From 072683bc268d60dcf4d0904c9927bb4fb54e25b6 Mon Sep 17 00:00:00 2001
From: Rahul Agarwal
Date: Wed, 29 Apr 2026 19:40:35 +0530
Subject: [PATCH] test: add vulnerable lodash@4.17.4 to verify dependency-review action

This commit intentionally adds a known-vulnerable dependency (lodash 4.17.4 has multiple high/critical CVEs) to verify that the new dependency-review GitHub Action correctly fails CI. This PR is for verification only and should NOT be merged.

Made-with: Cursor
---
 package-lock.json | 8 ++++++++
 package.json | 1 +
 2 files changed, 9 insertions(+)

diff --git a/package-lock.json b/package-lock.json
index 9bbe60a..57122ca 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7,6 +7,7 @@
 "": {
 "name": "spreedly-sdk-sample-app",
 "version": "0.0.0",
+ "license": "Apache-2.0",
 "dependencies": {
 "@playwright/test": "1.55.1",
 "@types/cors": "^2.8.19",
@@ -19,6 +20,7 @@
 "dotenv": "^17.2.1",
 "express": "^5.2.1",
 "express-useragent": "^2.0.2",
+ "lodash": "^4.17.4",
 "morgan": "^1.10.1",
 "swagger-jsdoc": "^6.2.8",
 "swagger-ui-express": "^5.0.1",
@@ -2353,6 +2355,12 @@
 "url": "https://github.com/sponsors/sindresorhus"
 }
 },
+ "node_modules/lodash": {
+ "version": "4.17.4",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz",
+ "integrity": "sha512-6X37Sq9KCpLSXEh8uM12AKYlviHPNNk4RxiGBn4cmKGJinbXBneWIV7iE/nXkM928O7ytHcHb6+X6Svl0f4hXg==",
+ "license": "MIT"
+ },
 "node_modules/lodash.get": {
 "version": "4.4.2",
 "resolved": "https://registry.npmjs.org/lodash.get/-/lodash.get-4.4.2.tgz",
diff --git a/package.json b/package.json
index 5a4607d..af93f5a 100644
--- a/package.json
+++ b/package.json
@@ -47,6 +47,7 @@
 "dotenv": "^17.2.1",
 "express": "^5.2.1",
 "express-useragent": "^2.0.2",
+ "lodash": "^4.17.4",
 "morgan": "^1.10.1",
 "swagger-jsdoc": "^6.2.8",
 "swagger-ui-express": "^5.0.1",
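Review bot: The caret range `"lodash": "^4.17.4"` added to package.json does not by itself express the version this PR is meant to exercise; only the package-lock.json entry pins 4.17.4, so any workflow that regenerates or ignores the lockfile (a plain `npm install`, a Dependabot refresh) will resolve a patched 4.17.x release and the dependency-review check would then pass for the wrong reason. For a deliberate verification fixture, pin the exact version, `"lodash": "4.17.4"`, so manifest and lockfile agree and the outcome does not depend on `npm ci` versus `npm install`; the same applies to the matching `"lodash"` line in the package-lock.json root `""` entry. Since the description says the PR must not be merged, a short comment-style marker is not possible in strict JSON, so the do-not-merge intent should live in the PR title or a label rather than only in the commit body.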