3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,9 @@ All notable changes to CVE Lite CLI will be documented in this file.

## [Unreleased]

### Docs
- Strapi case study added with verified baseline scan of a Yarn Berry lockfile snapshot (`examples/strapi/`, 2,887 packages, 29 findings at revision `e666ee2`), including CMS parallel with Ghost on `html-minifier`, direct vs transitive remediation split, and CVE Lite CLI vs `yarn npm audit` comparison.

## [1.21.0] - 2026-06-09

### Added
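Review bot: the only changelog entry for this change sits under "### Docs", but the same change also edits the committed fixture itself (examples/strapi/package.json gains ajv, webpack and qs resolutions). Users who scan the fixture after upgrading will see different results than before, so that fixture change deserves its own line, for example under "### Changed", rather than being folded into the case-study note.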
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -226,8 +226,9 @@ CVE Lite CLI has been evaluated against real open-source projects to verify that
- [n8n](https://owasp.org/cve-lite-cli/docs/case-studies/n8n) — verified baseline scan of a workflow automation pnpm monorepo (3,746 packages, 32 findings at revision `e2e0394`) with one direct `turbo` fix, four command groups, and email/editor transitive clusters
- [CamoFox Browser](https://owasp.org/cve-lite-cli/docs/case-studies/camofox-browser) — verified baseline scan of an AI agent browser automation npm graph (435 packages, 2 findings at revision `ce3a3b0`) with dual `qs` fix strategies — within-range `npm update qs` and parent `npm install express@4.22.2`
- [Storybook](https://owasp.org/cve-lite-cli/docs/case-studies/storybook) — verified baseline scan of a Yarn Berry monorepo (3,008 packages, 92 findings at revision `cc19ae1`) spanning cross-framework sandbox templates, five critical transitive chains, and one direct vite fix command
- [Strapi](https://owasp.org/cve-lite-cli/docs/case-studies/strapi) — verified baseline scan of a Yarn Berry headless CMS monorepo (2,887 packages, 29 findings at revision `e666ee2`) with direct lodash/qs fixes, critical handlebars chain, and html-minifier no-fix parallel with Ghost

In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n, CamoFox Browser, and Storybook live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.
In-repo lockfile fixtures for Astro, Turborepo, Visual Studio Code, Gatsby, Vercel AI SDK, Mastra, Lit, LangChain.js, OpenAI Agents JS, n8n, CamoFox Browser, Storybook, and Strapi live under [`examples/`](examples/readme.md) — clone the repo and scan immediately without downloading full upstream checkouts.

These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.

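Review bot: the new Strapi bullet links to https://owasp.org/cve-lite-cli/docs/case-studies/strapi and examples/readme.md in the same change links to ../website/docs/case-studies/strapi.md, but that case-study file is not among the files visible in this diff view. Please confirm it is part of this pull request, and that the numbers it reports match the ones repeated here (2,887 packages, 29 findings, revision `e666ee2`), since this bullet and the CHANGELOG entry both hard-code them.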
12 changes: 11 additions & 1 deletion examples/readme.md
Expand Up @@ -130,6 +130,14 @@ Lockfile-only snapshot from [storybookjs/storybook](https://github.com/storybook
|---|---|---|---|
| `storybook` | Yarn Berry | https://github.com/storybookjs/storybook | Cross-framework UI tooling monorepo — 3,008 packages, 92 findings. |

## In-repo snapshot: Strapi

Lockfile-only snapshot from [strapi/strapi](https://github.com/strapi/strapi) at revision `e666ee26ae8e8c1758a048d6385afe1a62790a84`. Commits `package.json` and `yarn.lock` only — no application source. [Case study](../website/docs/case-studies/strapi.md).

| Folder | Package Manager | Source | Purpose |
|---|---|---|---|
| `strapi` | Yarn Berry | https://github.com/strapi/strapi | Headless CMS monorepo — 2,887 packages, 29 findings (2 direct). |

## Local-only examples

Full project clones used for real-world testing. Not committed to this repo — clone each separately into `examples/` for local use.
Expand All @@ -142,7 +150,6 @@ Full project clones used for real-world testing. Not committed to this repo —
| `juice-shop` | npm | https://github.com/juice-shop/juice-shop | Large real-world project (OWASP Juice Shop) with broad vulnerability surface. |
| `ghost` | pnpm | https://github.com/TryGhost/Ghost | Professional publishing platform — 26 transitive vulnerabilities in 4,447 packages including critical XSS in sanitize-html. |
| `prisma` | pnpm | https://github.com/prisma/prisma | TypeScript ORM — real-world pnpm monorepo scan. |
| `strapi` | yarn | https://github.com/strapi/strapi | Headless CMS — real-world Yarn lockfile scan. |

## Usage

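Review bot: removing the `strapi` row from "Local-only examples" is right, but the folder name is unchanged, so anyone who followed the old instructions and cloned strapi/strapi into `examples/strapi` now has untracked application source sitting on top of the committed lockfile snapshot. A short note in the new "In-repo snapshot: Strapi" section (delete or move any earlier local clone before pulling) would save contributors a confusing merge, and the removed row's "yarn" versus the new row's "Yarn Berry" is worth keeping consistent with the storybook entry above.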
Expand Down Expand Up @@ -208,6 +215,9 @@ node dist/index.js examples/camofox-browser --verbose --all
# In-repo snapshot: Storybook
node dist/index.js examples/storybook --verbose --all

# In-repo snapshot: Strapi
node dist/index.js examples/strapi --verbose --all

# Local-only (clone first)
node dist/index.js examples/analog --verbose
node dist/index.js examples/nest --verbose
10 changes: 9 additions & 1 deletion examples/strapi/package.json
Expand Up @@ -94,6 +94,14 @@
"test:unit:vitest:watch": "vitest --watch"
},
"resolutions": {
"ajv@^8.0.0": "8.20.0",
"ajv@^8.6.3": "8.20.0",
"ajv@^8.9.0": "8.20.0",
"ajv@^8.11.0": "8.20.0",
"ajv@^8.17.1": "8.20.0",
"ajv@~8.13.0": "8.20.0",
"ajv@~8.18.0": "8.20.0",
"webpack": "5.106.2",
"@types/koa": "2.13.4",
"@babel/core": "7.29.0",
"@babel/runtime": "7.29.2",
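Review bot: the seven ajv entries are keyed by descriptor (`ajv@^8.0.0`, `ajv@~8.13.0`, and so on) rather than by a bare `ajv` key, so any ajv descriptor not listed keeps its own resolution. If that scoping is intentional, record the reason in examples/readme.md or the case study, because package.json cannot carry a comment and a later cleanup is likely to collapse these into a single `"ajv": "8.20.0"` line, which would change which packages are rewritten. The same applies to the added `"webpack": "5.106.2"` pin, which has no matching mention in the README or CHANGELOG text.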
Expand Down Expand Up @@ -171,7 +179,7 @@
"plop": "4.0.5",
"prettier": "3.3.3",
"prettier-2": "npm:prettier@^2",
"qs": "6.15.0",
"qs": "6.15.2",
"rimraf": "6.1.3",
"rollup": "4.59.0",
"rollup-plugin-html": "0.2.1",
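Review bot: bumping `qs` from 6.15.0 to 6.15.2 looks like the direct qs fix that the README bullet describes, yet examples/readme.md presents this folder as a lockfile-only snapshot at revision `e666ee26ae8e8c1758a048d6385afe1a62790a84` whose baseline scan yields 29 findings. With the fix already applied in the committed package.json, either the fixture now captures the post-fix state, in which case the docs should say so and yarn.lock should be regenerated in the same change (no yarn.lock change is visible in this view), or the bump belongs only in the case study's fix commands so the committed files still reproduce the documented 29-finding baseline.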