
docs: add Ghost case study and example lockfiles #372

Merged
sonukapoor merged 2 commits into main from docs/issue-365-ghost-case-study on May 19, 2026

Conversation

@sonukapoor (Collaborator)

Adds a full case study for Ghost (TryGhost/Ghost) at revision 359e702, documenting 26 transitive vulnerabilities across 4,447 resolved packages — including a critical XSS in sanitize-html (the library responsible for making user content safe) and critical code execution in babel-traverse@6.26.0 buried six layers deep in the build toolchain.

Key narratives:

  • Every one of the 26 findings is transitive — 0 direct — making this the clearest illustration of why lockfile scanning matters beyond package.json
  • Ghost uses Renovate for automated dependency management; 26 vulnerabilities remain anyway, covering the three structural gaps automation cannot close (no-fix packages, stalled breaking-change PRs, transitive chains outside Renovate's scope)
  • CVE Lite correctly outputs 0 copy-and-run commands — all transitive — which is itself the story: the scanner telling you not to reach for pnpm audit fix
  • Comparison vs pnpm audit: 44 findings (path-counted) vs 26 (package-deduplicated)

Also adds example lockfiles for Ghost (pnpm), Prisma (pnpm), and Strapi (Yarn) to examples/ for local scanning, and updates the sidebar, examples readme, and README real-world validation section.

Closes #365
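The counting distinction in the description above (pnpm audit's 44 path-counted findings vs 26 deduplicated packages, and the direct vs transitive split that decides whether a copy-and-run command exists) is easiest to see on a small resolved dependency graph. The block below is an added Python example, not code from CVE Lite or from this pull request. The graph, versions and advisory ids are constructed: sanitize-html and babel-traverse are names the case study uses, but the graph around them is invented, and unlike Ghost's 0 direct findings it deliberately includes one direct hit so the two classifications differ.

```python
"""Toy lockfile-scan model: path-counted vs package-deduplicated findings,
and direct vs transitive classification. All data below is constructed
for illustration; it is not Ghost's lockfile or CVE Lite's implementation."""

ROOT = "<root>"

# Constructed resolved dependency graph. Keys are "name@version"; values are
# the packages they resolve to. ROOT lists the direct dependencies from
# package.json. Versions and graph shape are invented.
GRAPH = {
    ROOT: ["app-ui@1.0.0", "app-build@2.0.0", "sanitize-html@2.0.0"],
    "app-ui@1.0.0": ["sanitize-html@2.0.0", "lib-x@1.0.0"],
    "lib-x@1.0.0": ["sanitize-html@2.0.0"],
    "app-build@2.0.0": ["tool-a@1.0.0"],
    "tool-a@1.0.0": ["tool-b@1.0.0"],
    "tool-b@1.0.0": ["babel-traverse@6.26.0"],
    "sanitize-html@2.0.0": [],
    "babel-traverse@6.26.0": [],
}

# Constructed advisory table keyed by exact "name@version" (placeholder ids,
# not real CVE numbers).
ADVISORIES = {
    "sanitize-html@2.0.0": "EXAMPLE-ADV-1",
    "babel-traverse@6.26.0": "EXAMPLE-ADV-2",
}


def enumerate_paths(graph, root=ROOT):
    """Return {package: [path, ...]} where each path is the list of packages
    from the first direct dependency down to that package (root excluded).
    A package reachable through several routes gets one entry per route."""
    paths = {}

    def walk(node, trail):
        for dep in graph.get(node, []):
            if dep in trail:  # guard against cycles in the resolved graph
                continue
            new_trail = trail + [dep]
            paths.setdefault(dep, []).append(new_trail)
            walk(dep, new_trail)

    walk(root, [])
    return paths


def scan(graph, advisories, root=ROOT):
    """Match every reachable package against the advisory table.
    One finding per vulnerable package, carrying all of its paths, so the
    caller can count either per package or per path."""
    findings = []
    for pkg, pkg_paths in enumerate_paths(graph, root).items():
        if pkg not in advisories:
            continue
        findings.append({
            "package": pkg,
            "advisory": advisories[pkg],
            "paths": pkg_paths,
            # direct = listed in package.json, i.e. some path of length 1
            "direct": any(len(p) == 1 for p in pkg_paths),
            "min_depth": min(len(p) for p in pkg_paths),
        })
    return sorted(findings, key=lambda f: f["package"])


def summarize(findings):
    """Path-counted total (one per dependency route, the way an audit tool
    reports 'via' chains) vs deduplicated total (one per package)."""
    return {
        "path_counted": sum(len(f["paths"]) for f in findings),
        "deduplicated": len(findings),
        "direct": sum(1 for f in findings if f["direct"]),
        "transitive_only": sum(1 for f in findings if not f["direct"]),
    }


if __name__ == "__main__":
    found = scan(GRAPH, ADVISORIES)
    for f in found:
        kind = "direct" if f["direct"] else f"transitive (depth {f['min_depth']})"
        print(f"{f['package']}: {f['advisory']} [{kind}], {len(f['paths'])} path(s)")
    print(summarize(found))
```

On this constructed graph sanitize-html is reached by three routes (one of them direct) and babel-traverse by a single route four levels down, so a path-counted report says 4 while a deduplicated one says 2. Only the direct finding corresponds to a version pin the project controls in its own package.json; the transitive one can only change when some intermediate package re-resolves, which is the situation the case study describes for all 26 Ghost findings.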

Adds a full case study for Ghost (TryGhost/Ghost) at revision 359e702,
documenting 26 transitive vulnerabilities across 4,447 resolved packages
including a critical XSS in sanitize-html and critical code execution in
babel-traverse@6.26.0 buried six layers deep in the build toolchain.

Also adds example lockfiles for Ghost (pnpm), Prisma (pnpm), and Strapi
(Yarn) to examples/ for local scanning. Updates the sidebar, examples
readme, and README real-world validation section to include Ghost.

Closes #365
Notes that Ghost uses Renovate for automated dependency management and
explains the three structural reasons 26 vulnerabilities remain despite
active automation: no-fix packages, stalled breaking-change PRs, and
transitive chains outside Renovate's scope.

Part of #365
@sonukapoor sonukapoor force-pushed the docs/issue-365-ghost-case-study branch from 8c16bce to 54f80f9 Compare May 19, 2026 12:30
@sonukapoor sonukapoor merged commit 41d0cb8 into main May 19, 2026
6 checks passed
@sonukapoor sonukapoor deleted the docs/issue-365-ghost-case-study branch May 19, 2026 12:41