diff --git a/examples/dev-only-finding/package-lock.json b/examples/dev-only-finding/package-lock.json
new file mode 100644
index 00000000..908dca57
--- /dev/null
+++ b/examples/dev-only-finding/package-lock.json
@@ -0,0 +1,47 @@
+{
+ "name": "cve-lite-example-dev-only-finding",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "cve-lite-example-dev-only-finding",
+ "version": "1.0.0",
+ "license": "MIT",
+ "devDependencies": {
+ "axios": "0.21.1"
+ }
+ },
+ "node_modules/axios": {
+ "version": "0.21.1",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",
+ "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "follow-redirects": "^1.10.0"
+ }
+ },
+ "node_modules/follow-redirects": {
+ "version": "1.16.0",
+ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+ "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
+ "dev": true,
+ "funding": [
+ {
+ "type": "individual",
+ "url": "https://github.com/sponsors/RubenVerborgh"
+ }
+ ],
+ "license": "MIT",
+ "engines": {
+ "node": ">=4.0"
+ },
+ "peerDependenciesMeta": {
+ "debug": {
+ "optional": true
+ }
+ }
+ }
+ }
+}
diff --git a/examples/dev-only-finding/package.json b/examples/dev-only-finding/package.json
new file mode 100644
index 00000000..4407f1a6
--- /dev/null
+++ b/examples/dev-only-finding/package.json
@@ -0,0 +1,10 @@
+{
+ "name": "cve-lite-example-dev-only-finding",
+ "version": "1.0.0",
+ "private": true,
+ "description": "Vulnerable package that only appears in devDependencies — scanner should classify it correctly and exclude it from --prod-only scans.",
+ "license": "MIT",
+ "devDependencies": {
+ "axios": "0.21.1"
+ }
+}
diff --git a/examples/readme.md b/examples/readme.md
index e32f704d..c8810edc 100644
--- a/examples/readme.md
+++ b/examples/readme.md
@@ -29,6 +29,7 @@ Small curated projects committed to the repository. Clone the repo and scan imme
 | `pnpm-workspace` | pnpm (workspace) | pnpm workspace monorepo with workspace-scoped fix commands. |
 | `wrong-parent` | npm | 3-level transitive chain where the immediate parent's range already covers the fix — expects `npm update js-cookie`, not a parent bump. |
 | `no-findings` | npm | Clean project with no known vulnerabilities — demonstrates success output. |
+| `dev-only-finding` | npm | Vulnerable package that only appears in devDependencies — classified as a direct finding in full scans and excluded by `--prod-only`. |
 | `any fixture` + `.cve-lite/baseline.json` | any | Run `cve-lite . --ratchet` on any fixture to establish a baseline. Rescan without the flag to see only new findings. `.cve-lite/` directories should NOT be committed from example fixtures. |
 | `mal-private-registry` | npm | `node-ipc@9.2.3` with `resolved` pointing to a private registry — demonstrates `Unverifiable (private source)` output for MAL- advisories where the artifact origin cannot be confirmed. |
 | `lima-site` | npm | Dev-dependency scanning in a documentation site. |
@@ -167,6 +168,8 @@ node dist/index.js examples/pnpm-aliased-chain --verbose
 node dist/index.js examples/pnpm-workspace --verbose
 node dist/index.js examples/wrong-parent --verbose
 node dist/index.js examples/no-findings
+node dist/index.js examples/dev-only-finding --verbose
+node dist/index.js examples/dev-only-finding --verbose --prod-only
 node dist/index.js examples/lima-site --verbose
 
 # In-repo snapshot: Astro
diff --git a/tests/scanner-cache.test.ts b/tests/scanner-cache.test.ts
index 1017e377..3da2ba6a 100644
--- a/tests/scanner-cache.test.ts
+++ b/tests/scanner-cache.test.ts
@@ -5,6 +5,7 @@ import { jest } from "@jest/globals";
 import type { OsvVuln, PackageRef, ParsedOptions } from "../src/types.js";
 import { LocalAdvisoryDatabase } from "../src/advisory/local-db.js";
 import { clearPackumentCache } from "../src/remediation/npm-registry.js";
+import { removeDir } from "./test-utils.js";
 
 const queryBatchMock = jest.fn();
 const getVulnMock = jest.fn();
@@ -25,10 +26,6 @@ function createTempCacheDir(): string {
 return fs.mkdtempSync(path.join(os.tmpdir(), "cve-lite-scanner-test-"));
 }
 
-function removeDir(dirPath: string) {
- fs.rmSync(dirPath, { recursive: true, force: true });
-}
-
 function createOptions(cacheDir: string): ParsedOptions {
 return {
 batchSize: "100",
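Review bot: The local removeDir deleted in the second hunk called `fs.rmSync(dirPath, { recursive: true, force: true })`, and nothing in this diff shows that the removeDir now imported from `./test-utils.js` in the first hunk keeps the same `force: true` behaviour; if the shared helper omits it, cleaning up a temp cache directory that was never created or was already removed would start throwing instead of being a no-op. Worth confirming against the helper's definition before merging, since the call sites that clean up after createTempCacheDir are outside these hunks. The `fs` import remains in use via createTempCacheDir, so dropping the local function leaves no unused import behind.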