4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to CVE Lite CLI will be documented in this file.

## [Unreleased]

### Docs
- Visual Studio Code case study added with verified baseline scan of a root npm lockfile snapshot (`examples/vscode/`, 1,374 packages, 9 findings at revision `bc678ca`), including CVE Lite CLI vs `npm audit` comparison.
- Examples readme, docs sidebar, and README updated to reference the VS Code fixture and case study.

## [1.18.1] - 2026-05-27

### Added
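Review bot: the new Docs entry records "9 findings at revision `bc678ca`" without the scan date or the CVE Lite CLI version that produced that count; because advisory data changes over time, the same lockfile will yield a different number later, so consider adding "scanned YYYY-MM-DD with vX.Y.Z" (using the real values from the case study) so the figure is reproducible. The short hash matches the full revision given in examples/readme.md, and the `examples/vscode/` path matches the new fixture folder, so those cross-references are consistent.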
3 changes: 2 additions & 1 deletion README.md
@@ -212,8 +212,9 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
- [Ghost](https://owasp.org/cve-lite-cli/docs/case-studies/ghost) — 26 vulnerable packages across 4,447 resolved in a professionally maintained CMS — every one transitive, including a critical XSS in the library responsible for making user content safe
- [Astro](https://owasp.org/cve-lite-cli/docs/case-studies/astro) — verified baseline scan of a modern pnpm monorepo (2,228 packages, 34 findings at revision `221bb4b`) with a critical transitive SDK chain and four generated fix command groups
- [Turborepo](https://owasp.org/cve-lite-cli/docs/case-studies/turborepo) — verified baseline scan of a build-system pnpm monorepo (1,776 packages, 13 findings at revision `c85d410`) with a critical no-fix sandbox beta, all-transitive risk, and zero auto-generated fix commands on this snapshot
- [Visual Studio Code](https://owasp.org/cve-lite-cli/docs/case-studies/vscode) — verified baseline scan of the VS Code root npm lockfile (1,374 packages, 9 findings at revision `bc678ca`) with two direct Anthropic SDK advisories, a high-severity gulp toolchain chain, and two generated fix command groups

In-repo lockfile fixtures for Astro and Turborepo live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
In-repo lockfile fixtures for Astro, Turborepo, and Visual Studio Code live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.

These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.

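Review bot: the new Visual Studio Code bullet links to the absolute `https://owasp.org/cve-lite-cli/docs/case-studies/vscode` page while examples/readme.md in this same change links to the relative `../website/docs/case-studies/vscode.md`; both should resolve before merge, and the published URL will 404 until the site is rebuilt from this branch. The bullet also stops at "two generated fix command groups", whereas the paragraph below promises scans "recorded before and after applying fix commands"; if the case study includes the post-fix rescan, say so here as the Ghost and Astro bullets do for their outcomes, otherwise the claim two lines down is not backed for this entry.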
11 changes: 11 additions & 0 deletions examples/readme.md
@@ -41,6 +41,14 @@ Lockfile-only snapshot from [vercel/turborepo](https://github.com/vercel/turbore
|---|---|---|---|
| `turborepo` | pnpm | https://github.com/vercel/turborepo | Monorepo build-system toolchain — 1,776 packages, 13 findings. |

## In-repo snapshot: Visual Studio Code

Lockfile-only snapshot from [microsoft/vscode](https://github.com/microsoft/vscode) at revision `bc678cad02f18de3e2b6bf72a8259e9fb322cdfc`. Commits root `package.json` and `package-lock.json` only — no application source. Scan scope is the root lockfile, not nested folders under `build/` or `extensions/`. [Case study](../website/docs/case-studies/vscode.md).

| Folder | Package Manager | Source | Purpose |
|---|---|---|---|
| `vscode` | npm | https://github.com/microsoft/vscode | Developer-tool root lockfile — 1,374 packages, 9 findings (2 direct). |

## Local-only examples

Full project clones used for real-world testing. Not committed to this repo — clone each separately into `examples/` for local use.
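Review bot: the scope sentence "Scan scope is the root lockfile, not nested folders under `build/` or `extensions/`" is the important caveat in this section, since those folders carry their own lockfiles in the upstream repository; the table's Purpose column ("Developer-tool root lockfile — 1,374 packages, 9 findings (2 direct)") should repeat it more plainly, for example "root lockfile only; `build/` and `extensions/` not scanned", so a reader skimming the table does not take 1,374 packages as VS Code's full dependency surface. Minor consistency point: this row reports direct findings ("2 direct") while the Turborepo row above gives only the total, so either add the direct count to the earlier rows or drop it here.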
@@ -81,6 +89,9 @@ node dist/index.js examples/astro --verbose --all
# In-repo snapshot: Turborepo
node dist/index.js examples/turborepo --verbose --all

# In-repo snapshot: Visual Studio Code
node dist/index.js examples/vscode --verbose --all

# Local-only (clone first)
node dist/index.js examples/analog --verbose
node dist/index.js examples/nest --verbose
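Review bot: the new `node dist/index.js examples/vscode --verbose --all` line mirrors the Astro and Turborepo entries, including `--all`, and the folder name matches the `vscode` row in the table above, so the invocation is consistent. Since the section above states the fixture is root-lockfile-only, a trailing comment such as `# root lockfile only; build/ and extensions/ are out of scope` next to this command would keep the finding count in the output from being read as a whole-repository result.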