From 8686d65dc64cad495de69d66ae3b249f5e9aff72 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Thu, 14 Aug 2025 06:22:00 +0000
Subject: [PATCH 1/2] fix: package.json & package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
---
 package-lock.json | 63 +++++++++++++++++++++++++++++++++++++++++++++++
 package.json | 2 +-
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index 0deb6ec..51b1bf6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,11 +9,13 @@
 "version": "1.0.0",
 "license": "ISC",
 "dependencies": {
+ "axios": "0.19.0",
 "body-parser": "^1.20.2",
 "dotenv": "^16.4.5",
 "ejs": "^3.1.9",
 "express": "^4.18.2",
 "express-handlebars": "^7.1.2",
+ "lodash": "^4.17.12",
 "mongodb": "^6.3.0",
 "mongoose": "^8.1.0",
 "pug": "^3.0.2"
@@ -272,6 +274,40 @@
 "integrity": "sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA==",
 "license": "MIT"
 },
+ "node_modules/axios": {
+ "version": "0.19.0",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-0.19.0.tgz",
+ "integrity": "sha512-1uvKqKQta3KBxIz14F2v06AEHZ/dIoeKfbTRkK1E5oqjDnuEerLmYTgJB5AiQZHJcljpg1TuRzdjDR06qNk0DQ==",
+ "deprecated": "Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410",
+ "license": "MIT",
+ "dependencies": {
+ "follow-redirects": "1.5.10",
+ "is-buffer": "^2.0.2"
+ }
+ },
+ "node_modules/axios/node_modules/is-buffer": {
+ "version": "2.0.5",
+ "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.5.tgz",
+ "integrity": "sha512-i2R6zNFDwgEHJyQUtJEk0XFi1i0dPFn/oqjK3/vPCcDeJvW5NQ83V8QbicfF1SupOaB0h8ntgBC2YiE7dfyctQ==",
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/feross"
+ },
+ {
+ "type": "patreon",
+ "url": "https://www.patreon.com/feross"
+ },
+ {
+ "type": "consulting",
+ "url": "https://feross.org/support"
+ }
+ ],
+ "license": "MIT",
+ "engines": {
+ "node": ">=4"
+ }
+ },
 "node_modules/babel-walk": {
 "version": "3.0.0-canary-5",
 "resolved": "https://registry.npmjs.org/babel-walk/-/babel-walk-3.0.0-canary-5.tgz",
@@ -809,6 +845,27 @@
 "node": ">= 0.8"
 }
 },
+ "node_modules/follow-redirects": {
+ "version": "1.5.10",
+ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz",
+ "integrity": "sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ==",
+ "license": "MIT",
+ "dependencies": {
+ "debug": "=3.1.0"
+ },
+ "engines": {
+ "node": ">=4.0"
+ }
+ },
+ "node_modules/follow-redirects/node_modules/debug": {
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz",
+ "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==",
+ "license": "MIT",
+ "dependencies": {
+ "ms": "2.0.0"
+ }
+ },
 "node_modules/foreground-child": {
 "version": "3.3.1",
 "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz",
@@ -1271,6 +1328,12 @@
 "node": ">=12.0.0"
 }
 },
+ "node_modules/lodash": {
+ "version": "4.17.12",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.12.tgz",
+ "integrity": "sha512-+CiwtLnsJhX03p20mwXuvhoebatoh5B3tt+VvYlrPgZC1g36y+RRbkufX95Xa+X4I59aWEacDFYwnJZiyBh9gA==",
+ "license": "MIT"
+ },
 "node_modules/lru-cache": {
 "version": "10.4.3",
 "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
diff --git a/package.json b/package.json
index 51bef14..7a869cc 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "mongodb": "^6.3.0",
 "mongoose": "^8.1.0",
 "pug": "^3.0.2",
- "lodash": "4.17.4",
+ "lodash": "4.17.12",
 "axios": "0.19.0"
 },
 "engines": {

From 4c28d17502be92a83f59a0a0bf1a5b93b6a69a07 Mon Sep 17 00:00:00 2001
From: bhavin23012001
Date: Thu, 14 Aug 2025 12:04:26 +0530
Subject: [PATCH 2/2] Update code-scan.yml

---
 .github/workflows/code-scan.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 396e111..1537062 100644
--- a/.github/workflows/code-scan.yml
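Review bot: The `"lodash": "4.17.12"` spec written into package.json here is an exact pin, while the root-package entry the same commit writes into package-lock.json records `"lodash": "^4.17.12"`; recent npm releases have `npm ci` compare those two declarations and refuse to install when they disagree, so one side should change — `"lodash": "^4.17.12",` here if the caret range is the intended one. The unchanged `"axios": "0.19.0"` context line below it also deserves attention in a commit titled "reduce vulnerabilities": the lockfile hunk in the same patch carries this package's registry `deprecated` notice ("Critical security vulnerability fixed in v0.21.1") and resolves it against follow-redirects 1.5.10, so the dependency set still contains a release the registry itself flags. Raising the spec to at least the version named in that notice (`"axios": "^0.21.1"`) and regenerating the lockfile would close that gap, and an exact pin on lodash means later 4.17.x releases are never picked up by a routine install even though the lockfile already provides the reproducibility a pin is usually meant for.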
+++ b/.github/workflows/code-scan.yml
@@ -34,6 +34,10 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-node-
+ # ---------------- Sync package-lock ----------------
+ - name: Sync package-lock.json
+ run: npm install --package-lock-only
+
 - name: Install Node.js dependencies
 run: npm ci
@@ -46,7 +50,7 @@ jobs:
 -Dsonar.projectKey=bhavin23012001_ShopingKaro
 -Dsonar.projectName=ShopingKaro
 -Dsonar.qualitygate.wait=true
- -X # Enables full debug logging
+ -X
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 SONAR_HOST_URL: "https://sonarcloud.io"
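Review bot: The new `npm install --package-lock-only` step regenerates package-lock.json from package.json's ranges on the runner before `npm ci` executes, so the install that follows is no longer pinned to the committed lockfile: the resolved versions and integrity hashes the scan then examines can differ from what is checked into the repository, and a package.json/lockfile mismatch that `npm ci` would otherwise fail on is silently papered over. If drift is expected, it is safer to make it a build failure than to rewrite the lockfile in CI, for example `run: npm install --package-lock-only && git diff --exit-code -- package-lock.json`; otherwise drop the step and commit a lockfile that already matches package.json. The enclosing job definition starts and ends outside the hunk.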
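Review bot: Dropping the `# Enables full debug logging` comment leaves the scanner's `-X` flag in place with no explanation of why debug output should stay on for every run, and because this step executes with `SONAR_TOKEN` in its environment, verbose output is best reserved for troubleshooting rather than permanently enabled. Either keep the comment and state the reason, or remove `-X` as well and re-add it only while diagnosing a failing scan. The run step this flag belongs to begins outside the hunk.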