
Add VS Code root lockfile example and verified case study#484

Merged
sonukapoor merged 1 commit into
OWASP:mainfrom
Ayush7614:ayush6
May 28, 2026

Conversation

@Ayush7614
Contributor

Pin microsoft/vscode@bc678ca root package-lock.json (1,374 packages, 9 findings) with live CVE Lite v1.18.1 and npm audit comparison. Wire docs sidebar, README, examples readme, CHANGELOG, and docs index. Use bundled VS Code wordmark in the case study header.

Closes #480

Summary

Adds a lockfile-only snapshot of the Visual Studio Code root npm dependency graph and a verified baseline case study documenting CVE Lite CLI findings, fix command groups, and a side-by-side comparison with npm audit on the same lockfile.

Why this change

Issue #480 requested a real-world developer-tool case study for CVE Lite CLI. VS Code is widely recognized and its root package-lock.json provides a realistic npm lockfile example with a mix of direct SDK advisories, legacy gulp toolchain risk, and transitive uuid/postcss findings — useful for demonstrating triage on a lean graph versus inflated native audit counts.

What changed

  • Added examples/vscode/ with root package.json and package-lock.json pinned to microsoft/vscode@bc678ca
  • Added website/docs/case-studies/vscode.md with verified baseline scan metrics and CVE Lite vs npm audit comparison
  • Added bundled VS Code wordmark at website/static/img/vscode-logo.png for the case study header
  • Wired the case study into website/sidebars.ts, README.md, examples/readme.md, website/docs/index.md, and CHANGELOG.md under [Unreleased]

Validation

Live scans run locally on 2026-05-28 against the committed fixture:

```
npx tsx src/index.ts examples/vscode --verbose --all
cd examples/vscode && npm audit
```

Verified results:

| Metric | CVE Lite CLI v1.18.1 | npm audit (10.8.2) |
| --- | --- | --- |
| Packages parsed | 1,374 | same lockfile |
| Vulnerable packages / entries | 9 | 22 |
| Critical | 0 | 0 |
| High | 1 | 5 |
| Medium | 8 | 17 |
| Direct vs transitive | 2 / 7 | not broken out |
| Fix command groups | 2 (3 of 9 findings) | partial (`npm audit fix`) |

Generated fix commands:

```
npm install @anthropic-ai/sdk@0.91.1
npm install @vscode/deviceid@0.1.5
```

Scan scope: root lockfile only — not nested lockfiles under build/, extensions/, or other subfolders.

Logo asset verified at website/static/img/vscode-logo.png in local Docusaurus preview.

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

  • Baseline scan only — no remediation was applied; all numbers in the case study match live CLI output.
  • npm audit reports more entries (22) because it counts advisory × dependency-path combinations; CVE Lite deduplicates to 9 unique vulnerable package versions.
  • The high finding (braces@2.3.2) arrives through legacy gulp tooling; two direct medium findings are @anthropic-ai/sdk versions in Copilot-related dev dependencies.

Made with Cursor
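The "9 vs 22" difference in the table above comes down to how findings are counted: once per advisory × dependency path, or once per unique vulnerable package version. The script below is an added illustration of that distinction and of the direct/transitive split; it is not code from this PR or from CVE Lite CLI. It assumes a constructed `lockfileVersion: 3` fixture with placeholder package names (`sdk`, `gulp`, `lint`, `glob`, `braces`, `uuid`) and placeholder advisory ids (`ADV-EXAMPLE-*`), resolves dependencies with a simplified model of Node's nested `node_modules` lookup, and emits plain `npm install name@fixed` commands only for direct findings, since transitive ones need an override or an upstream bump.

```python
import json

# Constructed lockfileVersion 3 fixture for illustration only; it is not the
# VS Code lockfile from the PR and the package names are placeholders.
LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"sdk": "^1.0.0"},
            "devDependencies": {"gulp": "^4.0.0", "lint": "^1.0.0"},
        },
        "node_modules/sdk": {"version": "1.0.0", "dependencies": {"uuid": "^3.0.0"}},
        "node_modules/gulp": {"version": "4.0.0", "dev": True,
                              "dependencies": {"glob": "^7.0.0", "uuid": "^3.0.0"}},
        "node_modules/lint": {"version": "1.0.0", "dev": True, "dependencies": {"glob": "^7.0.0"}},
        "node_modules/glob": {"version": "7.0.0", "dependencies": {"braces": "^2.3.0"}},
        "node_modules/braces": {"version": "2.3.2"},
        "node_modules/uuid": {"version": "3.4.0"},
    },
}

# Constructed advisory feed: placeholder ids, affected versions and first fixed version.
ADVISORIES = {
    "braces": [{"id": "ADV-EXAMPLE-1", "severity": "high", "affected": {"2.3.2"}, "fixed": "3.0.3"}],
    "uuid": [{"id": "ADV-EXAMPLE-2", "severity": "medium", "affected": {"3.4.0"}, "fixed": "7.0.0"}],
    "sdk": [{"id": "ADV-EXAMPLE-3", "severity": "medium", "affected": {"1.0.0"}, "fixed": "1.0.1"}],
}


def resolve(packages, from_key, name):
    """Find the lockfile entry `name` resolves to when required by the package
    at `from_key`: nearest nested node_modules copy wins, else walk up to root."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut >= 0 else ""


def dependency_paths(packages):
    """Enumerate every root-to-package path as a list of lockfile keys."""
    root = packages[""]
    top_level = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    paths = []

    def walk(key, trail):
        paths.append(trail)
        for dep in packages[key].get("dependencies", {}):
            target = resolve(packages, key, dep)
            if target and target not in trail:  # cycle guard
                walk(target, trail + [target])

    for name in top_level:
        target = resolve(packages, "", name)
        if target:
            walk(target, [target])
    return paths


def count_findings(lockfile, advisories):
    """Count two ways: advisory x dependency path (the inflated figure, as npm
    audit reports) and unique package@version (the deduplicated figure)."""
    packages = lockfile["packages"]
    root = packages[""]
    direct_keys = {resolve(packages, "", n)
                   for n in {**root.get("dependencies", {}), **root.get("devDependencies", {})}}
    path_entries = 0
    unique = {}
    for path in dependency_paths(packages):
        key = path[-1]
        name = key.rsplit("node_modules/", 1)[1]
        version = packages[key]["version"]
        for adv in advisories.get(name, []):
            if version in adv["affected"]:
                path_entries += 1
                unique.setdefault(f"{name}@{version}", {
                    "advisory": adv["id"], "severity": adv["severity"],
                    "direct": key in direct_keys, "fixed": adv["fixed"],
                    "path": " > ".join(p.rsplit("node_modules/", 1)[1] for p in path),
                })
    by_severity = {}
    for f in unique.values():
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return {
        "path_entries": path_entries,
        "unique_vulnerable": len(unique),
        "direct": sum(f["direct"] for f in unique.values()),
        "transitive": sum(not f["direct"] for f in unique.values()),
        "by_severity": by_severity,
        "findings": unique,
    }


def fix_commands(report):
    """Direct findings can be bumped with a plain install; transitive ones are skipped."""
    return [f"npm install {key.rsplit('@', 1)[0]}@{f['fixed']}"
            for key, f in sorted(report["findings"].items()) if f["direct"]]


if __name__ == "__main__":
    report = count_findings(LOCKFILE, ADVISORIES)
    print(json.dumps(report, indent=2))
    print("\n".join(fix_commands(report)))
```

On the fixture this yields 5 path-level entries but only 3 unique vulnerable versions (1 direct, 2 transitive; 1 high, 2 medium), the same shape of gap as the 22-versus-9 result in the case study: `uuid@3.4.0` and `braces@2.3.2` are each reached through two paths and get counted twice by the path-based method. Only `sdk` is direct, so it is the only one that gets an install command.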

Pin microsoft/vscode@bc678ca root package-lock.json (1,374 packages, 9
findings) with live CVE Lite v1.18.1 and npm audit comparison. Wire docs
sidebar, README, examples readme, CHANGELOG, and docs index. Use bundled
VS Code wordmark in the case study header.

Closes OWASP#480
Collaborator

@sonukapoor sonukapoor left a comment


Clean work. The case study is well-structured, all sections are present in the right order, vscode-logo.png is bundled locally the right way, and the verified scan data holds up. The @anthropic-ai/sdk finding as a direct Copilot-related dependency is a particularly good detail - makes the scan story concrete for a technically informed audience.

The 9 vs 22 comparison table is also clear and defensible. The explanation of why the counts differ (advisory × path combinations vs deduplicated package versions) is exactly the right framing.

This is ready to go.

@sonukapoor sonukapoor merged commit 4d1d694 into OWASP:main May 28, 2026
6 checks passed