Skip to main content

Builder.io Case Study

Verified baseline scan - CVE Lite CLI v1.22.0 · 2026-06-14

Builder.io logo

Summary

  • Project: Builder.io - visual development / headless CMS platform with drag-and-drop editing, Figma-to-code, and SDKs for React, Vue, Svelte, Qwik, Angular, Next.js, and more
  • Revision: 1219cc4ed49ed657a7ee5e7548ca13aeabafa725
  • Lockfile: root yarn.lock (Yarn Berry 3.6.1 + Nx monorepo, workspaces packages/*, plugins/*, examples/*, etc.)
  • Baseline findings: 315 unique vulnerable packages (32 critical · 164 high · 100 medium · 19 low)
  • OSV advisory matches: 328 CVE/advisory entries deduplicated into 315 packages
  • Direct vs transitive vs unknown: 2 direct / 0 transitive / 313 unknown
  • Validated fix command groups generated: 2
  • First-pass coverage: 2 of 315 findings have confident copy-and-run commands
  • yarn npm audit --all (same lockfile, default workspace scope): 2 vulnerability entries on root direct deps (1 high · 1 moderate)
  • Remediation applied in this study: two root-level direct fix commands applied cumulatively on a test checkout of BuilderIO/builder@1219cc4 (2026-06-22), rescanned through the committed lockfile fixture after each pass

What this case study demonstrates

Builder.io adds visual CMS / page-builder SDK monorepo coverage - distinct from Mitosis (cross-framework compiler) while sharing the Builder.io ecosystem. The upstream repo is a Yarn Berry + Nx monorepo at 5,655 resolved packages, one of the largest Yarn Berry lockfiles in the CVE Lite portfolio.

The 313 unknown relationship rows define this scan: on a lockfile-only snapshot, CVE Lite cannot classify framework examples, plugins, and SDK sandboxes as direct or transitive. Only two root direct findings (octokit and zx) have confident auto-generated fix commands amid massive sandbox noise.

Two confident direct fixes:

Critical sandbox/SDK cluster (unknown relationship): @angular/ssr, @builder.io/qwik, @builder.io/qwik-city, @nguniversal/*, @remix-run/node, next, handlebars, form-data, nuxt, simple-git, vitest - framework example and SDK e2e paths, not Builder npm consumer surface.

Version fragmentation at scale: multiple majors of esbuild, axios, minimatch, semver, rollup, vite, svelte, and lodash across examples and plugins.

This fixture pins the root package.json and yarn.lock only. Builder.io upstream spans packages/*, plugins/*, starters/*, and dozens of framework examples/* workspaces - all resolved into the single root lockfile.


Comparison Note: CVE Lite CLI vs yarn npm audit

Both tools were run against the same yarn.lock on the same machine on 2026-06-14.

Metricyarn npm audit --all (3.6.1, default)CVE Lite CLI v1.22.0
Total reported findings2315
Critical032
High1164
Moderate / Medium1100
Low019
Direct vs transitive breakdown✓ (2 / 0 / 313 unknown)
Full lockfile package parse✗ (root workspace direct deps only)✓ (5,655 packages)
Deduplicated package view
Validated fix targetspartial
Copy-and-run command groups✓ (2 groups)
Skipped findings with reason✓ (313 entries)

Why the totals differ:

By default, yarn npm audit --all on this lockfile-only snapshot checks direct dependencies for the active workspace only: two advisories on [email protected] (high) and [email protected] (moderate).

CVE Lite parses the entire yarn.lock, including React/Vue/Angular/Qwik/Remix/Nuxt examples, plugins, and SDK integration graphs, and reports 315 unique vulnerable package versions.

Fix guidance: CVE Lite generates exactly two validated direct upgrades matching what yarn npm audit surfaces, but also reveals 313 additional vulnerable packages in framework sandboxes that default Yarn audit never reaches.


Before vs After

Remediation results from applying the scanner's two direct fix commands one at a time on a test checkout of BuilderIO/builder@1219cc4, rescanned through the committed examples/builder lockfile fixture after each pass (CVE Lite v1.25.0 · 2026-06-22). The 2026-06-14 baseline recorded 315 findings; OSV advisory updates produce a 336-finding starting count on this remeasurement date.

