Builder.io Case Study
Verified baseline scan - CVE Lite CLI v1.22.0 · 2026-06-14
Summary
- Project: Builder.io - visual development / headless CMS platform with drag-and-drop editing, Figma-to-code, and SDKs for React, Vue, Svelte, Qwik, Angular, Next.js, and more
- Revision:
1219cc4ed49ed657a7ee5e7548ca13aeabafa725 - Lockfile: root
yarn.lock(Yarn Berry 3.6.1 + Nx monorepo, workspacespackages/*,plugins/*,examples/*, etc.) - Baseline findings: 315 unique vulnerable packages (32 critical · 164 high · 100 medium · 19 low)
- OSV advisory matches: 328 CVE/advisory entries deduplicated into 315 packages
- Direct vs transitive vs unknown: 2 direct / 0 transitive / 313 unknown
- Validated fix command groups generated: 2
- First-pass coverage: 2 of 315 findings have confident copy-and-run commands
- yarn npm audit --all (same lockfile, default workspace scope): 2 vulnerability entries on root direct deps (1 high · 1 moderate)
- Remediation applied in this study: two root-level direct fix commands applied cumulatively on a test checkout of BuilderIO/builder@1219cc4 (2026-06-22), rescanned through the committed lockfile fixture after each pass
What this case study demonstrates
Builder.io adds visual CMS / page-builder SDK monorepo coverage - distinct from Mitosis (cross-framework compiler) while sharing the Builder.io ecosystem. The upstream repo is a Yarn Berry + Nx monorepo at 5,655 resolved packages, one of the largest Yarn Berry lockfiles in the CVE Lite portfolio.
The 313 unknown relationship rows define this scan: on a lockfile-only snapshot, CVE Lite cannot classify framework examples, plugins, and SDK sandboxes as direct or transitive. Only two root direct findings (octokit and zx) have confident auto-generated fix commands amid massive sandbox noise.
Two confident direct fixes:
[email protected](high, direct · dev) →yarn add [email protected](breaking major flagged)[email protected](medium, direct · dev) →yarn add [email protected](breaking major flagged)
Critical sandbox/SDK cluster (unknown relationship): @angular/ssr, @builder.io/qwik, @builder.io/qwik-city, @nguniversal/*, @remix-run/node, next, handlebars, form-data, nuxt, simple-git, vitest - framework example and SDK e2e paths, not Builder npm consumer surface.
Version fragmentation at scale: multiple majors of esbuild, axios, minimatch, semver, rollup, vite, svelte, and lodash across examples and plugins.
This fixture pins the root package.json and yarn.lock only. Builder.io upstream spans packages/*, plugins/*, starters/*, and dozens of framework examples/* workspaces - all resolved into the single root lockfile.
Comparison Note: CVE Lite CLI vs yarn npm audit
Both tools were run against the same yarn.lock on the same machine on 2026-06-14.
| Metric | yarn npm audit --all (3.6.1, default) | CVE Lite CLI v1.22.0 |
|---|---|---|
| Total reported findings | 2 | 315 |
| Critical | 0 | 32 |
| High | 1 | 164 |
| Moderate / Medium | 1 | 100 |
| Low | 0 | 19 |
| Direct vs transitive breakdown | ✗ | ✓ (2 / 0 / 313 unknown) |
| Full lockfile package parse | ✗ (root workspace direct deps only) | ✓ (5,655 packages) |
| Deduplicated package view | ✗ | ✓ |
| Validated fix targets | partial | ✓ |
| Copy-and-run command groups | ✗ | ✓ (2 groups) |
| Skipped findings with reason | ✗ | ✓ (313 entries) |
Why the totals differ:
By default, yarn npm audit --all on this lockfile-only snapshot checks direct dependencies for the active workspace only: two advisories on [email protected] (high) and [email protected] (moderate).
CVE Lite parses the entire yarn.lock, including React/Vue/Angular/Qwik/Remix/Nuxt examples, plugins, and SDK integration graphs, and reports 315 unique vulnerable package versions.
Fix guidance: CVE Lite generates exactly two validated direct upgrades matching what yarn npm audit surfaces, but also reveals 313 additional vulnerable packages in framework sandboxes that default Yarn audit never reaches.
