
Add Builder.io lockfile example and verified case study#660

Open

Ayush7614 wants to merge 2 commits into OWASP:main from Ayush7614:ayushbuilder

Conversation

@Ayush7614 Ayush7614 (Contributor) commented Jun 14, 2026

Document BuilderIO/builder at 1219cc4 (5,655 packages, 315 findings) with Yarn Berry + Nx monorepo lockfile coverage, yarn npm audit --all comparison, and extreme unknown-relationship triage graph.

Fixes #641

Summary

  • Adds lockfile-only snapshot examples/builder/ from BuilderIO/builder@1219cc4 (root package.json + yarn.lock)
  • Documents verified baseline scan in website/docs/case-studies/builder.md: visual CMS / page-builder SDK monorepo coverage on one of the largest Yarn Berry lockfiles in the portfolio (5,655 packages, 315 findings)
  • 32 critical · 164 high · 100 medium · 19 low — extreme triage graph with only 2 direct findings and 313 unknown relationship rows on lockfile-only snapshot
  • Side-by-side comparison with yarn npm audit --all on the same lockfile (2 vulnerability entries vs 315 deduplicated packages)
  • Bundles Builder.io logo at website/static/img/builder-logo.png

Case-study-only PR — no shared-file edits (index.md, sidebars.ts, README.md, examples/readme.md, CHANGELOG.md, root lockfile) per CONTRIBUTING guidance.

Why this change

Builder.io (~8.7k GitHub stars) is a widely adopted visual development / headless CMS platform — drag-and-drop editing, Figma-to-code, SDKs for React, Vue, Svelte, Qwik, Angular, Next.js, and more. A committed Yarn Berry lockfile snapshot extends CVE Lite coverage into visual CMS / page-builder SDK monorepos — distinct from Mitosis (cross-framework compiler) while sharing the Builder.io ecosystem — and documents how CVE Lite behaves on a 5,655-package yarn.lock vs default yarn npm audit --all scope.

What changed

  • examples/builder/package.json + examples/builder/yarn.lock pinned to upstream revision 1219cc4
  • website/docs/case-studies/builder.md with verified scan results, yarn npm audit --all comparison, Yarn Berry unknown-relationship caveats at scale, and baseline findings table (all 32 critical + 2 direct + representative high subset; full 315 rows match scan JSON)
  • website/static/img/builder-logo.png (bundled locally from examples/next-js-builder-site/public/assets/logo.png)

Verified scan output

Parsed 5655 packages from yarn-lock (yarn.lock)
Found 315 packages (328 CVEs) with known OSV matches
Critical: 32 | High: 164 | Medium: 100 | Low: 19
Direct: 2 | Transitive: 0 | Unknown: 313
2 command groups — 2 of 315 findings with copy-and-run commands

Notable findings:

  • Only 2 direct findings: octokit@2.1.0 (high) → yarn add octokit@3.1.2 (breaking), zx@7.2.1 (medium) → yarn add zx@8.8.5 (breaking)
  • Critical sandbox/SDK cluster (unknown): @angular/ssr, @builder.io/qwik, @builder.io/qwik-city, @nguniversal/*, @remix-run/node, next, handlebars, form-data, nuxt, simple-git, vitest — framework example paths
  • Version fragmentation at scale: multiple majors of esbuild, axios, minimatch, semver, rollup, vite, svelte, lodash across examples/plugins
  • 313 skipped findings — overwhelmingly framework-sandbox packages where Yarn Berry path reconstruction is incomplete on lockfile-only MVP

yarn npm audit --all (Yarn 3.6.1, same lockfile): 2 vulnerability entries (1 high · 1 moderate) on root workspace direct deps — octokit@2.1.0 and zx@7.2.1. Case study explains full-lockfile parse vs Yarn Berry default audit scope (parallel to Storybook/Mitosis case studies).

Validation

  • npm run build
  • node dist/index.js examples/builder --verbose --all --json — 315 findings, 2 command groups, 5,655 packages parsed
  • yarn npm audit --all run from examples/builder/ — 2 entries documented in case study
  • Case study numbers match live scan JSON (cve-lite-scan-2026-06-14T22-44-44.json)
  • Baseline table: all 32 critical + 2 direct + representative high subset (315-row full list in JSON)
  • Docusaurus site builds (CI)

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

Issue #641 preliminary scan (v1.22.0, 2026-06-12) numbers match the verified live scan on 2026-06-14: 315 findings, 2/0/313 relationship split, 2 fix groups, 2/315 first-pass coverage. Baseline only — no fake "after" remediation results.

cc: @sonukapoor
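As an added illustration of the direct / transitive / unknown split reported in the scan output above (example code, not cve-lite-cli's own parser and not the case study's data): a simplified Yarn Berry yarn.lock parser and a reachability walk from the root package.json. The lockfile text, the manifest and the package names are constructed. The classification rule (direct = listed in the root manifest, transitive = reachable from a direct dependency through lockfile dependency edges, everything else unknown) is an assumption about how such a split can be computed, not a description of the tool's algorithm; it shows why a package that only a non-root workspace pulls in lands in the unknown bucket when the snapshot carries just the root manifest.

```javascript
// Added example, not cve-lite-cli's own code: a simplified Yarn Berry yarn.lock parser
// plus the direct / transitive / unknown split a lockfile-only snapshot allows.

// Constructed yarn.lock excerpt in Yarn Berry syntax (__metadata, checksum and linkType omitted).
const SAMPLE_YARN_LOCK = `"@octokit/core@npm:^4.0.0":
  version: 4.2.4
  resolution: "@octokit/core@npm:4.2.4"
"octokit@npm:^2.1.0":
  version: 2.1.0
  resolution: "octokit@npm:2.1.0"
  dependencies:
    "@octokit/core": "npm:^4.0.0"
"zx@npm:^7.2.1":
  version: 7.2.1
  resolution: "zx@npm:7.2.1"
"next@npm:^15.1.0, next@npm:^15.2.0":
  version: 15.2.0
  resolution: "next@npm:15.2.0"
"example-app@workspace:examples/next-app":
  version: 0.0.0-use.local
  resolution: "example-app@workspace:examples/next-app"
  dependencies:
    next: "npm:^15.2.0"
"root@workspace:.":
  version: 0.0.0-use.local
  resolution: "root@workspace:."
  dependencies:
    octokit: "npm:^2.1.0"
    zx: "npm:^7.2.1"
`;

// Constructed root manifest: the only package.json a lockfile-only snapshot carries.
const SAMPLE_ROOT_PACKAGE_JSON = {
  name: "root",
  dependencies: { octokit: "^2.1.0" },
  devDependencies: { zx: "^7.2.1" },
};

// Parse top-level entries (`"desc1, desc2":`) with version, resolution and dependencies.
function parseBerryLock(text) {
  const entries = [], byDescriptor = new Map(); // "name@npm:range" -> entry
  let current = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      inDeps = false;
      const key = line.replace(/:$/, "").replace(/^"|"$/g, "");
      if (key === "__metadata") { current = null; continue; }
      current = { name: null, version: null, resolution: "", dependencies: {} };
      entries.push(current);
      for (const d of key.split(",")) byDescriptor.set(d.trim(), current);
      continue;
    }
    const m = current && line.match(/^(\s+)(?:"([^"]+)"|([^:\s]+)):\s*(.*)$/);
    if (!m) continue;
    const indent = m[1].length;
    const key = m[2] !== undefined ? m[2] : m[3];
    const value = m[4].replace(/^"|"$/g, "");
    if (indent === 2) {
      inDeps = key === "dependencies";
      if (key === "version") current.version = value;
      if (key === "resolution") {
        current.resolution = value;
        current.name = value.slice(0, value.lastIndexOf("@")); // "@scope/name@npm:1.2.3" -> "@scope/name"
      }
    } else if (indent === 4 && inDeps) {
      current.dependencies[key] = value; // e.g. "@octokit/core" -> "npm:^4.0.0"
    }
  }
  return { entries, byDescriptor };
}

// direct = listed in the root manifest; transitive = reachable from a direct
// dependency through lockfile edges; unknown = in the lockfile but not reachable
// from the root manifest (for instance pulled in only by another workspace).
function classifyRelationships(lock, rootManifest) {
  const relation = new Map(), queue = [];
  const rootDeps = { ...(rootManifest.dependencies || {}), ...(rootManifest.devDependencies || {}) };
  for (const [name, range] of Object.entries(rootDeps)) {
    const entry = lock.byDescriptor.get(`${name}@npm:${range}`); // Berry descriptor form
    if (entry) { relation.set(entry, "direct"); queue.push(entry); }
  }
  while (queue.length) {
    for (const [name, range] of Object.entries(queue.shift().dependencies)) {
      const dep = lock.byDescriptor.get(`${name}@${range}`); // range already carries "npm:"
      if (dep && !relation.has(dep)) { relation.set(dep, "transitive"); queue.push(dep); }
    }
  }
  const result = {};
  for (const e of lock.entries) {
    if (e.resolution.includes("@workspace:")) continue; // workspaces are not third-party packages
    result[`${e.name}@${e.version}`] = relation.get(e) || "unknown";
  }
  return result;
}

console.log(classifyRelationships(parseBerryLock(SAMPLE_YARN_LOCK), SAMPLE_ROOT_PACKAGE_JSON));
```

On the constructed input, octokit and zx come out direct, @octokit/core transitive, and next unknown, because the only manifest that names next is the examples/next-app workspace, which a root-only snapshot never reads. A real Yarn Berry lockfile does carry the workspace entries, so a walk that also started from every `@workspace:` entry's dependencies would attribute such packages; the point of the lockfile-only baseline is that the tool is not given those manifests.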

@sonukapoor sonukapoor (Collaborator) left a comment

Good foundation here - the fixture is solid and the baseline numbers check out. A few things to fix:

Missing final section - the doc ends at ## Baseline findings but every case study needs a ## Want your project reviewed? section as the last section. You can copy it from any of the existing studies (analog.md, nestjs.md etc.).

Extra sections - ## Lockfile scope and ## Scan verification aren't in the required template. The lockfile scope content fits naturally inside ## What this case study demonstrates, and the scan verification content can go inside ## Scan command. Could you fold them in to keep the structure consistent across all studies?

Once those are sorted this is good to go.

Fold Lockfile scope into What this case study demonstrates, merge Scan verification into Scan command, and add Want your project reviewed section per PR review.
@Ayush7614 Ayush7614 (Contributor Author) commented

Thanks for the review, @sonukapoor — addressed the template feedback in ba8a6df:

  • Folded Lockfile scope into What this case study demonstrates
  • Merged Scan verification into Scan command (verification table + reproduce commands)
  • Added Want your project reviewed? at the end (copied from analog.md)

Ready for another look when you have a moment.

@sonukapoor sonukapoor (Collaborator) left a comment

Three things to fix:

The "Want your project reviewed?" closing section links to github.com/sonukapoor/cve-lite-cli/issues - please change this to github.com/OWASP/cve-lite-cli/issues.

The logo is a PNG - all other case study logos in website/static/img/ are SVGs. Please swap for an SVG export from Builder.io's brand assets.

The next fix hints in the critical findings table show version downgrades (e.g. next@15.x to 12.3.5). This reflects the minimum patched version in the OSV advisory data and can confuse readers. Please add a short note near that table explaining that fix hints reflect the earliest patched release in the advisory - developers should verify against the Next.js security page before upgrading.

Branch is also behind main - please rebase with git fetch origin && git rebase origin/main && git push --force-with-lease.
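As an added example of the downgrade-looking fix hint raised in the comment above (example code, not cve-lite-cli's own logic, and using a constructed advisory rather than a real Next.js one): OSV SEMVER ranges are a flat list of `introduced`/`fixed` events, so a hint taken from the smallest `fixed` version anywhere in the advisory can be lower than the installed version, while a hint taken from the interval that actually contains the installed version is not. The package name example-framework, the advisory id and every version number below are placeholders.

```javascript
// Added example, not cve-lite-cli's own code. Shows why a fix hint taken from the
// earliest "fixed" event of an OSV advisory can read as a downgrade, and how a
// range-aware hint avoids that. The advisory is constructed; the package name,
// id and version numbers are placeholders, not a real Next.js advisory.
const SAMPLE_ADVISORY = {
  id: "EXAMPLE-0000-PLACEHOLDER",
  affected: [{
    package: { ecosystem: "npm", name: "example-framework" },
    ranges: [{
      type: "SEMVER",
      events: [ // OSV lists introduced/fixed events in ascending version order
        { introduced: "0" }, { fixed: "12.3.5" },
        { introduced: "13.0.0" }, { fixed: "13.5.1" },
        { introduced: "14.0.0" }, { fixed: "14.2.10" },
        { introduced: "15.0.0" }, { fixed: "15.0.1" },
      ],
    }],
  }],
};

// Minimal numeric semver comparison (pre-release tags are ignored; enough for this demo).
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Convert the flat event list into [introduced, fixed) intervals; an interval
// with fixed === null means no patched release exists for that line yet.
function affectedIntervals(advisory, packageName) {
  const intervals = [];
  for (const aff of advisory.affected) {
    if (aff.package.name !== packageName) continue;
    for (const range of aff.ranges) {
      if (range.type !== "SEMVER") continue;
      let open = null;
      for (const ev of range.events) {
        if (ev.introduced !== undefined) open = ev.introduced;
        else if (ev.fixed !== undefined && open !== null) {
          intervals.push({ introduced: open, fixed: ev.fixed });
          open = null;
        }
      }
      if (open !== null) intervals.push({ introduced: open, fixed: null });
    }
  }
  return intervals;
}

// The interval an installed version falls into, or null when it is not affected.
function containingInterval(intervals, version) {
  return intervals.find((iv) =>
    compareSemver(version, iv.introduced) >= 0 &&
    (iv.fixed === null || compareSemver(version, iv.fixed) < 0)) || null;
}

// Compare the two ways of deriving a fix hint for an installed version.
function describeFixHint(advisory, packageName, installed) {
  const intervals = affectedIntervals(advisory, packageName);
  const hit = containingInterval(intervals, installed);
  // Naive hint: smallest "fixed" version anywhere in the advisory.
  const earliestPatched = intervals
    .map((iv) => iv.fixed)
    .filter((v) => v !== null)
    .sort(compareSemver)[0] || null;
  // Range-aware hint: the "fixed" bound of the interval containing the installed version.
  const rangeAwareFix = hit ? hit.fixed : null;
  return {
    installed,
    affected: hit !== null,
    earliestPatched,
    rangeAwareFix,
    looksLikeDowngrade: hit !== null && earliestPatched !== null && compareSemver(earliestPatched, installed) < 0,
  };
}

for (const v of ["15.0.0", "12.0.0", "14.2.10"]) {
  console.log(describeFixHint(SAMPLE_ADVISORY, "example-framework", v));
}
```

For the constructed 15.0.0 install the naive hint is 12.3.5 (flagged as a downgrade) while the range-aware hint is 15.0.1; for 12.0.0 both agree, and 14.2.10 is reported as not affected. The note the reviewer asks for documents the first behaviour; computing the second requires knowing which affected interval the installed version sits in, which is the check a reader would otherwise have to make by hand against the upstream security page.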
