OWASP · sonukapoor · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/examples/dev-only-finding/package-lock.json b/examples/dev-only-finding/package-lock.json
diff --git a/examples/dev-only-finding/package.json b/examples/dev-only-finding/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "cve-lite-example-dev-only-finding",
+  "version": "1.0.0",
+  "private": true,
+  "description": "Vulnerable package that only appears in devDependencies — scanner should classify it correctly and exclude it from --prod-only scans.",
+  "license": "MIT",
+  "devDependencies": {
+    "axios": "0.21.1"
+  }
+}
diff --git a/examples/readme.md b/examples/readme.md
@@ -29,6 +29,7 @@ Small curated projects committed to the repository. Clone the repo and scan imme
 | `pnpm-workspace` | pnpm (workspace) | pnpm workspace monorepo with workspace-scoped fix commands. |
 | `wrong-parent` | npm | 3-level transitive chain where the immediate parent's range already covers the fix — expects `npm update js-cookie`, not a parent bump. |
 | `no-findings` | npm | Clean project with no known vulnerabilities — demonstrates success output. |
+| `dev-only-finding` | npm | Vulnerable package that only appears in devDependencies — classified as a direct finding in full scans and excluded by `--prod-only`. |
 | `any fixture` + `.cve-lite/baseline.json` | any | Run `cve-lite . --ratchet` on any fixture to establish a baseline. Rescan without the flag to see only new findings. `.cve-lite/` directories should NOT be committed from example fixtures. |
 | `mal-private-registry` | npm | `node-ipc@9.2.3` with `resolved` pointing to a private registry — demonstrates `Unverifiable (private source)` output for MAL- advisories where the artifact origin cannot be confirmed. |
 | `lima-site` | npm | Dev-dependency scanning in a documentation site. |
@@ -167,6 +168,8 @@ node dist/index.js examples/pnpm-aliased-chain --verbose
 node dist/index.js examples/pnpm-workspace --verbose
 node dist/index.js examples/wrong-parent --verbose
 node dist/index.js examples/no-findings
+node dist/index.js examples/dev-only-finding --verbose
+node dist/index.js examples/dev-only-finding --verbose --prod-only
 node dist/index.js examples/lima-site --verbose
 
 # In-repo snapshot: Astro

diff --git a/tests/scanner-cache.test.ts b/tests/scanner-cache.test.ts
@@ -5,6 +5,7 @@ import { jest } from "@jest/globals";
 import type { OsvVuln, PackageRef, ParsedOptions } from "../src/types.js";
 import { LocalAdvisoryDatabase } from "../src/advisory/local-db.js";
 import { clearPackumentCache } from "../src/remediation/npm-registry.js";
+import { removeDir } from "./test-utils.js";
 
 const queryBatchMock = jest.fn();
 const getVulnMock = jest.fn();
@@ -25,10 +26,6 @@ function createTempCacheDir(): string {
   return fs.mkdtempSync(path.join(os.tmpdir(), "cve-lite-scanner-test-"));
 }
 
-function removeDir(dirPath: string) {
-  fs.rmSync(dirPath, { recursive: true, force: true });
-}
-
 function createOptions(cacheDir: string): ParsedOptions {
   return {
     batchSize: "100",