Summary
Add a real-world Twenty monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.
Motivation
Twenty is a high-visibility open-source CRM alternative (48k+ GitHub stars) built as a TypeScript Nx + Yarn Berry monorepo (NestJS, React, PostgreSQL). A committed lockfile snapshot and documented case study would:
- Add open-source CRM / business-app coverage beyond AI SDK and framework examples
- Show how CVE Lite CLI performs on a very large Yarn Berry lockfile with broad transitive surface
- Demonstrate all-transitive triage at scale (preliminary: 0 direct findings on lockfile-only snapshot)
- Document verified baseline findings and remaining risk without applying remediation
- Provide a side-by-side comparison with `yarn npm audit` / native audit on the same lockfile
Preliminary scan (CVE Lite CLI v1.18.1, lockfile-only, 2026-05-30)
| Metric | Value |
|---|---|
| Upstream revision (candidate) | fc90b4ba8bb0a5d7c12c846fe9b2305527a0f7a8 |
| Lockfile | `yarn.lock` (Yarn Berry 4.x) |
| Resolved packages | 5,451 |
| Vulnerable packages | 102 |
| Severity | 4 critical · 40 high · 53 medium · 5 low |
| Direct vs transitive | 0 direct / 102 transitive |
| Fix command groups (preliminary) | 0 |
Numbers are from a lockfile-only baseline scan and must be re-verified locally before the case study is published. The CLI output notes its Yarn Classic path-reconstruction limits; frame the case study around parent tracing and the deduplicated package view rather than inflated audit row counts.
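The parent-tracing and deduplicated package view referred to above can be reproduced with a small lockfile parser. The script below is an added example written for this issue, not CVE Lite CLI source or Twenty code; the lockfile it parses is constructed with placeholder package names (`example-parser`, `example-router`, `example-web`, and a `twenty-server` workspace) and stands in for `examples/twenty/yarn.lock`. One package resolved at two versions yields two deduplicated findings but three dependency paths, which is exactly the row inflation a per-path audit view produces.

```python
"""Yarn Berry lockfile parent tracing: an added example, not CVE Lite CLI code.
SAMPLE_LOCK is constructed with placeholder package names so this runs offline;
feed parse_lock() the contents of examples/twenty/yarn.lock for the real snapshot."""
from collections import defaultdict

# Constructed sample: one workspace, two libraries, one package resolved at two versions.
SAMPLE_LOCK = """__metadata:
  version: 8

"twenty-server@workspace:packages/twenty-server":
  resolution: "twenty-server@workspace:packages/twenty-server"
  dependencies:
    example-parser: "npm:2.0.0"
    example-router: "npm:^1.0.0"
    example-web: "npm:^4.0.0"
  linkType: soft

"example-router@npm:^1.0.0":
  resolution: "example-router@npm:1.2.0"
  dependencies:
    example-parser: "npm:2.0.0"
  linkType: hard

"example-web@npm:^4.0.0":
  resolution: "example-web@npm:4.1.0"
  dependencies:
    example-parser: "npm:0.1.0"
  linkType: hard

"example-parser@npm:0.1.0":
  resolution: "example-parser@npm:0.1.0"
  linkType: hard

"example-parser@npm:2.0.0":
  resolution: "example-parser@npm:2.0.0"
  linkType: hard
"""


def parse_lock(text):
    """Return entries as {descriptors, resolution, deps} from Berry's YAML-like format."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):                      # unindented line = entry header
            key = raw.strip().rstrip(":").strip('"')
            current = None
            if key == "__metadata":
                continue
            current = {"descriptors": [d.strip().strip('"') for d in key.split(",")],
                       "resolution": None, "deps": []}
            entries.append(current)
            section = None
        elif current is None:
            continue
        elif raw.startswith("    "):                     # nested key under a field
            if section == "dependencies":
                name, _, rng = raw.strip().partition(": ")
                current["deps"].append((name.strip('"'), rng.strip('"')))
        else:                                            # two-space field of the entry
            field, _, value = raw.strip().partition(": ")
            section = field.rstrip(":")                  # bare "dependencies:" has no value
            if section == "resolution":
                current["resolution"] = value.strip('"')
    return [e for e in entries if e["resolution"]]


def is_workspace(resolution):
    return "@workspace:" in resolution


def build_parents(entries):
    """Map each resolved package to the set of packages that depend on it."""
    by_descriptor = {d: e["resolution"] for e in entries for d in e["descriptors"]}
    parents = defaultdict(set)
    for e in entries:
        for name, rng in e["deps"]:
            child = by_descriptor.get(f"{name}@{rng}")   # descriptor = name@protocol:range
            if child is not None:
                parents[child].add(e["resolution"])
    return parents


def trace_paths(parents, target):
    """Enumerate root -> ... -> target chains, stopping at workspace packages."""
    paths = []

    def walk(node, chain, seen):
        if is_workspace(node) or not parents.get(node):
            paths.append(list(reversed(chain)))
            return
        for parent in sorted(parents[node]):
            if parent not in seen:                       # guard against dependency cycles
                walk(parent, chain + [parent], seen | {parent})

    walk(target, [target], {target})
    return paths


def summarize(lock_text, flagged):
    """Deduplicated view: one row per flagged resolution, plus its parent chains."""
    entries = parse_lock(lock_text)
    parents = build_parents(entries)
    findings = {}
    for pkg in flagged:
        direct = any(is_workspace(p) for p in parents.get(pkg, ()))
        findings[pkg] = {"kind": "direct" if direct else "transitive",
                         "paths": trace_paths(parents, pkg)}
    return {"resolved": sum(not is_workspace(e["resolution"]) for e in entries),
            "unique_flagged": len(findings),
            "path_rows": sum(len(f["paths"]) for f in findings.values()),
            "findings": findings}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOCK, ["example-parser@npm:0.1.0", "example-parser@npm:2.0.0"])
    print(report["resolved"], "resolved;", report["unique_flagged"], "unique flagged;",
          report["path_rows"], "dependency paths")
    for pkg, f in report["findings"].items():
        for path in f["paths"]:
            print(f"{f['kind']:10s}", " -> ".join(path))
```

The `flagged` list is whatever set of `name@npm:version` resolutions the scanner reports; on the real snapshot the `resolved` count should match the "Resolved packages" row above, and `unique_flagged` versus `path_rows` is the number to quote when contrasting the deduplicated view with native audit output.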
Proposed changes
- Add `examples/twenty/` with `package.json` and `yarn.lock` pinned to a specific upstream commit
- Add `website/docs/case-studies/twenty.md` with verified scan results (CVE Lite CLI version, native audit comparison, reproducible commands)
- Bundle the Twenty logo under `website/static/img/` (do not rely on external raw URLs)
- Wire the case study into the docs sidebar, `examples/readme.md`, `README.md`, and `CHANGELOG`
Scope
- Documentation and example fixture only
- No changes to scanner source code or existing examples
- All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)
Acceptance criteria