
Add Phaser lockfile example and verified case study #581

@Ayush7614

Summary

Add a real-world Phaser lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Phaser is a widely used HTML5 2D game framework (~39.7k GitHub stars) for desktop and mobile browsers (Canvas/WebGL). The upstream repo ships a root package-lock.json for its build/tooling graph. A committed lockfile snapshot and documented case study would:

  • Add game-dev / creative-coding framework coverage — a distinct ecosystem from UI frameworks and AI SDK monorepos already in-repo
  • Show CVE Lite on a lean npm graph (400 resolved packages) with all-transitive findings
  • Demonstrate mixed triage outcomes: within-range lockfile refresh (npm update postcss via Vite), ⊘ skipped findings (no confident fix command), and ⚠ no-fix-available (taffydb)
  • Provide a side-by-side comparison with npm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.19.2, lockfile-only, 2026-06-08)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | 9e67ded934938b018336014813a63d6a1e2c9fe2 (master) |
| Lockfile | root package-lock.json |
| Resolved packages | 400 |
| Vulnerable packages | 5 |
| Severity | 0 critical · 2 high · 3 medium · 0 low |
| Direct vs transitive | 0 direct / 5 transitive |
| CVE count (deduplicated) | 6 CVEs across 5 packages |
| Fix command groups (preliminary) | 1 group (npm update postcss) covering 1 of 5 findings |

Notable findings (preliminary):

  • postcss@8.5.9 — medium — within-range lockfile refresh via npm update postcss (vite@8.0.8 already allows postcss@8.5.15+)
  • fast-uri@3.1.0 — high — OSV fix hint present but no auto-generated fix command (⊘)
  • taffydb@2.6.2 — high — ⚠ no fix available in OSV/advisory data
  • brace-expansion@5.0.5 / uuid@8.3.2 — medium — ⊘ skipped (no confident automatic fix)

npm audit (same lockfile): 8 vulnerabilities (3 high · 5 moderate) — case study should explain deduplication vs CVE Lite’s 5-package view.

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/phaser/ with root package.json and package-lock.json pinned to a specific upstream commit on master
  • Add website/docs/case-studies/phaser.md with verified scan results (CVE Lite CLI version, npm audit comparison, reproducible commands)
  • Bundle project logo under website/static/img/ (from Phaser branding/assets in-repo — do not rely on external raw URLs that 404)
  • Wire the case study into docs sidebar, examples/readme.md, README.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • Baseline only — no fake “after” remediation results

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision (master branch)
  • Case study highlights within-range postcss fix vs ⊘ / ⚠ no-fix findings
  • Comparison note explains CVE Lite vs npm audit (8 entries vs 5 deduplicated packages)
  • Baseline findings table matches live scan JSON output
  • Logo bundled locally under website/static/img/

Claiming this issue — happy to open a PR once maintainers confirm scope. @sonukapoor
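The three triage outcomes the issue describes (within-range lockfile refresh, ⊘ skipped because no confident fix command can be derived, ⚠ no fix available) and the "advisories vs deduplicated packages" count behind the npm audit comparison, as an added JavaScript example. This is not CVE Lite's code and does not reproduce its algorithm; it works on a constructed package-lock.json v3 fragment and constructed advisory records. The vite@8.0.8 / postcss@8.5.9 / postcss 8.5.15 values come from the issue; the ajv dependency, the fast-uri fix version, the advisory ids and the range strings are invented for the demonstration.

```javascript
// Added example, not CVE Lite's code. Classify lockfile findings into
// "refresh" (fixed version fits every dependent's declared range, so
// `npm update <pkg>` can be emitted), "skipped" (a fix exists but no
// confident command), and "no-fix" (no fixed version in advisory data).

// Constructed lockfile fragment in package-lock.json v3 shape.
const lockfile = {
  packages: {
    "node_modules/vite":     { version: "8.0.8", dependencies: { postcss: "^8.5.0" } },
    "node_modules/postcss":  { version: "8.5.9" },
    "node_modules/ajv":      { version: "8.17.1", dependencies: { "fast-uri": "^3.0.1" } }, // constructed
    "node_modules/fast-uri": { version: "3.1.0" },
    "node_modules/taffydb":  { version: "2.6.2" },
  },
};

// Constructed advisories; ids, ranges and the fast-uri fix version are invented.
// Two entries hit the same package to show advisory-vs-package deduplication.
const advisories = [
  { id: "ADV-CONSTRUCTED-1", pkg: "postcss",  affected: "<8.5.15", fixed: "8.5.15", severity: "medium" },
  { id: "ADV-CONSTRUCTED-2", pkg: "fast-uri", affected: "<4.0.0",  fixed: "4.0.0",  severity: "high" },
  { id: "ADV-CONSTRUCTED-3", pkg: "fast-uri", affected: "<4.0.0",  fixed: "4.0.0",  severity: "high" },
  { id: "ADV-CONSTRUCTED-4", pkg: "taffydb",  affected: "<=2.6.2", fixed: null,     severity: "high" },
];

// Minimal semver: "MAJOR.MINOR.PATCH" parsed and compared numerically.
function parseVer(s) { return s.split(".").map(Number); }
function cmpVer(a, b) {
  const x = parseVer(a), y = parseVer(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Affected specs supported here: "<v" and "<=v".
function isAffected(installed, spec) {
  const m = spec.match(/^(<=|<)(.+)$/);
  if (!m) throw new Error("unsupported affected spec: " + spec);
  const c = cmpVer(installed, m[2]);
  return m[1] === "<" ? c < 0 : c <= 0;
}

// Declared ranges supported here: caret "^a.b.c" (same major, >= a.b.c) and exact pins.
function satisfiesRange(version, range) {
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return parseVer(version)[0] === parseVer(base)[0] && cmpVer(version, base) >= 0;
  }
  return cmpVer(version, range) === 0;
}

// Every range that some dependent in the lockfile declares for `name`.
function declaredRanges(lock, name) {
  return Object.values(lock.packages)
    .filter(p => p.dependencies && p.dependencies[name])
    .map(p => p.dependencies[name]);
}

function installedVersion(lock, name) {
  const entry = lock.packages["node_modules/" + name];
  return entry ? entry.version : null;
}

// Group matching advisories by package (the deduplication step), then classify.
function triage(lock, advs) {
  const byPkg = new Map();
  let matched = 0;
  for (const a of advs) {
    const v = installedVersion(lock, a.pkg);
    if (v === null || !isAffected(v, a.affected)) continue;
    matched++;
    if (!byPkg.has(a.pkg)) byPkg.set(a.pkg, { version: v, advisories: [], fixed: null });
    const g = byPkg.get(a.pkg);
    g.advisories.push(a.id);
    // Keep the highest fixed version across the package's advisories.
    if (a.fixed && (!g.fixed || cmpVer(a.fixed, g.fixed) > 0)) g.fixed = a.fixed;
  }
  const results = {};
  for (const [pkg, g] of byPkg) {
    let status, command = null;
    if (!g.fixed) {
      status = "no-fix";                                  // ⚠ nothing to move to
    } else if (declaredRanges(lock, pkg).every(r => satisfiesRange(g.fixed, r))) {
      status = "refresh";                                 // within-range lockfile refresh
      command = `npm update ${pkg}`;
    } else {
      status = "skipped";                                 // ⊘ fix exists but would break a declared range
    }
    results[pkg] = { ...g, status, command };
  }
  return { advisoryCount: matched, packageCount: byPkg.size, results };
}

console.log(JSON.stringify(triage(lockfile, advisories), null, 2));
```

With these inputs the constructed fast-uri advisories collapse to one package entry, which is the same effect the issue expects to explain when npm audit reports 8 entries against CVE Lite's 5 packages; postcss lands on "refresh" because vite's declared range accepts 8.5.15, and taffydb lands on "no-fix".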
