
Add Mitosis lockfile example and verified case study#659

Open: Ayush7614 wants to merge 3 commits into OWASP:main from Ayush7614:ayushmitosis

Conversation

@Ayush7614 (Contributor) commented Jun 14, 2026

Document BuilderIO/mitosis at a2434f9 (2,476 packages, 145 findings) with Yarn Berry + Nx monorepo lockfile coverage, yarn npm audit --all comparison, and unknown-relationship caveats.

Fixes #640

Summary

  • Adds lockfile-only snapshot examples/mitosis/ from BuilderIO/mitosis@a2434f9 (root package.json + yarn.lock)
  • Documents verified baseline scan in website/docs/case-studies/mitosis.md: cross-framework UI compiler / codegen monorepo coverage on a Yarn Berry + Nx workspace (2,476 packages, 145 findings)
  • 18 critical · 70 high · 47 medium · 10 low — large e2e sandbox graph with 109 unknown relationship rows on lockfile-only snapshot (Yarn Berry MVP path limits)
  • Side-by-side comparison with yarn npm audit --all on the same lockfile (3 vulnerability entries vs 145 deduplicated packages)
  • Bundles Mitosis logo at website/static/img/mitosis-logo.png

Case-study-only PR — no shared-file edits (index.md, sidebars.ts, README.md, examples/readme.md, CHANGELOG.md, root lockfile) per CONTRIBUTING guidance.

Why this change

Mitosis (~13.8k GitHub stars) is Builder.io's cross-framework UI compiler — write components once, compile to React, Vue, Angular, Svelte, Solid, Qwik, Alpine, and more. A committed Yarn Berry lockfile snapshot extends CVE Lite coverage into compiler / codegen monorepos with multi-framework e2e sandboxes — distinct from Storybook (UI tooling), Svelte (pnpm compiler graph), and single-framework snapshots — and documents how CVE Lite behaves on a large yarn.lock vs default yarn npm audit --all scope.

What changed

  • examples/mitosis/package.json + examples/mitosis/yarn.lock pinned to upstream revision a2434f9
  • website/docs/case-studies/mitosis.md with verified scan results, yarn npm audit --all comparison, Yarn Berry unknown-relationship caveats, and 145-row baseline findings table
  • website/static/img/mitosis-logo.png (bundled locally from packages/fiddle/public/mitosis-logo-white.png)

Verified scan output

Parsed 2476 packages from yarn-lock (yarn.lock)
Found 145 packages (256 CVEs) with known OSV matches
Critical: 18 | High: 70 | Medium: 47 | Low: 10
Direct: 6 | Transitive: 30 | Unknown: 109
5 command groups — 27 of 145 findings with copy-and-run commands

Notable findings:

  • Critical sandbox/tooling cluster: @builder.io/qwik, @builder.io/qwik-city, next@13.5.5, handlebars, ejs, form-data, vitest@0.34.6 — mostly e2e / framework compile-test paths
  • Six direct esbuild versions (0.12.29 through 0.23.0) — CVE Lite generates yarn add esbuild@0.28.1 across all direct rows
  • Critical direct-adjacent: shell-quote@1.7.3 — within-range lockfile refresh via yarn upgrade shell-quote
  • Nx orchestration path: yarn add nx@19.6.1 for critical form-data@4.0.0 via project → nx → axios chain
  • High within-range refresh cluster: axios, braces, cross-spawn, flatted, glob, minimatch, picomatch, tmp

yarn npm audit --all (Yarn 4.1.1, same lockfile): 3 vulnerability entries (1 high · 2 moderate) on root workspace direct deps — two esbuild@0.19.10 advisories plus eslint@7.32.0 deprecation. Case study explains full-lockfile parse vs Yarn Berry default audit scope (parallel to Storybook case study).

Validation

  • npm run build
  • node dist/index.js examples/mitosis --verbose --all --json — 145 findings, 5 command groups, 2,476 packages parsed
  • yarn npm audit --all run from examples/mitosis/ — 3 entries documented in case study
  • Case study numbers match live scan JSON (cve-lite-scan-2026-06-14T22-34-27.json)
  • Full 145-row baseline findings table included
  • Docusaurus site builds (CI)

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

Issue #640 preliminary scan (v1.22.0, 2026-06-12) numbers match the verified live scan on 2026-06-14: 145 findings, 6/30/109 relationship split, 5 fix groups, 27/145 first-pass coverage. Baseline only — no fake "after" remediation results.

cc: @sonukapoor
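The "Direct / Transitive / Unknown" split above comes from scanning a lockfile-only snapshot: the root package.json is present, but the workspace manifests that pull in the e2e sandbox packages are not. The following is an added example, not CVE Lite's own code and not a description of its algorithm, showing one plausible way such a split arises. It parses a constructed Yarn Berry lockfile with a minimal hand-written reader (the grammar subset, the sample entries and the classification rule are all assumptions made for this illustration), marks root-declared packages as direct, walks lockfile edges from them to find transitive packages, and reports everything else that is reachable only through a workspace whose manifest is absent from the snapshot as unknown.

```javascript
// Added example (not CVE Lite's code): classify yarn.lock entries as
// direct / transitive / unknown relative to a root package.json on a
// lockfile-only snapshot. The lockfile subset handled is the one shown in
// SAMPLE_YARN_LOCK; the classification rule is an assumption for illustration.

// Constructed root manifest (stands in for a root package.json).
const SAMPLE_PACKAGE_JSON = {
  name: 'mitosis-root',
  dependencies: { axios: '^1.6.0' },
  devDependencies: { esbuild: '^0.19.10' },
};

// Constructed Yarn Berry lockfile. The e2e/qwik workspace's package.json is
// NOT in the snapshot, so its dependencies cannot be tied to the root.
const SAMPLE_YARN_LOCK = `
__metadata:
  version: 8

"@builder.io/qwik@npm:^1.5.0":
  version: 1.5.0
  resolution: "@builder.io/qwik@npm:1.5.0"
  linkType: hard

"axios@npm:^1.6.0":
  version: 1.6.0
  resolution: "axios@npm:1.6.0"
  dependencies:
    form-data: "npm:^4.0.0"
  linkType: hard

"e2e-qwik@workspace:e2e/qwik":
  version: 0.0.0-use.local
  resolution: "e2e-qwik@workspace:e2e/qwik"
  dependencies:
    "@builder.io/qwik": "npm:^1.5.0"
    axios: "npm:^1.6.0"
  linkType: soft

"esbuild@npm:^0.19.10":
  version: 0.19.10
  resolution: "esbuild@npm:0.19.10"
  linkType: hard

"form-data@npm:^4.0.0":
  version: 4.0.0
  resolution: "form-data@npm:4.0.0"
  linkType: hard

"mitosis-root@workspace:.":
  version: 0.0.0-use.local
  resolution: "mitosis-root@workspace:."
  dependencies:
    axios: "npm:^1.6.0"
    esbuild: "npm:^0.19.10"
  linkType: soft
`;

// Parse into Map<descriptor, entry>. Multi-descriptor keys
// ("a@npm:^1.0.0, a@npm:^1.2.0") all point at the same entry object.
function parseYarnBerryLock(text) {
  const entries = new Map();
  let cur = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      const key = raw.replace(/:\s*$/, '');
      if (key === '__metadata') { cur = null; continue; }
      cur = { name: null, version: null, deps: new Map(), descriptors: [] };
      for (const d of key.split(', ').map((s) => s.replace(/^"|"$/g, ''))) {
        cur.descriptors.push(d);
        entries.set(d, cur);
      }
      inDeps = false;
      continue;
    }
    if (!cur) continue;
    const m = /^(\s+)("?)([^":]+)\2:\s*(.*)$/.exec(raw);
    if (!m) continue;
    const [, indent, , k, v] = m;
    const val = v.replace(/^"|"$/g, '');
    if (indent.length === 2) {
      inDeps = k === 'dependencies';
      if (k === 'version') cur.version = val;
      // "axios@npm:1.6.0" / "@scope/pkg@workspace:path" -> bare package name
      if (k === 'resolution') cur.name = val.replace(/@(npm|workspace):.*$/, '');
    } else if (indent.length === 4 && inDeps) {
      cur.deps.set(k, val); // e.g. form-data -> npm:^4.0.0
    }
  }
  return entries;
}

// Root-declared packages are direct; anything reachable from them through
// lockfile edges is transitive; remaining npm entries are only reachable via
// workspaces whose manifests are missing from the snapshot, hence unknown.
function classifyRelationships(entries, rootManifest) {
  const declared = { ...(rootManifest.dependencies || {}), ...(rootManifest.devDependencies || {}) };
  const relationship = new Map(); // "name@version" -> direct | transitive | unknown
  const queue = [];
  for (const [name, range] of Object.entries(declared)) {
    const e = entries.get(`${name}@npm:${range}`); // Berry descriptor form (assumed)
    if (!e) continue;
    relationship.set(`${e.name}@${e.version}`, 'direct');
    queue.push(e);
  }
  while (queue.length) {
    const e = queue.shift();
    for (const [depName, depRange] of e.deps) {
      const d = entries.get(`${depName}@${depRange}`);
      if (!d) continue;
      const id = `${d.name}@${d.version}`;
      if (!relationship.has(id)) { relationship.set(id, 'transitive'); queue.push(d); }
    }
  }
  for (const e of new Set(entries.values())) {
    if (e.descriptors.some((d) => d.includes('@workspace:'))) continue;
    const id = `${e.name}@${e.version}`;
    if (!relationship.has(id)) relationship.set(id, 'unknown');
  }
  return relationship;
}

function summarize(relationship) {
  const counts = { direct: 0, transitive: 0, unknown: 0 };
  for (const r of relationship.values()) counts[r] += 1;
  return counts;
}

// Usage: node classify.js
const rel = classifyRelationships(parseYarnBerryLock(SAMPLE_YARN_LOCK), SAMPLE_PACKAGE_JSON);
console.log(summarize(rel), Object.fromEntries(rel));
```

With the constructed input, axios and esbuild are direct, form-data is transitive via axios, and @builder.io/qwik is unknown because the only dependent that references it is the e2e/qwik workspace entry, whose own package.json is not part of the snapshot. Adding the workspace manifests to the fixture is what would turn those unknown rows into resolved ones.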

@sonukapoor (Collaborator) left a comment


The honest handling of the 109 unknown rows is good - the study doesn't hide the Yarn Berry path-resolution limitation.

Structural fixes needed:

## Lockfile scope and ## Scan verification are not standard sections - please fold ## Lockfile scope into the Summary and move scan verification details into ## Scan command.

The ## Comparison Note heading needs to match the template: ## Comparison Note: CVE Lite CLI vs npm/pnpm audit. The body can explain this project uses yarn npm audit - the heading is a structural marker.

## Remaining risk needs a suffix - use something like ## Remaining risk after baseline scan.

## Want your project reviewed? is missing - please add it as the final section.

Branch is behind main - please rebase with git fetch origin && git rebase origin/main && git push --force-with-lease.

Ayush7614 added a commit to Ayush7614/cve-lite-cli that referenced this pull request Jun 19, 2026
- Fold lockfile scope into Summary
- Move scan verification table into Scan command
- Rename comparison heading to CVE Lite CLI vs npm/pnpm audit
- Rename Remaining risk to Remaining risk after baseline scan
- Add Want your project reviewed? closing section (OWASP issues link)

Co-authored-by: Cursor <cursoragent@cursor.com>
@Ayush7614 (Contributor, Author) commented

Thanks @sonukapoor — all structural fixes addressed and rebased onto latest main (ahead 2 / behind 0):

  1. Lockfile scope — folded into ## Summary (fixture pins root package.json + yarn.lock only).
  2. Scan verification — moved into ## Scan command (verification table + reproduce steps live there now).
  3. Comparison heading — renamed to ## Comparison Note: CVE Lite CLI vs npm/pnpm audit (body still explains yarn npm audit --all on this Yarn Berry lockfile).
  4. Remaining risk — renamed to ## Remaining risk after baseline scan.
  5. Closing section — added ## Want your project reviewed? pointing to https://github.com/OWASP/cve-lite-cli/issues.

Ready for another look.


@sonukapoor (Collaborator) left a comment


All the structural feedback from the previous pass is addressed - sections are in the right order, the Comparison Note heading matches the template, Remaining risk has the 'after baseline scan' suffix, and 'Want your project reviewed?' is in as the final section. The full 145-row baseline table is complete and the Yarn Berry unknown-relationship caveats are handled honestly. Two things to fix before this merges.

Comment thread on website/docs/case-studies/mitosis.md (outdated)

## Before vs After

No remediation pass was performed for this study.

@sonukapoor (Collaborator):

The study generated 5 command groups but none were applied and the table only has the baseline row. Our case study format requires running each group one at a time, rescanning after each, and recording the results as new rows - that comparison is what readers come for. Please apply each command group in a test clone of the Mitosis repo, rescan after each, and add the after-pass rows. The NestJS case study is the reference format. If you hit a real blocker (the repo won't install cleanly from the lockfile fixture), let me know.

| form-data | 4.0.0 | critical | transitive · dev | 4.0.4 | CVE-2025-7783, GHSA-fjxv-7rqg-78g4 |
| handlebars | 4.7.7 | critical | unknown | 4.7.9 ⊘ | CVE-2026-33916, CVE-2026-33937, CVE-2026-33938, CVE-2026-33939 |
| loader-utils | 2.0.2 | critical | unknown | 2.0.4 ⊘ | CVE-2022-37603, CVE-2022-37601, CVE-2022-37599, GHSA-3rfm-jhwj-7488 |
| next | 13.5.5 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |

@sonukapoor (Collaborator):

The fix hint for next@13.5.5 is 12.3.5 - that's a downgrade from 13 to 12. That's what the scanner returned from OSV data, but without context it reads like a recommended downgrade. Worth adding a short note: the 12.3.5 hint reflects the OSV advisory's recorded safe version, not a recommended downgrade - Next.js maintains separate security fix tracks per major, so maintainers should check the advisory directly.
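The downgrade-looking hint comes from reading an advisory's lowest "fixed" event instead of the fix for the range the installed version actually sits in. The following is an added example, not CVE Lite's code and not a reconstruction of how it computes hints, and the advisory object in it is constructed: the identifier is a placeholder and the version numbers are illustrative, not taken from any real Next.js advisory. It folds an OSV SEMVER event list into [introduced, fixed) windows, finds the window containing the installed version, and reports that window's fix (or the absence of one) alongside the naive lowest-fixed shortcut for comparison.

```javascript
// Added example (not CVE Lite's code): pick an OSV fix hint from the affected
// range that contains the installed version, not the lowest "fixed" event in
// the advisory. SAMPLE_ADVISORY is constructed; its id and versions are
// placeholders, not data from any real advisory.

const SAMPLE_ADVISORY = {
  id: 'EXAMPLE-ADVISORY', // hypothetical identifier
  affected: [{
    package: { ecosystem: 'npm', name: 'next' },
    ranges: [{
      type: 'SEMVER',
      events: [
        { introduced: '0' }, { fixed: '12.3.5' },       // 12.x fix track
        { introduced: '13.0.0' }, { fixed: '13.5.7' },  // 13.x fix track
        { introduced: '14.0.0' },                       // no fix published yet
      ],
    }],
  }],
};

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// -1 / 0 / 1; a prerelease sorts before its release (13.0.0-canary.1 < 13.0.0).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Fold the flat OSV event list into windows: [introduced, fixed),
// [introduced, last_affected], or open-ended when neither follows.
function eventWindows(events) {
  const windows = [];
  for (const ev of events) {
    if ('introduced' in ev) windows.push({ introduced: ev.introduced, fixed: null, lastAffected: null });
    else if (!windows.length) continue;
    else if ('fixed' in ev) windows[windows.length - 1].fixed = ev.fixed;
    else if ('last_affected' in ev) windows[windows.length - 1].lastAffected = ev.last_affected;
  }
  return windows;
}

function inWindow(installed, w) {
  // OSV uses introduced "0" to mean "from the first version".
  const afterIntro = w.introduced === '0' || compareSemver(installed, w.introduced) >= 0;
  if (!afterIntro) return false;
  if (w.fixed !== null) return compareSemver(installed, w.fixed) < 0;
  if (w.lastAffected !== null) return compareSemver(installed, w.lastAffected) <= 0;
  return true;
}

// Fix version for the track the installed version is on; fixed: null when
// that track has no fix yet; affected: false when no window contains it.
function fixHintFor(advisory, pkgName, installed) {
  for (const aff of advisory.affected) {
    if (aff.package.name !== pkgName) continue;
    for (const range of aff.ranges) {
      if (range.type !== 'SEMVER') continue;
      const w = eventWindows(range.events).find((win) => inWindow(installed, win));
      if (w) return { affected: true, fixed: w.fixed, track: w.introduced };
    }
  }
  return { affected: false, fixed: null, track: null };
}

// The shortcut that yields a "downgrade" hint: lowest fixed version anywhere.
function lowestFixedAnywhere(advisory, pkgName) {
  const fixed = advisory.affected
    .filter((aff) => aff.package.name === pkgName)
    .flatMap((aff) => aff.ranges.flatMap((r) => r.events))
    .filter((ev) => 'fixed' in ev)
    .map((ev) => ev.fixed)
    .sort(compareSemver);
  return fixed[0] || null;
}

// Usage: node fixhint.js
console.log('lowest fixed anywhere:', lowestFixedAnywhere(SAMPLE_ADVISORY, 'next'));
console.log('track-aware hint for 13.5.5:', fixHintFor(SAMPLE_ADVISORY, 'next', '13.5.5'));
console.log('track-aware hint for 14.1.0:', fixHintFor(SAMPLE_ADVISORY, 'next', '14.1.0'));
```

The track-aware lookup is what a case-study reader needs to act on: for an installed 13.x it names the 13.x fix, and for a version on a track with no fixed event it says so explicitly rather than pointing at an older major. Either way, the advisory itself remains the authority, as the comment above notes.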

Ayush7614 and others added 3 commits June 20, 2026 13:42
…#659)

- Apply five root-level command groups on Mitosis@a2434f9 test checkout,
  rescan through examples/mitosis lockfile fixture after each pass
- Fill Before vs After table with per-pass finding counts (153 → 124)
- Rewrite Fix Journey with pass-by-pass results (Analog/NestJS format)
- Add Next.js 12.3.5 OSV hint note (not a recommended downgrade)
- Update Remaining risk to reflect post-remediation state
@Ayush7614 (Contributor, Author) commented

Thanks @sonukapoor — both review items addressed:

Before vs After remediation comparison — applied the scanner's five root-level command groups cumulatively on a test checkout of Mitosis@a2434f9 (Yarn 4.1.1), rescanned through the committed examples/mitosis lockfile fixture after each pass (CVE Lite v1.22.0 · 2026-06-20). Findings dropped 153 → 124; high 68 → 55; medium 53 → 40. Fix Journey now documents each pass with measured deltas (Analog/NestJS format).

Next.js downgrade note — added a blockquote under the next@13.5.5 row explaining that 12.3.5 ⊘ is the OSV advisory's recorded safe version on a different major track, not a recommended downgrade.

Rebased onto latest main. Ready for another look.
