docs: Refresh NestJS case study with measured remediation structure

[sonukapoor]

Summary

Refresh the NestJS case study so it follows the stronger measured-remediation structure used in the updated Juice Shop study.

Why

The current NestJS write-up has useful evidence, but it needs a clearer publication-grade structure built around measured remediation results.

The updated version should:

• include a strong top-line before/after table near the top
• document the exact NestJS revision used
• show the baseline scan and each remediation pass with real numbers
• explain what dropped out after the first pass and what remained for the second pass
• preserve honest remaining-risk discussion instead of forcing a zero-CVE framing
• make the narrative more useful for developers, OWASP reviewers, and outreach

Scope

Update docs/case-studies/nestjs.md to:

• rerun the case study against the reset local NestJS checkout
• capture a fresh baseline and measured follow-up scan results
• restructure the write-up to mirror the strongest parts of the Juice Shop study
• keep the claims factual, reproducible, and tied to the documented revision

Notes

This should remain a practical remediation narrative, not marketing copy.

[Ayush7614]

Hi @sonukapoor — I'd like to pick this up and get assigned.

I reviewed the current website/docs/case-studies/nestjs.md against the stronger measured-remediation structure in owasp-juice-shop.md. The NestJS write-up has useful evidence, but it needs a full refresh to match publication-grade expectations:

Current gaps

• CLI version is stale (v1.6.0 / v1.5.2 scan) — should rerun on current main (v1.20.0+)
• Summary vs Before/After numbers are inconsistent (26 baseline in summary, 24 in the table)
• Only one measured pass documented (24 → 21); Juice Shop shows two passes with what dropped at each stage
• Missing Scan verification block (scan date, exact command, revision pin, reproducible steps) used in newer case studies (Strapi, n8n, Storybook, etc.)
• NestJS remains a local-only fixture (examples/nest/ in .gitignore) — refresh will rerun against a clean nestjs/nest checkout at a pinned revision

Proposed approach

1. Clone/reset nestjs/nest locally and pin an exact commit in the write-up
2. Baseline scan with CVE Lite v1.20.0 + npm audit on the same package-lock.json
3. Run pass 1 (direct fixes / first command group — e.g. fastify) → rescan → record numbers
4. Run pass 2 (parent upgrade — e.g. mocha with --legacy-peer-deps if needed) → rescan → record numbers
5. Restructure nestjs.md to mirror Juice Shop:
   • strong top-line Before/After table near the top (baseline → pass 1 → pass 2)
   • Fix Journey explaining what dropped after each pass and what remained
   • honest Remaining risk section (no zero-CVE framing)
   • Scan verification table with reproducible commands
6. Update CLI version badge, comparison table, and baseline findings table to match live scan output

Happy to open a PR once assigned. Let me know if you have a preferred NestJS revision pin or want an in-repo lockfile snapshot added alongside the local remediation walkthrough.

— @Ayush7614

[sonukapoor]

@Ayush7614 Please go ahead.

[Ayush7614]

Opened PR with the measured two-pass remediation refresh: #749

Remeasurement on revision cee51af with CVE Lite v1.25.0 (2026-06-24):

• Lockfile baseline: 51 findings (8 direct / 43 transitive)
• Pass 1 (fastify@5.8.5): 51 → 50
• Pass 2 (mocha@12.0.0-beta-4): 50 → 47
• --only-used triage: 51 → 10

The write-up now mirrors the Juice Shop structure (Before vs After table, two-pass Fix Journey, scan verification metadata, honest remaining-risk section). Ready for review.