From cb0dcd1a620cff46e27892258efbdafbd704d299 Mon Sep 17 00:00:00 2001
From: Sean Murphy <sean@wordfence.com>
Date: Fri, 1 Aug 2025 22:04:40 -0400
Subject: [PATCH 1/3] Add dependency review demo with vulnerable dependency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add GitHub workflow using enhanced PR comment functionality from sgmurphy/dependency-review-action@update-pr-comment
- Include package.json with vulnerable lodash version to trigger review
- Demonstrates improved comment behavior in on-failure mode

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/dependency-review.yml | 16 ++++++++++++++++
 package.json                            | 18 ++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 package.json

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..661fbc9
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,16 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: sgmurphy/dependency-review-action@update-pr-comment
+        with:
+          comment-summary-in-pr: on-failure
\ No newline at end of file
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..19355a2
--- /dev/null
+++ b/package.json
@@ -0,0 +1,18 @@
+{
+  "name": "fictional-garbanzo",
+  "version": "1.0.0",
+  "description": "Demo repository for dependency review action testing",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "lodash": "4.17.19"
+  },
+  "devDependencies": {
+    "eslint": "^8.0.0"
+  },
+  "keywords": ["demo", "dependency-review"],
+  "author": "Demo",
+  "license": "MIT"
+}
\ No newline at end of file

From 375dc0be910bfdf28241778ebb9d658b90b69820 Mon Sep 17 00:00:00 2001
From: Sean Murphy <sean@wordfence.com>
Date: Fri, 1 Aug 2025 22:05:54 -0400
Subject: [PATCH 2/3] Add pull-requests write permission for PR comments

---
 .github/workflows/dependency-review.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 661fbc9..566bdd4 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -3,6 +3,7 @@ on: [pull_request]
 
 permissions:
   contents: read
+  pull-requests: write
 
 jobs:
   dependency-review:

From ef5a5c52565609a9f8bfa311fb2dbb6cc0b1a513 Mon Sep 17 00:00:00 2001
From: Sean Murphy <sean@wordfence.com>
Date: Fri, 1 Aug 2025 22:07:15 -0400
Subject: [PATCH 3/3] Fix vulnerable lodash dependency

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 19355a2..514ac6c 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "dependencies": {
-    "lodash": "4.17.19"
+    "lodash": "4.17.21"
   },
   "devDependencies": {
     "eslint": "^8.0.0"