sh svelte-kit/skeleton-ts",
+    "svelte-ecosystem-ci:build": "./scripts/ecosystem-ci/build.sh svelte-kit/skeleton-ts svelte",
+    "svelte-ecosystem-ci:test": "./scripts/ecosystem-ci/test.sh svelte-kit/skeleton-ts",
+    "task": "yarn --cwd=./scripts task",
+    "test": "NODE_OPTIONS=--max_old_space_size=4096 vitest run",
+    "test:watch": "NODE_OPTIONS=--max_old_space_size=4096 vitest watch",
+    "upload-bench": "cd scripts; yarn upload-bench",
+    "vite-ecosystem-ci:before-test": "./scripts/ecosystem-ci/before-test.sh react-vite/default-ts",
+    "vite-ecosystem-ci:build": "./scripts/ecosystem-ci/build.sh react-vite/default-ts",
+    "vite-ecosystem-ci:test": "./scripts/ecosystem-ci/test.sh react-vite/default-ts"
+  },
+  "resolutions": {
+    "@babel/runtime": "latest",
+    "@babel/traverse": "latest",
+    "@babel/types": "^7.28.4",
+    "@playwright/test": "1.58.2",
+    "@testing-library/user-event@npm:^14.4.0": "patch:@testing-library/user-event@npm%3A14.6.1#~/.yarn/patches/@testing-library-user-event-npm-14.6.1-5da7e1d4e2.patch",
+    "@testing-library/user-event@npm:^14.6.1": "patch:@testing-library/user-event@npm%3A14.6.1#~/.yarn/patches/@testing-library-user-event-npm-14.6.1-5da7e1d4e2.patch",
+    "@types/babel__traverse@npm:*": "patch:@types/babel__traverse@npm%3A7.20.6#~/.yarn/patches/@types-babel__traverse-npm-7.20.6-fac4243243.patch",
+    "@types/babel__traverse@npm:^7.18.0": "patch:@types/babel__traverse@npm%3A7.20.6#~/.yarn/patches/@types-babel__traverse-npm-7.20.6-fac4243243.patch",
+    "@types/node": "^22.19.1",
+    "@types/react": "^18.0.0",
+    "@vitest/expect@npm:3.2.4": "patch:@vitest/expect@npm%3A3.2.4#~/.yarn/patches/@vitest-expect-npm-3.2.4-97c526d5cc.patch",
+    "aria-query@5.3.0": "^5.3.0",
+    "esbuild": "^0.27.0",
+    "playwright": "1.58.2",
+    "playwright-core": "1.58.2",
+    "react": "^18.2.0",
+    "type-fest": "~2.19",
+    "typescript": "^5.9.3"
+  },
+  "devDependencies": {
+    "@nx/workspace": "^22.6.1",
+    "@playwright/test": "^1.58.2",
+    "@types/kill-port": "^2.0.3",
+    "http-server": "^14.1.1",
+    "husky": "^9.1.7",
+    "jiti": "^2.6.1",
+    "kill-port": "^2.0.1",
+    "lint-staged": "^16.4.0",
+    "nx": "^22.6.1",
+    "oxfmt": "^0.41.0",
+    "std-env": "^4.0.0",
+    "vite": "^7.0.4",
+    "vitest": "^4.1.5"
+  },
+  "packageManager": "yarn@4.10.3"
+}