Before vs After
Remediation results from applying the scanner's two direct fix commands one at a time on a test checkout of BuilderIO/builder@1219cc4, rescanned through the committed examples/builder lockfile fixture after each pass (CVE Lite v1.25.0 · 2026-06-22). The 2026-06-14 baseline recorded 315 findings; OSV advisory updates produce a 336-finding starting count on this remeasurement date.
| Stage | Findings | Critical | High | Medium | Low | Direct | Transitive | Unknown | Command groups |
|---|---|---|---|---|---|---|---|---|---|
| Baseline (verified) | 336 | 32 | 164 | 111 | 29 | 2 | 21 | 313 | 5 |
After high direct fix ([email protected]) | 332 | 32 | 163 | 108 | 29 | 1 | 17 | 314 | 5 |
After medium direct fix ([email protected]) | 331 | 32 | 163 | 107 | 29 | 0 | 16 | 315 | 4 |
Both direct levers cleared by pass 2. Total findings dropped 336 → 331 across two breaking major bumps. The 315 unknown sandbox rows remain structural; these two commands only address what Builder controls at the root manifest.
The first-pass plan covers 2 of 315 findings at the original 2026-06-14 baseline. The remaining 313 appear in the skipped section: overwhelmingly unknown relationship packages where Yarn Berry path reconstruction is incomplete in this MVP.
Fix Journey
Both commands are breaking major bumps flagged by CVE Lite. They address the only two root direct findings. The 32 critical sandbox rows (Qwik, Next.js, Angular SSR, Remix, Nuxt, simple-git, handlebars) require maintainer triage across framework examples, not direct installs.
Pass 1 - high direct fix:
yarn add [email protected]
Clears the high direct [email protected] row. Findings 336 → 332; direct 2 → 1 (2026-06-22 remeasurement baseline).
Pass 2 - medium direct fix:
yarn add [email protected]
Clears the medium direct [email protected] row. Findings 332 → 331; direct 1 → 0; medium 108 → 107.
After two passes, 331 findings remain - almost entirely unknown sandbox/toolchain rows with no confident first-pass command. Command groups dropped from 5 to 4.
Why this matters
Builder.io maintainers work inside a monorepo whose lockfile encodes SDKs, plugins, and dozens of framework starter examples. Default yarn npm audit --all shows two direct advisories. A lockfile scan reveals 315 vulnerable packages including critical paths across the entire visual-development test matrix.
CVE Lite's value at 5,655-package scale: two copy-and-run commands for what Builder controls directly, 32 critical findings routed to sandbox chains, and 313 skipped entries explaining why the rest are not auto-fixable on a lockfile-only Yarn Berry snapshot.
Scan command
Run from the Builder.io repository root or from the examples/builder directory in this repository:
cve-lite . --verbose --all
The example lockfile reflects Builder.io at revision 1219cc4ed49ed657a7ee5e7548ca13aeabafa725. OSV advisory data changes over time - re-scanning may show different counts on the same revision.
Every number in this case study comes from a live scan of the committed fixture at examples/builder/ in the CVE Lite CLI repository.
| Field | Value |
|---|---|
| Scan date | 2026-06-14 |
| CLI version | v1.22.0 |
| CVE Lite command | node dist/index.js examples/builder --verbose --all --json |
| yarn audit command | yarn npm audit --all (Yarn 3.6.1, default direct-deps scope) |
| Advisory source | OSV (https://api.osv.dev) - online mode |
| Lockfile source | examples/builder/yarn.lock from BuilderIO/builder@1219cc4 |
| Packages parsed (CVE Lite) | 5,655 |
| Unique vulnerable packages (CVE Lite) | 315 |
| Vulnerability entries (yarn npm audit --all) | 2 |
| Fix command groups (CVE Lite) | 2 |
| First-pass covered findings (CVE Lite) | 2 |
| Skipped findings with reason (CVE Lite) | 313 |
Reproduce CVE Lite locally from the repository root:
npm install
npm run build
node dist/index.js examples/builder --verbose --all
Reproduce yarn npm audit from the example directory:
cd examples/builder
yarn npm audit --all
Both tools were run against the same root yarn.lock on the same machine on 2026-06-14.
Remaining risk after baseline scan
At the original baseline scan, all 315 findings were open at the time of this study.
- 32 critical: Angular SSR, Qwik, Remix, Next.js, Nuxt,
handlebars,form-data,simple-git,vitest, crypto tooling - 164 high: version fragmentation across
esbuild,axios,minimatch,rollup, Angular, Remix, SvelteKit - 100 medium · 19 low: sandbox toolchain packages across examples/plugins
313 findings have no first-pass copy-and-run command (see scan skip reasons).
Baseline findings
Verified scan on 2026-06-14 (revision 1219cc4). Given 315 total rows, this case study lists all 32 critical findings, both direct findings, and a representative high subset illustrating version fragmentation. The remaining 134 high, 100 medium, and 19 low rows match the live scan JSON output (cve-lite-scan-2026-06-14T22-44-44.json).
