Let's intentionally add a toxic (known-vulnerable) dependency to the project and then see how Mend handles it.
Try adding at two levels:
- root-level package.json
- sub-project package.json
Candidate packages (package.json entries):
- "vm2": "^3.9.15"
- "minimist": "1.2.3"
- "handlebars": "4.7.3"
The candidates should:
- ... have a critical-severity vulnerability
- ... have a known fix for that vulnerability
- ... have that fix in the same major version as the vulnerable release (so the finding is remediable without a breaking upgrade)
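To screen candidates against the three rules above before committing them, here is an added example (not part of the original notes, and not Mend's own tooling) that applies the rules to the `vulnerabilities` map printed by `npm audit --json` on npm 7+. The audit data below is constructed placeholder data with made-up package names; the `fixAvailable` shape (`false`, `true`, or `{name, version, isSemVerMajor}`) is assumed from npm's output format.

```javascript
// Added example: screen candidate packages against the three selection rules
// using the `vulnerabilities` map from `npm audit --json` (npm 7+ shape assumed).

// Major version of a declared range or version string, e.g. "^3.9.15" -> 3.
const major = (v) => parseInt(String(v).replace(/^[\^~>=<\s]+/, '').split('.')[0], 10);

// Apply the three rules to one audit entry. Returns the reasons the candidate
// fails; an empty array means it is a good candidate for the experiment.
function screenCandidate(entry, declaredRange) {
  const reasons = [];
  if (entry.severity !== 'critical') {
    reasons.push(`severity is ${entry.severity}, not critical`);
  }
  const fix = entry.fixAvailable;
  if (!fix || fix === true) {
    // `false`: no fix known. `true`: fixable, but npm did not name a version.
    reasons.push(fix ? 'fix version not reported' : 'no known fix');
  } else if (fix.isSemVerMajor || major(fix.version) !== major(declaredRange)) {
    reasons.push(`fix ${fix.version} is a different major than ${declaredRange}`);
  }
  return reasons;
}

// CONSTRUCTED sample in the npm 7+ audit shape; names and versions are placeholders.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    'pkg-good': { severity: 'critical', isDirect: true, range: '<1.2.6',
      fixAvailable: { name: 'pkg-good', version: '1.2.6', isSemVerMajor: false } },
    'pkg-major-bump': { severity: 'critical', isDirect: true, range: '<2.0.0',
      fixAvailable: { name: 'pkg-major-bump', version: '2.0.0', isSemVerMajor: true } },
    'pkg-nofix': { severity: 'critical', isDirect: true, range: '*', fixAvailable: false },
    'pkg-high': { severity: 'high', isDirect: true, range: '<4.7.7',
      fixAvailable: { name: 'pkg-high', version: '4.7.7', isSemVerMajor: false } },
  },
};

// The ranges we would declare in package.json for each candidate (constructed).
const DECLARED = {
  'pkg-good': '1.2.3', 'pkg-major-bump': '^1.0.0', 'pkg-nofix': '^3.9.15', 'pkg-high': '4.7.3',
};

// Screen every audited package; result maps package name -> list of rejection reasons.
function screenAll(audit, declared) {
  const result = {};
  for (const [name, entry] of Object.entries(audit.vulnerabilities)) {
    result[name] = screenCandidate(entry, declared[name]);
  }
  return result;
}

console.log(screenAll(SAMPLE_AUDIT, DECLARED)); // only 'pkg-good' has an empty list
```

Run the real check by piping `npm audit --json` from the root and from the sub-project into `screenAll` in place of `SAMPLE_AUDIT`, with `DECLARED` read from the corresponding package.json.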