
docs: add Dyad lockfile example and verified case study#658

Open
Ayush7614 wants to merge 1 commit into
OWASP:mainfrom
Ayush7614:ayushdyad

Conversation


@Ayush7614 Ayush7614 commented Jun 14, 2026

Contributor

Document dyad-sh/dyad at 31bae4d (1,632 packages, 51 findings) with Electron AI app builder coverage, npm audit comparison, and 39/51 fix coverage.

Closes #596

Summary

  • Adds lockfile-only snapshot examples/dyad/ from dyad-sh/dyad@31bae4d (root package.json + package-lock.json)
  • Documents verified baseline scan in website/docs/case-studies/dyad.md: local AI app builder coverage on Electron + Vite + React (1,632 packages, 51 findings)
  • 4 critical · 29 high · 17 medium · 1 low with strong direct fix surface (9 direct / 42 transitive)
  • 7 fix command groups covering 39/51 findings on first pass
  • Side-by-side comparison with npm audit on the same lockfile (75 vulnerability entries vs 51 deduplicated packages)
  • Bundles Dyad logo at website/static/img/dyad-logo.svg

Case-study-only PR — no shared-file edits (index.md, sidebars.ts, README.md, examples/readme.md, CHANGELOG.md, root lockfile) per updated CONTRIBUTING guidance.

Why this change

Dyad (~21k GitHub stars) is a high-visibility local AI app builder (Lovable / v0 / Bolt alternative) on Electron + MCP + Drizzle ORM. A committed root npm lockfile snapshot extends CVE Lite's AI app builder / agent IDE coverage with realistic triage complexity: breaking direct upgrades, test-stack criticals, and deep transitive chains.

What changed

  • examples/dyad/package.json + examples/dyad/package-lock.json pinned to upstream revision 31bae4d (root lockfile only)
  • website/docs/case-studies/dyad.md with verified scan results, npm audit comparison, reproducible commands, lockfile scope note, and full 51-row baseline findings table
  • website/static/img/dyad-logo.svg (bundled locally from upstream assets/logo.svg)

Verified scan output

Parsed 1632 packages from package-lock (package-lock.json)
Found 51 packages (128 CVEs) with known OSV matches
Critical: 4 | High: 29 | Medium: 17 | Low: 1
7 command groups ready across 33 packages (2 critical, 2 high, 3 medium)
Running all commands above should fix 39 of 51 findings.

Key generated commands:

npm install happy-dom@20.8.9 vitest@4.1.0
npm install @modelcontextprotocol/sdk@6.15.0 drizzle-orm@0.45.2 electron@40.8.5 glob@11.1.0 storybook@8.6.17 vite@8.5.15 @electron-forge/cli@7.11.2
npm update shell-quote && npm update axios && npm update lodash && ...
npm install uuid@11.1.1
npm install @storybook/addon-essentials@8.6.15

Notable findings:

  • happy-dom@17.6.3 + vitest@3.2.4 — critical (direct · dev) — test-stack RCE; breaking major bumps
  • @modelcontextprotocol/sdk@1.18.1 — high (direct) — validated upgrade to 6.15.0 (breaking)
  • electron@40.0.0, drizzle-orm@0.41.0, glob@11.0.3, storybook@8.6.15 — high direct
  • next@15.5.2 — critical (transitive) — ⊘ skipped
  • Four esbuild versions, four minimatch majors — deduplication vs npm audit paths

npm audit (same lockfile): 75 vulnerabilities (5 critical · 47 high · 19 moderate · 4 low)

Validation

  • npm run build
  • node dist/index.js examples/dyad --verbose --all — 51 findings, 7 command groups, 39/51 coverage
  • npm audit run from examples/dyad/ — counts documented in case study
  • Case study numbers match live scan JSON (cve-lite-scan-2026-06-14T22-26-02.json)
  • Full 51-row baseline findings table included
  • Root lockfile scope documented (nested upstream lockfiles out of scope)
  • Docusaurus site builds (CI)

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

Issue #596 preliminary scan (v1.20.0, 2026-06-09) reported 49 findings / 73 npm audit entries. Verified scan at v1.22.0 reports 51 findings / 75 npm audit entries due to OSV advisory updates — all numbers in the case study match live scan JSON.

cc: @sonukapoor

Document dyad-sh/dyad at 31bae4d (1,632 packages, 51 findings) with
Electron AI app builder coverage, npm audit comparison, and 39/51 fix coverage.

Closes OWASP#596
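The description above contrasts npm audit's 75 per-path vulnerability entries with the 51 deduplicated packages the scanner reports on the same lockfile, and the "four esbuild versions, four minimatch majors" bullet is the same effect: a lockfile lists the same package name at several node_modules paths, and a finding counted per path inflates the total. The script below is an added illustration, not CVE Lite's code or anything from dyad-sh/dyad. It parses a constructed lockfileVersion 3 document, derives each package name from its node_modules path (scoped names included), matches versions against a hypothetical advisory table (the HYPO-* ids, package names and fixed versions are invented placeholders, not real advisories), and reports both the per-path count and the unique name@version count so the two numbers can be compared.

```python
"""Per-path vs deduplicated vulnerability counts over an npm lockfile.

Added example for illustration only. The lockfile and the advisory table are
constructed; the package names, HYPO-* ids and fixed versions are placeholders
and do not describe real packages or real vulnerabilities.
"""
import json
from collections import defaultdict

# Constructed package-lock.json in the lockfileVersion 3 layout: the "packages"
# map is keyed by install path. pkg-c appears at two nested paths with the same
# version and once at the top level with a newer version.
LOCKFILE_JSON = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/pkg-a": {"version": "2.0.0"},
        "node_modules/pkg-b": {"version": "1.1.0"},
        "node_modules/pkg-b/node_modules/pkg-c": {"version": "3.0.1"},
        "node_modules/pkg-c": {"version": "4.2.0"},
        "node_modules/@scope/pkg-d": {"version": "0.9.0"},
        "node_modules/@scope/pkg-d/node_modules/pkg-c": {"version": "3.0.1"},
    },
})

# Hypothetical advisory table: package name -> (advisory id, first fixed version).
# Everything affected below the fixed version. These are placeholders, not data
# from OSV or any real advisory source.
HYPOTHETICAL_ADVISORIES = {
    "pkg-c": ("HYPO-0001", "4.0.0"),
    "pkg-a": ("HYPO-0002", "2.1.0"),
}


def parse_version(version):
    """Turn a plain dotted version into a comparable tuple (no prerelease handling)."""
    return tuple(int(part) for part in version.split("."))


def package_name_from_path(path):
    """The package name is whatever follows the last 'node_modules/' segment,
    which keeps scoped names such as '@scope/pkg-d' intact."""
    return path.rsplit("node_modules/", 1)[-1]


def parse_lockfile(text):
    """Yield (path, name, version) for every installed package, skipping the root."""
    lock = json.loads(text)
    entries = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry describes the app itself
            continue
        entries.append((path, package_name_from_path(path), meta["version"]))
    return entries


def match_advisories(entries, advisories):
    """Per-path hits: one record per install path, as a path-based auditor counts."""
    hits = []
    for path, name, version in entries:
        advisory = advisories.get(name)
        if advisory and parse_version(version) < parse_version(advisory[1]):
            hits.append((path, name, version, advisory[0]))
    return hits


def dedupe_by_package(hits):
    """Collapse hits onto unique (name, version, advisory) keys, retaining the paths."""
    grouped = defaultdict(list)
    for path, name, version, advisory_id in hits:
        grouped[(name, version, advisory_id)].append(path)
    return dict(grouped)


def summarize(text, advisories):
    """Return the three numbers a case study would quote side by side."""
    entries = parse_lockfile(text)
    hits = match_advisories(entries, advisories)
    unique = dedupe_by_package(hits)
    return {
        "packages_parsed": len(entries),
        "path_entries": len(hits),        # what a per-path report counts
        "unique_packages": len(unique),   # what a deduplicated report counts
    }


if __name__ == "__main__":
    for key, paths in dedupe_by_package(
        match_advisories(parse_lockfile(LOCKFILE_JSON), HYPOTHETICAL_ADVISORIES)
    ).items():
        print(f"{key[0]}@{key[1]} ({key[2]}) at {len(paths)} path(s): {paths}")
    print(summarize(LOCKFILE_JSON, HYPOTHETICAL_ADVISORIES))
```

On the constructed input the per-path count is 3 while the unique count is 2, because pkg-c@3.0.1 sits under two parents. When a case study quotes both figures for one lockfile, this is the relationship to explain: the per-path number is not wrong, it just counts install locations, and a single `npm install` of the fixed version typically clears every path of the same name@version at once.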

@sonukapoor sonukapoor left a comment

Collaborator


Good work on the baseline - the 51-row findings table is thorough and the npm audit comparison is well-structured. Same issues as #660 though:

Before vs After table needs actual remediation rows. Run each command group against examples/dyad/, rescan after each, and record the results. The baseline-only table doesn't show that the tool made a difference.

Fix version inconsistency - @modelcontextprotocol/sdk shows 1.26.0 ⊘ in the baseline table but 6.15.0 appears in the "What this case study demonstrates" section and the PR description. These can't both be right - please reconcile them to whatever the scanner actually emits.

Missing final section - add ## Want your project reviewed? at the end (copy from any existing study).

@sonukapoor sonukapoor left a comment

Collaborator


Strong fix coverage story here - 39/51 on first pass is worth documenting.

One factual issue to fix before anything else: the narrative says the validated upgrade for @modelcontextprotocol/sdk is 6.15.0, but the baseline findings table shows 1.26.0 ⊘ (skipped). These can't both be right. Please check the actual scan output and reconcile - the table is the source of truth.

Same structural issues as the other studies: ## Lockfile scope and ## Scan verification are non-standard sections that break the required order. Fold ## Lockfile scope content into the Summary bullets and move the scan verification details into ## Scan command.

## Want your project reviewed? is missing - please add it as the final section.

The Before vs After table needs measured after-pass rows, not just the baseline. Run the fix command groups one at a time, rescan, and record each pass.

Successfully merging this pull request may close these issues.

Add Dyad lockfile example and verified case study