Case Studies
Each study is a real scan of a popular open-source project: baseline findings recorded, fix commands run, results rescanned and measured. No estimated numbers.
These studies demonstrate CVE Lite CLI across different package managers, lockfile shapes, and project types: monorepos, transitive-heavy dependency graphs, projects with no direct findings, and projects where the most interesting vulnerability is one that npm audit would omit.
CVE Lite CLI is an OWASP Incubator Project.
| Project | Lockfile | Key finding |
|---|---|---|
| OWASP Juice Shop | npm | Multiple critical/high direct findings with copy-and-run fix commands |
| NestJS | npm | 26 findings, 25 transitive - CVE Lite surfaces the one actionable direct fix |
| Analog | pnpm | Angular meta-framework monorepo, pnpm workspace scanning |
| lint-staged | npm | [email protected] direct high dep hidden by npm audit --omit=dev |
| Ghost | npm | CMS platform, transitive chain analysis |
| Astro | pnpm | Large pnpm monorepo with verified baseline scan documentation |
| Turborepo | pnpm | Monorepo build tooling, pnpm lockfile |
| VS Code | npm | @anthropic-ai/[email protected]/0.82 as direct Copilot dependencies |
| Gatsby | Yarn Classic | Large Yarn v1 monorepo - 3,568 packages, 128 findings, 5 direct |
| Vercel AI SDK | pnpm | AI SDK monorepo - 3 direct findings, 5 workspace-scoped fix command groups |
| Mastra | pnpm | AI agent framework - 4,555 packages, 4 direct findings, workspace-scoped pnpm add |
| Lit | npm | Web components reference implementation - 2,059 packages, 3 direct rollup findings with workspace-scoped fix commands, 5 critical transitive |
| LangChain.js | pnpm | LLM application framework monorepo - 2,174 packages, lean graph, 3 high with validated targets, malicious-package advisory on OpenSearch integration paths |
| OpenAI Agents SDK (JS) | pnpm | AI agent monorepo - 1,683 packages, 0 direct findings, 31 transitive, one verdaccio parent-upgrade command |
| n8n | pnpm | Workflow automation monorepo - 3,746 packages, 1 direct turbo fix, 4 command groups, 31 transitive |
| Storybook | npm | Frontend tooling, large dependency graph |