OWASP juice shop is currently the most extensive single page application (SPA) out there with deliberately built in vulnerabilities. This is the vulnerable web app you want to set up and hack against if you want to learn more about web vulnerabilities.
The application is maintained by the wonderful Bjoern Kimminich and can be downloaded from https://github.com/bkimminich/juice-shop.