Add LangChain.js lockfile example and verified case study #500

Open

Ayush7614 wants to merge 1 commit into OWASP:main from Ayush7614:ayush11

Conversation

@Ayush7614 (Contributor)

Summary

  • Adds lockfile-only snapshot examples/langchainjs/ from langchain-ai/langchainjs@1503c9b (package.json + pnpm-lock.yaml).
  • Documents verified baseline scan in website/docs/case-studies/langchainjs.md (2,174 packages, 13 findings, pnpm audit comparison).
  • Bundles LangChain.js logo at website/static/img/langchainjs-logo.svg.
  • Leads with lean-graph / actionable high-severity narrative per maintainer review on Add LangChain.js lockfile example and verified case study #489 (validated targets for axios, thrift, tmp; malicious OpenSearch signal).
  • Includes Remaining risk, full 13-row Baseline findings table, and Want your project reviewed?

Closes #489

Test plan

  • npm run build && node dist/index.js examples/langchainjs --verbose --all — 13 findings (0 critical · 3 high · 8 medium · 1 low · 1 malicious)
  • pnpm audit in examples/langchainjs — 18 entries documented in case study
  • cd website && npm run build — Docusaurus build succeeds
  • High-severity validated targets confirmed: axios→1.16.0, thrift→0.23.0, tmp→0.2.6 (0 auto command groups on lockfile-only snapshot — documented honestly)

Made with Cursor
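The test plan above runs the scanner against a lockfile-only snapshot (package.json plus pnpm-lock.yaml, no node_modules) and reports validated upgrade targets for axios, thrift and tmp. As an added example that is neither the scanner this PR documents nor LangChain.js code, the script below shows what such a lockfile-only pass has to work with: it walks a pnpm-lock.yaml, counts every resolved package in the graph, records the direct dependencies from the importers section, and flags any resolved copy whose version sits below a fix target, marking each finding direct or transitive. The three target versions are the ones the test plan names; the lockfile text, the `@example/scoped` package, the resolved versions and the integrity values are all constructed for this example, and "below target" is an illustrative heuristic, not the advisory ranges the real scanner applies.

```javascript
// Added example, not the scanner this PR documents: inventory a pnpm-lock.yaml
// with no node_modules present and flag resolved versions below a fix target.
// FIX_TARGETS are the versions named in the PR test plan; everything in
// SAMPLE_LOCK (package names, versions, integrity values) is constructed.

const FIX_TARGETS = { axios: "1.16.0", thrift: "0.23.0", tmp: "0.2.6" };

const SAMPLE_LOCK = `lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      '@example/scoped':
        specifier: ^1.0.0
        version: 1.0.0
      axios:
        specifier: ^1.6.0
        version: 1.6.0
      tmp:
        specifier: ^0.2.6
        version: 0.2.6

packages:

  '@example/scoped@1.0.0':
    resolution: {integrity: sha512-constructed}
  axios@1.6.0:
    resolution: {integrity: sha512-constructed}
  thrift@0.20.0:
    resolution: {integrity: sha512-constructed}
  tmp@0.0.33:
    resolution: {integrity: sha512-constructed}
  tmp@0.2.6:
    resolution: {integrity: sha512-constructed}
    engines: {node: '>=14.14'}
`;

// Return the mapping key on a line indented by exactly `indent` spaces, or
// null. pnpm quotes keys that start with "@" (scoped packages).
function keyAt(line, indent) {
  const m = new RegExp(`^ {${indent}}(['"]?)(\\S.*?)\\1:\\s*$`).exec(line);
  return m ? m[2] : null;
}

// Walk the lockfile line by line. A top-level key starts a section; under
// "importers" collect the resolved direct dependencies, under "packages"
// collect every name@version in the graph. Handles the v9 layout; v6 keys
// carry a leading "/" and may carry a peer suffix "(peer@x.y.z)", both
// stripped here. The older v5 "name/version" key form is not handled.
function parsePnpmLock(text) {
  const packages = [];
  const direct = new Set();
  let section = null;
  let currentDep = null;
  for (const line of text.split("\n")) {
    if (/^\S/.test(line)) { section = line.replace(/:\s*$/, ""); continue; }
    if (section === "importers") {
      const dep = keyAt(line, 6);
      if (dep) { currentDep = dep; continue; }
      const v = /^ {8}version: (\S+)\s*$/.exec(line);
      if (v && currentDep) direct.add(`${currentDep}@${v[1].replace(/\(.*$/, "")}`);
    } else if (section === "packages") {
      const key = keyAt(line, 2);
      if (!key) continue;
      const bare = key.replace(/^\//, "").replace(/\(.*$/, "");
      const at = bare.lastIndexOf("@");
      if (at <= 0) continue; // "@" at index 0 is a scope, not the separator
      packages.push({ name: bare.slice(0, at), version: bare.slice(at + 1) });
    }
  }
  return { packages, direct };
}

// Numeric major.minor.patch comparison; a prerelease tag is ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package count, direct-dependency count, and every resolved copy below its
// fix target, marked direct or transitive. Note that a direct dependency
// already at target does not clear an older copy pulled in transitively.
function summarize(lockText, targets) {
  const { packages, direct } = parsePnpmLock(lockText);
  const findings = packages
    .filter((p) => targets[p.name] && cmpVersion(p.version, targets[p.name]) < 0)
    .map((p) => ({ ...p, target: targets[p.name], direct: direct.has(`${p.name}@${p.version}`) }));
  return { packages: packages.length, direct: direct.size, findings };
}

console.log(JSON.stringify(summarize(SAMPLE_LOCK, FIX_TARGETS), null, 2));
```

On the constructed lockfile this reports 5 resolved packages, 3 direct dependencies and 3 findings: axios 1.6.0 (direct), thrift 0.20.0 (transitive) and the transitive tmp 0.0.33 copy, while the direct tmp 0.2.6 already meets its target. That last pair is the reason a lockfile-only scan counts resolved copies rather than package names; a `pnpm audit` run over the same file would be the natural cross-check, as the test plan does.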

Snapshot langchain-ai/langchainjs pnpm lockfile (2,174 packages,
13 findings) with lean-graph narrative, high-severity validated
targets, pnpm audit comparison, and local logo.
@sonukapoor (Collaborator) left a comment

The lean-graph story is worth documenting, and the malicious-package advisory on @opensearch-project/opensearch is a genuinely newsworthy signal. The 0-direct framing is handled well in the Summary.

One fix in CHANGELOG.md: the second bullet reads:

Examples readme, docs sidebar, and README updated to reference the LangChain.js and VS Code fixtures and case studies.

VS Code shipped in v1.18.1 — it shouldn't appear in [Unreleased]. Please either remove that second bullet entirely (README/sidebar updates don't need a separate changelog line), or trim it to reference LangChain.js only.
