Add LangChain.js lockfile example and verified case study

CHANGELOG.md

@@ -5,8 +5,9 @@ All notable changes to CVE Lite CLI will be documented in this file.
 ## [Unreleased]
 
 ### Docs
+- LangChain.js case study added with verified baseline scan of a pnpm lockfile snapshot (`examples/langchainjs/`, 2,174 packages, 13 findings at revision `1503c9b`), including CVE Lite CLI vs `pnpm audit` comparison and lean-graph triage narrative.
 - Visual Studio Code case study added with verified baseline scan of a root npm lockfile snapshot (`examples/vscode/`, 1,374 packages, 9 findings at revision `bc678ca`), including CVE Lite CLI vs `npm audit` comparison.
-- Examples readme, docs sidebar, and README updated to reference the VS Code fixture and case study.
+- Examples readme, docs sidebar, and README updated to reference the LangChain.js and VS Code fixtures and case studies.
 
 ## [1.18.1] - 2026-05-27
 

README.md

@@ -213,8 +213,9 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
 - [Astro](https://owasp.org/cve-lite-cli/docs/case-studies/astro) — verified baseline scan of a modern pnpm monorepo (2,228 packages, 34 findings at revision `221bb4b`) with a critical transitive SDK chain and four generated fix command groups
 - [Turborepo](https://owasp.org/cve-lite-cli/docs/case-studies/turborepo) — verified baseline scan of a build-system pnpm monorepo (1,776 packages, 13 findings at revision `c85d410`) with a critical no-fix sandbox beta, all-transitive risk, and zero auto-generated fix commands on this snapshot
 - [Visual Studio Code](https://owasp.org/cve-lite-cli/docs/case-studies/vscode) — verified baseline scan of the VS Code root npm lockfile (1,374 packages, 9 findings at revision `bc678ca`) with two direct Anthropic SDK advisories, a high-severity gulp toolchain chain, and two generated fix command groups
+- [LangChain.js](https://owasp.org/cve-lite-cli/docs/case-studies/langchainjs) — verified baseline scan of a pnpm LLM-framework monorepo (2,174 packages, 13 findings at revision `1503c9b`) with a lean-graph profile, three high-severity findings with validated fix targets, and a malicious-package advisory on OpenSearch integration paths
 
-In-repo lockfile fixtures for Astro, Turborepo, and Visual Studio Code live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
+In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, and LangChain.js live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
 
 These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
 

examples/langchainjs/package.json

@@ -0,0 +1,100 @@
+{
+  "name": "langchainjs",
+  "author": "LangChain",
+  "license": "MIT",
+  "private": true,
+  "homepage": "https://github.com/langchain-ai/langchainjs/tree/main/",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/langchain-ai/langchainjs.git"
+  },
+  "packageManager": "pnpm@10.14.0",
+  "scripts": {
+    "build": "turbo build:compile",
+    "watch": "turbo watch build:compile",
+    "clean": "turbo clean",
+    "dev": "pnpm --filter @langchain/build watch",
+    "format": "oxfmt .",
+    "format:check": "oxfmt --check .",
+    "lint": "oxlint .",
+    "lint:fix": "oxlint . --fix",
+    "precommit": "turbo precommit",
+    "prerelease": "BUILD_MODE=prerelease pnpm build",
+    "release": "changeset publish",
+    "test": "pnpm test:unit && pnpm test:exports:docker",
+    "test:bench": "turbo test:bench",
+    "test:unit": "turbo test --filter=\"!test-exports-*\" --filter=!examples --filter=!create-langchain-integration",
+    "test:unit:ci": "turbo test",
+    "test:ranges:docker": "docker compose -f dependency_range_tests/docker-compose.yml up --force-recreate",
+    "test:exports:docker": "docker compose -f environment_tests/docker-compose.yml up --force-recreate",
+    "test:standard:unit": "turbo test:standard:unit",
+    "test:standard:int": "turbo test:standard:int",
+    "test:standard": "pnpm test:standard:unit && pnpm test:standard:int",
+    "changeset": "changeset",
+    "changeset:version": "changeset version"
+  },
+  "devDependencies": {
+    "@changesets/changelog-github": "^0.6.0",
+    "@changesets/cli": "^2.30.0",
+    "@langchain/build": "workspace:*",
+    "@langchain/tsconfig": "workspace:*",
+    "@tsconfig/recommended": "^1.0.2",
+    "@types/jest": "^30.0.0",
+    "@types/semver": "^7",
+    "commander": "^14.0.3",
+    "dotenv": "^17.4.0",
+    "lint-staged": "^16.4.0",
+    "oxfmt": "^0.43.0",
+    "oxlint": "^1.58.0",
+    "semver": "^7.7.4",
+    "tsdown": "^0.21.7",
+    "tsx": "^4.21.0",
+    "turbo": "^2.9.14",
+    "typescript": "^5.9.3"
+  },
+  "pnpm": {
+    "overrides": {
+      "@langchain/core": "workspace:^",
+      "langchain": "workspace:^",
+      "protobufjs": "^7.5.5",
+      "form-data": "^4.0.4",
+      "tar": ">=7.5.11",
+      "node-forge": ">=1.4.0",
+      "minimatch": ">=3.1.3",
+      "underscore": ">=1.13.8",
+      "esbuild": ">=0.25.0",
+      "undici": ">=7.24.0",
+      "qs": ">=6.14.2",
+      "ajv@8": ">=8.18.0",
+      "yauzl": ">=3.2.1",
+      "fast-xml-parser": ">=5.5.7",
+      "@grpc/grpc-js": ">=1.8.22",
+      "flatted": ">=3.4.2",
+      "simple-git": ">=3.32.3",
+      "hono": ">=4.12.7",
+      "@hono/node-server": ">=1.19.10",
+      "express-rate-limit": ">=8.2.2",
+      "basic-ftp": ">=5.3.0",
+      "vite": "^7.3.2",
+      "defu": "^6.1.5",
+      "axios": ">=0.30.3",
+      "@tootallnate/once": ">=3.0.1",
+      "convict": ">=6.2.5",
+      "lodash": ">=4.18.0",
+      "path-to-regexp": ">=8.4.0",
+      "brace-expansion": ">=5.0.6",
+      "micromatch>picomatch": "2.3.2",
+      "anymatch>picomatch": "2.3.2",
+      "readdirp>picomatch": "2.3.2",
+      "express>path-to-regexp": "0.1.13",
+      "router>path-to-regexp": ">=8.4.0",
+      "picomatch@2": ">=2.3.2",
+      "picomatch@4": ">=4.0.4"
+    }
+  },
+  "lint-staged": {
+    "**/*.{ts,tsx}": [
+      "oxfmt --write"
+    ]
+  }
+}