docs: add Docusaurus pnpm monorepo case study #766

Open
mohameddhiaabidi3301 wants to merge 3 commits into OWASP:main from mohameddhiaabidi3301:case-study/docusaurus-pnpm-monorepo

Conversation

mohameddhiaabidi3301 commented Jun 26, 2026

Related to #596

What this adds

A verified baseline case study of running CVE Lite CLI v1.25.0 on Docusaurus
— a professionally maintained pnpm monorepo by Meta with 2,590 resolved packages.

Scan summary

  • 14 unique vulnerable packages (0 critical · 6 high · 7 medium · 1 low)
  • 1 direct / 13 transitive
  • 20 CVEs matched
  • 4 fix command groups generated covering 7 of 14 findings
  • Real pnpm audit comparison included (25 reported vs 14 deduplicated)

Reproduction

git clone https://github.com/facebook/docusaurus
cd docusaurus
cve-lite . --verbose --all

Scanned on 2026-06-26 · CLI v1.25.0

Signed-off-by: Ranimabidi <ranimabidiranabi@gmail.com>
luojiyin1987 (Collaborator)

Thanks for adding this case study. I think this needs a few fixes before merge:

  1. The Markdown appears to be escaped throughout the file (\#, \##, \-, \*\*, \---). This will render as literal text instead of headings/lists/bold text. Please remove the unnecessary escaping and match the style of the existing case studies.

  2. The PR says "Closes #596", but #596 ("Add Dyad lockfile example and verified case study") is specifically about a Dyad lockfile/example case study, while this PR adds Docusaurus. Please change this to "Related to #596" or explain why Docusaurus is replacing the Dyad scope.

  3. Please wire the new page into the docs navigation:

     • add case-studies/docusaurus to website/sidebars.ts
     • add Docusaurus to website/docs/case-studies/index.md

  4. The “Remaining risk after fix plan” section says 7 findings remain, but it includes ws@8.20.1 while also saying ws is resolved by the @rsdoctor/rspack-plugin upgrade above. Please either remove ws from the remaining-risk table and change the count to 6, or clarify why it still remains.

  5. For reproducibility, please pin the Docusaurus upstream revision. The current reproduction command clones the moving default branch, so future scans may not match these numbers.

  6. Please consider bundling the Docusaurus logo locally like the existing case studies do, and remove the hidden/bidirectional Unicode characters GitHub is warning about.

Review comment on website/docs/case-studies/docusaurus.md (outdated), on these lines:

    <p align="center">
      <img src="https://docusaurus.io/img/docusaurus.png" alt="Docusaurus logo" width="200"/>

Collaborator:

The logo needs to be bundled locally rather than hotlinked to docusaurus.io. Download it to website/static/img/docusaurus-logo.png and update the src to /cve-lite-cli/img/docusaurus-logo.png - every existing case study follows this pattern, and an external URL can break if the asset moves.

Review comment on website/docs/case-studies/docusaurus.md (outdated), on this line:

    \## Comparison: CVE Lite CLI vs pnpm audit

Collaborator:

The section heading should be ## Comparison Note: CVE Lite CLI vs pnpm audit - the word "Note" is part of the required structure and all existing studies use it.

Review comment on website/docs/case-studies/docusaurus.md (outdated), on this line:

    \## Fix plan

Collaborator:

Two required sections are missing here. This should start with ## Before vs After - a table with the baseline row (14 findings) followed by at least one measured row showing the finding count after applying each fix command group. Then ## Fix Journey documents the sequential steps. The format requires you to apply each command group against a local Docusaurus clone, rescan after each pass, and record the new counts. Without those measured rows the study is baseline-only - it doesn't show the remediation actually worked.

Review comment on website/docs/case-studies/docusaurus.md (outdated), on this line:

    \## Remaining risk after fix plan

Collaborator:

## Remaining risk after fix plan is before ## Why this matters here, but the required order is ## Why this matters first, then ## Remaining risk after .... Please swap these two sections.

Signed-off-by: Ranimabidi <ranimabidiranabi@gmail.com>
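The scan summary in the PR description sets 25 pnpm audit advisories against 14 deduplicated packages, and the review above asks for a Before vs After table measured after each fix command group plus a remaining-risk table that agrees with the fix plan (the ws@8.20.1 point). The block below is an added example, not code from this PR, from CVE Lite CLI or from the Docusaurus project. It deduplicates a report in the shape of `pnpm audit --json` (assumed here to be the npm-audit-style layout with an `advisories` map keyed by advisory id, where npm's "moderate" corresponds to the page's "medium") into one finding per package with its worst severity and direct/transitive status, walks a fix plan one group at a time to produce the Before vs After rows, and flags any package listed as remaining that a fix group already resolves. The advisory content, the package names other than ws, and the fix group labels are constructed for the example.

```python
"""Deduplicate pnpm audit advisories per package and track a fix plan pass by pass.

Added example. The `pnpm audit --json` layout (an ``advisories`` map keyed by
advisory id, npm-audit style) is an assumption, and every value below is constructed.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed report: five advisories over three packages. `ws` is transitive
# (reached through @rsdoctor/rspack-plugin, as in the case study); the other
# package names and versions are made up for the example.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "module_name": "ws", "severity": "high",
                 "findings": [{"version": "8.20.1", "paths": ["@rsdoctor/rspack-plugin>ws"]}]},
        "1002": {"id": 1002, "module_name": "ws", "severity": "moderate",
                 "findings": [{"version": "8.20.1", "paths": ["@rsdoctor/rspack-plugin>ws"]}]},
        "1003": {"id": 1003, "module_name": "example-dep-a", "severity": "high",
                 "findings": [{"version": "1.0.0", "paths": ["example-dep-a"]}]},
        "1004": {"id": 1004, "module_name": "example-dep-a", "severity": "low",
                 "findings": [{"version": "1.0.0", "paths": ["example-dep-a"]}]},
        "1005": {"id": 1005, "module_name": "example-dep-b", "severity": "moderate",
                 "findings": [{"version": "2.3.4", "paths": ["example-dep-a>example-dep-b"]}]},
    },
})


def dedupe_findings(audit_json):
    """Collapse advisories to one finding per package.

    A package keeps the worst severity across its advisories and counts as a
    direct dependency when any finding path has no parent (no '>' in the path).
    """
    report = json.loads(audit_json)
    findings = {}
    for adv in report["advisories"].values():
        entry = findings.setdefault(adv["module_name"], {
            "advisories": [], "severity": "info", "direct": False, "versions": set(),
        })
        entry["advisories"].append(adv["id"])
        if SEVERITY_RANK[adv["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = adv["severity"]
        for finding in adv["findings"]:
            entry["versions"].add(finding["version"])
            entry["direct"] = entry["direct"] or any(">" not in p for p in finding["paths"])
    return findings


def severity_counts(findings):
    """Count deduplicated findings by their worst severity."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for entry in findings.values():
        counts[entry["severity"]] += 1
    return counts


def apply_fix_plan(findings, fix_groups):
    """Apply fix groups in order; each group is (label, set of packages it resolves).

    Returns the Before vs After rows (label, findings left) and the remaining set.
    """
    remaining = set(findings)
    rows = [("baseline", len(remaining))]
    for label, resolved in fix_groups:
        remaining -= resolved
        rows.append((label, len(remaining)))
    return rows, remaining


def remaining_conflicts(fix_groups, remaining_table):
    """Packages listed in a remaining-risk table that a fix group already resolves."""
    resolved = set().union(*(pkgs for _, pkgs in fix_groups))
    return sorted(resolved & set(remaining_table))


def render_before_after(rows):
    """Render the rows as a Markdown table in the case-study layout."""
    lines = ["| Step | Findings |", "|---|---|"]
    lines += [f"| {label} | {count} |" for label, count in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    found = dedupe_findings(SAMPLE_AUDIT_JSON)
    advisories = sum(len(e["advisories"]) for e in found.values())
    print(f"{advisories} advisories -> {len(found)} unique packages, {severity_counts(found)}")
    plan = [("upgrade @rsdoctor/rspack-plugin", {"ws"}),
            ("upgrade example-dep-a", {"example-dep-a"})]
    rows, left = apply_fix_plan(found, plan)
    print(render_before_after(rows))
    print("remaining:", sorted(left))
    # A remaining-risk table that still lists ws contradicts the fix plan above.
    print("conflicts:", remaining_conflicts(plan, ["ws", "example-dep-b"]))
```

The per-package count is what makes a "25 reported vs 14 deduplicated" comparison meaningful: pnpm audit reports one entry per advisory, so a single vulnerable version of ws can appear several times. Running `remaining_conflicts` against the remaining-risk table before publishing catches exactly the ws inconsistency the review points out.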
sonukapoor (Collaborator)

Thanks for the fixes - the logo, heading, and Before/After table are all looking good now. Two structural things still to address before merge:

  1. ## Fix plan is not part of the case study template. The copy-and-run commands should live inside ## Fix Journey rather than as a separate section after it.

  2. ## Scan command needs to move up - it should appear before ## Remaining risk after fix plan, not after ## Baseline findings. The required order is: Fix Journey -> Why this matters -> Scan command -> Remaining risk -> Baseline findings -> Want your project reviewed?

Signed-off-by: Ranimabidi <ranimabidiranabi@gmail.com>
4 participants