OWASP juice shop is currently the most extensive single page application (SPA) out there with deliberately built in vulnerabilities.
