fix: parse dual-document pnpm v9 lockfiles (bootstrap + project sections)

[Ayush7614]

Summary

Some pnpm v9 lockfiles contain two YAML documents separated by ---: a bootstrap block (package-manager dependencies like pnpm@11.1.3) and the main project lockfile. CVE Lite currently calls YAML.parse() on pnpm-lock.yaml, which throws:

Error: Source contains multiple documents; please use YAML.parseAllDocuments()

Reproduction

1. Clone apify/apify-mcp-server (or any repo with dual-document pnpm-lock.yaml)
2. Run cve-lite /path/to/apify-mcp-server --json
3. Scan fails before any findings are produced

Example upstream file: pnpm-lock.yaml — bootstrap document ends ~line 198, main project lockfile starts at second ---.

Expected behavior

CVE Lite should select the project lockfile document (the section with root importers[].dependencies / devDependencies and the large snapshots graph) and scan it normally.

Proposed fix

• Try YAML.parse() first (single-document lockfiles unchanged)
• On multi-document error, use YAML.parseAllDocuments() and pick the document with the highest score (dependency count + snapshot/package entries)
• Add regression test with minimal dual-document fixture

Impact

Without this fix, lockfile-only scans fail entirely for affected pnpm projects — no findings, no fix commands, no case-study baseline possible.

---

Opened by @Ayush7614. Local fix + regression test prepared; happy to open PR if maintainers confirm approach.

[sonukapoor]

Good catch - this is a real bug and affects any pnpm v9 project using the bootstrap prefix format. Please go ahead and open the PR.

One suggestion on the fix approach: rather than scoring documents by dependency count, look for the document that contains an importers key - that's always the project lockfile regardless of document order or size:

const docs = YAML.parseAllDocuments(content);
const projectDoc = docs.find(d => d.toJS()?.importers) ?? docs[docs.length - 1];

This is more deterministic and won't break if a future pnpm version changes the relative sizes of the two documents. The fallback to docs[docs.length - 1] covers any edge case where importers isn't present.

Please include a minimal dual-document fixture in examples/ and a regression test that confirms the scan completes and produces findings rather than throwing.