Add Mitosis lockfile example and verified case study

[Ayush7614]

Document BuilderIO/mitosis at a2434f9 (2,476 packages, 145 findings) with Yarn Berry + Nx monorepo lockfile coverage, yarn npm audit --all comparison, and unknown-relationship caveats.

Fixes #640

Summary

• Adds lockfile-only snapshot examples/mitosis/ from BuilderIO/mitosis@a2434f9 (root package.json + yarn.lock)
• Documents verified baseline scan in website/docs/case-studies/mitosis.md — cross-framework UI compiler / codegen monorepo coverage on a Yarn Berry + Nx workspace (2,476 packages, 145 findings)
• 18 critical · 70 high · 47 medium · 10 low — large e2e sandbox graph with 109 unknown relationship rows on lockfile-only snapshot (Yarn Berry MVP path limits)
• Side-by-side comparison with yarn npm audit --all on the same lockfile (3 vulnerability entries vs 145 deduplicated packages)
• Bundles Mitosis logo at website/static/img/mitosis-logo.png

Case-study-only PR — no shared-file edits (index.md, sidebars.ts, README.md, examples/readme.md, CHANGELOG.md, root lockfile) per CONTRIBUTING guidance.

Why this change

Mitosis (~13.8k GitHub stars) is Builder.io's cross-framework UI compiler — write components once, compile to React, Vue, Angular, Svelte, Solid, Qwik, Alpine, and more. A committed Yarn Berry lockfile snapshot extends CVE Lite coverage into compiler / codegen monorepos with multi-framework e2e sandboxes — distinct from Storybook (UI tooling), Svelte (pnpm compiler graph), and single-framework snapshots — and documents how CVE Lite behaves on a large yarn.lock vs default yarn npm audit --all scope.

What changed

• examples/mitosis/package.json + examples/mitosis/yarn.lock pinned to upstream revision a2434f9
• website/docs/case-studies/mitosis.md with verified scan results, yarn npm audit --all comparison, Yarn Berry unknown-relationship caveats, and 145-row baseline findings table
• website/static/img/mitosis-logo.png (bundled locally from packages/fiddle/public/mitosis-logo-white.png)

Verified scan output

Parsed 2476 packages from yarn-lock (yarn.lock)
Found 145 packages (256 CVEs) with known OSV matches
Critical: 18 | High: 70 | Medium: 47 | Low: 10
Direct: 6 | Transitive: 30 | Unknown: 109
5 command groups — 27 of 145 findings with copy-and-run commands

Notable findings:

• Critical sandbox/tooling cluster: @builder.io/qwik, @builder.io/qwik-city, next@13.5.5, handlebars, ejs, form-data, vitest@0.34.6 — mostly e2e / framework compile-test paths
• Six direct esbuild versions (0.12.29–0.23.0) — CVE Lite generates yarn add esbuild@0.28.1 across all direct rows
• Critical direct-adjacent: shell-quote@1.7.3 — within-range lockfile refresh via yarn upgrade shell-quote
• Nx orchestration path: yarn add nx@19.6.1 for critical form-data@4.0.0 via project → nx → axios chain
• High within-range refresh cluster: axios, braces, cross-spawn, flatted, glob, minimatch, picomatch, tmp

yarn npm audit --all (Yarn 4.1.1, same lockfile): 3 vulnerability entries (1 high · 2 moderate) on root workspace direct deps — two esbuild@0.19.10 advisories plus eslint@7.32.0 deprecation. Case study explains full-lockfile parse vs Yarn Berry default audit scope (parallel to Storybook case study).

Validation

• npm run build
• node dist/index.js examples/mitosis --verbose --all --json — 145 findings, 5 command groups, 2,476 packages parsed
• yarn npm audit --all run from examples/mitosis/ — 3 entries documented in case study
• Case study numbers match live scan JSON (cve-lite-scan-2026-06-14T22-34-27.json)
• Full 145-row baseline findings table included
• Docusaurus site builds (CI)

User-facing impact

Does this change:

• affect scanning behavior
• affect output formatting
• affect JSON output
• affect docs only

Notes

Issue #640 preliminary scan (v1.22.0, 2026-06-12) numbers match the verified live scan on 2026-06-14: 145 findings, 6/30/109 relationship split, 5 fix groups, 27/145 first-pass coverage. Baseline only — no fake "after" remediation results.

cc: @sonukapoor

[sonukapoor]

The honest handling of the 109 unknown rows is good - the study doesn't hide the Yarn Berry path-resolution limitation.

Structural fixes needed:

## Lockfile scope and ## Scan verification are not standard sections - please fold ## Lockfile scope into the Summary and move scan verification details into ## Scan command.

The ## Comparison Note heading needs to match the template: ## Comparison Note: CVE Lite CLI vs npm/pnpm audit. The body can explain this project uses yarn npm audit - the heading is a structural marker.

## Remaining risk needs a suffix - use something like ## Remaining risk after baseline scan.

## Want your project reviewed? is missing - please add it as the final section.

Branch is behind main - please rebase with git fetch origin && git rebase origin/main && git push --force-with-lease.