Skip to content

Lesson 04 – Dependency Review Demo#18

Merged
timothywarner merged 1 commit into
mainfrom
demo/dependency-review-test
Dec 9, 2025
Merged

Lesson 04 – Dependency Review Demo#18
timothywarner merged 1 commit into
mainfrom
demo/dependency-review-test

Conversation

@timothywarner
Copy link
Copy Markdown
Contributor

@timothywarner timothywarner commented Dec 9, 2025

Purpose

This PR adds a vulnerable dependency (lodash@4.17.19) to the NodeGoat package.json to demonstrate GitHub's Dependency Review feature for Lesson 04.

Changes

  • Added lodash version 4.17.19 to vulnerable_repos/NodeGoat/package.json

Expected Outcome

This should trigger Dependency Review to show:

  • A new vulnerable dependency being added
  • Known CVEs associated with lodash 4.17.19 (prototype pollution vulnerabilities)
  • Supply chain risk visibility in the PR

This PR is for demonstration purposes and should be used to show Dependency Review in action during the Lesson 04 demo recording.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 9, 2025

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

vulnerable_repos/NodeGoat/package.json

PackageVersionLicenseIssue Type
lodash^4.17.19NullUnknown License
Denied Licenses: GPL-3.0, AGPL-3.0

OpenSSF Scorecard

PackageVersionScoreDetails
npm/lodash ^4.17.19 🟢 6.7
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 611 out of 17 merged PRs checked by a CI test -- score normalized to 6
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Contributors🟢 10project has 88 contributing companies or organizations
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing🟢 10project is fuzzed
License🟢 9license file detected
Maintained🟢 1017 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
SAST🟢 8SAST tool detected but not run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Vulnerabilities⚠️ 074 existing vulnerabilities detected

Scanned Files

  • vulnerable_repos/NodeGoat/package.json

@timothywarner timothywarner requested a review from Copilot December 9, 2025 17:43
@timothywarner timothywarner self-assigned this Dec 9, 2025
Copilot AI reviewed Dec 9, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR intentionally introduces a vulnerable dependency for educational purposes. It adds lodash version 4.17.19 to the NodeGoat application to demonstrate GitHub's Dependency Review feature during Lesson 04.

Key Changes:

  • Added vulnerable lodash dependency (4.17.19) to package.json

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@timothywarner timothywarner merged commit 8bc60c7 into main Dec 9, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@timothywarner timothywarner

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timothywarner