Critical (32 packages)
About fix hints: The Fix hint column shows the earliest patched release recorded in the OSV advisory, not necessarily the right upgrade for your installed version line. Because OSV aggregates fixes across all affected ranges, the earliest patched version can appear lower than what you have installed - for example, several
[email protected]/[email protected]rows show a fix hint of12.3.5. That is not a recommendation to downgrade; it is the lowest version the advisory marks as patched. Always verify against the upstream advisory and the project's security page (e.g. the Next.js security advisories) and upgrade forward within your major before relying on these hints. The⊘marker denotes findings with no confident auto-generated fix command.
| Package | Version | Severity | Relationship | Fix hint | Advisory IDs |
|---|---|---|---|---|---|
| @angular/ssr | 17.3.17 | critical | unknown | 19.2.21 ⊘ | CVE-2025-59052, CVE-2026-27739, GHSA-68x2-mx4q-78m7, GHSA-x288-3778-4hhx |
| @angular/ssr | 19.0.6 | critical | unknown | 19.2.25 ⊘ | CVE-2025-59052, CVE-2026-44437, CVE-2025-62427, CVE-2026-27739 |
| @builder.io/qwik | 1.5.1 | critical | unknown | 1.19.1 ⊘ | CVE-2024-41677, CVE-2026-27971, GHSA-2rwj-7xq8-4gx4, GHSA-p9x5-jp3h-96mm |
| @builder.io/qwik | 1.9.1 | critical | unknown | 1.19.1 ⊘ | CVE-2026-27971, GHSA-p9x5-jp3h-96mm |
| @builder.io/qwik-city | 1.9.1 | critical | unknown | 1.19.2 ⊘ | CVE-2026-25149, CVE-2026-25148, CVE-2025-53620, CVE-2026-25151 |
| @nguniversal/common | 16.2.0 | critical | unknown | 18.2.14 ⊘ | CVE-2025-59052, CVE-2026-27739, GHSA-68x2-mx4q-78m7, GHSA-x288-3778-4hhx |
| @nguniversal/express-engine | 16.2.0 | critical | unknown | 19.2.21 ⊘ | CVE-2026-27739, GHSA-x288-3778-4hhx |
| @remix-run/node | 1.19.3 | critical | unknown | 2.17.2 ⊘ | CVE-2025-61686, GHSA-9583-h5hc-x8cw |
| @remix-run/node | 2.15.3 | critical | unknown | 2.17.2 ⊘ | CVE-2025-61686, GHSA-9583-h5hc-x8cw |
| @remix-run/node | 2.16.5 | critical | unknown | 2.17.2 ⊘ | CVE-2025-61686, GHSA-9583-h5hc-x8cw |
| @remix-run/node | 2.9.2 | critical | unknown | 2.17.2 ⊘ | CVE-2025-61686, GHSA-9583-h5hc-x8cw |
| basic-ftp | 5.0.3 | critical | unknown | 5.3.1 ⊘ | CVE-2026-27699, CVE-2026-41324, CVE-2026-44240, GHSA-5rq4-664w-9x2c |
| cipher-base | 1.0.4 | critical | unknown | 1.0.5 ⊘ | CVE-2025-9287, GHSA-cpq7-6gpm-g9rc |
| fast-xml-parser | 4.4.1 | critical | unknown | 5.7.0 ⊘ | CVE-2026-33036, CVE-2026-27942, CVE-2026-41650, CVE-2026-26278 |
| form-data | 2.3.3 | critical | unknown | 2.5.4 ⊘ | CVE-2025-7783, GHSA-fjxv-7rqg-78g4 |
| form-data | 3.0.1 | critical | unknown | 3.0.4 ⊘ | CVE-2025-7783, GHSA-fjxv-7rqg-78g4 |
| form-data | 4.0.0 | critical | unknown | 4.0.4 ⊘ | CVE-2025-7783, GHSA-fjxv-7rqg-78g4 |
| handlebars | 4.7.8 | critical | unknown | 4.7.9 ⊘ | CVE-2026-33916, CVE-2026-33937, CVE-2026-33938, CVE-2026-33939 |
| liquidjs | 10.9.2 | critical | unknown | 10.26.0 ⊘ | CVE-2026-44644, CVE-2026-41311, CVE-2026-35525, CVE-2026-33287 |
| next | 14.0.3 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |
| next | 14.1.1 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |
| next | 14.2.2 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |
| next | 15.0.4 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |
| next | 15.1.2 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |
| nuxt | 3.11.2 | critical | unknown | 3.21.6 ⊘ | CVE-2026-45669, CVE-2026-46342, CVE-2026-47200, CVE-2025-27415 |
| nuxt | 3.8.2 | critical | unknown | 3.21.6 ⊘ | CVE-2026-45669, CVE-2026-46342, CVE-2025-27415, CVE-2025-59414 |
| pbkdf2 | 3.1.2 | critical | unknown | 3.1.3 ⊘ | CVE-2025-6545, CVE-2025-6547, GHSA-h7cp-r72f-jxh6, GHSA-v62p-rq8g-8h59 |
| sha.js | 2.4.11 | critical | unknown | 2.4.12 ⊘ | CVE-2025-9288, GHSA-95m3-7q98-8xr5 |