StageFindingsCriticalHighMediumLowDirectTransitiveUnknownCommand groups
Baseline (verified)33632164111292213135
After high direct fix ([email protected])33232163108291173145
After medium direct fix ([email protected])33132163107290163154

Both direct levers cleared by pass 2. Total findings dropped 336 → 331 across two breaking major bumps. The 315 unknown sandbox rows remain structural; these two commands only address what Builder controls at the root manifest.

The first-pass plan covers 2 of 315 findings at the original 2026-06-14 baseline. The remaining 313 appear in the skipped section: overwhelmingly unknown relationship packages where Yarn Berry path reconstruction is incomplete in this MVP.


Fix Journey

Both commands are breaking major bumps flagged by CVE Lite. They address the only two root direct findings. The 32 critical sandbox rows (Qwik, Next.js, Angular SSR, Remix, Nuxt, simple-git, handlebars) require maintainer triage across framework examples, not direct installs.

Pass 1 - high direct fix:

Clears the high direct [email protected] row. Findings 336 → 332; direct 2 → 1 (2026-06-22 remeasurement baseline).

Pass 2 - medium direct fix:

Clears the medium direct [email protected] row. Findings 332 → 331; direct 1 → 0; medium 108 → 107.

After two passes, 331 findings remain - almost entirely unknown sandbox/toolchain rows with no confident first-pass command. Command groups dropped from 5 to 4.


Why this matters

Builder.io maintainers work inside a monorepo whose lockfile encodes SDKs, plugins, and dozens of framework starter examples. Default yarn npm audit --all shows two direct advisories. A lockfile scan reveals 315 vulnerable packages including critical paths across the entire visual-development test matrix.

CVE Lite's value at 5,655-package scale: two copy-and-run commands for what Builder controls directly, 32 critical findings routed to sandbox chains, and 313 skipped entries explaining why the rest are not auto-fixable on a lockfile-only Yarn Berry snapshot.


Scan command

Run from the Builder.io repository root or from the examples/builder directory in this repository:

cve-lite . --verbose --all

The example lockfile reflects Builder.io at revision 1219cc4ed49ed657a7ee5e7548ca13aeabafa725. OSV advisory data changes over time - re-scanning may show different counts on the same revision.

Every number in this case study comes from a live scan of the committed fixture at examples/builder/ in the CVE Lite CLI repository.

FieldValue
Scan date2026-06-14
CLI versionv1.22.0
CVE Lite commandnode dist/index.js examples/builder --verbose --all --json
yarn audit commandyarn npm audit --all (Yarn 3.6.1, default direct-deps scope)
Advisory sourceOSV (https://api.osv.dev) - online mode
Lockfile sourceexamples/builder/yarn.lock from BuilderIO/builder@1219cc4
Packages parsed (CVE Lite)5,655
Unique vulnerable packages (CVE Lite)315
Vulnerability entries (yarn npm audit --all)2
Fix command groups (CVE Lite)2
First-pass covered findings (CVE Lite)2
Skipped findings with reason (CVE Lite)313

Reproduce CVE Lite locally from the repository root:

npm install
npm run build
node dist/index.js examples/builder --verbose --all

Reproduce yarn npm audit from the example directory:

cd examples/builder
yarn npm audit --all

Both tools were run against the same root yarn.lock on the same machine on 2026-06-14.


Remaining risk after baseline scan

At the original baseline scan, all 315 findings were open at the time of this study.

  • 32 critical: Angular SSR, Qwik, Remix, Next.js, Nuxt, handlebars, form-data, simple-git, vitest, crypto tooling
  • 164 high: version fragmentation across esbuild, axios, minimatch, rollup, Angular, Remix, SvelteKit
  • 100 medium · 19 low: sandbox toolchain packages across examples/plugins

313 findings have no first-pass copy-and-run command (see scan skip reasons).


