
docs: add Docusaurus pnpm monorepo case study#766

Open
mohameddhiaabidi3301 wants to merge 1 commit into OWASP:main from mohameddhiaabidi3301:case-study/docusaurus-pnpm-monorepo

Conversation

@mohameddhiaabidi3301


Closes #596

What this adds

A verified baseline case study of running CVE Lite CLI v1.25.0 on Docusaurus
— a professionally maintained pnpm monorepo by Meta with 2,590 resolved packages.

Scan summary

  • 14 unique vulnerable packages (0 critical · 6 high · 7 medium · 1 low)
  • 1 direct / 13 transitive
  • 20 CVEs matched
  • 4 fix command groups generated covering 7 of 14 findings
  • Real pnpm audit comparison included (25 reported vs 14 deduplicated)

Reproduction

git clone https://github.com/facebook/docusaurus
cd docusaurus
cve-lite . --verbose --all

Scanned on 2026-06-26 · CLI v1.25.0

Signed-off-by: Ranimabidi <ranimabidiranabi@gmail.com>
@luojiyin1987

Collaborator

Thanks for adding this case study. I think this needs a few fixes before merge:

  1. The Markdown appears to be escaped throughout the file (\#, \##, \-, \*\*, \---). This will render as literal text instead of headings/lists/bold text. Please remove the unnecessary escaping and match the style of the existing case studies.

  2. The PR says Closes #596, but Add Dyad lockfile example and verified case study #596 is specifically about a Dyad lockfile/example case study, while this PR adds Docusaurus. Please change this to Related to #596 or explain why Docusaurus is replacing the Dyad scope.

  3. Please wire the new page into the docs navigation:

    • add case-studies/docusaurus to website/sidebars.ts
    • add Docusaurus to website/docs/case-studies/index.md

  4. The “Remaining risk after fix plan” section says 7 findings remain, but it includes ws@8.20.1 while also saying ws is resolved by the @rsdoctor/rspack-plugin upgrade above. Please either remove ws from the remaining-risk table and change the count to 6, or clarify why it still remains.

  5. For reproducibility, please pin the Docusaurus upstream revision. The current reproduction command clones the moving default branch, so future scans may not match these numbers.

  6. Please consider bundling the Docusaurus logo locally like the existing case studies do, and remove the hidden/bidirectional Unicode characters GitHub is warning about.
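Items 1 and 6 of the review above (stray backslash escapes that break Markdown rendering, and the hidden/bidirectional Unicode characters GitHub warns about) are both checks a contributor can run locally before pushing. The script below is an added example, not code from this PR or from the CVE Lite project. It reports every backslash that escapes a Markdown punctuation character and every Unicode bidi control or invisible format character, the class of characters the Trojan Source technique uses to make rendered text differ from what a parser sees. `SAMPLE_MD` is a constructed document; the function and variable names are the example's own.

```python
"""Pre-push lint for a Markdown case study: escaped Markdown and hidden Unicode.

Added example, not part of the PR or the CVE Lite project. The sample
document below is constructed to exercise both checks.
"""
import re
import unicodedata

# Explicit bidirectional controls (what GitHub's "bidirectional Unicode" warning flags).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Zero-width / invisible format characters that survive copy-paste unnoticed.
INVISIBLE = {
    "\u200b": "ZWSP", "\u200c": "ZWNJ", "\u200d": "ZWJ", "\u2060": "WJ",
    "\ufeff": "BOM/ZWNBSP", "\u00ad": "SHY", "\u200e": "LRM", "\u200f": "RLM",
}
# A backslash immediately before a Markdown punctuation character (\#, \-, \*, \_, ...).
ESCAPED_MD = re.compile(r"\\(?=[#*\-_`>\[\]|~])")

# Constructed sample: an escaped heading and list marker, one RLO control, one ZWSP.
SAMPLE_MD = (
    "\\# Docusaurus case study\n"
    "Scanned with CVE Lite CLI v1.25.0\n"
    "\\- 14 unique vulnerable packages\n"
    "fix: upgrade ws\u202e to 8.20.1\n"
    "done\u200b\n"
)


def find_escaped_markdown(text):
    """Return [(line_no, count)] for lines containing backslash-escaped Markdown syntax."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        count = len(ESCAPED_MD.findall(line))
        if count:
            findings.append((line_no, count))
    return findings


def find_hidden_unicode(text):
    """Return [(line_no, col, 'U+XXXX', label)] for bidi controls and invisible characters.

    Any other character in Unicode category Cf (format) is reported under its
    Unicode name, so the check is not limited to the two tables above.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            label = BIDI_CONTROLS.get(ch) or INVISIBLE.get(ch)
            if label is None and unicodedata.category(ch) == "Cf":
                label = unicodedata.name(ch, "FORMAT")
            if label is not None:
                findings.append((line_no, col, f"U+{ord(ch):04X}", label))
    return findings


def is_clean(text):
    """True when the document has neither escaped Markdown nor hidden Unicode."""
    return not find_escaped_markdown(text) and not find_hidden_unicode(text)


if __name__ == "__main__":
    import sys

    # Lint a real file when a path is given, otherwise the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MD
    for line_no, count in find_escaped_markdown(text):
        print(f"line {line_no}: {count} escaped Markdown character(s)")
    for line_no, col, cp, label in find_hidden_unicode(text):
        print(f"line {line_no} col {col}: {cp} ({label})")
    sys.exit(0 if is_clean(text) else 1)
```

Run it as `python lint_case_study.py website/docs/case-studies/docusaurus.md` (file name assumed) and it exits non-zero on any finding, so it can sit in a pre-commit hook. The RLO in the sample is exactly the kind of character that makes a diff look harmless in a rendered view while the raw bytes say something else, which is why GitHub surfaces the warning on this PR.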


Development

Successfully merging this pull request may close these issues.

Add Dyad lockfile example and verified case study

3 participants