
Add tRPC lockfile example and verified case study #663

@Ayush7614


Summary

Add a real-world trpc lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

trpc/trpc is a high-visibility project (~38k GitHub stars) — End-to-end typesafe APIs for TypeScript — pnpm monorepo with core packages plus many framework examples (Next.js, Fastify, Nuxt, Cloudflare Workers). A committed lockfile snapshot and documented case study would:

  • Add typesafe API framework + multi-example monorepo coverage — distinct from single-app snapshots
  • All 16 direct findings have runnable fix commands (vitest, esbuild, next, fastify, wrangler, vite across workspace filters)
  • Show how CVE Lite handles example-app proliferation in upstream OSS monorepos

Preliminary scan (CVE Lite CLI v1.22.0, lockfile-only, 2026-06-14)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | 3e0e9793eb7f8c4cfbe70a1dccb72f8d355e3c8b |
| Lockfile | pnpm-lock.yaml (packages/, examples/, www) |
| Resolved packages | 3,845 |
| Vulnerable packages | 132 |
| Severity | 7 critical · 60 high · 56 medium · 9 low |
| Direct vs transitive vs unknown | 16 direct / 116 transitive / 0 unknown |
| Fix command groups (preliminary) | 9 groups covering 117 packages |
| First-pass coverage (preliminary) | 117 of 132 findings |
| Direct findings with runnable fix | 16 |

Notable direct findings (preliminary):

  • critical direct: vitest@4.0.18 — CVE-2026-47429 → pnpm add --filter ./examples/next-prisma-starter --filter ./packages/tanstack-react-query vitest@4.1.0
  • high direct: devalue@5.6.4 — CVE-2026-42570 → pnpm -C examples/nuxt update --no-save devalue
  • high direct: esbuild@0.17.10 — advisory → pnpm add --filter ./examples/express-minimal --filter ./examples/express-server --filter ./examples/fastify-server --filter ./examples/lambda-api-gateway --filter ./examples/lambda-url --filter ./examples/openapi-codegen --filter ./examples/standalone-server --filter ./examples/vercel-edge-runtime esbuild@0.28.1
  • high direct: fastify@5.8.3 — CVE-2026-33806 → pnpm add --filter ./examples/fastify-server --filter ./packages/server --filter ./packages/tests --filter ./www fastify@5.8.5
  • high direct: next@15.5.14 — CVE-2026-44575, CVE-2026-45109, CVE-2026-44573, CVE-2026-44572, CVE-2026-44574, CVE-2026-44578, CVE-2026-44581, CVE-2026-44580, CVE-2026-44577, CVE-2026-44579, CVE-2026-44582, CVE-2026-44576 → pnpm add --filter ./examples/.experimental/next-app-dir --filter ./examples/.test/diagnostics-big-router --filter ./examples/.test/internal-types-export --filter ./examples/.test/ssg --filter ./examples/.test/ssg-infinite-serialization --filter ./examples/next-big-router --filter ./examples/next-edge-runtime --filter ./examples/next-formdata --filter ./examples/next-minimal-starter --filter ./examples/next-prisma-starter --filter ./examples/next-prisma-todomvc --filter ./examples/next-prisma-websockets-starter --filter ./examples/next-sse-chat --filter ./examples/next-websockets-encoder --filter ./packages/next --filter ./packages/react-query --filter ./packages/server --filter ./www --filter ./www/og-image next@15.5.18
  • high direct: vite@6.4.1 — CVE-2026-39365, CVE-2026-39363 → pnpm add --filter ./examples/minimal-content-types/client --filter ./examples/minimal-react/client --filter ./examples/next-prisma-starter vite@6.4.2

Native audit comparison: pnpm audit default scope vs CVE Lite full lockfile parse across examples/* sandboxes — to be captured in the case study alongside CVE Lite output.

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/trpc/ with root package.json and pnpm-lock.yaml pinned to a specific upstream commit
  • Add website/docs/case-studies/trpc.md with verified scan results (CVE Lite CLI version, native audit comparison, reproducible commands)
  • Bundle project logo under website/static/img/
  • Wire the case study into docs sidebar, examples/readme.md, README.md, CHANGELOG, and website/docs/case-studies/index.md

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • Baseline only — no fake "after" remediation results

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study documents direct vs transitive vs unknown relationship caveats where applicable
  • Comparison note explains CVE Lite vs native audit default scope
  • Baseline findings table matches live scan JSON output
  • Logo bundled locally under website/static/img/

Opened by @Ayush7614 after preliminary lockfile-only scan. Happy to implement the case study PR once maintainers confirm scope.
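The scan table above reports findings as direct / transitive / unknown and folds the direct ones into multi-`--filter` fix commands. The script below is an added example (not part of this issue, not CVE Lite CLI code, and not trpc's own tooling) showing how such a classification and grouping can be derived from a pnpm workspace lockfile. The `lockfile` and `advisories` objects are constructed stand-ins: the lockfile is a simplified, already-parsed subset of the pnpm v9 layout (real lockfiles need a YAML parser and keep package dependency edges under `snapshots`, with importer entries carrying `specifier`/`version` fields), and the package names, versions and `GHSA-xxxx-*` ids are placeholders, not real findings.

```javascript
// Added example: classify vulnerable lockfile entries and build pnpm fix commands.
// Not code from the issue, CVE Lite CLI or trpc. All data below is constructed.

// Constructed, simplified lockfile: importers declare deps; packages carry edges.
const lockfile = {
  importers: {
    ".": { devDependencies: { "build-tool": "0.17.10" } },
    "examples/fastify-server": { dependencies: { "web-framework": "5.8.3" } },
    "packages/server": {
      dependencies: { "web-framework": "5.8.3" },
      devDependencies: { "test-runner": "4.0.18" },
    },
  },
  packages: {
    "web-framework@5.8.3": { dependencies: { serializer: "5.6.4" } },
    "serializer@5.6.4": { dependencies: {} },
    "build-tool@0.17.10": { dependencies: {} },
    "test-runner@4.0.18": { dependencies: { bundler: "6.4.1" } },
    "bundler@6.4.1": { dependencies: {} },
    "orphan@1.0.0": { dependencies: {} }, // present but unreachable (stale entry)
  },
};

// Constructed advisory feed keyed by "name@version"; ids are placeholders.
const advisories = {
  "web-framework@5.8.3": { ids: ["GHSA-xxxx-0001"], fix: "5.8.5" },
  "serializer@5.6.4": { ids: ["GHSA-xxxx-0002"], fix: "5.6.5" },
  "build-tool@0.17.10": { ids: ["GHSA-xxxx-0003"], fix: "0.28.1" },
  "test-runner@4.0.18": { ids: ["GHSA-xxxx-0004"], fix: "4.1.0" },
  "bundler@6.4.1": { ids: ["GHSA-xxxx-0005"], fix: "6.4.2" },
  "orphan@1.0.0": { ids: ["GHSA-xxxx-0006"], fix: "1.0.1" },
};

// Merge prod and dev declarations of one importer into { name: version }.
function declaredDeps(importer) {
  return { ...(importer.dependencies || {}), ...(importer.devDependencies || {}) };
}

function splitKey(key) {
  const i = key.lastIndexOf("@");
  return [key.slice(0, i), key.slice(i + 1)];
}

// BFS from each importer's declared deps through the package graph.
// Returns Map<importerPath, Set<"name@version">>.
function reachable(lock) {
  const out = new Map();
  for (const [path, importer] of Object.entries(lock.importers)) {
    const seen = new Set();
    const queue = Object.entries(declaredDeps(importer)).map(([n, v]) => `${n}@${v}`);
    while (queue.length) {
      const key = queue.shift();
      if (seen.has(key)) continue;
      seen.add(key);
      const deps = (lock.packages[key] || {}).dependencies || {};
      for (const [n, v] of Object.entries(deps)) queue.push(`${n}@${v}`);
    }
    out.set(path, seen);
  }
  return out;
}

// direct: some importer declares exactly this name@version;
// transitive: reachable from an importer but never declared;
// unknown: in the lockfile yet unreachable from every importer (the caveat the
// acceptance criteria ask the case study to document).
function classify(lock, advs) {
  const reach = reachable(lock);
  const result = {};
  for (const key of Object.keys(advs)) {
    const [name, version] = splitKey(key);
    const direct = [];
    let transitive = false;
    for (const [path, importer] of Object.entries(lock.importers)) {
      if (declaredDeps(importer)[name] === version) direct.push(path);
      else if (reach.get(path).has(key)) transitive = true;
    }
    const relationship = direct.length ? "direct" : transitive ? "transitive" : "unknown";
    result[key] = { relationship, importers: direct, ids: advs[key].ids };
  }
  return result;
}

// One `pnpm add --filter <importer> ... name@fix` per direct finding, with all
// importers that declare it folded into a single command (as in the issue).
function fixCommands(lock, advs) {
  const classes = classify(lock, advs);
  const cmds = [];
  for (const [key, adv] of Object.entries(advs)) {
    const c = classes[key];
    if (c.relationship !== "direct") continue;
    const [name] = splitKey(key);
    const filters = c.importers.map((p) => `--filter ${p === "." ? "." : "./" + p}`).join(" ");
    cmds.push(`pnpm add ${filters} ${name}@${adv.fix}`);
  }
  return cmds.sort();
}

function summary(lock, advs) {
  const classes = Object.values(classify(lock, advs));
  const count = (r) => classes.filter((c) => c.relationship === r).length;
  return { direct: count("direct"), transitive: count("transitive"), unknown: count("unknown") };
}

console.log(summary(lockfile, advisories));
for (const cmd of fixCommands(lockfile, advisories)) console.log(cmd);
```

Transitive findings get no `pnpm add` command here because bumping them means either upgrading the direct dependency that pulls them in or adding a `pnpm.overrides` entry, which is a decision the case study should document rather than automate; the `unknown` bucket is what a stale or orphaned lockfile entry looks like and is worth calling out separately from the coverage numbers.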
