From 3eaae9c24e2a17aa8cabecc9d799552b7243fcc7 Mon Sep 17 00:00:00 2001 From: Ranimabidi Date: Fri, 26 Jun 2026 09:51:55 +0100 Subject: [PATCH 1/3] docs: add Docusaurus pnpm monorepo case study Signed-off-by: Ranimabidi --- website/docs/case-studies/docusaurus.md | 376 ++++++++++++++++++++++++ 1 file changed, 376 insertions(+) create mode 100644 website/docs/case-studies/docusaurus.md diff --git a/website/docs/case-studies/docusaurus.md b/website/docs/case-studies/docusaurus.md new file mode 100644 index 00000000..515f7a3e --- /dev/null +++ b/website/docs/case-studies/docusaurus.md @@ -0,0 +1,376 @@ +\# Docusaurus Case Study + + + +> Verified baseline scan — CVE Lite CLI v1.25.0 · 2026-06-26 + + + +

+ + Docusaurus logo + +

+ + + +\## Summary + + + +\- \*\*Project:\*\* Docusaurus — open-source static-site generator by Meta, widely used for technical documentation + +\- \*\*Repository:\*\* \[github.com/facebook/docusaurus](https://github.com/facebook/docusaurus) + +\- \*\*Lockfile:\*\* `pnpm-lock.yaml` (2,590 resolved packages) + +\- \*\*Package manager:\*\* pnpm (monorepo) + +\- \*\*Baseline findings:\*\* 14 unique vulnerable packages (0 critical · 6 high · 7 medium · 1 low) + +\- \*\*Direct vs transitive:\*\* 1 direct / 13 transitive + +\- \*\*CVEs matched:\*\* 20 + +\- \*\*Fix commands generated:\*\* 4 command groups covering 7 of 14 findings + +\- \*\*Remaining after fix plan:\*\* 7 findings (structural blockers — no fix available or advisory hint only) + + + +\--- + + + +\## What this case study demonstrates + + + +Docusaurus is a professionally maintained pnpm monorepo used by hundreds of thousands of documentation sites worldwide. It has active maintainers and automated dependency tooling — yet CVE Lite CLI surfaced 14 vulnerable packages across 2,590 resolved dependencies, 13 of them transitive and invisible in the root `package.json`. + + + +This case study highlights two things that matter for real-world monorepos: + + + +\*\*1. The direct/transitive split tells you where to start.\*\* Only 1 of 14 findings (`webpack-dev-server`) is a direct dependency the project controls outright. The other 13 require parent-chain decisions. Without that separation, a developer looking at a flat list of findings cannot tell which ones are actionable today. + + + +\*\*2. The `⊘` advisory-hint marker is honest signal, not a gap.\*\* Several packages (`vite`, `tmp`, `js-yaml`, `uuid`, `@tootallnate/once`) show a fixed-version hint from OSV but no validated copy-and-run command. CVE Lite flags these explicitly rather than generating a command it cannot confirm. That distinction matters: a false fix command that silently introduces a breaking change is worse than no command at all. 
+ + + +\--- + + + +\## Comparison: CVE Lite CLI vs pnpm audit + + + +Both tools were run against the same `pnpm-lock.yaml` on the same machine. + + + +| Metric | pnpm audit | CVE Lite CLI v1.25.0 | + +|---|---:|---:| + +| Total reported findings | 25 | 14 | + +| Critical | 0 | 0 | + +| High | 8 | 6 | + +| Medium | 10 | 7 | + +| Low | 7 | 1 | + +| Direct vs transitive breakdown | ✗ | ✔ (1 / 13) | + +| Validated fix targets | ✗ | ✔ | + +| Breaking change awareness | ✗ | ✔ | + +| Advisory-hint-only marker (⊘) | ✗ | ✔ | + +| Specific copy-and-run commands | ✗ | ✔ (4 groups) | + + + +\*\*Why CVE Lite reports fewer findings — and why that is not a coverage gap:\*\* + + + +`pnpm audit` counts vulnerability paths, not packages. A single vulnerable package reached via multiple dependency paths contributes multiple entries. CVE Lite counts each unique vulnerable package once regardless of how many paths reach it. That is why the totals differ: 25 vs 14. + + + +This deduplication is intentional. A developer looking at 25 findings cannot tell how many distinct packages need attention. CVE Lite's 14 is the true exposure surface: 14 packages, each needing exactly one decision. + + + +\--- + + + +\## Fix plan + + + +CVE Lite generated 4 command groups covering 7 of 14 findings. + + + +\### High severity — direct parent upgrade + + + +```bash + +pnpm add @rsdoctor/rspack-plugin@1.5.13 + +``` + + + +Resolves `ws@8.20.1` (high) through the path: + +`@rsdoctor/rspack-plugin → @rsdoctor/sdk → socket.io → engine.io → ws` + + + +\### High severity — within-range parent updates + + + +```bash + +pnpm update --no-save form-data \&\& pnpm update --recursive --no-save undici + +``` + + + +Both `form-data@4.0.5` and `undici@6.26.0 / 7.26.0` can be refreshed without a parent upgrade — the current declared ranges already permit safe versions. 
+ + + +\### Medium severity — direct fix + + + +```bash + +pnpm add --filter ./packages/docusaurus webpack-dev-server@5.2.5 + +``` + + + +`webpack-dev-server` is the only direct dependency in the findings. Upgrading from `5.2.4` to `5.2.5` (published 2026-06-12) clears `GHSA-mx8g-39q3-5c79`. CVE Lite validated the target version as non-vulnerable before generating this command. + + + +\### Medium severity — within-range parent updates + + + +```bash + +pnpm -C packages/docusaurus-theme-mermaid update --no-save dompurify \&\& pnpm -C packages/docusaurus update --no-save http-proxy-middleware \&\& pnpm -C packages/docusaurus update --no-save launch-editor + +``` + + + +Three medium-severity transitive packages (`dompurify`, `http-proxy-middleware`, `launch-editor`) can be refreshed within their current parent ranges. + + + +\--- + + + +\## Remaining risk after fix plan + + + +7 findings remain after applying all 4 command groups: + + + +| Package | Version | Severity | Type | Note | + +|---|---|---|---|---| + +| tmp | 0.2.6 | high | transitive · dev | ⊘ advisory hint only — no validated fix command | + +| vite | 8.0.14 | high | transitive · dev | ⊘ advisory hint only — no validated fix command | + +| js-yaml | 3.14.2 | medium | transitive · dev | ⊘ major version jump (3 → 4), breaking change | + +| js-yaml | 4.1.1 | medium | transitive · dev | ⊘ advisory hint only — no validated fix command | + +| uuid | 8.3.2 | medium | transitive | ⊘ major version jump (8 → 11), breaking change | + +| @tootallnate/once | 1.1.2 | low | transitive · dev | ⊘ advisory hint only — no validated fix command | + +| ws | 8.20.1 | high | transitive | resolved by @rsdoctor/rspack-plugin upgrade above | + + + +All 7 remaining findings are either dev-only transitive packages or advisory-hint-only cases where no automated fix could be validated. 
None have a confident first-pass fix command — meaning the remediation work here requires tracking upstream releases rather than running a local install command today. + + + +\--- + + + +\## Why this matters + + + +Docusaurus is not a neglected project. It is actively maintained, widely deployed, and has automated tooling. Yet 13 of 14 vulnerable packages are invisible to anyone reading the root `package.json` — they only appear in the fully resolved lockfile. + + + +This is the normal state of a healthy pnpm monorepo: the surface that matters for security is not the manifest a developer edits, but the 2,590-package graph the lockfile resolves. CVE Lite reads that graph directly and separates what a developer can act on today from what requires upstream decisions. + + + +For a project of this scale, the operational value is not just finding vulnerabilities — it is knowing which of the 14 findings produce a copy-and-run command, which require a parent-chain decision, and which are blocked on upstream releases. That triage happens in seconds rather than hours. 
+ + + +\--- + + + +\## Baseline findings + + + +Full vulnerable package list at scan time: + + + +| Package | Version | Severity | Relationship | Fixed | Advisory IDs | + +|---|---|---|---|---|---| + +| form-data | 4.0.5 | high | transitive | 4.0.6 | GHSA-hmw2-7cc7-3qxx | + +| tmp | 0.2.6 | high | transitive · dev | 0.2.7 ⊘ | GHSA-7c78-jf6q-g5cm | + +| undici | 6.26.0 | high | transitive · dev | 6.27.0 | GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7… | + +| undici | 7.26.0 | high | transitive | 7.28.0 | GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7… | + +| vite | 8.0.14 | high | transitive · dev | 8.0.16 ⊘ | GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3 | + +| ws | 8.20.1 | high | transitive | 8.21.0 | GHSA-96hv-2xvq-fx4p | + +| webpack-dev-server | 5.2.4 | medium | direct | 5.2.5 | GHSA-mx8g-39q3-5c79 | + +| dompurify | 3.4.7 | medium | transitive | 3.4.11 | GHSA-cmwh-pvxp-8882, GHSA-gvmj-g25r-r7w… | + +| http-proxy-middleware | 2.0.9 | medium | transitive | 2.0.10 | GHSA-64mm-vxmg-q3vj | + +| js-yaml | 3.14.2 | medium | transitive · dev | 4.2.0 ⊘ | GHSA-h67p-54hq-rp68 | + +| js-yaml | 4.1.1 | medium | transitive · dev | 4.2.0 ⊘ | GHSA-h67p-54hq-rp68 | + +| launch-editor | 2.13.2 | medium | transitive | 2.14.1 | GHSA-v6wh-96g9-6wx3 | + +| uuid | 8.3.2 | medium | transitive | 11.1.1 ⊘ | GHSA-w5hq-g745-h8pq | + +| @tootallnate/once | 1.1.2 | low | transitive · dev | 2.0.1 ⊘ | GHSA-vpq2-c234-7xj6 | + + + +⊘ Advisory hint only — no automated fix command could be generated. + + + +\--- + + + +\## Scan command + + + +```bash + +cve-lite . --verbose --all + +``` + + + +| Field | Value | + +|---|---| + +| Scan date | 2026-06-26 | + +| CLI version | v1.25.0 | + +| Lockfile | pnpm-lock.yaml | + +| Resolved packages | 2,590 | + +| Findings | 14 | + +| CVEs matched | 20 | + +| Fix commands generated | 4 groups (7 of 14 findings) | + + + +Reproduce from a local clone: + + + +```bash + +git clone https://github.com/facebook/docusaurus + +cd docusaurus + +cve-lite . 
--verbose --all + +``` + + + +\--- + + + +\## Want your project reviewed? + + + +If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the \[CVE Lite CLI repository](https://github.com/OWASP/cve-lite-cli/issues). + + + +Please include: + + + +\- the repository link + +\- why the project would make a useful case study + +\- whether the dependency graph is publicly reproducible + + + +Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows. + From 12673acceb041c0bad9e527ba90c436237175285 Mon Sep 17 00:00:00 2001 From: Ranimabidi Date: Sat, 27 Jun 2026 23:47:36 +0100 Subject: [PATCH 2/3] docs: fix case study format, add logo, pin revision, add Before vs After Signed-off-by: Ranimabidi --- website/docs/case-studies/docusaurus.md | 293 +++++------------------- website/static/img/docusaurus-logo.png | Bin 0 -> 5142 bytes 2 files changed, 63 insertions(+), 230 deletions(-) create mode 100644 website/static/img/docusaurus-logo.png diff --git a/website/docs/case-studies/docusaurus.md b/website/docs/case-studies/docusaurus.md index 515f7a3e..60a31ffa 100644 --- a/website/docs/case-studies/docusaurus.md +++ b/website/docs/case-studies/docusaurus.md @@ -1,376 +1,209 @@ -\# Docusaurus Case Study - - +# Docusaurus Case Study > Verified baseline scan — CVE Lite CLI v1.25.0 · 2026-06-26 - -

- - Docusaurus logo - + Docusaurus logo

+## Summary +- **Project:** Docusaurus — open-source static-site generator by Meta, widely used for technical documentation +- **Repository:** [github.com/facebook/docusaurus](https://github.com/facebook/docusaurus) +- **Revision:** `5d162a4654b105aa9cc66dc38ddbc367d81be230` +- **Lockfile:** `pnpm-lock.yaml` (2,590 resolved packages) +- **Package manager:** pnpm (monorepo) +- **Baseline findings:** 14 unique vulnerable packages (0 critical · 6 high · 7 medium · 1 low) +- **Direct vs transitive:** 1 direct / 13 transitive +- **CVEs matched:** 20 +- **Fix commands generated:** 4 command groups covering 7 of 14 findings +- **Remaining after fix plan:** 7 findings (structural blockers — no fix available or advisory hint only) -\## Summary - - - -\- \*\*Project:\*\* Docusaurus — open-source static-site generator by Meta, widely used for technical documentation - -\- \*\*Repository:\*\* \[github.com/facebook/docusaurus](https://github.com/facebook/docusaurus) - -\- \*\*Lockfile:\*\* `pnpm-lock.yaml` (2,590 resolved packages) - -\- \*\*Package manager:\*\* pnpm (monorepo) - -\- \*\*Baseline findings:\*\* 14 unique vulnerable packages (0 critical · 6 high · 7 medium · 1 low) - -\- \*\*Direct vs transitive:\*\* 1 direct / 13 transitive - -\- \*\*CVEs matched:\*\* 20 - -\- \*\*Fix commands generated:\*\* 4 command groups covering 7 of 14 findings - -\- \*\*Remaining after fix plan:\*\* 7 findings (structural blockers — no fix available or advisory hint only) - - - -\--- - - - -\## What this case study demonstrates - +--- +## What this case study demonstrates Docusaurus is a professionally maintained pnpm monorepo used by hundreds of thousands of documentation sites worldwide. It has active maintainers and automated dependency tooling — yet CVE Lite CLI surfaced 14 vulnerable packages across 2,590 resolved dependencies, 13 of them transitive and invisible in the root `package.json`. - - This case study highlights two things that matter for real-world monorepos: +**1. 
The direct/transitive split tells you where to start.** Only 1 of 14 findings (`webpack-dev-server`) is a direct dependency the project controls outright. The other 13 require parent-chain decisions. Without that separation, a developer looking at a flat list of findings cannot tell which ones are actionable today. +**2. The `⊘` advisory-hint marker is honest signal, not a gap.** Several packages (`vite`, `tmp`, `js-yaml`, `uuid`, `@tootallnate/once`) show a fixed-version hint from OSV but no validated copy-and-run command. CVE Lite flags these explicitly rather than generating a command it cannot confirm. That distinction matters: a false fix command that silently introduces a breaking change is worse than no command at all. -\*\*1. The direct/transitive split tells you where to start.\*\* Only 1 of 14 findings (`webpack-dev-server`) is a direct dependency the project controls outright. The other 13 require parent-chain decisions. Without that separation, a developer looking at a flat list of findings cannot tell which ones are actionable today. - - - -\*\*2. The `⊘` advisory-hint marker is honest signal, not a gap.\*\* Several packages (`vite`, `tmp`, `js-yaml`, `uuid`, `@tootallnate/once`) show a fixed-version hint from OSV but no validated copy-and-run command. CVE Lite flags these explicitly rather than generating a command it cannot confirm. That distinction matters: a false fix command that silently introduces a breaking change is worse than no command at all. - - - -\--- - - - -\## Comparison: CVE Lite CLI vs pnpm audit - +--- +## Comparison Note: CVE Lite CLI vs pnpm audit Both tools were run against the same `pnpm-lock.yaml` on the same machine. 
- - | Metric | pnpm audit | CVE Lite CLI v1.25.0 | - |---|---:|---:| - | Total reported findings | 25 | 14 | - | Critical | 0 | 0 | - | High | 8 | 6 | - | Medium | 10 | 7 | - | Low | 7 | 1 | - | Direct vs transitive breakdown | ✗ | ✔ (1 / 13) | - | Validated fix targets | ✗ | ✔ | - | Breaking change awareness | ✗ | ✔ | - | Advisory-hint-only marker (⊘) | ✗ | ✔ | - | Specific copy-and-run commands | ✗ | ✔ (4 groups) | - - -\*\*Why CVE Lite reports fewer findings — and why that is not a coverage gap:\*\* - - +**Why CVE Lite reports fewer findings — and why that is not a coverage gap:** `pnpm audit` counts vulnerability paths, not packages. A single vulnerable package reached via multiple dependency paths contributes multiple entries. CVE Lite counts each unique vulnerable package once regardless of how many paths reach it. That is why the totals differ: 25 vs 14. - - This deduplication is intentional. A developer looking at 25 findings cannot tell how many distinct packages need attention. CVE Lite's 14 is the true exposure surface: 14 packages, each needing exactly one decision. +--- +## Before vs After -\--- - +| Stage | Findings | Critical | High | Medium | Low | Direct | Transitive | Command groups | +|---|---:|---:|---:|---:|---:|---:|---:|---:| +| Baseline | 14 | 0 | 6 | 7 | 1 | 1 | 13 | 0 | +| After all fix commands | 7 | 0 | 2 | 4 | 1 | 0 | 7 | 4 | +--- -\## Fix plan +## Fix Journey +CVE Lite generated 4 command groups covering 7 of 14 findings in a single pass. +The only direct dependency in the findings is `webpack-dev-server` — one command clears it. The remaining fixable findings are transitive: `ws` is reached through `@rsdoctor/rspack-plugin`, while `form-data`, `undici`, `dompurify`, `http-proxy-middleware`, and `launch-editor` can all be refreshed within their current parent ranges without a version bump to the declaring package. -CVE Lite generated 4 command groups covering 7 of 14 findings. 
- +The 7 remaining findings after the fix pass are all structural blockers: `tmp`, `vite`, `js-yaml`, and `@tootallnate/once` have advisory hints only with no validated fix target; `uuid` and `js-yaml` require major version jumps with breaking changes; these require tracking upstream releases rather than a local install command today. +--- -\### High severity — direct parent upgrade +## Fix plan +CVE Lite generated 4 command groups covering 7 of 14 findings. +### High severity — direct parent upgrade ```bash - pnpm add @rsdoctor/rspack-plugin@1.5.13 - ``` - - Resolves `ws@8.20.1` (high) through the path: - `@rsdoctor/rspack-plugin → @rsdoctor/sdk → socket.io → engine.io → ws` - - -\### High severity — within-range parent updates - - +### High severity — within-range parent updates ```bash - -pnpm update --no-save form-data \&\& pnpm update --recursive --no-save undici - +pnpm update --no-save form-data && pnpm update --recursive --no-save undici ``` - - Both `form-data@4.0.5` and `undici@6.26.0 / 7.26.0` can be refreshed without a parent upgrade — the current declared ranges already permit safe versions. - - -\### Medium severity — direct fix - - +### Medium severity — direct fix ```bash - pnpm add --filter ./packages/docusaurus webpack-dev-server@5.2.5 - ``` - - `webpack-dev-server` is the only direct dependency in the findings. Upgrading from `5.2.4` to `5.2.5` (published 2026-06-12) clears `GHSA-mx8g-39q3-5c79`. CVE Lite validated the target version as non-vulnerable before generating this command. 
- - -\### Medium severity — within-range parent updates - - +### Medium severity — within-range parent updates ```bash - -pnpm -C packages/docusaurus-theme-mermaid update --no-save dompurify \&\& pnpm -C packages/docusaurus update --no-save http-proxy-middleware \&\& pnpm -C packages/docusaurus update --no-save launch-editor - +pnpm -C packages/docusaurus-theme-mermaid update --no-save dompurify && pnpm -C packages/docusaurus update --no-save http-proxy-middleware && pnpm -C packages/docusaurus update --no-save launch-editor ``` - - Three medium-severity transitive packages (`dompurify`, `http-proxy-middleware`, `launch-editor`) can be refreshed within their current parent ranges. +--- +## Why this matters -\--- - - - -\## Remaining risk after fix plan +Docusaurus is not a neglected project. It is actively maintained, widely deployed, and has automated tooling. Yet 13 of 14 vulnerable packages are invisible to anyone reading the root `package.json` — they only appear in the fully resolved lockfile. +This is the normal state of a healthy pnpm monorepo: the surface that matters for security is not the manifest a developer edits, but the 2,590-package graph the lockfile resolves. CVE Lite reads that graph directly and separates what a developer can act on today from what requires upstream decisions. +For a project of this scale, the operational value is not just finding vulnerabilities — it is knowing which of the 14 findings produce a copy-and-run command, which require a parent-chain decision, and which are blocked on upstream releases. That triage happens in seconds rather than hours. 
-7 findings remain after applying all 4 command groups: +--- +## Remaining risk after fix plan +6 findings remain after applying all 4 command groups: | Package | Version | Severity | Type | Note | - |---|---|---|---|---| - | tmp | 0.2.6 | high | transitive · dev | ⊘ advisory hint only — no validated fix command | - | vite | 8.0.14 | high | transitive · dev | ⊘ advisory hint only — no validated fix command | - | js-yaml | 3.14.2 | medium | transitive · dev | ⊘ major version jump (3 → 4), breaking change | - | js-yaml | 4.1.1 | medium | transitive · dev | ⊘ advisory hint only — no validated fix command | - | uuid | 8.3.2 | medium | transitive | ⊘ major version jump (8 → 11), breaking change | - | @tootallnate/once | 1.1.2 | low | transitive · dev | ⊘ advisory hint only — no validated fix command | -| ws | 8.20.1 | high | transitive | resolved by @rsdoctor/rspack-plugin upgrade above | - - - -All 7 remaining findings are either dev-only transitive packages or advisory-hint-only cases where no automated fix could be validated. None have a confident first-pass fix command — meaning the remediation work here requires tracking upstream releases rather than running a local install command today. - - - -\--- - - - -\## Why this matters - - - -Docusaurus is not a neglected project. It is actively maintained, widely deployed, and has automated tooling. Yet 13 of 14 vulnerable packages are invisible to anyone reading the root `package.json` — they only appear in the fully resolved lockfile. - - - -This is the normal state of a healthy pnpm monorepo: the surface that matters for security is not the manifest a developer edits, but the 2,590-package graph the lockfile resolves. CVE Lite reads that graph directly and separates what a developer can act on today from what requires upstream decisions. 
- - - -For a project of this scale, the operational value is not just finding vulnerabilities — it is knowing which of the 14 findings produce a copy-and-run command, which require a parent-chain decision, and which are blocked on upstream releases. That triage happens in seconds rather than hours. - - - -\--- - - - -\## Baseline findings +All 6 remaining findings are either dev-only transitive packages or advisory-hint-only cases where no automated fix could be validated. +--- +## Baseline findings Full vulnerable package list at scan time: - - | Package | Version | Severity | Relationship | Fixed | Advisory IDs | - |---|---|---|---|---|---| - | form-data | 4.0.5 | high | transitive | 4.0.6 | GHSA-hmw2-7cc7-3qxx | - | tmp | 0.2.6 | high | transitive · dev | 0.2.7 ⊘ | GHSA-7c78-jf6q-g5cm | - | undici | 6.26.0 | high | transitive · dev | 6.27.0 | GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7… | - | undici | 7.26.0 | high | transitive | 7.28.0 | GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7… | - | vite | 8.0.14 | high | transitive · dev | 8.0.16 ⊘ | GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3 | - | ws | 8.20.1 | high | transitive | 8.21.0 | GHSA-96hv-2xvq-fx4p | - | webpack-dev-server | 5.2.4 | medium | direct | 5.2.5 | GHSA-mx8g-39q3-5c79 | - | dompurify | 3.4.7 | medium | transitive | 3.4.11 | GHSA-cmwh-pvxp-8882, GHSA-gvmj-g25r-r7w… | - | http-proxy-middleware | 2.0.9 | medium | transitive | 2.0.10 | GHSA-64mm-vxmg-q3vj | - | js-yaml | 3.14.2 | medium | transitive · dev | 4.2.0 ⊘ | GHSA-h67p-54hq-rp68 | - | js-yaml | 4.1.1 | medium | transitive · dev | 4.2.0 ⊘ | GHSA-h67p-54hq-rp68 | - | launch-editor | 2.13.2 | medium | transitive | 2.14.1 | GHSA-v6wh-96g9-6wx3 | - | uuid | 8.3.2 | medium | transitive | 11.1.1 ⊘ | GHSA-w5hq-g745-h8pq | - | @tootallnate/once | 1.1.2 | low | transitive · dev | 2.0.1 ⊘ | GHSA-vpq2-c234-7xj6 | - - ⊘ Advisory hint only — no automated fix command could be generated. +--- - -\--- - - - -\## Scan command - - +## Scan command ```bash - cve-lite . 
--verbose --all - ``` - - | Field | Value | - |---|---| - | Scan date | 2026-06-26 | - | CLI version | v1.25.0 | - +| Revision | `5d162a4654b105aa9cc66dc38ddbc367d81be230` | | Lockfile | pnpm-lock.yaml | - | Resolved packages | 2,590 | - | Findings | 14 | - | CVEs matched | 20 | - | Fix commands generated | 4 groups (7 of 14 findings) | - - -Reproduce from a local clone: - - +Reproduce from a local clone at the pinned revision: ```bash - git clone https://github.com/facebook/docusaurus - cd docusaurus - +git checkout 5d162a4654b105aa9cc66dc38ddbc367d81be230 cve-lite . --verbose --all - ``` +--- +## Want your project reviewed? -\--- - - - -\## Want your project reviewed? - - - -If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the \[CVE Lite CLI repository](https://github.com/OWASP/cve-lite-cli/issues). - - +If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the [CVE Lite CLI repository](https://github.com/OWASP/cve-lite-cli/issues). Please include: +- the repository link +- why the project would make a useful case study +- whether the dependency graph is publicly reproducible - -\- the repository link - -\- why the project would make a useful case study - -\- whether the dependency graph is publicly reproducible - - - -Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows. - +Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows. \ No newline at end of file 
diff --git a/website/static/img/docusaurus-logo.png b/website/static/img/docusaurus-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..f458149e3c8f53335f28fbc162ae67f55575c881 GIT binary patch literal 5142 [binary image data omitted] From 445552b132eaaef51b8e7da4b2579bd40608b669 Mon Sep 17 00:00:00 2001
From: Ranimabidi Date: Sun, 28 Jun 2026 14:36:17 +0100 Subject: [PATCH 3/3] docs: fix section order, merge Fix plan into Fix Journey Signed-off-by: Ranimabidi --- website/docs/case-studies/docusaurus.md | 66 +++++++++++-------------- 1 file changed, 30 insertions(+), 36 deletions(-) diff --git a/website/docs/case-studies/docusaurus.md b/website/docs/case-studies/docusaurus.md index 60a31ffa..1006eea7 100644 --- a/website/docs/case-studies/docusaurus.md +++ b/website/docs/case-studies/docusaurus.md @@ -17,7 +17,7 @@ - **Direct vs transitive:** 1 direct / 13 transitive - **CVEs matched:** 20 - **Fix commands generated:** 4 command groups covering 7 of 14 findings -- **Remaining after fix plan:** 7 findings (structural blockers — no fix available or advisory hint only) +- **Remaining after fix plan:** 6 findings (structural blockers — no fix available or advisory hint only) --- 
@@ -73,13 +73,7 @@ CVE Lite generated 4 command groups covering 7 of 14 findings in a single pass. The only direct dependency in the findings is `webpack-dev-server` — one command clears it. The remaining fixable findings are transitive: `ws` is reached through `@rsdoctor/rspack-plugin`, while `form-data`, `undici`, `dompurify`, `http-proxy-middleware`, and `launch-editor` can all be refreshed within their current parent ranges without a version bump to the declaring package. -The 7 remaining findings after the fix pass are all structural blockers: `tmp`, `vite`, `js-yaml`, and `@tootallnate/once` have advisory hints only with no validated fix target; `uuid` and `js-yaml` require major version jumps with breaking changes; these require tracking upstream releases rather than a local install command today. - ---- - -## Fix plan - -CVE Lite generated 4 command groups covering 7 of 14 findings. +The 6 remaining findings after the fix pass are all structural blockers: `tmp`, `vite`, `js-yaml`, and `@tootallnate/once` have advisory hints only with no validated fix target; `uuid` and `js-yaml` require major version jumps with breaking changes; these require tracking upstream releases rather than a local install command today. ### High severity — direct parent upgrade 
@@ -126,6 +120,34 @@ For a project of this scale, the operational value is not just finding vulnerabi --- +## Scan command + +```bash +cve-lite . --verbose --all +``` + +| Field | Value | +|---|---| +| Scan date | 2026-06-26 | +| CLI version | v1.25.0 | +| Revision | `5d162a4654b105aa9cc66dc38ddbc367d81be230` | +| Lockfile | pnpm-lock.yaml | +| Resolved packages | 2,590 | +| Findings | 14 | +| CVEs matched | 20 | +| Fix commands generated | 4 groups (7 of 14 findings) | + +Reproduce from a local clone at the pinned revision: + +```bash +git clone https://github.com/facebook/docusaurus +cd docusaurus +git checkout 5d162a4654b105aa9cc66dc38ddbc367d81be230 +cve-lite . --verbose --all +``` + +--- + ## Remaining risk after fix plan 6 findings remain after applying all 4 command groups: @@ -168,34 +190,6 @@ Full vulnerable package list at scan time: --- -## Scan command - -```bash -cve-lite . --verbose --all -``` - -| Field | Value | -|---|---| -| Scan date | 2026-06-26 | -| CLI version | v1.25.0 | -| Revision | `5d162a4654b105aa9cc66dc38ddbc367d81be230` | -| Lockfile | pnpm-lock.yaml | -| Resolved packages | 2,590 | -| Findings | 14 | -| CVEs matched | 20 | -| Fix commands generated | 4 groups (7 of 14 findings) | - -Reproduce from a local clone at the pinned revision: - -```bash -git clone https://github.com/facebook/docusaurus -cd docusaurus -git checkout 5d162a4654b105aa9cc66dc38ddbc367d81be230 -cve-lite . --verbose --all -``` - ---- - ## Want your project reviewed? If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the [CVE Lite CLI repository](https://github.com/OWASP/cve-lite-cli/issues).
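Review bot: in PATCH 1/3 the new `docusaurus.md` has every Markdown control character escaped (`\#`, `\*\*`, `\-`, `\[`, `\---`), so the headings, bold lead-ins and bullet lists will render as literal backslashes and hash signs, and the two command chains inside the fenced blocks carry `\&\&` (`pnpm update --no-save form-data \&\& pnpm update --recursive --no-save undici` and the three `pnpm -C packages/... update --no-save ...` commands), which will not run as a shell conjunction when copied. Remove the escaping throughout; the file is plain Markdown and the fenced blocks must be pasteable as written. In the same hunk, the "Remaining risk after fix plan" table says 7 findings remain but its last row, `ws | 8.20.1 | high | transitive | resolved by @rsdoctor/rspack-plugin upgrade above`, is by its own note not a remaining finding; either drop that row and say 6, or explain why a resolved package is listed there.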
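Review bot: in the `docusaurus.md` hunk of PATCH 2/3 the counts disagree with each other. The "Remaining risk" section now says "6 findings remain" and its table has six rows, but the Summary bullet and the new Fix Journey paragraph still say 7 remain, and the new row `| After all fix commands | 7 | 0 | 2 | 4 | 1 | 0 | 7 | 4 |` reports 7 findings and 4 medium, while the six rows below it are 2 high (`tmp`, `vite`), 3 medium (`js-yaml` 3.14.2, `js-yaml` 4.1.1, `uuid`) and 1 low. The "7 of 14 findings" figure has the same problem: the four command groups name `ws`, `form-data`, both `undici` rows, `webpack-dev-server`, `dompurify`, `http-proxy-middleware` and `launch-editor`, which is 8 of the 14 baseline rows, and 8 fixed plus 6 remaining is the only split that sums to 14. Suggest `| After all fix commands | 6 | 0 | 2 | 3 | 1 | 0 | 6 | 4 |` and either "8 of 14" throughout or a one-line statement that the two `undici` rows are counted as one finding. Minor: the file now ends with `\ No newline at end of file`; add the trailing newline, and the sentence "CVE Lite generated 4 command groups covering 7 of 14 findings" appears under both "## Fix Journey" and "## Fix plan".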
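Review bot: for the new binary `website/static/img/docusaurus-logo.png` in PATCH 2/3, the commit message says only "add logo"; record where the image was taken from and under what terms it may be redistributed in this repository, since the case study page republishes a third-party project's logo.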
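Review bot: the first hunk of PATCH 3/3 changes the Summary bullet to "6 findings" but leaves the "Before vs After" row added in PATCH 2/3 (`| After all fix commands | 7 | 0 | 2 | 4 | 1 | 0 | 7 | 4 |`) and the bullet directly above it, "4 command groups covering 7 of 14 findings", untouched; 7 fixed plus 6 remaining is 13, not 14. Update the table row to 6 / 0 / 2 / 3 / 1 / 0 / 6 / 4 and the "7 of 14" figure in the same commit so the page is internally consistent after this series.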
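Review bot: in the second hunk of PATCH 3/3, the rewritten remaining-findings sentence names `js-yaml` in both groups ("`tmp`, `vite`, `js-yaml`, and `@tootallnate/once` have advisory hints only" and "`uuid` and `js-yaml` require major version jumps"), which reads as a double count; say which version is which, as the table does (`js-yaml` 3.14.2 is the 3 to 4 major jump, `js-yaml` 4.1.1 is advisory hint only). Also, with "## Fix plan" removed, the four "### ... severity" subsections now sit directly under "## Fix Journey" after a paragraph about unfixable findings; a short lead-in such as "The four command groups:" before the first subsection would keep the flow readable.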
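Review bot: the third and fourth hunks of PATCH 3/3 move the "## Scan command" section verbatim above "## Remaining risk after fix plan", which is fine, but the moved reproduction block (`git clone`, `cd docusaurus`, `git checkout 5d162a4654b105aa9cc66dc38ddbc367d81be230`, `cve-lite . --verbose --all`) never says that no `pnpm install` is needed; since the page states the scan reads `pnpm-lock.yaml` directly, add one sentence saying the checkout alone is sufficient, otherwise readers will install first and may end up with a different lockfile state than the one the numbers were taken from.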