| shell-quote | 1.8.1 | critical | unknown | 1.8.4 ⊘ | CVE-2026-9277, GHSA-w7jw-789q-3m8p |
| simple-git | 3.19.1 | critical | unknown | 3.36.0 ⊘ | CVE-2026-6951, CVE-2026-28291, CVE-2026-28292, GHSA-hffm-xvc3-vprc |
| simple-git | 3.27.0 | critical | unknown | 3.36.0 ⊘ | CVE-2026-6951, CVE-2026-28291, CVE-2026-28292, GHSA-hffm-xvc3-vprc |
| vitest | 0.33.0 | critical | unknown | 4.1.0 ⊘ | CVE-2026-47429, GHSA-5xrq-8626-4rwp |
Direct findings (2 packages)
| Package | Version | Severity | Relationship | Fix hint | Advisory IDs |
|---|---|---|---|---|---|
| octokit | 2.1.0 | high | direct · dev | 3.1.2 | CVE-2023-50728, GHSA-pwfr-8pq7-x9qv |
| zx | 7.2.1 | medium | direct · dev | 8.8.5 | CVE-2025-13437, GHSA-w87r-vg9q-crqm |
Representative high findings (version fragmentation)
| Package | Version | Severity | Relationship | Fix hint | Advisory IDs |
|---|---|---|---|---|---|
| axios | 0.21.4 | high | unknown | 0.32.0 ⊘ | CVE-2026-44495, CVE-2025-62718, CVE-2026-25639, CVE-2026-42034 |
| axios | 0.25.0 | high | unknown | 0.32.0 ⊘ | CVE-2026-44495, CVE-2025-62718, CVE-2026-25639, CVE-2026-42034 |
| axios | 1.6.2 | high | unknown | 1.16.0 ⊘ | CVE-2026-44494, CVE-2026-44495, CVE-2025-62718, CVE-2026-42044 |
| axios | 1.7.7 | high | unknown | 1.16.0 ⊘ | CVE-2026-44494, CVE-2026-44495, CVE-2025-62718, CVE-2026-42044 |
| esbuild | 0.17.19 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.17.6 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.18.17 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.18.20 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.19.12 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.19.8 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.20.1 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.20.2 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.21.5 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.24.0 | high | unknown | 0.28.1 ⊘ | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr |
| esbuild | 0.25.4 | high | unknown | 0.28.1 ⊘ | GHSA-gv7w-rqvm-qjhr |
| lodash | 4.17.21 | high | unknown | 4.18.0 ⊘ | CVE-2026-2950, CVE-2026-4800, CVE-2025-13465, GHSA-f23m-r3pf-42rh |
| minimatch | 10.0.1 | high | unknown | 10.2.3 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 3.1.2 | high | unknown | 3.1.4 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 4.2.3 | high | unknown | 4.2.5 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 5.1.2 | high | unknown | 5.1.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 5.1.6 | high | unknown | 5.1.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 7.4.6 | high | unknown | 7.4.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 9.0.1 | high | unknown | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 9.0.3 | high | unknown | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 9.0.4 | high | unknown | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| minimatch | 9.0.5 | high | unknown | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 |
| rollup | 0.63.5 | high | unknown | 2.80.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc |
| rollup | 2.79.1 | high | unknown | 2.80.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc |
| rollup | 2.79.2 | high | unknown | 2.80.0 ⊘ | CVE-2026-27606, GHSA-mw96-cpmx-2vgc |
| rollup | 3.29.4 | high | unknown | 3.30.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc |
134 additional high, 100 medium, and 19 low findings are omitted from this table for readability; counts and severities match the verified scan JSON.
Want your project reviewed?
If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the CVE Lite CLI repository.
Please include:
- the repository link
- why the project would make a useful case study
- whether the dependency graph is publicly reproducible
Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows.