
Add Svelte lockfile example and verified case study #580

@Ayush7614


Summary

Add a real-world Svelte lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Svelte is one of the most widely used UI compilers / frontend frameworks (~87k GitHub stars, 423k+ dependents). The upstream repo is a pnpm workspace monorepo for the compiler and tooling. A committed lockfile snapshot and documented case study would:

  • Add major frontend-framework / compiler monorepo coverage (distinct from Astro, Gatsby, Lit snapshots already in-repo)
  • Show CVE Lite on a pnpm v9+ lockfile (pnpm-lock.yaml, 501 resolved packages) with all-transitive findings
  • Demonstrate mixed remediation output: within-range lockfile refresh (pnpm update form-data), parent upgrades, and ⊘ skipped findings where no confident fix command is generated
  • Highlight duplicate vulnerable versions of the same package (minimatch@9.0.5 and minimatch@10.1.2) as separate findings
  • Provide a side-by-side comparison with pnpm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.19.2, lockfile-only, 2026-06-08)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | a9f48540e236d326714a1148b9d61cf785c0f98a |
| Lockfile | pnpm-lock.yaml (pnpm workspace monorepo, packageManager: pnpm@10.4.0) |
| Resolved packages | 501 |
| Vulnerable packages | 11 |
| Severity | 1 critical · 4 high · 6 medium · 0 low |
| Direct vs transitive | 0 direct / 11 transitive |
| CVE count (deduplicated) | 14 CVEs across 11 packages |
| Fix command groups (preliminary) | 4 groups covering 8 packages |

Notable findings (preliminary):

  • form-data@4.0.0 — critical — within-range lockfile refresh via pnpm update --no-save form-data
  • serialize-javascript@6.0.2 — high — parent upgrade via @rollup/plugin-terser
  • minimatch@9.0.5 / minimatch@10.1.2 — high — same advisory class at two installed versions
  • flatted@3.2.9 / yaml@1.10.2 — high/medium — OSV fix hints present but no auto-generated fix command (⊘)

pnpm audit (same lockfile): 17 vulnerabilities (1 critical · 9 high · 7 moderate) — case study should explain deduplication vs CVE Lite’s 11-package view.

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/svelte/ with root package.json and pnpm-lock.yaml pinned to a specific upstream commit
  • Add website/docs/case-studies/svelte.md with verified scan results (CVE Lite CLI version, pnpm audit comparison, reproducible commands)
  • Bundle project logo under website/static/img/ (from sveltejs/svelte assets/ — do not rely on external raw URLs that 404)
  • Wire the case study into docs sidebar, examples/readme.md, README.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • Baseline only — no fake “after” remediation results

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study explains pnpm workspace / partial monorepo modeling caveats where relevant
  • Comparison note explains CVE Lite vs pnpm audit (17 entries vs 11 deduplicated packages)
  • Baseline findings table matches live scan JSON output
  • Logo bundled locally under website/static/img/

Claiming this issue — happy to open a PR once maintainers confirm scope. @sonukapoor
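As an added example (not code from CVE Lite CLI, the sveltejs/svelte repository, or the issue author), the script below shows the two mechanics the case study has to explain: enumerating the resolved packages in a pnpm v9 `packages:` section so that the same package installed at two versions (the minimatch@9.0.5 / minimatch@10.1.2 situation) surfaces as separate findings, and collapsing a per-advisory list of the kind pnpm audit counts into a per-package view, which is why an advisory count can exceed a deduplicated package count. The lockfile excerpt, versions and advisory ids are constructed placeholders, and the parser assumes the pnpm v9 layout (section headers at column 0, package keys at two spaces of indent); it is not CVE Lite's parser.

```python
"""Added example: pnpm v9 lockfile package enumeration and per-package
deduplication of advisory findings. Constructed data, placeholder ids;
not the Svelte lockfile and not CVE Lite CLI code."""
from collections import defaultdict
import re

# Constructed pnpm v9 excerpt: only the `packages:` section is enumerated,
# `snapshots:` (and any other section) is skipped.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

packages:

  '@rollup/plugin-terser@0.4.4':
    resolution: {integrity: sha512-constructed}

  form-data@4.0.0:
    resolution: {integrity: sha512-constructed}
    engines: {node: '>= 6'}

  minimatch@10.1.2:
    resolution: {integrity: sha512-constructed}

  minimatch@9.0.5:
    resolution: {integrity: sha512-constructed}

  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-constructed}

  yaml@1.10.2:
    resolution: {integrity: sha512-constructed}

snapshots:

  form-data@4.0.0:
    dependencies:
      asynckit: 0.4.0
"""

_SECTION = re.compile(r"^([A-Za-z]+):\s*$")            # column-0 headers
_PKG_KEY = re.compile(r"^  (?P<key>'[^']+'|\"[^\"]+\"|\S+):\s*$")  # 2-space keys


def resolved_packages(lock_text):
    """Return (name, version) for every key under `packages:`."""
    found, in_packages = [], False
    for line in lock_text.splitlines():
        m = _SECTION.match(line)
        if m:
            in_packages = m.group(1) == "packages"
            continue
        if not in_packages:
            continue
        m = _PKG_KEY.match(line)
        if not m:
            continue
        key = m.group("key").strip("'\"").split("(", 1)[0]  # drop peer suffix
        name, _, version = key.rpartition("@")  # scoped names keep their '@'
        found.append((name, version))
    return found


def duplicate_versions(packages):
    """name -> versions (string-sorted) for packages resolved at >1 version."""
    by_name = defaultdict(set)
    for name, version in packages:
        by_name[name].add(version)
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}


SEVERITY_RANK = {"low": 0, "moderate": 1, "medium": 1, "high": 2, "critical": 3}

# Constructed per-advisory entries, one per (advisory, package, version),
# the granularity at which an audit tool reports. Ids are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "form-data", "version": "4.0.0", "severity": "critical"},
    {"id": "ADV-0002", "package": "minimatch", "version": "9.0.5", "severity": "high"},
    {"id": "ADV-0002", "package": "minimatch", "version": "10.1.2", "severity": "high"},
    {"id": "ADV-0003", "package": "serialize-javascript", "version": "6.0.2", "severity": "high"},
    {"id": "ADV-0004", "package": "yaml", "version": "1.10.2", "severity": "moderate"},
    {"id": "ADV-0005", "package": "yaml", "version": "1.10.2", "severity": "low"},
    {"id": "ADV-0006", "package": "form-data", "version": "4.0.0", "severity": "high"},
]


def per_package_findings(advisories):
    """One finding per package@version: all advisory ids, highest severity."""
    findings = {}
    for adv in advisories:
        key = f"{adv['package']}@{adv['version']}"
        f = findings.setdefault(key, {"advisories": set(), "severity": "low"})
        f["advisories"].add(adv["id"])
        if SEVERITY_RANK[adv["severity"]] > SEVERITY_RANK[f["severity"]]:
            f["severity"] = adv["severity"]
    return findings


def summarize(advisories):
    """The three numbers a comparison note should state side by side."""
    return {
        "advisory_entries": len(advisories),
        "unique_advisories": len({a["id"] for a in advisories}),
        "vulnerable_packages": len(per_package_findings(advisories)),
    }


if __name__ == "__main__":
    pkgs = resolved_packages(SAMPLE_LOCKFILE)
    print(f"resolved packages: {len(pkgs)}")
    for name, versions in duplicate_versions(pkgs).items():
        print(f"  {name} at {len(versions)} versions: {', '.join(versions)}")
    print(summarize(SAMPLE_ADVISORIES))
```

Run it directly to see the constructed excerpt yield 6 resolved packages with minimatch at two versions, and the 7 advisory entries (6 unique ids) collapse to 5 package findings; the same split is what the "17 entries vs 11 deduplicated packages" note has to make explicit.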
