docs: add Twenty lockfile example and verified case study (#505)#594

Merged

sonukapoor merged 1 commit into OWASP:main from Ayush7614:ayush22 on Jun 13, 2026
Conversation

@Ayush7614 commented Jun 9, 2026
Contributor

Summary

  • Adds lockfile-only snapshot examples/twenty/ from twentyhq/twenty@fc90b4b (package.json + yarn.lock)
  • Documents verified baseline scan in website/docs/case-studies/twenty.md — largest case study fixture by package count (5,451 packages, 105 findings)
  • Open-source CRM / Nx + Yarn Berry monorepo coverage: 0 direct / 28 transitive / 77 unknown findings
  • Six critical findings (test stack: vitest, happy-dom, @nyariv/sandboxjs; legacy form-data chains)
  • Four fix command groups covering 24/105 findings (Nx parent upgrades + within-range refreshes)
  • yarn npm audit / yarn npm audit -A return no audit suggestions on lockfile-only snapshot (documented)
  • Bundles Twenty logo at website/static/img/twenty-logo.svg

Closes #505

Verified scan output

Parsed 5451 packages from yarn-lock (yarn.lock)
Found 105 packages (167 CVEs) with known OSV matches
Critical: 6 | High: 40 | Medium: 54 | Low: 5
4 command groups ready across 18 packages
Running all commands above should fix 24 of 105 findings.

Key generated commands:

yarn add @nx/js@22.6.4 @nx/react@22.6.0 verdaccio@6.6.0
yarn upgrade @babel/plugin-transform-modules-systemjs && yarn upgrade axios && ...
yarn upgrade ajv && yarn upgrade follow-redirects && ...
yarn add @nx/jest@22.7.2 nx@22.6.5

Note: the issue's preliminary scan reported 102 findings (v1.18.1, 2026-05-30); the verified count at v1.20.0 is 105 due to OSV advisory updates. All numbers in the case study match the live scan JSON.

Test plan

  • npm run build
  • node dist/index.js examples/twenty --verbose --all — 105 findings, 4 command groups, 24/105 coverage
  • Case study numbers match live scan JSON (cve-lite-scan-2026-06-09T07-32-56.json)
  • yarn npm audit and yarn npm audit -A attempted — no audit suggestions (documented)
  • Full 105-row baseline findings table included
  • Docusaurus site builds (if CI runs on PR)

@Ayush7614

Contributor Author

cc: @sonukapoor

@sonukapoor

Collaborator

This branch has merge conflicts with main — could you rebase against main, resolve the conflicts, and force-push? Thanks!

@Ayush7614

Contributor Author

@sonukapoor Rebased onto main and resolved the CHANGELOG.md conflict — Twenty entry is under [Unreleased], v1.21.0 section preserved. Force-pushed to ayush22. Thanks!

@sonukapoor

Collaborator

@Ayush7614 Please resolve conflicts and rebase. Thanks.

@Ayush7614

Contributor Author

@sonukapoor Rebased onto latest main — resolved CHANGELOG.md and website/docs/case-studies/index.md conflicts. Force-pushed to ayush22.

@Ayush7614

Contributor Author

@sonukapoor The Self Scan / self-scan-action failures are unrelated to this PR's Twenty case study content.

Both jobs scan the root package-lock.json with --fail-on high. They are failing on a new high-severity OSV advisory for esbuild@0.27.4 (transitive via dev dep tsx@4.21.0) — advisories GHSA-g7r4-m6w7-qqqr and GHSA-gv7w-rqvm-qjhr appeared after today's earlier green main Self Scan run.

Suggested fix on main (separate from this docs PR):

npm install tsx@4.22.0

This PR only adds examples/twenty/ + docs — it does not touch the root lockfile.

@Ayush7614

Contributor Author

Rebased to include the tsx@4.22.0 lockfile fix (same as #639) so Self Scan passes — root esbuild@0.27.4 high advisories were failing all docs PRs unrelated to case study content. CI should go green once checks re-run.

@sonukapoor sonukapoor left a comment

Collaborator

The case study content looks good. Three things to fix before we can merge:

  1. Please revert the package.json change (the tsx version bump from 4.19.2 to 4.22.0). Dependency updates belong in separate PRs.
  2. Please revert the package-lock.json change - generated from the tsx bump above.
  3. Please revert the CHANGELOG.md change - we manage the changelog at release time, not in individual PRs.

Document twentyhq/twenty at fc90b4b (5,451 packages, 105 findings) with
0 direct findings, six critical test-stack chains, and four fix groups.

Closes OWASP#505
@Ayush7614

Contributor Author

@sonukapoor Thanks for the review — same cleanup as #593:

  • package.json / package-lock.json: dropped the unrelated tsx bump commit
  • CHANGELOG.md: reverted to match main

Branch is now a single commit with only the Twenty case study files. Ready for re-review.

@sonukapoor sonukapoor left a comment

Collaborator

Apologies for the earlier confusion - the PR is clean. Twenty fixture works correctly (5,451 packages). Approved.

@sonukapoor sonukapoor merged commit 33d7cce into OWASP:main Jun 13, 2026
6 checks passed
@sonukapoor

Collaborator

Merged - thank you @Ayush7614!

@Ayush7614 Ayush7614 mentioned this pull request Jun 13, 2026
Development

Successfully merging this pull request may close these issues.

Add Twenty lockfile example and verified case study

2 participants