This repository intentionally contains vulnerable dependencies for educational purposes. It is a teaching artifact for GH-500 (GitHub Advanced Security) certification preparation.
The following packages are pinned to vulnerable versions to demonstrate GHAS features:
| Package | Version | Purpose |
|---|---|---|
| lodash | 4.17.20 | Demonstrate Dependabot alerts |
| axios | 0.21.1 | Demonstrate severity levels |
| node-fetch | 2.6.1 | Demonstrate transitive dependencies |
| minimist | 1.2.5 | Demonstrate critical CVEs |
| tar | 4.4.13 | Demonstrate multiple CVEs per package |
These are NOT bugs to report. They are intentional for teaching.
If you discover a security vulnerability in the application code itself (not the intentional dependency vulnerabilities), please report it responsibly:
- Do NOT open a public GitHub issue
- Email: [email protected]
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix timeline: depends on severity
In Scope:
- XSS vulnerabilities in the React frontend
- Injection vulnerabilities in the Express backend
- Authentication/authorization bypass
- Sensitive data exposure in API responses
Out of Scope:
- Intentionally vulnerable npm packages (listed above)
- Denial of service (this is a demo app)
- Issues requiring physical access
Contact: Tim Warner, Email: [email protected]
Thank you for helping keep this educational resource safe!