Baseline findings

Verified scan on 2026-06-14 (revision 1219cc4). Given 315 total rows, this case study lists all 32 critical findings, both direct findings, and a representative high subset illustrating version fragmentation. The remaining 134 high, 100 medium, and 19 low rows match the live scan JSON output (cve-lite-scan-2026-06-14T22-44-44.json).

Critical (32 packages)

About fix hints: The Fix hint column shows the earliest patched release recorded in the OSV advisory, not necessarily the right upgrade for your installed version line. Because OSV aggregates fixes across all affected ranges, the earliest patched version can appear lower than what you have installed - for example, several [email protected]/[email protected] rows show a fix hint of 12.3.5. That is not a recommendation to downgrade; it is the lowest version the advisory marks as patched. Always verify against the upstream advisory and the project's security page (e.g. the Next.js security advisories) and upgrade forward within your major before relying on these hints. The marker denotes findings with no confident auto-generated fix command.

PackageVersionSeverityRelationshipFix hintAdvisory IDs
@angular/ssr17.3.17criticalunknown19.2.21 ⊘CVE-2025-59052, CVE-2026-27739, GHSA-68x2-mx4q-78m7, GHSA-x288-3778-4hhx
@angular/ssr19.0.6criticalunknown19.2.25 ⊘CVE-2025-59052, CVE-2026-44437, CVE-2025-62427, CVE-2026-27739
@builder.io/qwik1.5.1criticalunknown1.19.1 ⊘CVE-2024-41677, CVE-2026-27971, GHSA-2rwj-7xq8-4gx4, GHSA-p9x5-jp3h-96mm
@builder.io/qwik1.9.1criticalunknown1.19.1 ⊘CVE-2026-27971, GHSA-p9x5-jp3h-96mm
@builder.io/qwik-city1.9.1criticalunknown1.19.2 ⊘CVE-2026-25149, CVE-2026-25148, CVE-2025-53620, CVE-2026-25151
@nguniversal/common16.2.0criticalunknown18.2.14 ⊘CVE-2025-59052, CVE-2026-27739, GHSA-68x2-mx4q-78m7, GHSA-x288-3778-4hhx
@nguniversal/express-engine16.2.0criticalunknown19.2.21 ⊘CVE-2026-27739, GHSA-x288-3778-4hhx
@remix-run/node1.19.3criticalunknown2.17.2 ⊘CVE-2025-61686, GHSA-9583-h5hc-x8cw
@remix-run/node2.15.3criticalunknown2.17.2 ⊘CVE-2025-61686, GHSA-9583-h5hc-x8cw
@remix-run/node2.16.5criticalunknown2.17.2 ⊘CVE-2025-61686, GHSA-9583-h5hc-x8cw
@remix-run/node2.9.2criticalunknown2.17.2 ⊘CVE-2025-61686, GHSA-9583-h5hc-x8cw
basic-ftp5.0.3criticalunknown5.3.1 ⊘CVE-2026-27699, CVE-2026-41324, CVE-2026-44240, GHSA-5rq4-664w-9x2c
cipher-base1.0.4criticalunknown1.0.5 ⊘CVE-2025-9287, GHSA-cpq7-6gpm-g9rc
fast-xml-parser4.4.1criticalunknown5.7.0 ⊘CVE-2026-33036, CVE-2026-27942, CVE-2026-41650, CVE-2026-26278
form-data2.3.3criticalunknown2.5.4 ⊘CVE-2025-7783, GHSA-fjxv-7rqg-78g4
form-data3.0.1criticalunknown3.0.4 ⊘CVE-2025-7783, GHSA-fjxv-7rqg-78g4
form-data4.0.0criticalunknown4.0.4 ⊘CVE-2025-7783, GHSA-fjxv-7rqg-78g4
handlebars4.7.8criticalunknown4.7.9 ⊘CVE-2026-33916, CVE-2026-33937, CVE-2026-33938, CVE-2026-33939
liquidjs10.9.2criticalunknown10.26.0 ⊘CVE-2026-44644, CVE-2026-41311, CVE-2026-35525, CVE-2026-33287
next14.0.3criticalunknown12.3.5 ⊘CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980
next14.1.1criticalunknown12.3.5 ⊘CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980
next14.2.2criticalunknown12.3.5 ⊘CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980
next15.0.4criticalunknown12.3.5 ⊘CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980
next15.1.2criticalunknown12.3.5 ⊘CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980
nuxt3.11.2criticalunknown3.21.6 ⊘CVE-2026-45669, CVE-2026-46342, CVE-2026-47200, CVE-2025-27415
nuxt3.8.2criticalunknown3.21.6 ⊘CVE-2026-45669, CVE-2026-46342, CVE-2025-27415, CVE-2025-59414
pbkdf23.1.2criticalunknown3.1.3 ⊘CVE-2025-6545, CVE-2025-6547, GHSA-h7cp-r72f-jxh6, GHSA-v62p-rq8g-8h59
sha.js2.4.11criticalunknown2.4.12 ⊘CVE-2025-9288, GHSA-95m3-7q98-8xr5
shell-quote1.8.1criticalunknown1.8.4 ⊘CVE-2026-9277, GHSA-w7jw-789q-3m8p
simple-git3.19.1criticalunknown3.36.0 ⊘CVE-2026-6951, CVE-2026-28291, CVE-2026-28292, GHSA-hffm-xvc3-vprc
simple-git3.27.0criticalunknown3.36.0 ⊘CVE-2026-6951, CVE-2026-28291, CVE-2026-28292, GHSA-hffm-xvc3-vprc
vitest0.33.0criticalunknown4.1.0 ⊘CVE-2026-47429, GHSA-5xrq-8626-4rwp

Direct findings (2 packages)

PackageVersionSeverityRelationshipFix hintAdvisory IDs
octokit2.1.0highdirect · dev3.1.2CVE-2023-50728, GHSA-pwfr-8pq7-x9qv
zx7.2.1mediumdirect · dev8.8.5CVE-2025-13437, GHSA-w87r-vg9q-crqm

Representative high findings (version fragmentation)

PackageVersionSeverityRelationshipFix hintAdvisory IDs
axios0.21.4highunknown0.32.0 ⊘CVE-2026-44495, CVE-2025-62718, CVE-2026-25639, CVE-2026-42034
axios0.25.0highunknown0.32.0 ⊘CVE-2026-44495, CVE-2025-62718, CVE-2026-25639, CVE-2026-42034
axios1.6.2highunknown1.16.0 ⊘CVE-2026-44494, CVE-2026-44495, CVE-2025-62718, CVE-2026-42044
axios1.7.7highunknown1.16.0 ⊘CVE-2026-44494, CVE-2026-44495, CVE-2025-62718, CVE-2026-42044
esbuild0.17.19highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.17.6highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.18.17highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.18.20highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.19.12highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.19.8highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.20.1highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.20.2highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.21.5highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.24.0highunknown0.28.1 ⊘GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr
esbuild0.25.4highunknown0.28.1 ⊘GHSA-gv7w-rqvm-qjhr
lodash4.17.21highunknown4.18.0 ⊘CVE-2026-2950, CVE-2026-4800, CVE-2025-13465, GHSA-f23m-r3pf-42rh
minimatch10.0.1highunknown10.2.3 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch3.1.2highunknown3.1.4 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch4.2.3highunknown4.2.5 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch5.1.2highunknown5.1.8 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch5.1.6highunknown5.1.8 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch7.4.6highunknown7.4.8 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch9.0.1highunknown9.0.7 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch9.0.3highunknown9.0.7 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch9.0.4highunknown9.0.7 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
minimatch9.0.5highunknown9.0.7 ⊘CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74
rollup0.63.5highunknown2.80.0 ⊘CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc
rollup2.79.1highunknown2.80.0 ⊘CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc
rollup2.79.2highunknown2.80.0 ⊘CVE-2026-27606, GHSA-mw96-cpmx-2vgc
rollup3.29.4highunknown3.30.0 ⊘CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc

134 additional high, 100 medium, and 19 low findings are omitted from this table for readability; counts and severities match the verified scan JSON.


Want your project reviewed?

If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the CVE Lite CLI repository.

Please include:

  • the repository link
  • why the project would make a useful case study
  • whether the dependency graph is publicly reproducible

Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows.