
Add Dyad lockfile example and verified case study #596

@Ayush7614

Description


Summary

Add a real-world Dyad lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

Dyad is a high-visibility open-source local AI app builder (~20.6k GitHub stars) — positioned as a Lovable / v0 / Bolt alternative running on Electron + Vite + React. A committed lockfile snapshot and documented case study would:

  • Extend AI app builder / agent IDE coverage alongside Presenton, CamoFox Browser, OpenAI Agents JS, and VS Code Copilot deps
  • Show CVE Lite CLI on a large npm + Electron graph with meaningful direct fix surface (9 direct findings including MCP SDK, Electron, Vitest, happy-dom)
  • Document critical test-stack RCE (happy-dom, vitest) and AI-tooling upgrades (@modelcontextprotocol/sdk 1.x → 6.x validated target)
  • Demonstrate CVE Lite vs npm audit deduplication (73 audit entries vs 49 unique packages)
  • Provide reproducible baseline findings without fake remediation results

Lockfile scope note

Dyad ships four npm lockfiles in upstream:

| Path | Notes |
| --- | --- |
| `package-lock.json` (root) | Primary scope — Electron app + AI builder toolchain |
| `packages/@dyad-sh/nextjs-webpack-component-tagger/package-lock.json` | Nested package |
| `packages/@dyad-sh/react-vite-component-tagger/package-lock.json` | Nested package |
| `testing/fake-llm-server/package-lock.json` | Test/dev server |

The case study should pin and scan the root lockfile as the main fixture (examples/dyad/). Nested lockfiles may be noted in scope docs or added as optional sub-fixtures — but the published baseline table should match the root scan JSON.

Preliminary numbers below are from lockfile-only downloads on 2026-06-09 and must be re-verified locally before publishing the case study.

Preliminary scan (CVE Lite CLI v1.20.0, lockfile-only, 2026-06-09)

| Metric | Value |
| --- | --- |
| Upstream revision (candidate) | `31bae4d687abb94e177f5edebd977ebdd3befa1e` |
| Lockfile | `package-lock.json` (npm) |
| Resolved packages | 1,632 |
| Vulnerable packages | 49 (3 critical · 25 high · 20 medium · 1 low) |
| OSV advisory matches | 126 CVE/advisory entries deduplicated into 49 packages |
| Direct vs transitive | 9 direct / 40 transitive |
| Fix command groups (preliminary) | 6 |
| First-pass coverage (preliminary) | 39 of 49 findings |
| npm audit (same lockfile) | 73 entries (4 critical · 45 high · 20 moderate · 4 low) |

Notable findings (preliminary)

  • Critical direct: happy-dom@17.6.3, vitest@3.2.4 — test-stack RCE; CVE Lite generates npm install happy-dom@20.8.9 vitest@4.1.0 (breaking majors flagged)
  • Critical transitive: next@15.5.2 — skipped (no lockfile path resolved in MVP)
  • High direct: @modelcontextprotocol/sdk@1.18.1 → validated 6.15.0, electron@40.0.0, drizzle-orm@0.41.0, storybook@8.6.15, glob@11.0.3
  • Skipped (4): next@15.5.2, esbuild@0.18.20 (via drizzle-kit), postcss@8.4.31, tmp@0.0.33 (via @electron-forge/cli)

Proposed changes

  • Add examples/dyad/ with package.json and package-lock.json pinned to a documented upstream commit
  • Add website/docs/case-studies/dyad.md with verified scan results (CVE Lite CLI version, npm audit comparison, reproducible commands)
  • Bundle Dyad logo under website/static/img/ (e.g. from assets/logo.svg — do not rely on external raw URLs)
  • Wire the case study into docs sidebar, examples/readme.md, README.md, CHANGELOG, and website/docs/case-studies/index.md

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study includes scan verification section with reproduce commands
  • Comparison note explains CVE Lite vs npm audit count differences (73 vs 49)
  • Baseline findings table matches live scan JSON output
  • Logo is bundled locally under website/static/img/

Opened by @Ayush7614 after preliminary lockfile-only scan. Happy to implement the case study PR once assigned.
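To make the "advisory entries vs unique packages" comparison, the direct/transitive split and the "skipped (no lockfile path resolved)" category concrete, here is an added example. It is not CVE Lite CLI's own code and does not use Dyad's real lockfile: it walks a constructed `lockfileVersion: 3` object, treats a package as direct when the root (`""`) entry declares it, locates the installed `node_modules/<name>` path for the matched version (unresolved ones are reported as skipped), and collapses per-advisory matches into one finding per `name@version`, keeping the highest severity. The lockfile fragment, the `ADV-000x` ids and the package names `example-pool` and `example-missing` are placeholders; nothing about CVE Lite's actual dedup rules or npm audit's JSON format is assumed beyond the `moderate`/`medium` naming difference visible in the table above.

```javascript
// Added example, not CVE Lite CLI code: dedupe advisory matches into per-package
// findings and split them into direct / transitive / skipped using a lockfile.

// Severity ranking; npm audit says "moderate" where OSV-style output says "medium".
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };

// Constructed lockfileVersion 3 fragment (NOT Dyad's real lockfile); example-pool is
// a placeholder transitive dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { electron: "^40.0.0" },
      devDependencies: { vitest: "^3.2.4", "happy-dom": "^17.6.3" },
    },
    "node_modules/electron": { version: "40.0.0" },
    "node_modules/vitest": { version: "3.2.4", dependencies: { "example-pool": "^1.0.0" } },
    "node_modules/happy-dom": { version: "17.6.3" },
    "node_modules/example-pool": { version: "1.0.0" },
  },
};

// Constructed advisory matches (ADV-000x ids are placeholders, not real advisories).
// Several entries hit the same package@version, which is what inflates raw counts.
const sampleMatches = [
  { id: "ADV-0001", name: "happy-dom", version: "17.6.3", severity: "critical" },
  { id: "ADV-0002", name: "happy-dom", version: "17.6.3", severity: "high" },
  { id: "ADV-0003", name: "vitest", version: "3.2.4", severity: "critical" },
  { id: "ADV-0004", name: "example-pool", version: "1.0.0", severity: "moderate" },
  { id: "ADV-0005", name: "example-pool", version: "1.0.0", severity: "low" },
  // Absent from the lock tree: cannot be located, so it is counted but skipped.
  { id: "ADV-0006", name: "example-missing", version: "2.0.0", severity: "high" },
];

function normalizeSeverity(s) {
  const key = String(s).toLowerCase();
  return key === "moderate" ? "medium" : key;
}

// Direct = declared in the root package entry ("" key) of the lockfile.
function directDependencyNames(lock) {
  const root = lock.packages[""] || {};
  return new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
}

// Installed path for name@version, hoisted or nested under another package; null if none.
function resolveLockPath(lock, name, version) {
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const isNamed = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isNamed && entry.version === version) return path;
  }
  return null;
}

// One finding per package@version, keeping the highest severity and the advisory ids.
function dedupeFindings(lock, matches) {
  const direct = directDependencyNames(lock);
  const byPackage = new Map();
  for (const m of matches) {
    const key = `${m.name}@${m.version}`;
    const sev = normalizeSeverity(m.severity);
    let f = byPackage.get(key);
    if (!f) {
      f = {
        name: m.name,
        version: m.version,
        direct: direct.has(m.name),
        lockPath: resolveLockPath(lock, m.name, m.version),
        severity: sev,
        advisories: [],
      };
      byPackage.set(key, f);
    }
    f.advisories.push(m.id);
    if (SEVERITY_RANK[sev] > SEVERITY_RANK[f.severity]) f.severity = sev;
  }
  return [...byPackage.values()];
}

// The numbers a baseline table reports, derived from the raw match list.
function summarize(matches, findings) {
  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) bySeverity[f.severity] += 1;
  const resolved = findings.filter((f) => f.lockPath !== null);
  return {
    advisoryEntries: matches.length,
    vulnerablePackages: findings.length,
    direct: resolved.filter((f) => f.direct).length,
    transitive: resolved.filter((f) => !f.direct).length,
    skipped: findings.length - resolved.length,
    bySeverity,
  };
}

const sampleFindings = dedupeFindings(sampleLock, sampleMatches);
console.log(JSON.stringify(summarize(sampleMatches, sampleFindings), null, 2));
```

Run with `node dedupe-findings.js`; six advisory entries collapse into four packages (two direct, one transitive, one skipped), which is the shape of the 126-to-49 and 73-vs-49 gaps the case study has to explain. The lookup in `resolveLockPath` only matches the exact version, so a package present in the tree at a different version than the advisory match is also reported as skipped rather than silently attributed to the wrong path.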
